Here's a little thing that may not be obvious to many people....

When you install an open-source app from Google Play or the Apple app store, there is no guarantee that what you install actually matches the public code.

@fdroidorg are doing a great service. They independently build the public source code for apps from scratch, review for common issues, and publish their builds. Thanks to "reproducible builds" it's possible to verify they do not tamper with the code.

@XxAlexXx @fdroidorg Hi! Could you clarify your question?

This link provided in the post is a great overview of all the security-related aspects of the pipeline that F-Droid considers: (it's quite comprehensive!)

@snikket_im @fdroidorg Except it doesn't explain a malicious app which was intended to be malicious by the user

F-Droid does flag any known anti-features in the apps it includes in its repo. If anyone wants to offer a repo that tries to offer only trustworthy apps, a user could choose to use that with the F-Droid app, instead of the default repos. But then the question becomes can we trust the people running that repo? 🤔

@strypey @XxAlexXx @snikket_im it's turtles all the way down.

I think this is a tough question all repos deal with? Currently just hoping there are enough eyes on code and not being too greedy installing things?

Although automated approaches might be good. Like, I saw malicious Python libraries using `eval` and base64 encoding? Presumably some people were already scanning for dubious stuff and `eval` wasn't on the list. (don't use `eval` when you don't have to!)
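As an added example (not code from this thread or from F-Droid), here is a small defensive scanner for exactly the smell described above: it walks a module's AST with Python's `ast` module and flags `eval`/`exec`/`compile` calls, rating them higher when their arguments come from a base64-family decoder. The two sample modules at the bottom are constructed for illustration.

```python
# Added example (not from the thread): an AST scanner for the pattern mentioned
# above, eval/exec fed by base64-style decoders. The sample modules at the
# bottom are constructed for illustration, not real packages.
import ast

DYNAMIC_EXEC = {"eval", "exec", "compile"}
DECODERS = {"b64decode", "b85decode", "a85decode", "b32decode", "b16decode"}


def _call_name(call):
    """Return the simple name of a call target, e.g. 'eval' or 'b64decode'."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def _uses_decoder(node):
    """True if any call inside this expression is a base64-family decoder."""
    return any(isinstance(sub, ast.Call) and _call_name(sub) in DECODERS
               for sub in ast.walk(node))


def scan_source(source, filename="<unknown>"):
    """Report every eval/exec/compile call; rate it 'high' when its arguments
    are produced by a decoder (the obfuscation smell), otherwise 'medium'."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if isinstance(node, ast.Call) and _call_name(node) in DYNAMIC_EXEC:
            obfuscated = any(_uses_decoder(arg) for arg in node.args)
            findings.append({"file": filename, "line": node.lineno,
                             "call": _call_name(node),
                             "severity": "high" if obfuscated else "medium"})
    return sorted(findings, key=lambda f: f["line"])


# Constructed samples: a benign module and one showing the obfuscation pattern.
BENIGN = "import json\ndata = json.loads('{\"a\": 1}')\nprint(data['a'])\n"
SUSPICIOUS = ("import base64\n"
              "payload = 'cHJpbnQoJ2hlbGxvJyk='\n"
              "exec(base64.b64decode(payload).decode())\n"
              "total = eval('1 + 1')\n")

if __name__ == "__main__":
    for f in scan_source(BENIGN, "benign.py") + scan_source(SUSPICIOUS, "suspect.py"):
        print(f"{f['file']}:{f['line']} {f['call']}() severity={f['severity']}")
```

A string-level grep for `eval(` misses the aliased and decoded forms; working on the AST makes the check independent of spacing and of how the decoded payload is threaded through the expression.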

