It’ seems a kind of trust colision. RikkaApps do not trust fdroid and fdroid do not trust RikkaApps.
I fully support this thinking! I think it’s Important to have a solution that acknowledge this and find a way to work that way. In my opinion this thinking should be the base on as many as possible OpenSource apps.
Trust is good control is better.
I’m not sure If I see it right but may the problem could be solved if RikkaApps and fdroid could create a Reproducible build.
If the content of the source code does not have to be modified by fdroid. Then a Reproducible Build should be possible?
If so, and fdroid could verify that the File from GitHub and the file from fdroid is identical. It should not be a problem.