I'm seeing that a lot of people are confused about my frustration with #FDroid's #ReproducibleBuild system, so let me explain:

Sometimes, F-Droid compares their build result with the developer's, meaning both parties (F-Droid and the app dev) agree on the expected result. Other times, they just build their own APK a second time in the same environment, never checking if the developer got the same result.

Both these cases are labeled "Reproducible Build", despite the huge differences.

(1/4)
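The two situations described above can be told apart mechanically, so here is an added example (my own illustration, not code from the thread, from F-Droid or from IzzyOnDroid) of what a verifier would have to record to make the distinction visible. It compares a rebuilt APK against a reference APK entry by entry and then labels the result according to what the reference was: the developer's published APK (which gives a real reproducibility claim) or merely a second rebuild in the same environment (which only shows the build is self-consistent). Assumptions: an APK is treated as a plain zip, the v1 signature entries under META-INF/ are the only expected difference between a signed upstream APK and an unsigned rebuild (this is a simplification of how real verifiers strip signatures), and the sample APKs are tiny constructed zips, not real apps.

```python
import hashlib
import io
import zipfile
from enum import Enum

# Zip entries that carry the v1 (JAR) signature. They are expected to differ
# between the developer's signed APK and an unsigned rebuild, so they are
# excluded from the comparison (assumption: a simplified model of signature stripping).
SIGNATURE_ENTRIES = ("META-INF/MANIFEST.MF",)
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


class Guarantee(Enum):
    REPRODUCIBLE = "reproducible: rebuild matches the developer's APK"
    SELF_CONSISTENT = "self-consistent only: rebuild matches another rebuild, upstream never checked"
    MISMATCH = "mismatch: rebuild differs from the reference"


def is_signature_entry(name):
    """True for zip entries that belong to the v1 signature and should be ignored."""
    if not name.startswith("META-INF/"):
        return False
    return name in SIGNATURE_ENTRIES or name.upper().endswith(SIGNATURE_SUFFIXES)


def entry_digests(apk_bytes):
    """Map each non-signature zip entry name to the SHA-256 of its content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def diff_entries(rebuild, reference):
    """Sorted names of entries that are missing on one side or differ in content."""
    a, b = entry_digests(rebuild), entry_digests(reference)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))


def classify(rebuild, reference, reference_is_upstream):
    """Return (guarantee level, differing entries) for a rebuild vs. a reference APK.

    The guarantee depends not only on whether the bytes match but on WHAT was
    compared: matching the developer's APK is reproducibility, matching one's
    own second build is only consistency.
    """
    differing = diff_entries(rebuild, reference)
    if differing:
        return Guarantee.MISMATCH, differing
    level = Guarantee.REPRODUCIBLE if reference_is_upstream else Guarantee.SELF_CONSISTENT
    return level, []


def make_apk(entries):
    """Constructed stand-in for an APK: a zip built from a name -> bytes mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample inputs (not real apps).
APP = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00"}
UPSTREAM = make_apk({**APP,
                     "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                     "META-INF/CERT.SF": b"constructed-sf",
                     "META-INF/CERT.RSA": b"constructed-dev-signature"})
REBUILD = make_apk(APP)                                   # unsigned rebuild
TAMPERED = make_apk({**APP, "classes.dex": b"dex\n035\x01"})  # one byte differs

if __name__ == "__main__":
    cases = [("vs developer APK", UPSTREAM, True),
             ("vs second own rebuild", REBUILD, False),
             ("vs altered dex", TAMPERED, True)]
    for label, ref, upstream in cases:
        level, diffs = classify(REBUILD, ref, upstream)
        print(f"{label}: {level.value}", diffs or "")
```

The point of the `reference_is_upstream` flag is that a verification page which only publishes "match" or "no match" throws this information away; a result record that keeps the flag can show per app whether the developer's APK was ever part of the comparison.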

in reply to Sylvia

To make the issue worse, F-Droid publishes a web page to state the result of their reproducible build. However, this page does not differentiate at all between these very different situations, just look:

verification.f-droid.org/packa…
verification.f-droid.org/packa…

(MBCompass is checked against the upstream APK, Catima is not).

Requests to make this difference obvious have been ignored and dismissed.

(2/4)

Another issue is that F-Droid's system is overly tightly integrated into fdroidserver, making it hard for third parties to set up their own builder, meaning no third party currently exists to confirm the results. We have to trust F-Droid's word that F-Droid is doing it all correctly.

This is why I strongly prefer IzzyOnDroid's system, which always compares to the developer's build, also has an independent builder (shields.rbtlog.dev/) and is easy to set up (codeberg.org/IzzyOnDroid/rbuil…).

(3/4)

Don't get me wrong: I am glad F-Droid has a Reproducible Build system like IzzyOnDroid, I just really wish they were more clear and honest in their communication so people can tell what level of guarantee they are offering per app: actual reproducibility, or basic consistency of their build. And I wish they would take feedback more seriously.

(There are a few more issues, but they are way more minor so I left them out for simplicity's sake)

(4/4)