The safest repository to an install application from, GitHub or F-Droid?

DeletedUser498

I am on GrapheneOS, but this concerns Android as a whole. From the options of F-Droid (Main) and GitHub (through Obtainium) which is the safest way to install an app?

From the GrapheneOS forums, I see many people recommending GitHub over F-Droid as it is straight from the source. I know its true, but if a developer adds a ‘not-so-safe’ piece of code or begins enshitification, Obtainium would update the app without letting me know about the changes. But from what I have seen, F-Droid usually pause or cancel the update/app if these changes were to take place (Example, Simple Gallery or Mull for Android).

So I am confused. Whom should I trust more, F-Droid with their own app builds or the Developers on GitHub?

Also I have seen that Obtainium when used with a VPN to fetch app updates, will get rate limited by GitHub. Also I don’t really like GitHub as a code repository, with their tracking and MS ownership. I don’t know if F-Droid tracks user.

Also, many third party applications do not have a listing on AppVerifier, or the developer may not publish the release hash, so it cannot be used to check the integrity unfortunately. But for the apps that do have the listing, F-Droid builds do pass them from my observations.

I know that this is a common thread, but I could not find a comprehensive answer.

Discussion on Lemmy.

vincente213

DeletedUser498

Most apps that are kept up to date on FDroid use reproducable builds, which means you are actually downloading the APK from the github repo anyways. In this situation, it is better to use F-Droid than Obtainium because they make sure the apps are actually open-source and the apks match the code (the reproducable builds part)

JustBeginnez

DeletedUser498 Also I have seen that Obtainium when used with a VPN to fetch app updates, will get rate limited by GitHub.

Rate limiting will be resolved once you create a GitHub account.

Eumenia

DeletedUser498 From the GrapheneOS forums, I see many people recommending GitHub over F-Droid as it is straight from the source. I know its true, but if a developer adds a ‘not-so-safe’ piece of code or begins enshitification, Obtainium would update the app without letting me know about the changes. But from what I have seen, F-Droid usually pause or cancel the update/app if these changes were to take place (Example, Simple Gallery or Mull for Android).

The main benefit of FDroid iat that their enforce rproducible builds, so the devs are prevented from close the source of your applications.
This also means that F-Droid can't put bad codes into the applications themselves, without it getting noticed.

JustBeginnez

Response to misinformation about our Sensors permission from F-Droid

DeletedUser499

Why use F-droid or obtainium,
Just go to Github, where they probably go anyway and download your apps, use a VPN if you have to. You may need to search a bit to find them.
My two apps I use came from Github and within both apps there was a toggle to enable app updates.
Obtainium, g@@gle play F-droid etc not required.

DeletedUser495

DeletedUser499 the problem with Github is it is Microsoft owned. You should always verify authenticity of an app you download.

I tend to go Aurora Store way. By now I know all apps genuinely come from Google. You can create a separate user with sandboxed Google to do these checks purely for app downloads (not for use). Download an app from Play and extract hash by App Manager (in particular app App info > Scanner) and later compare with hash extracted from the same app (and same version of course) in your daily driver profile. Of course this is not going to deal with any compatibility issues your app may encounter which Google/app developer in their wisdom decided to implement (I simply take a big fat pass on those apps, they are not worth my effort).

DeletedUser498

I am converting all my Obtanium/GitHub sourced applications to F-Droid ones. Thank you for your replies.

Quantum

DeletedUser498 You should definitely do a search on the forum about F-Droid vs Aurora vs Play Store vs Obtanium vs Accrescent