>>pabs3+(OP)
While none of that applies to F-Droids primary use case (the primary F-Droid repo builds all apps from source itself), it nonetheless looks like they failed to correctly handle the issue.
The only reason this didn't turn into a disaster was pure luck.
>>kuschk+X8
Yeah that's the big benefit of F-Droid, reproducible builds. It builds directly from github. I like that aspect of it a lot, it adds a lot of security that other app stores don't have.