A post from the developer of WireGuard on the severe security flaws and lack of trustworthiness of F-Droid:
gitlab.com/fdroid/fdroiddata/-…
This led to them including a self-update system which was openly implemented and documented. F-Droid was unaware they'd shipped it for half a year, and by then WireGuard had essentially escaped from, in their words, being held hostage by F-Droid.
This was a rare case where an app used developer signing keys via their flawed reproducible builds system. Most don't.
Linked issue: "wireguard inclusion policy violation (auto-updates w/o explicit user consent) (#3110)" · Issues · F-Droid / Data · GitLab
Per https://f-droid.org/en/docs/Inclusion_Policy/: "The software must not download additional executable binary files (e.g. addons, auto-updates, etc.) without explicit user consent."
GrapheneOS
in reply to GrapheneOS:
F-Droid has incredibly poor security practices and a strong anti-security attitude held by most of the people involved. They've consistently engaged in coverups of vulnerabilities and targeting multiple security researchers with libel and harassment.
It's a massive single point of failure and not worthy of the trust many people are placing in it. It's adding another trusted party compared to using the apps built and signed by the developers. It is not avoiding trust in the developers of apps.
GrapheneOS
in reply to GrapheneOS:
Regularly not shipping critical Firefox security patches for months is the norm for the main F-Droid repository. Whether or not they sign the apps themselves as they do for the vast majority of apps, updates can be indefinitely delayed based on issues with their outdated infrastructure or their Debian-style downstream patches needing to be updated.
For the small subset signed by the app developers, many kinds of disagreements between F-Droid and developers will mean an end to receiving updates.
Felix
in reply to GrapheneOS:
You are not the only ones that struggle with F-Droid. (There is an ongoing struggle to fix certificate pinning by F-Droid by a former maintainer, which has neither been acknowledged nor accepted.)
But the question is: what alternatives are there? As far as I can tell, F-Droid is the only large-scale repository of open source apps there is.
Luce
in reply to Felix:
@newhinton There is a new project here: accrescent.app/
I don't know much about it, can't verify anything, just heard about it
GrapheneOS
in reply to Luce:
@Kulei @newhinton We recommend using Accrescent for the apps which are available through it. It's not specific to either open source apps or privacy focused apps but rather is meant to become a Play Store alternative.
Obtainium + App Verifier for getting apps directly from developers, although we'd prefer a leaner and more security focused approach than Obtainium.
CryptGoat
in reply to GrapheneOS:
While I appreciate bringing up the security concerns and the existence of alternatives to #FDroid, I do not think we have those when it comes to pure FOSS apps without the usual big corporate trackers/libs. #Accrescent lists a few apps and fails to provide relevant information about them (such as requested permissions). E.g. #Qlango includes multiple tracking libraries by #Meta / #Facebook and doesn't look like it is FOSS to any degree. Even while the #FDroid repo is not carefully curated, I don't run into traps like these. 🤷
There is a need for a curated and maintained FOSS app repo and currently there is nobody but @fdroidorg providing it. #Obtainium and #Accrescent are mostly options for expert users who know exactly whom to trust and what they are looking for. @Kulei @newhinton
Andreas Albrecht
in reply to CryptGoat:
#Accrescent IMO absolutely needs
- better description of app
- permissions list
- license info of app
- download size of apk
- website link if available
- (minimum Android sdk)
@cryptgoat @mynacol @GrapheneOS @fdroidorg @Kulei @newhinton
Andreas Albrecht
in reply to Accrescent:
@accrescent Sounds great. I am looking forward to it. Thanks for #Accrescent and contributing to the #FLOSS community. I greatly appreciate that.
Adding info on whether an app is FLOSS is helpful.