this post was submitted on 06 Feb 2024
1053 points (99.0% liked)
Microblog Memes
5765 readers
1983 users here now
A place to share screenshots of Microblog posts, whether from Mastodon, tumblr, ~~Twitter~~ X, KBin, Threads or elsewhere.
Created as an evolution of White People Twitter and other tweet-capture subreddits.
Rules:
- Please put at least one word relevant to the post in the post title.
- Be nice.
- No advertising, brand promotion or guerilla marketing.
- Posters are encouraged to link to the toot or tweet etc in the description of posts.
Related communities:
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
F-Droid compiles apps from source by itself, without blindly trusting that the APK provided by the developer actually came from the source code. After independent compilation, one of two things happen:
If the app uses reproducible builds, then F-Droid verifies that its own compiled APK matches byte-for-byte with the APK provided by the developer. If they match, F-Droid distributes the APK signed with the developer's signing key, same as Play Store does (except Play Store doesn't verify anything).
Otherwise, F-Droid distributes its own compiled APK signed with F-Droid's signing key.
In either case, F-Droid guarantees that you get an app that matches the source code exactly.
None of this process should matter to you as a user, and it's all fairly transparent from a user's perspective. F-Droid gives you certain guarantees and internally enforces these guarantees, while Play Store does not.
Plus, if the app supports reproducible build, fdorid will just delivers the app to you via the developer's signature. So it is just a additional verification without adding any trusted party. App signing section https://f-droid.org/docs/Security_Model/
fdroid also manually inspect the source to make sure nothing funky is going on. But of course that cannot be absolutely through, because the time and workforce constraint.
Finally, fdroid has updated to index v2 which improves the security of index v1, specifically:
https://f-droid.org/docs/Security_Model/