I am working on a very similar project (decentralized app distribution on Android) called SkyDroid (https://skydroid.app/), with the difference that it is based on Sia Skynet (a Filecoin/IPFS competitor) and uses the DNS system for global app discovery - so for example the SkyDroid app itself is available on the skydroid.app domain inside of it. I'm curious about how they will try to solve the discovery issue, because if they just have one global decentralized pool of apps, it will be very hard to ensure that no malicious apps get in. But if they keep it a central repository of apps trusted by F-Droid by default, there's not really much decentralization going on. Most developers would still publish their apps in the main repo directly.
We're taking a hybrid approach right now, where we incorporate IPFS support into our working stack. Then we can transition more and more to IPFS as it proves mature enough to replace the more centralized methods.
> it will be very hard to ensure that no malicious apps get in
Well, isn't the whole idea of F-Droid that the app can be built from the source that is available and the build checksum will match the source from anyone? Sure, there can be malicious code, but code for that malicious code will also be available publicly.