They are now claiming they can't use my patches as-is because of "code quality issues" (private apis). Which... applies to exactly one patch, the one they actually merged 8 months ago.
Because the only way to fix the vulnerability was to monkey-patch androguard (and an updated version is still not available in Debian, nor has the Debian stable fdroidserver package received any patches, despite those packages being maintained by the F-Droid team, so that monkey patch is still needed).
They are also downplaying the impact by insisting this vulnerability is only a problem for third-party repositories relying on fdroidserver, which, even if true, shows a concerning disregard for the security of repositories of other projects relying on fdroidserver.
I have no words to describe how little remaining faith I now have in F-Droid's security and code review processes.