It’s not true that it just relies on badness enumeration.
- The list of external sources that you can pull from during build for example, is white listed… fdroidserver/scanner.py · master · F-Droid / fdroidserver · GitLab
- There are checks for example that ensure you’re not stuffing Zip files with improper extensions into your APK, fdroidserver/scanner.py · master · F-Droid / fdroidserver · GitLab The extensions that are acceptable for the zip mimetype, are whitelisted: .zip.
No one is arguing that F-Droid is perfect, but as a matter of fact it is more restrictive and provides an additional checks over just downloading an APK from GitHub release which could just be malware.
And I would be interested in seeing what ideas you have for the F-droid scanner that they’re rejecting. I’m showing actual examples where they make things more secure for users and protect their privacy. Your response isn’t a refutation, it’s a theoretical point that blacklisting isn’t good enough (which is true, it’s not all they’re doing), and it’s also silly because the alternative you’re accepting and that privacyguides is pushing is nothing, just blind trust for the author. Show me a PR where you have an idea for an improvement and a patch that’s rejected. I doubt you’ll find any of these tests no matter how basic in a CI on GitHub.