Are F-Droid security concerns still valid or have they been mitigated?

Basically as the title says. I’m sure we all read the various articles about F-Droid’s insecurities, but these articles are quite dated (2-3 years?). I was wondering if F-Droid has taken the necessary steps to deal with these issues yet or if they still apply. I remember one important issue was the fact that they re-use package IDs for apps; is this still the case?

Auto-updating is now a feature, and many (but not all) of the packages are reproducible (thus solving the signing key problem for those packages that are reproducible). There is still the issue of slow updates, unfortunately. As for the issue you mentioned, I don’t have direct knowledge about it.

Despite a few lingering problems, I still use F-Droid.


There has been work done to improve reproducible builds.

The CalyxOS team has recently started working with F-Droid, and some of their work has resulted in improvements such as F-Droid Full now being able to auto-update apps without the F-Droid Privileged Extension. (The F-Droid Basic app has been able to do this for a while now.)

  1. A lot of things have changed since that article was originally posted.

  2. There is a thing called threat modeling. Issues that are still present might not be relevant to you at all. There are plenty of people who are aware of the issues and are still using F-Droid, and I’m one of them.

According to the poll that I made, F-Droid is the most used app store by the PG community:

  1. Have you ever seen any of these issues actually affect any of the F-Droid users in the real world? I haven’t seen that, and last time I checked, F-Droid has an excellent track record.

I’m reading through their post linked in the comment you’re replying to and am not seeing what you’re talking about. Where in that post are they trying to take more credit than they deserve?

I guess he’s talking about a drama that happened in the past (GrapheneOS x CalyxOS).

Would you mind elaborating more? I am aware that the latest version of F-Droid basic targets API level 34 and that there are more reproducible builds. What else, directly relevant to the things written in the article, have changed?

What issues are still present and have not been mitigated? I can’t threat model properly without knowing what has been fixed and what hasn’t.


This is also valid. I guess the concerns are mostly theoretical rather than practical issues that can affect people.