Heads up to all #Riot users: with the recent attack on @matrix' infrastructure, it's possible that Riot's Google Play version got compromised. This doesn't affect Riot's F-Droid version. Just as Riot started to do now, F-Droid has always signed all its apps on an inaccessible, offline machine. For more information, see https://riot.im/reinstall
To avoid maintenance overhead, however, it's likely to happen that F-Droid users must also change the app in the near future. Still, there's no need to act now.
@robin @fdroidorg only signs what it has built itself from the source code. And yes, signing is a manual step here. But that doesn't prevent you from going to fishysite.com and loading some malicious APK of some (other) app, no 😉
@robin that's one of the core features! We only allow apps that are fully open source (i.e. no proprietary components), so we can build them from the source and you (the users) know "what's inside". This also means everyone can review the code and deduce from that to the APK. And a potential security audit would also tell how secure the app you install is. No trackers in the code = no trackers in the app, etc. pp.