F-Droid Security Issues (2022) (privsec.dev)
17 points by karlzt 3 months ago | 9 comments



I now use Obtainium[1] for my open source Android apps; it grabs APKs straight from the source (GitHub, GitLab etc.). Once you get each app set up it's a breeze and you don't have to deal with F-Droid's strangeness.

[1] https://github.com/ImranR98/Obtainium


Obtainium is cool and useful for some apps, but it's a strictly worse option than F-Droid. With it, when a developer goes rogue or a git repository gets taken over there is no security measure anymore that could catch that. Also, the measures F-Droid takes to ensure the software is free can be welcomed; the article nitpicks one case where it went wrong, but ignores completely that one could prefer free software in general. If one does, F-Droid is the best choice available.


This is cool. I use F-Droid, but there are a few external sites I still need to fetch APKs from every once in a while. Does this still check the signatures?


App signature is enforced by the system, so yeah.

Doesn't check MD5/SHA1 signatures afaik though if that's what you meant.
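The "enforced by the system" point above refers to Android refusing to install an update whose signing certificate differs from the one on the already-installed app. Anyone fetching APKs from release pages by hand can apply the same two gates before installing: a published file checksum and a pinned signer-certificate digest. The shell script below is an added example written for this thread, not code from any commenter or from Obtainium, F-Droid or Accrescent. It assumes the Android build-tools `apksigner` is on PATH, that the `Signer #1 certificate SHA-256 digest:` line is the one `apksigner verify --print-certs` prints, and that the two pinned constants are placeholders to be replaced with values recorded from a trusted first install.

```shell
#!/bin/sh
# Added example: gate a sideloaded APK update on (1) a published SHA-256 file
# checksum and (2) a pinned signing-certificate digest, mirroring the
# same-signer rule Android applies to updates. Assumes apksigner (Android
# build-tools) is installed. Both pinned values below are placeholders.

PINNED_SIGNER_SHA256="0000000000000000000000000000000000000000000000000000000000000000"  # placeholder
EXPECTED_APK_SHA256="0000000000000000000000000000000000000000000000000000000000000000"   # placeholder

# file_sha256 FILE: print the hex SHA-256 of FILE (sha256sum, or shasum on BSD/macOS)
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# check_file_sha256 FILE EXPECTED: succeed only when the file checksum matches
check_file_sha256() {
  actual=$(file_sha256 "$1")
  [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# extract_signer_sha256: read `apksigner verify --print-certs` output on stdin and
# print the first signer's certificate SHA-256 digest, lowercased with spaces removed
extract_signer_sha256() {
  sed -n 's/^Signer #1 certificate SHA-256 digest: *//p' | head -n 1 | tr -d ' ' | tr 'A-F' 'a-f'
}

# check_signer OBSERVED PINNED: succeed only when both are non-empty and equal,
# so a missing digest line can never pass the gate
check_signer() {
  [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# verify_apk FILE: run both gates; a non-zero exit means "do not install"
verify_apk() {
  apk=$1
  check_file_sha256 "$apk" "$EXPECTED_APK_SHA256" || { echo "checksum mismatch: $apk" >&2; return 1; }
  observed=$(apksigner verify --print-certs "$apk" | extract_signer_sha256)
  check_signer "$observed" "$PINNED_SIGNER_SHA256" || { echo "signer mismatch: $apk" >&2; return 1; }
  echo "ok: $apk"
}

# Usage: verify_apk app-release.apk && adb install -r app-release.apk
```

The signer pin is the part that catches a hijacked repository or a rogue maintainer re-signing with a new key: the checksum only proves you downloaded what the release page advertised, while the certificate digest ties the file to the key that signed every earlier version you installed.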


This is from 2022. The only recent update is to add a reference to the Sniket blog post which is also from 2022. So this should have (2022) in its title.


Ok, added. Thanks!


This mostly seems like a cope that F-Droid takes action on behalf of users and makes sure that apps are as open source as they claim.

Good. I don't trust application developers. I trust f-droid to do due diligence and ensure that the app is safe, not the app developer. Screw the "android security model", it's designed for containerizing closed-source software.

P.S. Edit:

Interestingly, the article contains a "Meta" section that claims that their criticisms are completely technical (I would disagree, they're largely subjective organizational criticisms based on "best practices"). The "Meta" section also claims that the project isn't associated with grapheneOS, which I didn't make much of until I read the page of the alternative app store they recommend (https://accrescent.app/) which seems to shout out grapheneOS users in particular.

Also, this section is really weird and sounds a lot like grapheneOS developers, who seem to be easily sidetracked by supposed "harassment campaigns":

"In spite of this, the release of this article has unfortunately triggered a mostly negative response from the F-Droid team and some of their community, who seem to take a dismissive stance toward this article rather than bringing relevant counterpoints. Some of these individuals go as far as engaging in harassment campaigns against projects and security researchers that do not share their views; hopefully they realize that such unethical behavior undermines their own project and reputation. Creating a rift between developers and security researchers is not in anyone’s best interest."

Also also, I think that this article focuses too much on technical gimmicks to the detriment of the openness of the system as a whole, which I think is a common theme around grapheneOS. For example, grapheneOS's decision to only use the google pixel platform due to the specific trusted computing features of those phones, to the detriment of the portability and usability of the OS. So I suspect there may be some weird association with grapheneOS here.

I don't know what to think of this, it's very weird. I used to use grapheneOS but stopped mostly due to the erratic public behavior of grapheneOS developers. I don't think that it is malicious, but it's indicative of a personality disorder which isn't conducive to leadership.


> Interestingly, the article contains a "Meta" section that claims that their criticisms are completely technical (I would disagree, they're largely subjective organizational criticisms based on "best practices").

I'd argue that it's a matter of threat model; most of their objections appear to be that they come from a completely different idea of what the goals of the system are and what it tries to protect against. Which... yeah, isn't a technical matter at all.


You are correct. These are people from the grapheneOS community, and it is evident from their positioning. This is not a valid security criticism, but baseless fud.



