In the play store you’re trusting Google and the developer.
I’m not sure how obtainium works. But if you download binaries from GitHub, you’re trusting the developer to accurately build their source code into the binary without adding anything. You’re also trusting GitHub implicitly – way back when, source forge was sometimes adding malware to downloads iirc.
Yes you are trusting them, and the developer. Just like you are trusting F-droid if you download from them. You also have to trust that the compiler program doesn’t do anything fishy. It’s trust all the way down.
The good news is that lots of people are working on making the systems trustworthy, and you as a consumer can learn to distinguish between what can be trusted for your usecase and what can’t.
In the play store you’re trusting Google and the developer.
I’m not sure how obtainium works. But if you download binaries from GitHub, you’re trusting the developer to accurately build their source code into the binary without adding anything. You’re also trusting GitHub implicitly – way back when, source forge was sometimes adding malware to downloads iirc.
And here I’m trusting Accrescent to actually deliver me an executable that has not been tampered with
Yes you are trusting them, and the developer. Just like you are trusting F-droid if you download from them. You also have to trust that the compiler program doesn’t do anything fishy. It’s trust all the way down.
The good news is that lots of people are working on making the systems trustworthy, and you as a consumer can learn to distinguish between what can be trusted for your usecase and what can’t.