The part about Signal is inaccurate. Signal actually offers reproducible builds on their website; they don't want to publish on F-Droid at this time precisely because it wouldn't be signed by their own key, but by F-Droid's, which would now just add one more party who would have to be trusted.
> they don't want to publish on F-Droid at this time precisely because it wouldn't be signed by their own key
Actually, developers can sign with their own key if the build is reproducible (in an F-Droid build system), and F-Droid would have no issues with distributing this app.
Yes, F-Droid builds it itself. Then it compares with your build minus the signature. If it's the same, it publishes with your signature. No need for any private key handling.
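The check described in the comment above, "compare with your build minus the signature", as an added illustration that is not part of this thread and is not F-Droid's own verification tooling: two APK-like zip archives are compared entry by entry, ignoring only the JAR-style (v1) signature files under META-INF/, so that a developer-signed package and an independently rebuilt unsigned package either match or the differing entries are named. The sample archives, package name and bytes are constructed inline; a real check would run on the rebuilt and published APK files.

```python
import hashlib
import io
import zipfile

# Entries that JAR (v1) signing adds to an APK. They are the only difference
# expected between an unsigned reproducible rebuild and the developer-signed
# package, so they are excluded from the comparison.
SIGNATURE_PREFIX = "META-INF/"
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")


def is_signature_entry(name):
    """True for META-INF signature/manifest entries, False for everything else."""
    return name.startswith(SIGNATURE_PREFIX) and name.upper().endswith(SIGNATURE_SUFFIXES)


def content_digests(apk_bytes):
    """Map each non-signature entry name to the SHA-256 of its uncompressed bytes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_builds(rebuilt_apk, published_apk):
    """Return (matches, differing_entries); entries present in only one side count as differing."""
    rebuilt = content_digests(rebuilt_apk)
    published = content_digests(published_apk)
    names = sorted(set(rebuilt) | set(published))
    diffs = [n for n in names if rebuilt.get(n) != published.get(n)]
    return (not diffs, diffs)


def make_apk(entries):
    """Constructed sample: build an in-memory zip from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample content standing in for a real app's files.
APP_CONTENT = {
    "AndroidManifest.xml": b"<manifest package='org.example.app'/>",
    "classes.dex": b"dex\n035\x00constructed-sample-bytecode",
    "res/values/strings.xml": b"<resources/>",
}
# Constructed stand-ins for the files a v1 JAR signature adds.
SIGNATURE_FILES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82constructed-pkcs7-blob",
}

REBUILT = make_apk(APP_CONTENT)                               # unsigned rebuild
PUBLISHED = make_apk({**APP_CONTENT, **SIGNATURE_FILES})      # developer-signed, same content
TAMPERED = make_apk({**APP_CONTENT,                           # signed, but classes.dex differs
                     "classes.dex": b"dex\n035\x00something-else",
                     **SIGNATURE_FILES})

if __name__ == "__main__":
    print("published matches rebuilt:", compare_builds(REBUILT, PUBLISHED))
    print("tampered matches rebuilt:", compare_builds(REBUILT, TAMPERED))
```

This models only v1 (JAR) signing, where the signature lives in zip entries; APK v2/v3 signatures are stored in the APK Signing Block outside the zip entries, which this constructed example does not model. Comparing per-entry digests rather than raw archive bytes also sidesteps zip-header differences such as timestamps, which is why the rebuilt and signed archives above compare equal despite being separate files.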
How hard have the Signal people tried? The article specifically says that a reproducible build could be signed by the originator:
>If Signal would be built reproducibly, everyone including F-Droid could check whether the app has been built straight from its source code and could then include it in F-Droid’s store
It’s not really a matter of “trying”. Signal’s issue has always been that regardless of reproducible builds, the packages served by F-Droid are signed by F-Droid, not the developer (Signal, in this example). I’m not sure what they could do on their end to change that practice from F-Droid.
Judging by Signal's history of apathy and hostility towards other open source projects and distributions, my guess would be "they haven't tried at all".
This attitude is tiring. F-Droid is fine and appreciated, but I really wouldn't want anything critical (say a journalist or whistleblower) to depend on it. If you have to depend on F-Droid doing builds, there are no guarantees (it's all best-effort). Firefox and its flavours are routinely outdated. Firefox Klar (Focus) was outdated for six months because they couldn't build it. Now, let's say that F-Droid is poor and run by hobbyists, and upstream ought to do better FOSS builds. Even with that, they don't even have the bandwidth to serve packages. They have one main server which is routinely swamped. It's a struggle to download anything from F-Droid reliably. They added mirrors recently, but the main server is still the bottleneck without which the mirrors are useless.
So a journalist or whistle-blower should use Play Store instead? You can put any repository you want on F-Droid and it'll alert you when there are new updates; that's much better than just having the APK.
> Firefox klar(focus) was outdated for six months because they couldn't build it.
A build that can't be reproduced is also a security threat.
>So a journalist or whistle-blower should use Play Store instead?
Of course. There is nothing wrong with the play store per se in this context other than it not being FOSS.
>A build that can't be reproduced is also a security threat.
No. That's not the issue. F-droid has its own requirements which basically boil down to building software in their own debian VM with no/limited external software. That's an orthogonal engineering issue unrelated to security outside this narrow scope. There is a lot of upstream software that cannot be 'built' by f-droid. It can demonstrably be built if you follow the upstream's README.
> There is nothing wrong with the play store per se in this context other than it not being FOSS.
Well, the store itself isn't free software. But the software it distributes also isn't free software and is many times crapware/malware, without any human review. F-Droid has "AntiFeatures" tags on applications, and while these could be better, they're already more informational for end-users than blindly downloading/running programs: https://f-droid.org/wiki/page/Antifeatures
Then, there's also the problem that Google Play Store relies on Google Play Services. So if you don't want to install Google's universal backdoor on your phone (which Google used last year to push silent config updates on some phones, wtf?) you can't use that. Or you have to use F-Droid to set up a Play Store scraper such as Yalp or Aurora.