
> F-Droid insists on building the APKs for the apps.

You could say that OpenAPK blindly redistributes whatever APK upstream is peddling whereas F-Droid builds from source. I see the merits of both systems but prefer reproducible builds so that we can have the best of both worlds.



It's a reason why I don't really trust signal. They don't want to be recompiled by 3rd party. You must either trust them (or the app stores, which isn't better) or go through the hassle of figuring out how to build it yourself.


It's fairly reasonable to discourage people from using random third-party compiled signal variants though. If you can't figure out building it yourself, using the official one will probably be safer.


If they had proper reproducible builds it wouldn't be an issue… Also, why do you think fdroid is more likely to backdoor it than they are themselves?

With fdroid I trust 1 party; by downloading random binaries I have to trust hundreds.



Except it's out of date…


> using the official one will probably be safer.

Why? The official one can be backdoored and with a gag order you would never hear about it.


Not trusting signal's build and building it yourself is a reasonable thing to do.

Not trusting signal's build and then turning around and trusting some third party build seems strange. The official build probably has more eyes on it, and signal has more reputation to lose.


You don't need to run the binaries at all if you don't want, you can just get the standard VPN configs and use your OS's network stack. You won't get all the fancy features, but otherwise it works fine.


Uh?


Good question.

I'd start here if I were you: https://protonvpn.com/support/wireguard-configurations


The context was Signal


Oof. Thanks, I must have been switching tabs too quickly.


Maybe it's just me but I'm kinda struggling to see much merit in blind distribution.


Shizuku's license disallows 3rd party recompilation of the APK, fork or not. Presumably this is done to provide an option to legally take down fake Shizuku which could contain a backdoor. (The original APK is redistributable.) Hence Shizuku is not on F-Droid.

F-Droid, however, allows the developer's binary to be reproduced if they have tested that the APK is reproducible when replacing the APK's signature with the original APK's.


It allows recompilation, just not using the official logo. Similar to Firefox in Debian kind of issue.

Reproducible builds would allow distributing Shizuku in F-Droid, that’s correct. (If Shizuku banned third party builds by the means of code license, it would not be FOSS and thus wouldn’t be eligible for inclusion in F-Droid altogether.)


Well, for starters it is just a whole lot less work and money to distribute and maintain binaries from the distributors' side; for the developers it comes down to a lower barrier of entry to not have to adjust their workflow to whatever x platform may demand for building on their servers, and in the end that gives the users more choices to work with. Of course, this is all in a perfect world where the chain of trust isn't broken so easily, which isn't an easy feat, but given platforms like Windows thrive in spite of it, it is probably not as bad as many people may think.

All of that said, I'm not particularly speaking for OpenAPK here, given their motives seem rather unclear to me. If I am to be charitable, I guess they're just trying to provide a different platform than f-droid for discoverability, but for whatever reason they seem to be marketing the distribution side of things more, which is just odd to me, but alas.


> given platforms like Windows thrive in spite of it, it is probably not as bad as many people may think.

There is a lot of extra work done behind the scenes to "thrive in spite of it". Windows Defender (built into Windows after XP) has to periodically download updated virus definitions and always scans programs for potential malware, and still can't catch them all.


F-Droid can also redistribute the signed upstream APK. The requirement for that is that the build is reproducible.

This is the best of both worlds because the distributor (F-Droid) verifies that the published source matches the binary but does not possess the private key to sign the APK. This means the distributor cannot push a backdoored binary blob at some later date.
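The check described in this comment, as an added illustration that is not F-Droid's own code: a local build from source is compared against the upstream signed APK, ignoring only the JAR-style (v1) signature entries under META-INF/, so any difference in the actual app contents is reported. The two APKs are constructed in memory so the script runs offline; real APKs also carry v2/v3 signatures in the APK Signing Block outside the zip entries, which this simplified comparison does not model, and production tooling additionally copies the real signature over before comparing.

```python
"""
Added example (not F-Droid's own code): verify that a signed upstream APK's
contents match a locally built, unsigned APK byte-for-byte, ignoring only
the JAR (v1) signature files under META-INF/. Sample APKs are constructed
in memory so the script runs offline.
"""
import hashlib
import io
import zipfile

# Entries that carry the v1 (JAR) signature; everything else must match.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")
SIGNATURE_NAMES = {"META-INF/MANIFEST.MF"}


def is_signature_entry(name: str) -> bool:
    """True for the zip entries that the signer, not the build, produces."""
    return name in SIGNATURE_NAMES or (
        name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)
    )


def content_digests(apk_bytes: bytes) -> dict:
    """Map every non-signature entry name to the SHA-256 of its bytes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(upstream_signed: bytes, local_build: bytes) -> list:
    """Return a list of differences; an empty list means the build reproduces."""
    a, b = content_digests(upstream_signed), content_digests(local_build)
    problems = []
    for name in sorted(set(a) | set(b)):
        if name not in a:
            problems.append(f"only in local build: {name}")
        elif name not in b:
            problems.append(f"only in upstream APK: {name}")
        elif a[name] != b[name]:
            problems.append(f"content differs: {name}")
    return problems


def make_apk(entries: dict, signed: bool) -> bytes:
    """Build a constructed sample APK (a plain zip) in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        if signed:
            # Placeholder signature entries; real ones come from apksigner.
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"placeholder-pkcs7-blob")
    return buf.getvalue()


# Constructed sample inputs, not real app contents.
SOURCE_ENTRIES = {
    "AndroidManifest.xml": b'<manifest package="org.example.app"/>',
    "classes.dex": b"dex\n035\x00constructed-sample-dex",
    "resources.arsc": b"constructed-resources",
}
UPSTREAM_APK = make_apk(SOURCE_ENTRIES, signed=True)
LOCAL_BUILD = make_apk(SOURCE_ENTRIES, signed=False)
# A signed APK whose code differs from what the published source builds.
TAMPERED_APK = make_apk(
    {**SOURCE_ENTRIES, "classes.dex": b"dex\n035\x00something-else"}, signed=True
)

if __name__ == "__main__":
    print("upstream vs local:", compare_apks(UPSTREAM_APK, LOCAL_BUILD) or "match")
    print("tampered vs local:", compare_apks(TAMPERED_APK, LOCAL_BUILD))
```

The point of the split is that the distributor only ever needs to run `compare_apks`; it never holds the signing key, so it can attest that the published source produced the binary without being able to produce a different signed binary itself.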





