The importance of F-Droid, an Android app store (opens in new tab)

Privacyguides isn't very good in my experience. It's got a real "blind leading the blind" thing going on, where a bunch of half-truths are repeated ad-nauseam because at some point, someone told them that thing X is bad for your privacy. It's probably best exemplified in how they can't seem to stop recommending Brave, even though you're probably better off just loading up literally any other browser that isn't Google Chrome with privacy extensions instead.

Practically speaking, you should just assess the following threat model; which is going to be a greater threat to you:

* An application developer who can be bought out and have their tools replaced with adware. (Ref. https://news.ycombinator.com/item?id=38505229 )

* The F-Droid servers, where the most realistic threat is a rogue actor obtaining the keys.

That second one is also mitigated by the fact that F-Droid generally prefers to practice "reproducible signing"; basically they'll distribute the developers apk, not the one on F-Droids buildserver, if the F-Droid release matches the GitHub release (minus the signature obviously), making the signature problem mostly a non-issue.

For most people, I'd argue the former (a "surprise update" to insert anti-features[0]) is a greater risk than the latter, so F-Droids model fits them better. The sole exception would be extremely privacy sensitive apps where trusting the developer is more paramount than having the second man in-the-middle that F-Droids maintainers are. (A basic example of that would probably be Signal.)

[0]: As defined here, although not all are relevant for users: https://f-droid.org/docs/Anti-Features/ , although I'd just add de facto adding pointless microtransactions and subscriptions to this list. They're just not included since F-Droid wouldn't ship them.

This is part of the longstanding devs vs. distros tug of war. There is a loss of control for the devs, but it's better for the user to have distros like F-Droid. The alleged security benefits feel paternalistic, like the dev knows best so only they should be able to sign binaries. Why someone would get into FOSS development and then get upset when someone exercises their rights to build from source and distribute binaries is baffling to me.

> F-Droid compiles and signs all the apps on behalf of the application developers

At least they are open and honest about it. As opposite to Google, who promised to let developers do the signing, but soon (after gaining worldwide popularity) took over with extremely shoddy justification.

The first source you linked is run by GrapheneOS community members so it's slightly biased: https://privsec.dev/about/

Isn't this the same situation as with linux software repos?

Packager middlemen give me a layer of protection against application developers selling out to malware companies.

Do these same concerns still pertain to dev-hosted F-Droid repos? (E.g. I am thinking of how I install Bitwarden from the their own repo: https://mobileapp.bitwarden.com/fdroid/)

IMHO, one of the best parts about the F-Droid ecosystem is its openness. Security models are not a one-size-fits-all and it is important to me to have access to software from multiple sources.

Security is a while different topic. The article is about the positive aspects of demopolisation, freedom and competition.

There's no overwhelming financial incentive in open-source applications, while both mobile stores are a constant arms race in monetization, advertisement and shady practices, where legitimate and privacy respecting alternatives are relegated to obscurity and difficult to find even if you're specifically looking for them by name. In some ways FOSS software is even discouraged from being published due to some rules (see for example donation links being strictly forbidden) and the probability of fake malicious apps, like NewPipe or SimpleMobileTools clones.

Because F-Droid contains a minuscule fraction of the apps on the Google Play store and because since F-Droid only allows open source applications it's much easier for them to determine shady behaviour (Google can't simply mandate that all apps on their store be open source).

The Aurora Store app is just a frontend for the play store. It's a useful tool, but gives none of the benefits the existence of F-Droid provides to the world. Obtainium just fetches an .apk from a site, also useful, but provides none of the security aspects of F-Droid or the Play Store.

There is no good alternative to F-Droid. Thankfully that's just because it is such a great concept.

I didn't realise quite how many repos exist for f-droid:

https://forum.f-droid.org/t/known-repositories/721

Izzyondroid is the only one I've added in the past.

less coffee more nix

Me too! I would've legitimately given iPhone a spin had Apple actually complied with the spirit of the law and not just the fine print.