Speaking as a KDE Connect user who's heard of F-Droid, I installed F-Droid, then deinstalled it. It was too noisy and intrusive. When I told it I didn't want to replace an app with its version it kept asking again and again, every day at least.

Since then I've head that the F-Droid operators insist on signing all apps themselves, instead of the developers' signature. That's as bad as the TLS inteceptors that insist on accepting an extra CA.

Some people seem to think that F-Droid is obviously preferable to Googleplay. That is, at the very least, not obvious.

Fdroid maintainers require shipped apk's to have 0 non-free components. The only way to ensure that is to build the apps themselves (so that they can verify code and control dependencies). This means that they can only use their own keys.

Debian is also signing all Debian packages with in their own repositories with their own keys, and nobody takes this as an issue.

No it doesn't. They could check the developer's signature against an APK built from source. It's not that difficult.

BTW. In my case the app they urged me to replace the stock keyboard with a version that had been built without support for Norwegian. Is the language data in Android non-free?

They can, and they offer that, if the developer supports reproducible builds.

Most apps aren’t possible to be built reproducibly, though, as the Android developer toolkit was never designed for reproducible builds and relies on stuff like filesystem ordering of files (which differs between machines).

You’re even able to ship your own builds signed with your own developer key on F-Droid if F-Droid is able to build the exact same APK themselves.

Reproducible builds are the best option for such a store :)

> Since then I've head that the F-Droid operators insist on signing all apps themselves, instead of the developers' signature.

They do reproducible builds starting from publicly available source. Given the AOSP design where code signatures are mandatory and updates are only allowed if signed by the same key, they're taking the best feasible approach.

> When I told it I didn't want to replace an app with its version it kept asking again and again, every day at least.

F-Droid can't replace a version installed form GPlay with it's own version as they are (except a handful) signed with a different key.

It also won't even show you these versions anymore unless you enable an expert settings options.

I trust the F-Droid maintainers more than J. Random app developer, honestly.

Care to elaborate? You're trusting the developer to write the source code and do all the debug builds, what's the problem with building the production build?

Assuming you trust F-Droid, it eliminates the possibility that the developer isn't using their published source code. eg. they might hide their tracking code from their public github repo but build it into their release apk.

I'm a linux user, I've never heard of it and the friction would make me hesitate

What friction? It's easier to use than the Play Store.

It also doesn't come preinstalled on any devices I'm aware of, which adds a significant amount of friction.

Even once you've installed it, it can't auto-update apps.

So? Netflix didn't come preinstalled on my phone, but I still use it.

Installing F-Droid is easy, and installing and managing apps through it is also easy. I prefer it when I can find a suitable app.

> Installing F-Droid is easy

but nevertheless harder than installing Netflix

> installing and managing apps through it is also easy

but updates are not automatic (unless you root)

I don't dispute that F-Droid is not terribly difficult to use, but the original statement that "It's easier to use than the Play Store" is obviously false as soon as you take into account the mechanics of getting it installed.

Yes it can, though it needs to be installed as a privileged app.

I need to look up what it is, if it's serious, how to install it, how to use it