Jolla Store is the safest place to get apps. It it causes issues like this, it drives the devs to OpenRepoa and Chum instead, and that’s not a good thing in the long run…
While it is off-topic, I couldn’t let it slide.
I would argue that Chum is the safest as you have a chance to examine a code from which the package has been generated.
In the case of Jolla Store, packages are checked for installation and tested a bit, but you don’t know whether some kind of evil code would kick in later. For the sake of the argument,
rm -rf ~ could be just behind
if (today() > data_of_submission+5*days). As the testers in the Store do not have code, it is impossible to test for such “nice” feature if they do tests within couple of days after submission.
In practice, we don’t read through the code on Chum submissions either as there is no manpower to do so. But it would be possible to find if some complaints will start coming in.
Chum obviously has more libs under the hood, way more open API that the Store. So, while care has been taken to ensure consistency of the build environment and libs, it is possible that something can go wrong with the apps in some conditions. But I would consider Chum to be rather safe place.
So, as explained above, Chum and Store have different trade-offs in terms of safety which has to be realized. Now, if we could push into the Store submission system directly from Chum builds automatically, you could combine the both advantages as well. Obviously, marking in the Store that the package has been Chum-built as a quality sticker to convey that info to the users.
Sorry for going off-topic.