@anon89964105 summed up my thoughts quite well. It essentially means you’re adding another party to trust, that which is F-Droid. While yes, you can see the code of the app linked from some other place, you’re still trusting F-Droid to verify that the code you’re running is indeed the code that you read some place else, because you have no way of decompiling and verifying the code that’s running on your device at any given moment in real time (unlike PWAs, where you can instantly verify, any second you wish). Perhaps F does a great job. I don’t know, I didn’t personally audit their code. In which case, more power to them. I think it’s an excellent initiative.
But I do know that in the grander scheme of things, F-Droid caters to only 1% of all the apps in the Play Store, and that’s nowhere near statistically high enough to conclude there will be enough eyeballs auditing the authenticity of stuff on F-Droid.
Also, Android has over 3b users, and while I can’t find the statistics for the number of F-Droid users out there, we can draw a rough estimate based on the search trends, which also seems to be less than 1%.
(I would love for them to publish these kinds of usage stats and enlighten us all, actually; I would love to be proven wrong on this one.)
So for more than 99% of the Android users out there, what we’re talking about is statistically insignificant and inapplicable. This isn’t to invalidate F-Droid itself, but to say: statistically, it doesn’t and likely won’t have enough eyeballs auditing it.
I can tell you first hand, because I (along with team Cryptee) regularly try to break things and criticise and audit big tech to hold them accountable. Here’s one from last year where I put the spotlight on Apple quite publicly on Motherboard / VICE. We spare time to do things like this because the impact affects billion+ users. We wouldn’t spare the time to do the same for F-Droid, because for the amount of time we would have to spend to audit and break things, the impact would be so statistically insignificant in comparison (to Google / Apple etc.). And if other experts prioritise their time the way we do, I can statistically say that you’re better off and safer using the Play Store vs. F-Droid. This doesn’t mean one is ‘factually’ safer or not; it just means F ‘statistically’ won’t be safer.
To reiterate, I’m not saying F-Droid isn’t safe. But I’m saying you cannot mathematically prove it is (as it necessarily adds an additional party to trust), and that statistically there are nowhere near enough eyeballs on it to speculate that some day someone may audit and maybe catch some inconsistency. If we’re speculating / extrapolating our trust in F-Droid based on “someone can maybe audit in the future”, I’m merely suggesting we do so with numbers in hand to see the statistical likelihood of that happening.
Hoping these make sense! Thanks for the constructive convo, folks.