repository systems like etc have key issues that make them hard to decentralize properly: solid verification is optional, one repo can override packages from another, and the tooling makes it hard to see which repo was actually used. has additional measures which make it more trustworthy, but if devs add repos, those can still override it. verification helps a lot when using Maven repos but does not solve everything 1/2


and require signature verification, and is built on top of 's APK signing. This improves things a lot but does not mean they are immune. Debian and F-Droid repos can still override packages lower priority repos. It could make sense to have a "no overrides allowed" setting, but that would restrict useful features. Maybe F-Droid could implement "no new signing keys when overriding" rule by default, I wonder how much that would break what people are doing now? 2/2

Sign in to participate in the conversation
Librem Social

Librem Social is an opt-in public network. Messages are shared under Creative Commons BY-SA 4.0 license terms. Policy.

Stay safe. Please abide by our code of conduct.

(Source code)

image/svg+xml Librem Chat image/svg+xml