bluejay@lemmy.dbzer0.comtoAndroid@lemdro.id•[Android][App] Obtainium. Get Android App Updates Directly From the Source.English
0·
1 year agoThe developer of obtainium or the packages we’re installing? I’ll assume the former. If you’re skeptical about obtainium you could still use it as a source to monitor && notify and then do your install manually.
How does f-droid solve this problem? From my understanding they confirm that the
.apk
provided by the dev matches what compiles from source and run it through Virus Total. Those are trivial steps for a malicious dev to take to slip in something nefarious.At that point you’re relying on the community to check every commit for nefarious code $x. Not to mention they could simply build up community trust for some time before slipping in the code, since they’d effectively be burned once (if?) their very first shady code commit is found.
I can’t imagine f-droid would go on the hook and say everything they build is also code reviewed for malicious stuff, right?