policy for handling in-app updaters (with reproducible builds)
With RB, in-app updaters can update apps from other sources than F-Droid.
AFAIK on recent versions of Android that support the new APIs this might happen without the user having to confirm the update (or even knowing an update was installed).
This means that users may get updates they never expected, from a source they did not expect -- or consent -- to get updates from.
When I install an app from F-Droid I expect to get updates from F-Droid, not an in-app updater I may not even realise is enabled (or even exists).
At best, this is merely confusing for users.
But such updates could include proprietary dependencies or otherwise violate the F-Droid inclusion policy (which cannot be picked up by the scanner since the update did not go through F-Droid).
So I think we should have a policy on how to handle this.
I propose we mandate that in-app updaters must either be disabled, or at the very least opt-in (with actual meaningful consent, so it can't be e.g. the default setting in a welcome screen that users are likely to accept without reading).
cc @TheLastProject @eighthave @licaon-kter @linsui @IzzySoft