@birdinfire@mstdn.social Well, hopefully we can both agree that reproducible builds (where the binary matches a known good hash no matter who builds or re-builds it) are the best solution here, and F-Droid is helping the effort toward that. Also don't forget that F-Droid is not a centralized technology -- the name does refer to a primary repo, but anyone can stand up their own repo and sign everything with their own key. Besides, which store allows you to pass through your own signature on your upload?