GrapheneOS on Nostr: A post from the developer of WireGuard on the severe security flaws and lack of ...
A post from the developer of WireGuard on the severe security flaws and lack of trustworthiness of F-Droid:
https://gitlab.com/fdroid/fdroiddata/-/issues/3110#note_1613430404
This led to them including a self-update system which was openly implemented and documented. F-Droid was unaware they'd shipped it for half a year, and by then WireGuard had essentially escaped from, in their words, being held hostage by F-Droid.
This was a rare case where an app used developer signing keys via their flawed reproducible builds system. Most don't.
Published at 2025-01-27 15:09:30
Event JSON
{
"id": "c50fae2c56e3a9507e127f42b5db17e39a0d65e76710b6d89d0222a96bcd5c48",
"pubkey": "5468bceeb74ce35cb4173dcc9974bddac9e894a74bf3d44f9ca8b7554605c9ed",
"created_at": 1737990570,
"kind": 1,
"tags": [
[
"proxy",
"https://grapheneos.social/users/GrapheneOS/statuses/113900949999725460",
"activitypub"
]
],
"content": "A post from the developer of WireGuard on the severe security flaws and lack of trustworthiness of F-Droid:\n\nhttps://gitlab.com/fdroid/fdroiddata/-/issues/3110#note_1613430404\n\nThis led to them including a self-update system which was openly implemented and documented. F-Droid was unaware they'd shipped it for half a year, and by then WireGuard had essentially escaped from in their words being held hostage by F-Droid.\n\nThis was a rare case where an app used developer signing keys via their flawed reproducible builds system. Most don't.",
"sig": "e6096e43d46ec640d05f3a28b18859a30b94591fb0f6b4cfd7dc3fdf3ddd316c895e13234fb749c0cdceee6d67db276bee860b32eafbd2fce65a703baf8e132f"
}