Right, which is a lower security standard than rebuilding from source. If you trust fdroid, it is the best. If you don’t trust fdroid, and it’s a reproducible build, then you get fdroid confirming the binary is from the source, but it’s signed by the developer, meaning fdroid didn’t modify it.
Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust. Additionally, the requirements for an app to be included in the official F-Droid repo are less strict than other app stores like Google Play, meaning that F-Droid tends to host a lot more apps which are older, unmaintained, or otherwise no longer meet modern security standards.
Other popular third-party repositories for F-Droid such as IzzyOnDroid alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers’ own repositories. However, it is not something that we can fully recommend, as apps are typically removed from that repository if they are later added to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they’re accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates.
That said, the F-Droid and IzzyOnDroid repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through other means such as the Play Store, Aurora Store, or by getting the APK directly from the developer. You should use your best judgement when looking for new apps via this method, and keep an eye on how frequently the app is updated. Outdated apps may rely on unsupported libraries, among other things, posing a potential security risk.
Oh, I see your point. But generally, I tend to trust that the developer isn’t going to put out a binary that is different from the source code they publish. My chain of trust would be: fdroid, being the best; the developer’s binary directly, being second, and open source; and then something like Google Play with closed-source crapware.
From what I understand, Izzy takes the builds directly from the application’s git repository.
not necessarily
https://f-droid.org/docs/Reproducible_Builds/
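The check the linked F-Droid documentation describes is, at its core, "rebuild from source, then confirm the rebuilt APK matches the developer's signed APK once the signature is set aside". The script below is an added illustration of that comparison, written for this thread; it is not F-Droid's own tooling, and it is deliberately looser than F-Droid's byte-level comparison: it compares each zip entry's uncompressed content by name and ignores only the v1 (JAR) signature files under `META-INF/` (the v2/v3 APK Signing Block sits outside the zip entries, so `zipfile` never sees it). The three sample APKs are constructed in memory with `make_apk`, a helper invented here, so nothing is downloaded.

```python
import hashlib
import io
import zipfile

# v1 (JAR) signature files live under META-INF/. v2/v3 signatures are stored in
# the APK Signing Block before the central directory, outside the zip entries,
# so a zipfile-based comparison already ignores them.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def is_signature_entry(name: str) -> bool:
    """True for entries that only the signer adds (manifest digests, signature, cert)."""
    if not name.startswith("META-INF/"):
        return False
    return name.endswith(SIGNATURE_SUFFIXES) or name == "META-INF/MANIFEST.MF"


def content_digests(apk_bytes: bytes) -> dict:
    """Map every non-signature entry name to the sha256 of its uncompressed bytes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_builds(developer_apk: bytes, rebuilt_apk: bytes) -> dict:
    """Compare the developer-signed APK with an unsigned local rebuild.

    Returns which entries exist only on one side and which differ in content.
    'reproducible' is True only when every non-signature entry matches exactly.
    Note: this is an entry-level check; F-Droid's real comparison is stricter
    (byte-for-byte after stripping signatures), so a pass here is necessary,
    not sufficient.
    """
    dev = content_digests(developer_apk)
    ours = content_digests(rebuilt_apk)
    only_in_dev = sorted(set(dev) - set(ours))
    only_in_rebuild = sorted(set(ours) - set(dev))
    changed = sorted(n for n in set(dev) & set(ours) if dev[n] != ours[n])
    return {
        "reproducible": not (only_in_dev or only_in_rebuild or changed),
        "only_in_dev": only_in_dev,
        "only_in_rebuild": only_in_rebuild,
        "changed": changed,
    }


def make_apk(entries: dict) -> bytes:
    """Build an in-memory zip standing in for an APK (helper invented for this example)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data: the same three app files in every build.
COMMON = {
    "AndroidManifest.xml": b"<manifest package='org.example.app'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
    "res/layout/main.xml": b"<LinearLayout/>",
}
# The developer's published APK carries v1 signature files; our rebuild is unsigned.
DEVELOPER_APK = make_apk({
    **COMMON,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82\x01\x00" + b"\x00" * 16,  # placeholder PKCS#7 blob
})
REBUILT_APK = make_apk(COMMON)
# A build whose dex differs from the published source would be caught here.
TAMPERED_APK = make_apk({**COMMON, "classes.dex": COMMON["classes.dex"] + b"extra"})

if __name__ == "__main__":
    print("clean rebuild:", compare_builds(DEVELOPER_APK, REBUILT_APK))
    print("tampered build:", compare_builds(DEVELOPER_APK, TAMPERED_APK))
```

Running it reports the clean rebuild as reproducible and flags `classes.dex` as changed in the tampered one. In practice you would feed it the APK downloaded from the developer's release page and the APK produced by your own build of the tagged source, and treat any entry in `only_in_dev`, `only_in_rebuild` or `changed` as a reason not to install until explained.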