F-Droid is an app store for Android where only open source applications are available for free. It provides an alternative to the proprietary Google Play Store, which is where most Android app distribution currently takes place. Because the Google Play Store is where most users go to find and install apps, this gives Google the power to exercise control over Android app developers. In this blog post, I describe the design, mechanism and results of this control from the perspective of a long-time Android app developer.
It would be a single point of failure for many apps in case the curators of F-Droid were dishonest or hacked. They could insert bad things into lots of packages without having to change the public source code. But it also becomes the only point where malware or backdoors could be inserted that way, instead of having to trust every single developer to build honestly off the source code, which we’d have to do if they just stuck prebuilt binaries up there. I don’t know how rational I’m being, but it makes me trust F-Droid apps more that they do it this way.
Also worth pointing out that F-Droid supports reproducible builds, which helps quite a bit with being trustable.
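The two comments above describe the threat (a build server that could insert something into packages without touching the public source) and the mitigation (reproducible builds, where an independent build of the same source can be compared against the one being shipped). The script below is an added illustration of that comparison, not code from the post or from F-Droid's own tooling (it does not reproduce fdroidserver's `fdroid verify`). It assumes the simplification that two builds of the same source should have byte-identical zip entries except for the JAR-style signature files under `META-INF/`, which legitimately differ when the developer and F-Droid sign with different keys; the sample APKs are constructed in memory so the check runs offline.

```python
import hashlib
import io
import zipfile

# JAR-style (v1) signature entries under META-INF/ are expected to differ when
# two parties sign the same build with different keys, so they are excluded.
# v2/v3 APK Signing Blocks are not zip entries at all and never enter this
# comparison. Everything else must match byte for byte.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")


def is_signature_entry(name):
    upper = name.upper()
    if not upper.startswith("META-INF/"):
        return False
    return upper.endswith(SIGNATURE_SUFFIXES) or upper == "META-INF/MANIFEST.MF"


def content_digests(apk_bytes):
    """Map every non-signature entry name to the SHA-256 of its decompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_builds(first_apk, second_apk):
    """Return (reproducible, differences) for two APKs built from the same source."""
    a = content_digests(first_apk)
    b = content_digests(second_apk)
    diffs = []
    for name in sorted(set(a) | set(b)):
        if name not in b:
            diffs.append("only in first build: " + name)
        elif name not in a:
            diffs.append("only in second build: " + name)
        elif a[name] != b[name]:
            diffs.append("content differs: " + name)
    return (not diffs, diffs)


def make_apk(entries):
    """Build a constructed, minimal APK-shaped zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def sample_builds():
    """Constructed inputs (not real APKs): developer-signed, F-Droid-signed, tampered."""
    payload = {
        "AndroidManifest.xml": b"<manifest package='org.example.app'/>",
        "classes.dex": b"dex\n035\x00" + bytes(32),
        "resources.arsc": b"\x02\x00\x0c\x00" + bytes(8),
    }
    dev_sig = {
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nCreated-By: dev\n",
        "META-INF/DEV.SF": b"Signature-Version: 1.0\n",
        "META-INF/DEV.RSA": b"<developer certificate and signature>",
    }
    fdroid_sig = {
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nCreated-By: fdroid\n",
        "META-INF/FDROID.SF": b"Signature-Version: 1.0\n",
        "META-INF/FDROID.RSA": b"<F-Droid certificate and signature>",
    }
    # A build server that slipped one extra byte into the bytecode.
    tampered_payload = dict(payload)
    tampered_payload["classes.dex"] = payload["classes.dex"] + b"\x90"
    return (
        make_apk({**payload, **dev_sig}),
        make_apk({**payload, **fdroid_sig}),
        make_apk({**tampered_payload, **fdroid_sig}),
    )


if __name__ == "__main__":
    dev, fdroid, tampered = sample_builds()
    print(compare_builds(dev, fdroid))     # (True, [])
    print(compare_builds(dev, tampered))   # (False, ['content differs: classes.dex'])
```

The point of the check is that anyone with the source and the toolchain can produce a second build and run the comparison, so a build server that alters the bytecode is caught even though it never had to touch the public repository. A production check is stricter than this one (zip metadata such as timestamps and entry order also has to match for the signed files to be interchangeable), which is why real reproducibility work usually copies one signature onto the other build and compares the whole file.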