If you can do better let’s see it. This post is for altruists and archivists… clearly you’re neither.

the bots and down-vote brigades are outta control

If you think Fdroid security is on par with Google security… then I got a bridge to sell you

The diminished security resulting from the increased likelihood of a (single point of failure) supply chain attack.

Yes its possible for malicious devs to trojan apps, but due to apk signing it is much more difficult for a third party entity to induce a supply chain attack, which is my real concern when it comes to phone security.

If you have a lower threat model, this post isn’t for you…

Doesn’t affect the end user… beyond diminished security. Are you implying I should trust Fdroid devs as much as I would trust Google devs?

Love F-Droid but be aware of the risks and always try to use a developer repo when possible…

https://privsec.dev/posts/android/f-droid-security-issues/

From Riseup: “Due to Thanksgiving and other deadlines, our lawyers were not available to advise us on what we can and cannot say,” the collective member told me. “So in the interest of adopting a precautionary principle, we couldn’t say anything. Now that we have talked to [counsel], we can clearly say that since our beginning, and as of this writing, riseup has not received a NSL, a FISA order/directive, or any other national security order/directive, foreign or domestic.”

Intercept article: “And yet, when I asked if riseup had received any request for user data since August 16, the collective did not comment. Clearly, something happened, but riseup isn’t able to talk about it publicly. The riseup collective is currently having internal discussions about when it will be able to update its warrant canary.”