A post from the developer of WireGuard on the severe security flaws and lack of trustworthiness of F-Droid:
https://gitlab.com/fdroid/fdroiddata/-/issues/3110#note_1613430404
This led to them including a self-update system which was openly implemented and documented. F-Droid was unaware they'd shipped it for half a year, and by then WireGuard had essentially escaped from, in their words, being held hostage by F-Droid.
This was a rare case where an app used developer signing keys via their flawed reproducible builds system. Most don't.
For the vast majority of apps they package, F-Droid downloads and builds whatever developers publish, then signs it with their own keys and releases it. They aren't doing any real review as people believe. What they really do is run things through basic scans looking for libraries they've disallowed, primitive antivirus checks for common Android malware as if that's what malicious code in an open source project would be, etc. It took them that long just to realize an app openly took over updates.
F-Droid has incredibly poor security practices and a strong anti-security attitude held by most of the people involved. They've consistently engaged in coverups of vulnerabilities and targeted multiple security researchers with libel and harassment.
It's a massive single point of failure and not worthy of the trust many people are placing in it. It's adding another trusted party compared to using the apps built and signed by the developers. It is not avoiding trust in the developers of apps.
Regularly not shipping critical Firefox security patches for months is the norm for the main F-Droid repository. Whether or not they sign the apps themselves as they do for the vast majority of apps, updates can be indefinitely delayed based on issues with their outdated infrastructure or their Debian-style downstream patches needing to be updated.
For the small subset signed by the app developers, many kinds of disagreements between F-Droid and developers will mean an end to receiving updates.
You are not the only ones that struggle with f-droid. (There is an ongoing struggle to fix certificate pinning by f-droid by a former maintainer, which has neither been acknowledged nor accepted).
But the question is: what alternatives are there? As far as I can tell, f-droid is the only large-scale repository of open source apps there is.
@newhinton @GrapheneOS There is a new project here https://accrescent.app/
I don't know much about it, can't verify anything, just heard about it
@GrapheneOS @Kulei @newhinton What checks does Accrescent perform other than enforcing a minimum API level? I assume more checks than Google Play, but what are they?
F-Droid has a warning like "this app was built for an older Android version and cannot be updated automatically" (rough translation). I assume this refers to the app targeting an old API level?
> F-Droid has a warning like "this app was built for an older Android version and cannot be updated automatically" (rough translation). I assume this refers to the app targeting an old API level?
Apps with an ancient target API level aren't possible to fully automatically update. This is F-Droid warning that their automatic updates don't fully work due to not complying with those minimum target API expectations, not them adding a warning about target API level.
@elgregor @Kulei @newhinton
> What checks does Accrescent perform other than enforcing a minimum API level? I assume more checks than Google Play, but what are they?
You can read about their requirements on their site. They have a system for tagging apps that's being implemented for marking which ones are open source, have reproducible builds, etc. If you only want to use it for open source apps, you'll be able to do that. Apps being open source does not mean other standards aren't relevant.