Updated by Denis 'GNUtoo' Carikli over 1 year ago
To download APKs and maintain them, I've written https://git.replicant.us/replicant-next/vendor_f-droid/tree/ from scratch.
While it works, the design of https://github.com/phhusson/vendor_foss looks way better, as it can parse the F-Droid repository to get the latest APKs, and it seems that it can even generate Android.mk for the individual applications.
Adding GPG verification should be trivial, and adding the ability to get the APK source code as well (#2251) could be easier with it.
As the code is a bit more complex, we might also want to verify that everything is safe with vendor_foss.
PS: Note that I don't know yet how to avoid vulnerabilities when writing shell applications, other than not using any data that comes from the network or other untrusted sources in variables. I probably need to find some documentation on how to properly quote variables and so on, to make sure we don't introduce issues in Replicant releases through unsafe parsing of network data. Example of such a vulnerability: http://www.openpma.org/gen4/Main_Page/
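An added example, not code from the vendor_f-droid or vendor_foss repositories, showing the pattern the comment above is looking for: handling fields from a downloaded repository index in POSIX sh without letting them influence the script's own command lines. The index format (`package|filename|sha256`, one entry per line) and the sample entries are constructed stand-ins for a real F-Droid index. The rules it applies are: validate every untrusted field against a strict character whitelist before use, double-quote every expansion, read lines with `read -r` and an explicit `IFS`, and put `--` before any argument that came from the network so it can never be parsed as an option.

```shell
#!/bin/sh
# Added example: validating and quoting untrusted index data in POSIX sh.
# Not taken from vendor_f-droid or vendor_foss; the index format and the
# sample entries below are constructed for illustration.
set -u

# A package id: only [A-Za-z0-9._], no leading/trailing dot, no "..".
is_safe_package_id() {
    case "$1" in
        ''|.*|*.|*..*) return 1 ;;
        *[!A-Za-z0-9._]*) return 1 ;;
        *) return 0 ;;
    esac
}

# An APK filename: only [A-Za-z0-9._-], ends in .apk, and does not start with
# "-" (would look like an option) or "." (hidden file / "..").
is_safe_apk_name() {
    case "$1" in
        ''|-*|.*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
        *.apk) return 0 ;;
        *) return 1 ;;
    esac
}

# A SHA-256 digest: exactly 64 lowercase hex characters.
is_safe_sha256() {
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# Read "package|filename|sha256" lines from stdin and print only entries whose
# every field passed validation. read -r keeps backslashes literal; IFS='|'
# splits on the delimiter only, so spaces inside a field stay in that field.
# Rejected entries are reported by line number, not by content, so that
# untrusted bytes never reach the terminal.
parse_index() {
    n=0
    while IFS='|' read -r pkg apk sha256 _rest; do
        n=$((n + 1))
        [ -n "$pkg" ] || continue
        if is_safe_package_id "$pkg" && is_safe_apk_name "$apk" \
           && is_safe_sha256 "$sha256" && [ -z "$_rest" ]; then
            printf '%s %s %s\n' "$pkg" "$apk" "$sha256"
        else
            printf 'rejected index entry on line %d\n' "$n" >&2
        fi
    done
}

# Compare a downloaded file against the digest the index promised. Both values
# are passed as separate arguments, never pasted into a string that the shell
# re-parses, and "--" stops the checksum tool from reading the name as a flag.
verify_checksum() {
    file=$1
    expected=$2
    is_safe_sha256 "$expected" || return 1
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum -- "$file") || return 1
    else
        actual=$(shasum -a 256 -- "$file") || return 1
    fi
    actual=${actual%% *}
    [ "$actual" = "$expected" ]
}

# Constructed sample index. Line 2 has a filename that starts with "-", line 3
# has a filename containing a space and ";" plus a malformed digest. With
# unquoted expansions such values would be word-split or taken as options;
# here they are rejected before any command sees them.
SAMPLE_INDEX='org.example.app|org.example.app_12.apk|5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
org.example.other|-rf.apk|0000000000000000000000000000000000000000000000000000000000000000
org.example.bad|evil name;touch x.apk|not-a-digest'

# The accepted entries from the sample index, one per line.
accepted_entries() {
    printf '%s\n' "$SAMPLE_INDEX" | parse_index 2>/dev/null
}

# Demo: write a file whose content ("hello\n") matches the first entry's
# digest, then check every accepted entry against the files on disk.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'hello\n' > "$dir/org.example.app_12.apk"
    accepted_entries | while read -r pkg apk sha256; do
        if verify_checksum "$dir/$apk" "$sha256"; then
            printf 'OK   %s (%s)\n' "$pkg" "$apk"
        else
            printf 'FAIL %s (%s)\n' "$pkg" "$apk"
        fi
    done
    rm -rf -- "$dir"
}

demo
```

The digest on the first sample line is the SHA-256 of the literal content `hello` followed by a newline, which is what `demo` writes, so the first entry reports `OK` while the other two never reach the checksum step. The same shape (whitelist, quote, `--`) applies when the validated filename is later handed to `curl`, `cp` or `gpgv`; the only thing a field is ever allowed to be is one argument.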