mirror of
https://github.com/f-droid/fdroidclient.git
synced 2026-04-23 00:10:50 -04:00
Two repositories can (and always could) end up with the same exact .apk file. If that .apk is the "suggested version", then we should eliminate the idea of "suggested version code" and instead have a "suggested apk" (which implicitly includes the repository it comes from, so we choose the one with the better priority). Right now, we kind of assume that it doesn't matter which repo provides the suggested apk, as long as one of them has an .apk with the correct version code and signing key. It shouldn't _particularly_ matter from a security perspective, because a malicious repo won't be able to trick a user into installing an apk with a different signing key, but it would be good to iron this out. This commit adds a TODO explaining this for the benefit of any CRer.