How can we trust the F-Droid package if they build and/or sign the APK themselves? Are there reproducible builds? And if so is anyone verifying them publicly?
this post was submitted on 28 Jul 2024
6 points (100.0% liked)
Security
684 readers
1 users here now
A community for discussion about cybersecurity, hacking, cybersecurity news, exploits, bounties etc.
Rules :
- All instance-wide rules apply.
- Keep it totally legal.
- Remember the human, be civil.
- Be helpful, don't be rude.
Icon base by Delapouite under CC BY 3.0 with modifications to add a gradient
founded 2 years ago
MODERATORS
F-Droid is like package maintainers for Linux distributions. You have to trust them if you want to use their pre-built binary. However, some app builds are reproducible. Check the doc for more info.