Hacker News new | past | comments | ask | show | jobs | submit login

Not sure about today, but didn't f-droid sign all apps with an f-droid key, meaning you have to trust f-droid instead of Whisper systems?

From a security point of view it seems quite reasonable to object to f-droid handling all signatures.




If you browse the F-Droid website they actually mention that it's possible to use the .apk distributed by the developers, if the apk is reproducible. It's cumbersome and requires a lot of goodwill from both the developers and the F-Droid maintainers, but it's not impossible.

The thing is, people using F-Droid are most likely already aware that they can install the .apk directly from https://signal.org/android/apk/ so there's not much to gain (the .apk prompts the user when an update is available too).


Exactly, that was the reason Moxie gave for wanting to avoid F-Droid back in the day. Besides, I hear the .apk one can obtain from signal.org these days comes with an integrated update mechanism, anyway? As much as I am a fan of F-Droid, I really don't understand the criticism here. What advantages does F-Droid provide here?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: