Fdroid one is built by the fdroid team the other is built by github actions (on github servers, using the original dev's instructions).
The fdroid team curates packages: they validate signatures, checksums, build reproducibility, checks for suspicious app behavior, etc. The disvantage is that the fdroid version always lags a bit behind.
In terms of attack surface: the fdroid build can be tampered only by fdroid while the github build can be tampered only by github before arriving at your phone.
Wow thank you for that detailed post. You filled me with knowledge. I didnt know all of that. It seems neither way is fully trustworthy. I wonder if getting the apk directly from the developer website is the best practise then.
Apks from the developer website are most often the same as the ones on github.
Right but github could tamper with the apk.
That's not just theoretical, if you google it they have tampered with build signatures of joinmarket in the past.
And its owned by Microsoft. Im not so sure Obtainium is the best option pulling from github. F-Droid isnt perfect either. Just trying to figure out the safest most free way to get my apks from. You have been very helpful widening my understanding!🙏
It's all about who do you trust more. Sure fdroid is one more middleman, but they are a trusted agent in the FOSS community and provide valuable package curation and oversight.
There's no such thing as trustless binary distribution.
