When I download the source tarball of my app, the archive contains only files from the app repository and not the other srclibs it uses. I understand that we trust the well-known repositories for jars with sources (I guess that the author of an artifact isn't allowed to publish an update under the same version, right?), but what about srclibs: are they snapshotted anywhere?
My app currently uses a popular library from GitHub, but I have already forked that library to include a few patches. I could include some malicious code and overwrite the repo after F-Droid finishes the build, so that no one would see that source code. One could probably even serve some malicious version of a repo only to the F-Droid build server.