When I download the source tarball of my app, the archive contains only files from the app repository and not other used srclibs. I understand that we trust the well known repositories for jars with sources (I guess that author of an artifact isn’t allowed to publish an update under same version, right?) but what about srclibs, are they snapshotted anywhere?
My app currently uses a popular library from GitHub but I already forked that library to include a few patches. I could include some malicious code and overwrite the repo after F-Droid finishes the build so no one would see that source code. One could probably even serve some malicious version of a repo only to F-Droid build server.
Your scenario doesn’t make any sense. If you fork something and then change it in your workspace, you have to push what you changed into the upstream, or make a pull request, so that your change is included.
Fdroid will not access and include your fork, but your upstream.
Even when the srclib won’t be forked, what prevents the lib author to overwrite git history, especially for smaller repositories which no one tracks/clones?
So, based on the linked issue, am I to understand that six years ago F-Droid knew that some of the source tarballs didn’t contain all of the source code necessary to build the APKs and they just closed the bug report without fixing it?
The last comment on the bug was “As discussed, this is not a proper fix to the problem. Closing for now.” So, if the proposed fix was not the proper fix and the bug was just closed, was some other fix implemented that isn’t reflected in this bug report? Or has it just sat this way for the past six years?
