A post from the developer of WireGuard on the severe security flaws and lack of trustworthiness of F-Droid:
https://gitlab.com/fdroid/fdroiddata/-/issues/3110#note_1613430404
This led to them including a self-update system which was openly implemented and documented. F-Droid was unaware they'd shipped it for half a year, and by then WireGuard had essentially escaped from in their words being held hostage by F-Droid.
This was a rare case where an app used developer signing keys via their flawed reproducible builds system. Most don't.
GrapheneOS
npub1kw…se0nj
2025-01-27 15:09:30 UTC
Author Public Key
npub1kwarc5z9lwhen05uknd2nuwhhthd4ws0cku3t9j3rchm0fcd6luslse0njPublished at
2025-01-27 15:09:30 UTCEvent JSON
{
"id": "6dff816590d43c8d27d6cb4675dac32c1d13df3855f55ccf9c39097a0f55d9d9",
"pubkey": "b3ba3c5045fbaf99be9cb4daa9f1d7baeedaba0fc5b91596511e2fb7a70dd7f9",
"created_at": 1737990570,
"kind": 1,
"tags": [
[
"proxy",
"https://grapheneos.social/@GrapheneOS/113900949999725460",
"web"
],
[
"proxy",
"https://grapheneos.social/users/GrapheneOS/statuses/113900949999725460",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://grapheneos.social/users/GrapheneOS/statuses/113900949999725460",
"pink.momostr"
],
[
"-"
]
],
"content": "A post from the developer of WireGuard on the severe security flaws and lack of trustworthiness of F-Droid:\n\nhttps://gitlab.com/fdroid/fdroiddata/-/issues/3110#note_1613430404\n\nThis led to them including a self-update system which was openly implemented and documented. F-Droid was unaware they'd shipped it for half a year, and by then WireGuard had essentially escaped from in their words being held hostage by F-Droid.\n\nThis was a rare case where an app used developer signing keys via their flawed reproducible builds system. Most don't.",
"sig": "3460bb6ec8e7da54bf6834231663f113653096142462888d2af20c5efcc5e75780ad60e29b03ee465c91cf6a846b1e20ce7f929e7d803820cc6083a6ae9c6975"
}