For a crypto wallet it seems extremely dangerous to use a custom repo. What if one day it pushes a hacked version with the same signature and it takes all the money?
For this use case I’d consider only from F-Droid, the only way it can be sure it matches the published source code.
Those repos are maintained by the developers of the Monero wallet. So, if they were going to do that, they would also be able to push the malware version to the F-Droid repo as well, because the signatures would match the developers.
The F-Droid repository has only apps built by F-Droid itself using the published source code, while a private repo could have a binary that doesn’t match the source.
There might be a financial incentive for someone to hack the dev, steal their signing keys, silently add a timebomb that at a specific time would send the whole content of the wallet to a specific Monero address, and replace the APK after a new release is added. Nobody would notice until too late.
Difficult hack but not impossible.
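As an added example (not part of the thread, and not F-Droid's or the wallet project's own tooling): a content-level check for the mismatch discussed above, comparing an APK taken from a repo against one rebuilt from the published source while ignoring the signing files. It assumes the app builds reproducibly; the function names are illustrative and the sample APKs are constructed in memory.

```python
import hashlib
import io
import re
import zipfile

# v1 (JAR) signing files. v2/v3 signatures live in the APK Signing Block,
# outside the zip entries, so zipfile never returns them.
SIGNATURE_ENTRY = re.compile(r"^META-INF/([^/]+\.(SF|RSA|DSA|EC)|MANIFEST\.MF)$")


def content_digests(apk_bytes):
    """Map each non-signature entry name to the SHA-256 digests of its contents."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if SIGNATURE_ENTRY.match(info.filename):
                continue
            # A list per name keeps duplicate entry names instead of overwriting.
            digest = hashlib.sha256(apk.read(info)).hexdigest()
            digests.setdefault(info.filename, []).append(digest)
    return digests


def diff_apks(published, rebuilt):
    """Return sorted names of entries that were added, removed or changed."""
    a, b = content_digests(published), content_digests(rebuilt)
    return sorted(name for name in a.keys() | b.keys() if a.get(name) != b.get(name))


def make_apk(entries):
    """Build a constructed stand-in APK (a plain zip) from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in entries.items():
            archive.writestr(name, data)
    return buf.getvalue()


# Constructed sample data: a source build, the same content with developer
# signing files added, and a copy whose code differs from the source build.
CODE = {"classes.dex": b"wallet code v1", "res/layout.xml": b"<layout/>"}
SIGNING = {"META-INF/MANIFEST.MF": b"digests", "META-INF/DEV.SF": b"sig",
           "META-INF/DEV.RSA": b"cert"}
SOURCE_BUILD = make_apk(CODE)
SIGNED_SAME = make_apk({**CODE, **SIGNING})
SIGNED_DIFFERENT = make_apk({**CODE, **SIGNING, "classes.dex": b"other code"})

if __name__ == "__main__":
    print("matching release:", diff_apks(SIGNED_SAME, SOURCE_BUILD))
    print("differing release:", diff_apks(SIGNED_DIFFERENT, SOURCE_BUILD))
```

An empty result only says the entry contents match; a full reproducibility check also compares the archive metadata.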