As a developer, the fact that F-Droid now compiles all your packages for you, using their own keys, is a non-starter for me. It means they are free to modify my code however they want or inject malware etc. (whether by mistake or not), and it's totally outside of my control, but still has my name on it.
I guess we can't win, can we? I worried more about random developers getting compromised since the surface area is much larger, but at the same time one entity compiling all packages makes them a more attractive target.
We've seen the released bundles being different to the source code before too AFAIR, so whether it's a single repository or F-Droid, both can easily screw users up if compromised.
I don't want to be paranoid but the world's not making it easy.
IDK if I would consider not blindly trusting an unknown third party to read all my notifications being paranoid, but if it is, then yeah, I guess I am.
I've used F-Droid merely due to the open source guarantee, so how fast these apps are patched isn't a deal-breaker for me, but I'll definitely look into Obtainium now.
Thank you!