Comment by jabwd

12 hours ago

> This is effectively a rando's basement. You. Do. Not. Know. Stop straw-manning stuff, it's so pointless.

The not knowing is the point. From a security perspective, you have to assume the worst.

And maybe that is F-Droid's point: security through obscurity. If the build infrastructure with the signing keys is unknown, then it's that much harder for a Bad Actor to do things like backdoor E2E-encrypted communication apps. This is, of course, the weakness in E2E encryption in apps obtained from mainstream/commercial app stores. For all we know, these may already be backdoored, depending on where they came from.

However, the obscurity makes F-Droid hard to trust as an outsider to the project.