Regardless of the fact that builds are reproducible, F-Droid has infrastructure. How is that infra secured? How are the servers that store signing keys secured? How are the build servers accessed? How is the access secured?
Okay, so the builds are reproducible -- is someone maintaining a concurrent system that verifies reproducibility and provides notification of a collision when things don't match up with built and served binaries?
Regardless of the fact that builds are reproducible, F-Droid has infrastructure. How is that infra secured? How are the servers that store signing keys secured? How are the build servers accessed? How is the access secured?
Okay, so the builds are reproducible -- is someone maintaining a concurrent system that verifies reproducibility and provides notification of a collision when things don't match up with built and served binaries?