Yes, I understand the situation is shady and f-droid maybe didn’t handle it the best way on a human level, and that is important when evaluating trustworthiness.
What I was focusing on was more on the technical side: As long as I can:
trust f-droid to actually build from source and only publish something guaranteed to match the source, and
read the source code myself, or trust an independent researcher to study it, and confirm there’s no malware,
then I don’t need to trust the maintainer of the project at all, and I can ignore all the drama, being assured with a high degree of certainty there is no malware.
I can also ignore any drama involving f-droid as long as I still trust them to build from source. This can also be verified by independent researchers by building themselves and comparing, once again filtering out the drama and noise, though most people probably won’t go this far.