cSploit downloads 3rd party "core" -- can find no information about this!
Upon installing and running cSploit (org.csploit.android), I am told:
Core version 1.0.11 is available, do you want to upgrade?
Then, when selecting "Yes", the download of
I have no idea what is being downloaded here. A quick check on the gateway would appear to show it coming from github; i.e., a 3rd-party source, outside of the control of f-droid. The cSpoit page in the repo does not mention this behaviour, nor does the wiki page.
It seems to me that what is going on here is inherently unsafe. Unless I am mistaken (and I hope that I am), it seems that an f-droid app, upon first execution, downloads 3rd-party content which may contain executable code, and it may execute it.
I was not under the impression that this was permissible. In particular, that an app
- could, as a prerequisite of its operation, download, install and/or execute 3rd-party content,
- could offer to upgrade from a 3rd party source
At the very least, there should be some mention of this on the app page, along with an explanation as to why -- if it is -- this behaviour is acceptable from the point-of-view of security and trust.
If I have misunderstood the situation, then I apologise for the noise.