Edit: @Melco@lemmy.world actually appears to be right, check my comments down below
> This fdroid repo version
How did you find it on F-Droid? What repos do you use?
> contains user tracking telemetry spyware as reported by exodus
Also, what you said there doesn't match the exodus report at all.
You might have confused something and looked at the wrong app.Please only stick to the official sources.
~~The official website for Futo VoiceInput is https://voiceinput.futo.org/.~~The Git repository is located at (their selfhosted GitLab instance) https://gitlab.futo.org/alex/voiceinput. Currently, they don't have an F-Droid release.
I am not affiliated with Futo, I just want to prevent misunderstandings.
I swear I only saw the Google Play link and the APK download link when I check their site like 5 hours ago.
You're actually right, I checked the app from their F-Droid repo and your results appear to be correct. I was really confused when I saw this, as it doesn't make any sense to put trackers in the F-Droid version, but not include them in the Google play version. It's just weird, misleading and confusing. I have no idea what's going on there, and why they made these decisions.
Please be more explicit about the so-called "tracker" reported by exodus here. "Tracker" is a broad term that covers not just actual tracking and ad libraries but also crash detection and error reporting libraries, which can be useful as long as they are opt-in with informed user consent. Without knowing the exact library detected here, and how it is used, one cannot assess whether it is truly spyware or not.
From a cursory glance at the build.gradle I do see ACRA as a dependency here, which is sometimes (mistakenly) considered as a "tracker" but is actually a free software crash reporting library used by many free software Android apps including NewPipe and the F-Droid client itself. A cursory search across the codebase reveals ACRA is not even always enabled (it seems to depend on build configuration) and this dialog appears to be where the user is asked for consent for sharing a crash report.
Of course, Exodus can't tell how a library is used or even if it's used at all, it just sees a scary class name and warns about trackers. It might be useful to check if some proprietary app has suspicious behavior but it is by no means an actual malware scanner.
edit: it doesn't appear Exodus considers ACRA as a "tracker" as it is not included in their list however my point still stands. an Exodus report by itself isn't proof of nefarious activity unless backed up with more concrete evidence e.g. network analysis or source code analysis.
edit 2: I just installed ClassyShark and ran it on NewPipe, and it does show ACRA as a "tracker" however Exodus itselfsays NewPipe has no trackers. ClassyShark has not been updated in over a year so I assume it is using an out of date database. Something like TrackerControl which is more actively updated might be a better alternative.
Maybe they just added it between your comment and mine. After all these things have to be added and updated at some point... maybe we caught the magic moment!