Replying to Avatar sommerfeld

Fdroid one is built by the fdroid team the other is built by github actions (on github servers, using the original dev's instructions).

The fdroid team curates packages: they validate signatures, checksums, build reproducibility, checks for suspicious app behavior, etc. The disvantage is that the fdroid version always lags a bit behind.

In terms of attack surface: the fdroid build can be tampered only by fdroid while the github build can be tampered only by github before arriving at your phone.
51
516add19... 2y ago

Wow thank you for that detailed post. You filled me with knowledge. I didnt know all of that. It seems neither way is fully trustworthy. I wonder if getting the apk directly from the developer website is the best practise then.

Reply to this note

Please Login to reply.

Discussion

Avatar
sommerfeld 2y ago

Apks from the developer website are most often the same as the ones on github.

51
516add19... 2y ago

Right but github could tamper with the apk.

Avatar
sommerfeld 2y ago

That's not just theoretical, if you google it they have tampered with build signatures of joinmarket in the past.

51
516add19... 2y ago

And its owned by Microsoft. Im not so sure Obtainium is the best option pulling from github. F-Droid isnt perfect either. Just trying to figure out the safest most free way to get my apks from. You have been very helpful widening my understanding!🙏

Avatar
sommerfeld 2y ago

My preference: fdroid > obtanium > aurora store. The one exception is amethyst which moves too fast for fdroid.

51
516add19... 2y ago

Agree 💯

In that order.

I should try Amethyst from Obtainium. I suppose I should first uninstall from F-Droid.

Avatar
sommerfeld 2y ago

It's all about who do you trust more. Sure fdroid is one more middleman, but they are a trusted agent in the FOSS community and provide valuable package curation and oversight.

There's no such thing as trustless binary distribution.