In the GrapheneOS forum, I encountered a claim that F-Droid is insecure (and not good at privacy as well). These links (and more) were given as evidence:
- https://privsec.dev/posts/android/f-droid-security-issues/
- https://xcancel.com/GrapheneOS/status/1883895255142932816#m
- https://github.com/obfusk/fdroid-fakesigner-poc
While there is some attitude against FOSS apps, I think the arguments are generally sound and in good faith. This confuses me, as I've been hearing good words about F-Droid in the lemmyverse.
I am not good at assessing arguments, so I want to ask you guys for more aspects and information.
Also, if not F-droid, what should I use? Is Aurora store, a frontend of play store, not fine to use as well?
Your options are building from source, downloading dev APKs, or using an app store. If you can't trust anyone, then you need to build from source.
F-Droid is the best of the app stores; they are always trying to stay ahead of the curve when it comes to privacy, security, and trust.
Reproducible builds are the standard for FOSS trust; see this article for an overview. They close the gap between app stores and dev APKs.
F-Droid are constantly working to increase the prevalence of reproducible builds, and to enable you to verify more so you have to rely less on trust.
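To make the "verify more, trust less" point concrete, here is an added example (not code from the thread or from F-Droid) of the check a reproducible build enables: a developer-signed APK and a store-built APK are compared entry by entry, ignoring only the signature files under META-INF, so any other difference in the shipped bytes shows up. The helper names and the constructed sample APKs are this example's own.

```python
"""Reproducibility check between two APKs: every ZIP entry must match except the
signature files in META-INF, which legitimately differ between signers.
(Added example; helper names and sample data are constructed for illustration.)"""
import hashlib
import io
import zipfile

# Entries that differ between a developer-signed and a store-signed APK.
# Everything else must be byte-identical for the build to count as reproducible.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", ".MF")

def is_signature_entry(name: str) -> bool:
    return name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)

def content_digests(apk_bytes: bytes) -> dict:
    """Map each non-signature entry to the SHA-256 of its uncompressed bytes.
    The APK Signing Block (v2/v3 signatures) sits outside the ZIP central
    directory, so zipfile never sees it and it is skipped automatically."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def compare_apks(dev_apk: bytes, store_apk: bytes) -> list:
    """Return the sorted names of entries that are missing or changed between the
    two APKs. An empty list means the builds match apart from their signatures."""
    a, b = content_digests(dev_apk), content_digests(store_apk)
    return sorted(n for n in set(a) | set(b) if a.get(n) != b.get(n))

def make_apk(entries: dict) -> bytes:
    """Build a minimal ZIP standing in for an APK (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    # Same app code, different signers: expected result is an empty list.
    dev = make_apk({"classes.dex": b"dex", "META-INF/DEV.RSA": b"sig1"})
    store = make_apk({"classes.dex": b"dex", "META-INF/STORE.RSA": b"sig2"})
    print(compare_apks(dev, store))
```

On real APKs, read both files with `open(path, "rb").read()` and pass the bytes to `compare_apks`; a non-empty list names exactly the entries whose contents diverge.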