Malware in an app that you got from F-Droid? Check the source code. If source code is clean then F-Droid team did it. As easy as that. Developers can also choose to include or exclude their apps from F-Droid repository. So this point doesn’t really hold any water.
Does PG team have any thoughts on this?
That is an interesting take. I guess I’d like to have some insights about it as well.
The question is what’s the realistic alternative to F-Droid really.
RSS or Obtainium? Not as convenient (e.g. no unattended updates possible) and again you have to trust more parties (namely all the individual developers rather than the F-Droid team) to not give you a bad update.
Download APK from the developer’s website (e.g. Whatsapp, various crypto wallets)? Rarely available and you won’t be notified of updates.
Aurora Store? Connects to Google, tends to not work with the anonymous login and otherwise requires a Google account to work. Using it is against the TOS so your account might get banned, or Google could one day close the APIs that Aurora connects to. This should be used as a last resort, e.g. to get a banking app that’s only available on the Play Store.
There’s not really anything else.
Personally, I run the triple strategy of (1) use F-Droid when available (either in the main repo or an official repo from the developer), (2) use Obtainium for other stuff that’s on GitHub but not on F-Droid (e.g. the MEGA app which is source-available but non-free), (3) Aurora Store for whatever I can’t get otherwise (e.g. banking app).
So is Whatsapp and I bet it’s also super duper secure. PG recommendation when?
So you’re using extremely invasive apps/services from one of the most evil companies in the world (that makes most of their profit from collecting data to sell ads), and you think it’s preferable to using completely FOSS alternatives just because you’re running it in a “sandbox”? You’re entitled to that opinion of course, but it shouldn’t be the “official” guidance on a website like PG.
I’d like to add that Play Store sandboxing is only available on a Pixel with a really specific ROM. So unless PG’s stance is to tell everyone to just ditch their phone and get a Google phone, it’s not that useful as a main recommendation.
F-Droid does have a client issue. The official client is awful. Neo Store is OK but doesn’t reliably notify about updates. I have Droid-ify to get the notifications and Neo Store because the download/update process is better.
If you don’t like the client, it doesn’t mean that it’s awful.
Why would you need to get notified about updates when the client can do them in the background seamlessly?
Either way, use the F-Droid Basic client. It’s the best one.
You do know that you yourself can continue to use and recommend F-Droid without Privacy Guides doing so, right? I love F-Droid myself and don’t feel I have to agree with every part of PG.
The number of reproducible builds is increasing rapidly: Reproducible builds, signing keys, and binary repos | F-Droid - Free and Open Source Android App Repository
Calyx is helping F-Droid with client issues: CalyxOS & F-Droid
I’m going to mark this thread as rejected, because I think we are all in agreement that F-Droid Basic is a better client if we do recommend their first-party clients again, and that discussion is here:
Feel free to reply to this thread only if you have something to add about the official, traditional F-Droid client app, and not F-Droid Basic (because that is being discussed at the link above) or the F-Droid service/repos in general (because those already aren’t recommended against in the first place).