Federated network of F-Droid repositories

F-Droid is growing and that is awesome. But one day it will be too big to be easily sustainable without significant effort and resources. To avoid this problem, F-Droid service should be distributed to many providers, so each provider's server can be small enough to be easily maintained.

Now, it is relatively easy to add additional repository to F-Droid. I propose to enhance this feature and build federated network of F-Droid repositories.

Each repository should be standalone repository as it is now, but it should be easier for a user to add a new repository just by scanning app QR code containing both app ID and repository URL.

Since there will be a lot of repositories, user must know that this particular provider is trustworthy. This can be done the same way as GPG works -- web of trust. One repository could sign a public key of another repository and F-Droid app would show these signatures.

There also may be a new type of repository: meta-repository. Such repository would collect metadata of other repositories and provide search service for users. User will add a foreign repository before installing any app from it, but that is only one additional click to confirm it. Updates would be handled directly as they are now, or via meta repositories, so client does not have to connect everywhere every time.

Both Android and F-Droid use app signing heavily so security should not be a problem as long as there is a mechanism to inform users about dangerous repositories. The client should be able to select prefered repositories and check for which one the app will be installed.