Electric Sheep
npub1j04…fxku
2024-11-27 02:49:47
in reply to nevent1q…dvdv

Thanks a lot for the detailed response. Just posting the link would have been quicker for you, so I appreciate you taking the time.

"If the dev releases the apk on F-Droid only, then that is the release repo (not GitHub/GitLab, Codeberg), straight from the dev. Using Obtainium, in this case, now introduces a third party"

I guess the underlying issue here is one of dev practice. If all mobile app devs ran their own release repo, independent of *both* code forge and app library, then something like Obtainium could always download directly from the dev.

Installing with F-Droid could then be an automated process of adding that repo, and installing from it. At least as an option, for those who don't want to trust the F-Droid team to compile from source.

As things stand, people using Android apps are usually forced to trust either Goggle Prey Store, GritHub, or F-Droid. I know which of the 3 I trust. F-Droid is the only one where full source code is available for *every* link in their distro chain.

In the long term though, the solution to all this is Reproducible Builds. Or some other way of checking whether a binary (or server) is compiled from the published source code.
Author Public Key
npub1j04j8tgajf6w8c5yh2lp65rl9jqdr6kz70h4f95nvx52r7fxekhsvafxku