Scenario: One of my apps relies on an external JAR, which I also maintain. It is not on Maven Central but the source code is in a GitLab repository. I have set up a pipeline which builds the JAR after every push and uploads it to the project’s Maven package registry on GitLab. Gradle/Maven are configured to pull the dependency from there.
Would that setup satisfy F-Droid’s requirements regarding building everything from source/not including any unverifiable blobs?