Source tarball may not contain all the source code (srclibs)

When I download the source tarball of my app, the archive contains only files from the app repository and not other used srclibs. I understand that we trust the well known repositories for jars with sources (I guess that author of an artifact isn’t allowed to publish an update under same version, right?) but what about srclibs, are they snapshotted anywhere?

My app currently uses a popular library from GitHub but I already forked that library to include a few patches. I could include some malicious code and overwrite the repo after F-Droid finishes the build so no one would see that source code. One could probably even serve some malicious version of a repo only to F-Droid build server.

1 Like

Your scenario doesn’t make any sense. If you fork something and then change it in your workspace, you have to push what you changed into the upstream, or make a pull request, so that your change is included.
Fdroid will not access and include your fork, but your upstream.

I do not have to push changes to upstream. F-Droid will probably gladly accept my fork with patches. Just like these srclibs:


Even when the srclib won’t be forked, what prevents the lib author to overwrite git history, especially for smaller repositories which no one tracks/clones?


So, based on the linked issue, am I to understand that six years ago F-Droid knew that some of the source tarballs didn’t contain all of the source code necessary to build the APKs and they just closed the bug report without fixing it?

The workflow changed in the meantime? Mmmkay…

The last comment on the bug was “As discussed, this is not a proper fix to the problem. Closing for now.” So, if the proposed fix was not the proper fix and the bug was just closed, was some other fix implemented that isn’t reflected in this bug report? Or has it just sat this way for the past six years?

1 Like

I guess no one got around to fix it, yes, you know how things work :expressionless:

1 Like

That is pretty concerning. Are there any other significant bugs in F-Droid that were closed without being fixed?

1 Like

For everyone to have:

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.