Thats part of the problem though. Supposedly catfriend1 gave researchxxl their signing keys, and researchxxl used these on their new github account. No one was aware that catfriend1 was not maintaining the repo anymore until users saw unexpected/unannounced updates and looked into the matter. This sparked a short lived discussion on F-Droid forums about what should be done when maintainer transfers are handled poorly like this. F-Droid admins decided that it wasn’t that big of an issue, which is problematic… this supposedly happened between two people meeting each other online and discussing it with each other. But its possible that catfriend1 is being blackmailed or otherwise coerced into handing off this data. This type of credential attack could happen with a compromised machine, without the victim ever realizing it in time. The fact that F-Droid treats this so casually is upsetting. Signed developer certificates protect you from MITM attacks, it does not protect you from the sources themselves being compromised.
Yes, I understand the situation is shady and f-droid maybe didn’t handle it the best way on a human level, and that is important when evaluating trustworthiness.
What I was focusing on was more on the technical side: As long as I can:
trust f-droid to actually build from source and only publish something guaranteed to match the source, and
read the source code myself, or trust an independent researcher to study it, and confirm there’s no malware,
then I don’t need to trust the maintainer of the project at all, and I can ignore all the drama, being assured with a high degree of certainty there is no malware
I can also ignore any drama involving f-droid as long as I still trust them to build from source. This can also be verified by independent researchers by buulding themselves ans comparing, once again filtering out the drama and noise, though most people probably won’t go this far.
Signed developer certificates protect you from MITM attacks, it does not protect you from the sources themselves being compromised.
Very true, and that’s why f-droid building from source can only guarantee the apk matches the source, but you still need to trust someone else (or yourself) to study the source and confirm nothing shady is going on, which of course isn’t something most people would do for any open source app they install.
Still, for “high profile” cases it just take one (independent) person to go through the source and publish their findings.
Thats part of the problem though. Supposedly catfriend1 gave researchxxl their signing keys, and researchxxl used these on their new github account. No one was aware that catfriend1 was not maintaining the repo anymore until users saw unexpected/unannounced updates and looked into the matter. This sparked a short lived discussion on F-Droid forums about what should be done when maintainer transfers are handled poorly like this. F-Droid admins decided that it wasn’t that big of an issue, which is problematic… this supposedly happened between two people meeting each other online and discussing it with each other. But its possible that catfriend1 is being blackmailed or otherwise coerced into handing off this data. This type of credential attack could happen with a compromised machine, without the victim ever realizing it in time. The fact that F-Droid treats this so casually is upsetting. Signed developer certificates protect you from MITM attacks, it does not protect you from the sources themselves being compromised.
Yes, I understand the situation is shady and f-droid maybe didn’t handle it the best way on a human level, and that is important when evaluating trustworthiness.
What I was focusing on was more on the technical side: As long as I can:
then I don’t need to trust the maintainer of the project at all, and I can ignore all the drama, being assured with a high degree of certainty there is no malware
I can also ignore any drama involving f-droid as long as I still trust them to build from source. This can also be verified by independent researchers by buulding themselves ans comparing, once again filtering out the drama and noise, though most people probably won’t go this far.
Very true, and that’s why f-droid building from source can only guarantee the apk matches the source, but you still need to trust someone else (or yourself) to study the source and confirm nothing shady is going on, which of course isn’t something most people would do for any open source app they install.
Still, for “high profile” cases it just take one (independent) person to go through the source and publish their findings.