That’s it. Would you recommended any other repository?

  • Moonrise2473@feddit.it
    link
    fedilink
    arrow-up
    2
    ·
    8 months ago

    The fdroid repository has only apps built by fdroid itself using the published source code, while a private repo could have a binary that doesn’t match the source.

    It might be a financial incentive for someone to hack the dev, steal their signing keys, silently add a timebomb that at a specific time would send the whole content of the wallet to a specific monero address, replace the apk after a new release is added. Nobody would notice until too late

    Difficult hack but not impossible

    • shortwavesurfer
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      8 months ago

      That is a fair point. The protection of the main fdroid repo is that they build it from source and then compare the binaries to make sure they match if i understand reproduceable builds correctly.

      Edit: But if a hacker hacked the developer, wouldn’t they just change the source code as well so that they still match? Like if I wanted to hack Monerujo id want to get the git repo if possible along with the repo keys so i could push malicious code to the git repo, build a binary from that malicious code, publish it on the devs fdroid repo and then when fdroid compares the binary to source they match even though they are malicious.