
Additionally, I'm pretty sure it's trivial to verify the APKs that Google Play serves are identical to the ones the devs published.


That's not the interesting question. How easy is it to verify that the APKs are built from the published source code, without any added funny business?

The F-Droid devs put a lot of work into reproducible builds. Not all software complies, but with an interest in information security there's no excuse not to.

That's the use case of F-Droid, and comparing it to self publishing APKs without even as much as a GPG signature is so beside the point it borders on deceptive.



That blog post is deceptive. Their instructions only reproduce the Java part, which is pretty easy to do. But Signal requires libraries written in C (aka "native code"), and they do not have that building reproducibly. The only Android messenger really doing reproducible builds is Briar.
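The check these two comments describe, a local build compared against the store copy with the signing block ignored, as an added Python example that is not F-Droid's, Signal's or the blog post's own tooling; the two APKs are constructed in-memory fixtures and the library name libnative.so is a placeholder:

```python
"""Compare a locally built APK with a published one, ignoring signer output,
the way a reproducible-build verification does. Added example; the APKs
below are constructed fixtures, not real builds."""
import hashlib
import io
import zipfile

# Entries written by the signer legitimately differ between an unsigned
# local build and the store copy, so the comparison skips them.
SIGNING_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", ".MF")


def _is_signing_entry(name):
    return name.startswith("META-INF/") and name.endswith(SIGNING_SUFFIXES)


def entry_digests(apk_bytes):
    """Map entry name -> SHA-256 of its uncompressed contents."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or _is_signing_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(local_bytes, published_bytes):
    """Report entries missing on either side and entries whose bytes differ."""
    local = entry_digests(local_bytes)
    published = entry_digests(published_bytes)
    changed = [n for n in local if n in published and local[n] != published[n]]
    return {
        "only_local": sorted(set(local) - set(published)),
        "only_published": sorted(set(published) - set(local)),
        "changed": sorted(changed),
    }


def build_apk(entries):
    """Constructed fixture: an APK-like zip built from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: the Java side (classes.dex) reproduces, the native
# library (placeholder name) does not, and the store copy carries a signature.
LOCAL = build_apk({"classes.dex": b"dex-A", "lib/arm64-v8a/libnative.so": b"elf-build-1"})
PUBLISHED = build_apk({"classes.dex": b"dex-A", "lib/arm64-v8a/libnative.so": b"elf-build-2",
                       "META-INF/CERT.RSA": b"sig", "META-INF/CERT.SF": b"sf",
                       "META-INF/MANIFEST.MF": b"mf"})
```

Running compare_apks(LOCAL, PUBLISHED) reports only the native library as changed, which is exactly the gap a Java-only reproducibility check would miss.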


There is nothing wrong with F-Droid. The problem isn’t that F-Droid is toxic. People can disagree without either side being at fault... is a point I am at pains to make in this thread.


Tell that to the VLC developers.


Not interested. I'm not litigating F-Droid and don't need to. F-Droid advocates, and some F-Droid critics, disagree: if F-Droid is implicated in an argument, we must fully adjudicate all its pros and cons. No, that's not how the world works. I'm sufficiently well informed about F-Droid to know --- and I mean this in a benign sense, the same way I feel about OCaml or slab allocator design --- that I don't care.


What kind of monster doesn't care about slab allocator design?


That one, presumably.


But that's not the argument the author makes. He is worried about the apps getting compromised at the platform level.


That's a security concern he feels he can address for himself if Signal is made available to him on F-Droid. But for the overwhelming majority of Signal users, there isn't even in theory a security benefit, because they're exposed to their platform vendor no matter what Signal does.

Signal has decided --- sensibly, I think! --- to focus on the needs of the "normie" users. DeVault disagrees with that decision. He is welcome to do so, but it was Signal's decision to make, not his.


He is indeed welcome to do so. It is perfectly rational for him to choose some other software.

It's far from something that warrants a character assassination. Specifically, it's not something "clownish" that we should be "ashamed" to have on the front page. We get the community we deserve.


Please read what I wrote more carefully. Him wanting to use different software isn't clownish. I respect the prerogative of the phone sysadmins.

Him saying that Moxie Marlinspike is untrustworthy because of a disagreement, and then urging people to use Matrix --- that's a clownish argument. And it is the bulk of his argument, paragraph by paragraph: all the reasons why the only rational reason anyone could disagree with Drew DeVault is if they are sneakily trying to screw people over.


Literally nowhere in the article does he say that. The article presents two main arguments why the author chooses not to use Signal (and that by extension, other people with the same interest should do the same), that it requires Google services with root privileges, and that it doesn't federate or interoperate. There are no personal attacks on Signal's author, the author presents his reasons in a fairly objective light, so there should be no reason to chastise him.



