Earlier this year, we reported about our progress concerning reproduciblebuilds. Meanwhile, more and more appsare using this; you can find some statisticsher...
Yes, that video is primarily complaining about F-Droid self-signing, and that it creates: a requirement to trust them; a single point of failure for security; and slows updates
The trade off is that developers must maintain their key, if they lose it the user must uninstall and reinstall the app, as Android will not trust an update signed with a different key
What alternative does the video promote? Trusting Google and the Playstore? Trusting each dev of every app to deliver apks which match the code? I don’t want to give the video more clicks if it’s scaring away people from F-droid towards worse alternatives.
No need to click, it complains about exactly what has now been changed. In essence you are always trusting the dev, why add other parties to that chain
Wrong, if you are using F-droid, you aren’t trusting the dev, you are trusting F-droid and the source code, the dev CAN NOT give you an app that doesn’t match the code, and the code can be seen and reviewed by anyone.
Yes, that video is primarily complaining about F-Droid self-signing, and that it creates: a requirement to trust them; a single point of failure for security; and slows updates
The trade off is that developers must maintain their key, if they lose it the user must uninstall and reinstall the app, as Android will not trust an update signed with a different key
What alternative does the video promote? Trusting Google and the Playstore? Trusting each dev of every app to deliver apks which match the code? I don’t want to give the video more clicks if it’s scaring away people from F-droid towards worse alternatives.
No need to click, it complains about exactly what has now been changed. In essence you are always trusting the dev, why add other parties to that chain
Wrong, if you are using F-droid, you aren’t trusting the dev, you are trusting F-droid and the source code, the dev CAN NOT give you an app that doesn’t match the code, and the code can be seen and reviewed by anyone.