this post was submitted on 13 May 2025
552 points (98.9% liked)
Technology
69999 readers
4715 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
"If dev goes rougue"
Isnt that a risk for all app stores?
For fdroid the app is compiled on fdroid servers when dev tags a new release on GitHub. So the app matches the source, it's not possible to put a tainted APK to download
Now, if the malicious code is slowly added to the source over the course of an year like it happened with the xz utils, this won't change the result, but it's easier to do so with a compiled binary. Release clean source and infected binary, it will take a longer time to get caught
For the closed source app stores, on iOS there's the manual inspection (which is not infallible especially if they timebomb or geofence the bad feature) and for Google there's the automated inspection (which fails often seeing the news) that should find problems