Comment by westurner
2 years ago
We depend upon package repositories to maintain the list of packages for a given namespace, and to always serve the most recent signed list of packages for the requested, some, or all namespaces in the repository's package catalog. The SLSA and TUF specs summarize the vulnerabilities, risks, and components of software supply chain security.
Fdroid does not claim to scan all uploaded APKs AFAIU. Fdroid > Security Model: https://f-droid.org/en/docs/Security_Model/ :
> There is a big emphasis on operating in the public and making everything publicly available. We include source tarballs and build logs when we publish binaries.
What's a ballpark figure for what the monthly cost to Fdroid would be to scan all uploaded APKs for security vulnerabilities?
Practically, it should be easy to add an upload_scan_and_post_back_to_the_pull_request task to each project's e.g. GitHub Actions YAML build definition; but then how does or how can SLSA help prove that the scan results were actually requested and merging and releasing were prevented if positive?
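As an added example (not code from the comment, from F-Droid, or from the SLSA/TUF projects) of the gate the comment asks about: the scan job emits an in-toto Statement whose subject is the APK digest, wraps it in a DSSE envelope, and the release step refuses to proceed unless a correctly signed attestation covers that exact artifact and reports zero findings. The predicate type, the key, and the use of HMAC in place of a real DSSE signature are assumptions made for an offline demo.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would verify a DSSE signature against
# the scanner's public key instead of sharing an HMAC secret (assumption).
SCANNER_KEY = b"constructed-demo-key"
PAYLOAD_TYPE = "application/vnd.in-toto+json"

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes that actually get signed."""
    return b" ".join([b"DSSEv1", str(len(payload_type)).encode(), payload_type.encode(),
                      str(len(payload)).encode(), payload])

def scan_attestation(apk_bytes: bytes, findings: int) -> dict:
    """in-toto Statement v1 bound to the APK digest; predicate type is a placeholder."""
    return {"_type": "https://in-toto.io/Statement/v1",
            "subject": [{"name": "app.apk", "digest": {"sha256": hashlib.sha256(apk_bytes).hexdigest()}}],
            "predicateType": "https://example.invalid/scan-result/v1",  # hypothetical predicate
            "predicate": {"findings": findings}}

def sign_envelope(statement: dict, key: bytes) -> dict:
    """Wrap a statement in a DSSE envelope (HMAC stands in for the signature)."""
    payload = json.dumps(statement, sort_keys=True).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).hexdigest()
    return {"payloadType": PAYLOAD_TYPE, "payload": payload.decode(), "signatures": [{"sig": sig}]}

def release_allowed(apk_bytes: bytes, envelope: dict, key: bytes) -> bool:
    """Policy gate: valid signature, subject matches this APK, and zero findings."""
    payload = envelope["payload"].encode()
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).hexdigest()
    if not any(hmac.compare_digest(s["sig"], expected) for s in envelope["signatures"]):
        return False  # unsigned, forged, or tampered attestation
    stmt = json.loads(payload)
    digest = hashlib.sha256(apk_bytes).hexdigest()
    if not any(s["digest"].get("sha256") == digest for s in stmt["subject"]):
        return False  # the scan covered a different artifact than the one being released
    return stmt["predicate"]["findings"] == 0
```

The check binds the scan verdict to the artifact digest rather than to a branch or PR, so a release that skipped the scan, or re-used a verdict from a different build, is rejected.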