From a738834e00b4978ee214dd17efb4c3d7f16d98df Mon Sep 17 00:00:00 2001
From: Friendly Rabbit <169707731+friendly-rabbit-35@users.noreply.github.com>
Date: Tue, 9 Jul 2024 09:16:44 -0700
Subject: [PATCH] Embed link to relevant section of PrivSec post on FLOSS
 Security

Signed-off-by: Friendly Rabbit <169707731+friendly-rabbit-35@users.noreply.github.com>
---
 content/posts/android/F-Droid Security Issues.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/posts/android/F-Droid Security Issues.md b/content/posts/android/F-Droid Security Issues.md
index cdd4807..78de3e1 100644
--- a/content/posts/android/F-Droid Security Issues.md	
+++ b/content/posts/android/F-Droid Security Issues.md	
@@ -25,7 +25,7 @@ Normally, the developer is supposed to sign their own app prior to its upload on
 
 On the other hand, the Play Store now manages the app signing keys too. [Play App Signing](https://developer.android.com/studio/publish/app-signing#app-signing-google-play) is required for app bundles which are, in turn, required for new apps since August 2021. These signing keys can be uploaded or automatically generated, and are securely stored by the [Google Cloud Key Management Service](https://services.google.com/fh/files/misc/security_whitepapers_march2018.pdf). It should be noted that the developer still has to sign their app with **an upload key** so that Google can verify its authenticity before signing it with the app signing key. For apps created before August 2021 that may have [not opted in Play App Signing](https://developer.android.com/studio/publish/app-signing#opt-out) yet, the developer still manages the private key and is responsible for its security, as a compromised private key can allow a third party to sign and distribute malicious code.
 
-A common refrain used to argue for F-Droid is the claim that the Play Store is filled with malicious apps. Saying this is beside the point, though, as F-Droid's "quality control" offers **close to no guarantees**. Having access to the source code doesn't mean it can be easily reviewed. As such, users should not think of the F-Droid main repository as free of malicious apps, yet unfortunately many are inclined to believe this.
+A common refrain used to argue for F-Droid is the claim that the Play Store is filled with malicious apps. Saying this is beside the point, though, as F-Droid's "quality control" offers **close to no guarantees**. Having access to the source code [doesn't mean it can be easily reviewed](https://privsec.dev/posts/knowledge/floss-security/#reverse-engineering). As such, users should not think of the F-Droid main repository as free of malicious apps, yet unfortunately many are inclined to believe this.
 
 > But... can't I just trust F-Droid and be done with it?
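
Review bot: The new link on the `+` line points at the fragment `#reverse-engineering`, but the linked text is "doesn't mean it can be easily reviewed", so please confirm that this section of the FLOSS Security post actually supports the claim about source review rather than a neighbouring point. A fragment link also fails silently: if that heading is ever renamed, the link still resolves but lands at the top of the post. If the post lives in this same repository, a site-relative or generator-checked reference would catch such a break at build time, where the absolute `https://privsec.dev/...` URL would not. The commit message has only a subject line, and a one-sentence body saying why this section was chosen would help later readers.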