However this highlighted to me the very real risk of code updates not being properly reviewed before accepting them, and made me wonder why this wasn’t picked up by F-Droid before packaging and publishing as well? I don’t know the processes you follow, but I’m interested to understand please.
It is racist, but not everything can be checked that way. Moreover, the user came across this when he/she saw this in reality.
The code scanning is mostly on privacy, security, vulnerabilities, etc. This is more on what someone as a human will find as wrong. The words were jammed together there.
However, to cut it short, that is why we have open source stuff. Good it got caught by a human.
Thanks for replying. You’re right, in this case it was caught - I caught it too, but I wasn’t the first. It’s definitely a plus for open source that we can see the code that causes it, however in this case the detection method was usage rather than code inspection, so open source didn’t provide any benefit in detection.
Looking more broadly than this specific incident, I know that F-Droid does various checks on software to reveal anti-features etc., and even to decide whether or not to include it in the repo. I believe sometimes changes are even made to code to make the apps suitable for F-Droid. Obviously this malicious change slipped through F-Droid’s checks, possibly because F-Droid puts a certain amount of trust in the app developer to check the merges that they receive from others?