I wonder which of F-Droid or individual projects' GitHub profiles are more likely to be used in a supply chain attack. How does one mitigate against that from either source?
Replies (1)
Thing is, F-Droid uses the same GitHub source. So a compromised project will simply affect everyone. On the other hand, F-Droid could maliciously point to a different cloned compromised repo and the end user wouldn't even know. So it's still best to take out the middleman and know you're updating from the official repo and not a different unofficial clone.
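One way to act on the reply's advice (trust a pinned publisher key rather than the distribution channel), added here as an example and not taken from the post: the script wraps `apksigner verify --print-certs` from the Android build-tools and refuses an APK whose signing certificate digest does not match a fingerprint you recorded earlier from a release you trust. The pin values and the `verify_apk`/`pin_matches` helper names are placeholders of my own.

```python
"""Pin an APK's signing certificate before sideloading or updating it.

Hypothetical helper (not from the forum post): parses the output of
`apksigner verify --print-certs` and accepts the APK only when at least one
signer is present and every signer matches a previously recorded digest.
"""
import re
import subprocess
import sys

# Placeholder pins: record these yourself from a known-good APK, one set per
# distribution source, because F-Droid re-signs most builds with its own key.
TRUSTED_SIGNER_SHA256 = {
    "github-release": {"<SHA-256 of upstream developer cert goes here>"},
    "f-droid": {"<SHA-256 of F-Droid's signing cert goes here>"},
}

# apksigner prints one such line per signer, e.g.
# "Signer #1 certificate SHA-256 digest: 5f3b...".
DIGEST_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.M
)


def signer_digests(apksigner_output: str) -> list[str]:
    """Return every signer's certificate SHA-256 as lower-case hex."""
    return [d.lower() for d in DIGEST_RE.findall(apksigner_output)]


def pin_matches(apksigner_output: str, trusted: set[str]) -> bool:
    """True only if a signer was found and all signers are in the pin set."""
    found = signer_digests(apksigner_output)
    trusted_lc = {t.lower() for t in trusted}
    return bool(found) and all(d in trusted_lc for d in found)


def verify_apk(path: str, source: str) -> bool:
    """Run apksigner on the file and check its signer(s) against the pins."""
    out = subprocess.run(
        ["apksigner", "verify", "--print-certs", path],
        capture_output=True, text=True, check=True,
    ).stdout
    return pin_matches(out, TRUSTED_SIGNER_SHA256[source])


if __name__ == "__main__":
    # usage: python pin_apk.py app.apk github-release
    ok = verify_apk(sys.argv[1], sys.argv[2])
    print("signer pin OK" if ok else "signer pin MISMATCH: do not install")
    sys.exit(0 if ok else 1)
```

F-Droid re-signs most apps with its own key (only reproducible builds keep the developer's signature), so a pin recorded from a GitHub release will not match the F-Droid build of the same app; keep one pin set per source, as the placeholder table does.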