• Skull giver@popplesburger.hilciferous.nl
    link
    fedilink
    arrow-up
    7
    arrow-down
    1
    ·
    1 year ago

    I don’t see how supply chain attacks on F-Droid are any different from other app stores. Supply chain attacks would also attack the APK compiled on a deb’s machine.

    Also, APKs are signed on Google’s servers, devs don’t have control over those signatures anymore, unless they distribute their APKs through other means (which would impose similar if not worse risks compared to F-Droid, of course).