A post from the developer of WireGuard on the severe security flaws and lack of trustworthiness of F-Droid:

gitlab.com/fdroid/fdroiddata/-

This led to them including a self-update system which was openly implemented and documented. F-Droid was unaware they'd shipped it for half a year, and by then WireGuard had essentially escaped from, in their words, being held hostage by F-Droid.

This was a rare case where an app used developer signing keys via their flawed reproducible builds system. Most don't.

For the vast majority of apps they package, F-Droid downloads and builds whatever developers publish, then signs it with their own keys and releases it. They aren't doing any real review as people believe. What they really do is run things through basic scans looking for libraries they've disallowed, primitive antivirus checks for common Android malware as if that's what malicious code in an open source project would be, etc. It took them that long just to realize an app openly took over updates.


F-Droid has incredibly poor security practices and a strong anti-security attitude held by most of the people involved. They've consistently engaged in cover-ups of vulnerabilities and targeted multiple security researchers with libel and harassment.

It's a massive single point of failure and not worthy of the trust many people are placing in it. It's adding another trusted party compared to using the apps built and signed by the developers. It is not avoiding trust in the developers of apps.


Regularly not shipping critical Firefox security patches for months is the norm for the main F-Droid repository. Whether or not they sign the apps themselves as they do for the vast majority of apps, updates can be indefinitely delayed based on issues with their outdated infrastructure or their Debian-style downstream patches needing to be updated.

For the small subset signed by the app developers, many kinds of disagreements between F-Droid and developers will mean an end to receiving updates.


@GrapheneOS

You are not the only ones that struggle with f-droid. (There is an ongoing struggle to fix certificate pinning by f-droid by a former maintainer, which has neither been acknowledged nor accepted.)

But the question is: what alternatives are there? As far as I can tell, f-droid is the only large-scale repository of open source apps there is.

@newhinton @GrapheneOS There is a new project here accrescent.app/

I don't know much about it, can't verify anything, just heard about it

@Kulei @newhinton We recommend using Accrescent for the apps which are available through it. It's not specific to either open source apps or privacy focused apps but rather is meant to become a Play Store alternative.

Obtainium + App Verifier for getting apps directly from developers, although we'd prefer a leaner and more security focused approach than Obtainium.

@GrapheneOS While I appreciate bringing up the security concerns and the existence of alternatives to #FDroid, I do not think we have those when it comes to pure FOSS apps without the usual big corporate trackers/libs. #Accrescent lists a few apps and fails to provide relevant information about them (such as requested permissions). E.g. #Qlango includes multiple tracking libraries by #Meta / #Facebook and doesn't look like it is FOSS to any degree. Even though the #FDroid repo is not carefully curated, I don't run into traps like these. 🤷

There is a need for a curated and maintained FOSS app repo and currently there is nobody but @fdroidorg providing it. #Obtainium, #Accrescent are mostly options for expert users who know exactly whom to trust and what they are looking for. @Kulei @newhinton


@cryptgoat @GrapheneOS @fdroidorg @Kulei @newhinton Thanks for the warning about Qlango. I was considering it.

Librem Social
Librem Social is an opt-in public network. Messages are shared under Creative Commons BY-SA 4.0 license terms.