Comment by westurner
5 hours ago
> For any developers interested in offering their own app store, Google says it'll launch its Registered App Stores program "with a version of a major Android release" before the end of the year. According to the company, the program will be available in other regions first before it comes to the US.

From https://news.ycombinator.com/item?id=37843650 :

> What's a ballpark figure for what the monthly cost to Fdroid would be to scan all uploaded APKs for security vulnerabilities?

Will the user need to basically add a pubkey for each 3rd party repo? Could they install an APK from Play Store to add the key, or will there be something like the distribution-gpg-keys package?
F-Droid build APKs themselves from source, so presumably 0, as they don't allow APKs to be uploaded.
F-Droid does do some safety checks themselves already too; I don't know exactly what.
Edit: Perhaps I am mistaken... but I think the linked post was referring to users adding additional repos to the F-Droid store, not the default F-Droid repo??
The objective with adding a third-party repository key, IIUC, would be to not need to prompt about installing from unauthenticated sources if they're installing from a third-party repo; so the fdroid key for the APKs that they or a CDN host would be verifiable.
It would be good to scan the sources with SAST and DAST and scan the APKs once they're built too.