futo-org / grayjay-android

Read-only mirror of Grayjay repo for issue tracking
https://gitlab.futo.org/videostreaming/grayjay

Open source assurance, verifiable builds #962

Open nuschpl opened 6 months ago

nuschpl commented 6 months ago

I've added the custom FUTO F-Droid repo, which on my phone has the right to install non-Google apps. Then I installed the newest available Grayjay, only to learn that there is a new update (outside of the F-Droid repo). Installing the update requires giving Grayjay itself (instead of F-Droid) the right to install third-party apps. Such an approach is neither secure nor trustworthy because:

  1. OFC the user needs to trust all apps he trusts on his phone, but eventually a compromise, with current Android hardening, should be limited to the app itself. If every app on the phone had the 'install 3rd party' permission, that would mean full compromise of the device when a single app has any problem, degrading the whole reasonably secure architecture of the Android OS.
  2. The app is open source; users who are fans of verifiable builds could get into some compromise of downloading binaries from the F-Droid HTTP-hosted repo with some automated tools. But hosting the binaries at another URL determined at runtime by the Grayjay app is a big no from that perspective. Please don't employ practices which you yourselves are fighting against.
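The checks the comment above alludes to, pinning the publisher's signing key and comparing a downloaded binary with automated tools, as an added example that is not part of this issue or of the Grayjay project. It assumes `apksigner` from the Android SDK build-tools is on PATH, and `PINNED_SIGNER_SHA256` and the function names are placeholders chosen for this example: the real fingerprint has to come from a trusted, out-of-band source, not from the same download.

```shell
#!/bin/sh
# Added example, not Grayjay's own code: verify an APK obtained from an F-Droid repo
# against a pinned signer certificate fingerprint and an expected file hash.
# PINNED_SIGNER_SHA256 is a placeholder (hypothetical value); replace it with the
# publisher's real certificate SHA-256 obtained out of band.
PINNED_SIGNER_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# Extract the "Signer #1 certificate SHA-256 digest" line from the output of
# `apksigner verify --print-certs <apk>` and return the digest in lowercase hex.
signer_sha256_from_apksigner_output() {
    printf '%s\n' "$1" \
        | sed -n 's/^Signer #1 certificate SHA-256 digest: *\([0-9A-Fa-f]*\).*$/\1/p' \
        | tr 'A-F' 'a-f' | head -n 1
}

# SHA-256 of a file as lowercase hex; sha256sum on Linux, shasum on macOS.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# Compare two hex digests case-insensitively; exit status 0 on match.
# An empty digest never matches, so a parsing failure cannot pass as success.
digests_match() {
    a=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    b=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Full check on a real APK: signature validity (v1/v2/v3 via apksigner), signer pin,
# and optionally the file hash against the value from the repo's signed index or
# from a local reproducible build of the same version.
verify_apk() {
    apk="$1"; expected_sha256="${2:-}"
    certs=$(apksigner verify --print-certs "$apk") || { echo "signature invalid: $apk" >&2; return 1; }
    signer=$(signer_sha256_from_apksigner_output "$certs")
    digests_match "$signer" "$PINNED_SIGNER_SHA256" || { echo "signer mismatch: $signer" >&2; return 1; }
    if [ -n "$expected_sha256" ]; then
        digests_match "$(file_sha256 "$apk")" "$expected_sha256" || { echo "file hash mismatch: $apk" >&2; return 1; }
    fi
    echo "ok: $apk"
}

# Usage: sh verify_apk.sh app.apk [expected-sha256]
if [ "$#" -ge 1 ]; then
    verify_apk "$@"
fi
```

For an APK served from an F-Droid repo the expected hash is the one listed for that version in the repo's signed index, and for a reproducible-build check it is the hash of the APK you built and signed locally; an APK whose updater fetches from a URL decided at runtime gives you neither reference point, which is the practical content of the complaint above. `apksigner` is used rather than unpacking `META-INF/*.RSA` because APKs targeting recent Android versions may carry only v2/v3 signature blocks and no JAR signature at all.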
Zvonimir-FUTO commented 2 weeks ago

Hey there, apologies on the late response to this.

So there was an issue with the F-Droid deployment that was bugging us for weeks, which was resolved a few weeks ago, so the F-Droid version is now the latest version and you can continue updating through F-Droid.

There is also an option in settings called "Check" under "Auto Update" which you can set to Never, and then you will only update through the F-Droid store. When an update shows, there is also a "Never" button as well.

Hope this resolves your issues.