> [devs] have to maintain a slightly different version of their codebase that should comply with F-Droid's requirements

Perhaps that's because I've got half a foot in the foss community and you don't hear a lot of "fml why is f-droid so strict about not using secret code", but to me it seems much more often that people complain about Google's policies than about F-Droid's. Especially since F-Droid's

> "quality control" offers close to no guarantees

because there are no restrictions on things that just work with root, donation links for open source open geo data contribution platforms[1], roll your own payment scheme without giving anyone a cut, put ads in it if you like...

... and yet I have no qualms letting my grandma browse around f-droid but am terrified of what bank phish she might be shown in an ad after roaming the google store. Technically the author is correct here, of course, but in practice this turns out to be a total non-issue. The rules are also not set in stone if it were to become one suddenly.

--- (edited to add)

> Their client also lacks TLS certificate pinning

As does every web browser, but somehow banking on websites seems to very rarely be intercepted? I don't get the fuss about this and I work in the security industry. We recommend the most secure solutions, but sometimes there are trade-offs here:

- Historically it has been recommended to turn off autocomplete in browsers' <input> fields. I think we all agree on that one.

- Historically it has been recommended to turn off backups in Android because, gee, someone could make a backup of your app data and what if that's an attacker somehow! An auth token might get out! Nobody cares that this makes it physically impossible to back up your data at all anymore on Android (Apple is doing *very well* on that front, I am very much impressed there even if it's not enough to make me buy into Apple by a long shot). This is one of the reasons I root my device and make fairly extensive use of it.

- These days it's being recommended to use cert pinning which is a huge pain in the arms for anyone wanting to toy around with what the app does. Now in this case it's open source anyway, but think of, uh, yeah how about what the article mentions: "unlike Play Store which does that for all connections to Google". Wouldn't it be nice if you could actually see what this app sends to Google about you? Previously you'd add a cert to your OS and you'd be good to go. Now you have to modify the compiled application: a steep learning curve for anyone not working with app pentesting on a regular basis. For a high-security app like your banking app, alright, but for most other things I (as a tech nerd, clearly, I'm not an average user) think it's more harmful than beneficial.

> their website has (for some reason) always been hosting an outdated APK of F-Droid, and this is still the case today

Part of this sentence is a link to the forum. If you actually click that link, the "for some reason" becomes perfectly clear: f-droid-the-apk releases are shipped whenever it is ready, there is no beta channel in that sense. Whatever is on the homepage should work for everyone with any setup, and from there you can try to upgrade. If that fails, no biggie, you can just use the older version that works. Is what the forum says. (Not that I ever had a broken f-droid version myself, so not sure how important this really is.)

> F-Droid is not the only way to get and support open-source apps. [...] Most of the time, releases are available on GitHub, which is great since each GitHub releases page has an Atom feed.

Hah, the author just spent ~2800 words criticizing the liberal inclusion policy, missing api target enforcement, outdated (now slightly misleading) permission listings, lagging signature scheme update, and then concludes with "just download the apk from github *because it has an Atom feed*"! If only f-droid knew that this was the requirement for an endorsement by OP :D (jk)

No really, use f-droid instead of github please or make sure you know how to check pgp signatures and have a chain of trust to the developer somehow. Or trust microsoft/github blindly, that's okay too (many of your apps come from there indirectly anyhow, if I'm being fair). But as blanket advice for a source of apps? That's... interesting in this context.

> > Should I really care?

> If security (and privacy, as they overlap) matters to you [then yes]

It depends... *how much* does security matter to you? Is this to the exclusion of all other values?

It's a bit black-and-white. But then, yeah, as others said, the author works on their own security-oriented Android flavor (which is very good work by the way!).

[1] see "un-features" https://github.com/streetcomplete/StreetComplete/releases/tag/v40.1

Edit: was this marked as off-topic or why is it stuck to the bottom despite upvotes? Usually neutral comments float somewhere around 2/3rds of the page, this comment is not neutral but upvoted and is at rock bottom.