Some people aren’t a fan of F-droid managing the signing keys and that sometimes F-droid builds/deployments can take a bit. There is an argument for developer-managed signing keys being better than registry-managed signing keys for trust, but that also doesn’t make F-droid “bad”. While I’m not fully versed on it, I think the issue here only applies to the main F-droid repo since other repos might have different policies around builds and signing keys.
Personally, I like the experience of managing my most used apps through Obtanium via the devs git releases, but I only use that if the dev is good about publishing their signing key so it can be verified with AppVerifier. Otherwise, F-droid is safer than running an app installed without verifying the signing key.
Some people aren’t a fan of F-droid managing the signing keys and that sometimes F-droid builds/deployments can take a bit. There is an argument for developer-managed signing keys being better than registry-managed signing keys for trust, but that also doesn’t make F-droid “bad”. While I’m not fully versed on it, I think the issue here only applies to the main F-droid repo since other repos might have different policies around builds and signing keys.
Personally, I like the experience of managing my most used apps through Obtanium via the devs git releases, but I only use that if the dev is good about publishing their signing key so it can be verified with AppVerifier. Otherwise, F-droid is safer than running an app installed without verifying the signing key.
Hey, I really appreciate your input and breakdown on that, totally answers my question!