#Debian and #FDroid require signature verification, and #FDroid is built on top of #Android's APK signing. This improves things a lot but does not mean they are immune. Debian and F-Droid repos can still override packages from lower-priority repos. It could make sense to have a "no overrides allowed" setting, but that would restrict useful features. Maybe F-Droid could implement a "no new signing keys when overriding" rule by default. I wonder how much that would break what people are doing now? 2/2
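
A sketch of the "no new signing keys when overriding" rule proposed above, as an added example that is not part of the original post and is not F-Droid's or Debian's code. The data model, repo names, package names and fingerprints are constructed, and it assumes a larger priority number wins regardless of version.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    name: str
    version_code: int
    signer: str  # signing-certificate fingerprint (constructed placeholder)


def resolve(repos, allow_new_signers=False):
    """Pick one package per name across repos (hypothetical model).

    repos: list of (priority, repo_name, [Package]); a larger priority
    number wins. Returns (selected, rejected).
    """
    selected = {}   # name -> (repo_name, Package)
    known = {}      # name -> signers already seen in lower-priority repos
    rejected = []   # (repo_name, Package, reason)
    for _prio, repo_name, packages in sorted(repos, key=lambda r: r[0]):
        for pkg in packages:
            signers = known.setdefault(pkg.name, set())
            is_override = pkg.name in selected
            if is_override and pkg.signer not in signers and not allow_new_signers:
                # Higher-priority repo tries to replace a package with a key
                # never seen for it before: keep the lower-priority copy.
                rejected.append((repo_name, pkg, "new signing key on override"))
                continue
            signers.add(pkg.signer)
            selected[pkg.name] = (repo_name, pkg)
    return selected, rejected


# Constructed sample data: every name and fingerprint here is made up.
REPOS = [
    (1, "main", [Package("org.example.notes", 12, "AA11"),
                 Package("org.example.mail", 40, "BB22")]),
    (2, "nightly", [Package("org.example.notes", 13, "AA11")]),    # same key: allowed
    (3, "thirdparty", [Package("org.example.mail", 99, "EE55"),    # new key: blocked
                       Package("org.example.extra", 1, "CC33")]),  # not an override
]

if __name__ == "__main__":
    selected, rejected = resolve(REPOS)
    for name, (repo, pkg) in sorted(selected.items()):
        print(f"{name}: {repo} v{pkg.version_code} signer={pkg.signer}")
    for repo, pkg, reason in rejected:
        print(f"REJECTED {pkg.name} from {repo}: {reason}")
```

Running it with `allow_new_signers=True` shows the current override behaviour for comparison: the `thirdparty` copy of `org.example.mail` replaces the one from `main`.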