In the play store you’re trusting Google and the developer.
I’m not sure how obtainium works. But if you download binaries from GitHub, you’re trusting the developer to accurately build their source code into the binary without adding anything. You’re also trusting GitHub implicitly – way back when, source forge was sometimes adding malware to downloads iirc.
F-droid is kind of cool in that they are saying, “we will ensure for you that the code you execute is the same as the open source code you can read”. But this added level of insurance comes with downsides – like sometimes it’s harder for the developer to make their code build properly, or maybe updates take longer.
Yes you are trusting them, and the developer. Just like you are trusting F-droid if you download from them. You also have to trust that the compiler program doesn’t do anything fishy. It’s trust all the way down.
The good news is that lots of people are working on making the systems trustworthy, and you as a consumer can learn to distinguish between what can be trusted for your usecase and what can’t.
In the play store you’re trusting Google and the developer.
I’m not sure how obtainium works. But if you download binaries from GitHub, you’re trusting the developer to accurately build their source code into the binary without adding anything. You’re also trusting GitHub implicitly – way back when, source forge was sometimes adding malware to downloads iirc.
F-droid is kind of cool in that they are saying, “we will ensure for you that the code you execute is the same as the open source code you can read”. But this added level of insurance comes with downsides – like sometimes it’s harder for the developer to make their code build properly, or maybe updates take longer.
And here I’m trusting Accrescent to actually deliver me an executable that has not been tampered with
Yes you are trusting them, and the developer. Just like you are trusting F-droid if you download from them. You also have to trust that the compiler program doesn’t do anything fishy. It’s trust all the way down.
The good news is that lots of people are working on making the systems trustworthy, and you as a consumer can learn to distinguish between what can be trusted for your usecase and what can’t.