I am on GrapheneOS, but this concerns Android as a whole. From the options of Fdroid and GitHub (Obtainium) which is the safest way to install an app?
From the GrapheneOS forums, I see many people recommending GitHub over Fdroid as it is straight from the source. I know its true, but if a developer adds a ‘not-so-safe’ piece of code or introduces tracking, Obtainium would automatically update my app without letting me know about the changes. But from what I have seen from Fdroid they usually pause or cancel the update or app if these changes were to take place (Example, Simple Gallery or Mull for Android).
So I am confused. Whom should I trust more, Fdroid with their own app builds or the Developers on GitHub?
Also I have seen that Obtainium when used with a VPN to fetch app updates, will get rate limited by GitHub. Also I don’t really like GitHub as a code repository, with their tracking and rate limiting. I don’t know if Fdroid tracks user.
So then you trust the app enough that it provides the function you need from it? Trust doesn’t have to be an all or nothing ordeal.
It doesn’t have to be, but it should be.
I can trust an app to provide the needed functions, that doesn’t mean it doesn’t also perform other functions that I don’t need or want, and may potentially be malicious. And that can be literally any app that you haven’t personally reviewed the code and compiled.