Plus, if the app supports reproducible builds, fdroid will just deliver the app to you with the developer's signature. So it is just an additional verification without adding any trusted party. App signing section https://f-droid.org/docs/Security_Model/
fdroid also manually inspects the source to make sure nothing funky is going on. But of course that cannot be absolutely thorough, because of time and workforce constraints.
Finally, fdroid has updated to index v2 which improves the security of index v1, specifically:
As of index-v2, files from the repo are verified based on SHA-256, including icons, screenshots, etc.
index-v2 uses any algorithm supported by apksigner and android-23 and newer, and relies on OpenJDK's and Google's maintenance of the currently valid signing algorithms. When index-v2 was launched, the signature algorithm in use was SHA256withRSA and the digest algorithm was SHA-256. index-v1 is signed by SHA1withRSA. As of this writing, SHA1 is still considered strong against second pre-image attacks, which is what is relevant for index JARs.
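As an added illustration of the index-v2 point above (not code from the original comment or from F-Droid itself): every file the index lists carries a SHA-256, so a client can check icons, screenshots and APKs against the signed index and refuse anything that does not match. The nested layout and the "name"/"sha256" field names are assumed to resemble index-v2; the file bytes and package name are constructed.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for files served by a repo (not real F-Droid content).
ICON_BYTES = b"\x89PNG constructed icon bytes"
SCREENSHOT_BYTES = b"\x89PNG constructed screenshot bytes"
APK_BYTES = b"PK\x03\x04 constructed apk bytes"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Assumed index-v2-like fragment: in the real repo this JSON sits inside a
# signed JAR; here only the per-file {"name", "sha256"} shape matters.
INDEX_V2_FRAGMENT = json.dumps({"packages": {"org.example.app": {
    "metadata": {
        "icon": {"en-US": {"name": "/org.example.app/en-US/icon.png",
                           "sha256": sha256_hex(ICON_BYTES)}},
        "screenshots": {"phone": {"en-US": [
            {"name": "/org.example.app/en-US/phoneScreenshots/1.png",
             "sha256": sha256_hex(SCREENSHOT_BYTES)}]}}},
    "versions": {sha256_hex(APK_BYTES): {
        "file": {"name": "/org.example.app_1.apk",
                 "sha256": sha256_hex(APK_BYTES)}}}}}})

# What the client actually downloaded, keyed by the index's file name.
FETCHED = {
    "/org.example.app/en-US/icon.png": ICON_BYTES,
    "/org.example.app/en-US/phoneScreenshots/1.png": SCREENSHOT_BYTES,
    "/org.example.app_1.apk": APK_BYTES,
}


def file_entries(node):
    """Yield (name, sha256) for every file object anywhere in the index tree."""
    if isinstance(node, dict):
        if "name" in node and "sha256" in node:
            yield node["name"], node["sha256"]
        for child in node.values():
            yield from file_entries(child)
    elif isinstance(node, list):
        for child in node:
            yield from file_entries(child)


def verify_repo_files(index_json: str, fetched: dict) -> list:
    """Return names of listed files that are missing or whose bytes do not match."""
    bad = []
    for name, expected in file_entries(json.loads(index_json)):
        data = fetched.get(name)
        if data is None or not hmac.compare_digest(sha256_hex(data), expected):
            bad.append(name)
    return bad
```

A single flipped byte in any listed file, including an icon or screenshot, shows up in the returned list, which is the property index-v1 did not give for non-APK files.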