>We worked out a special arrangement so that this server is physically held by a long time contributor with a proven track record of securely hosting services.

Not clear if "contributor" is a person or an entity. The "hosting services" part make it sound more like a company rather than a natural person.

The OSU Open Source Lab gives machines to groups in their datacenter: https://osuosl.org/services/hosting/

It has hosted quite a few famous services.

There is nothing wrong with hosting prod at home. A free and open source project needs to be as sustainable and low maintenance as possible. Better to have a service up and running than down when the funds run out.

> I know self-hosting is held as a point of pride by many, but in my experience you’re still better off putting lower cost hardware in a cheap colo with the contract going to the business entity which has defined ownership and procedures. Sending it over to a single member to put somewhere puts a lot of control into that one person’s domain.

If they really want to run it out of a computer in their living room they should at least keep a couple servers on standby at different locations. Trusting a single person to manage the whole thing is fragile, but trusting a few people with boxes that are kept up to date seems pretty safe. What are the odds they'd all die together? Paying a colo or cloud provider is probably better if you care about more 9s of uptime, but do they really need it?

> one person had the physical server in their basement

Unless you have even the faintest idea about how F-Droid does it, please stop spreading FUD. All the article says is that it is not a normal contract but a special arrangement where one or a select few have physical access. It could be in a locked basement, it could be in a sealed off cage in a data center, it could be a private research area at a university. We don't know.

A special arrangement with an academic institution providing data center services wouldn't be at all surprising, that has been the case for many large open source projects since long before the term was invented, including Linux, Debian and GNU itself.

Many of these are run by professionals with high standards. The Debian project has done pioneering work with reproducible builds, for example, something the F-Droid project is also very much involved with. Those things are what creates trust in the project.

Yup. But the same can happen in shared hosting/colo/aws just as easily if only one person controls the keys to the kingdom. I know of at least a handful of open source projects that had to essentially start over because the leader went AWOL or a big fight happened.

That said, I still think that hosting a server in a member's house is a terrible decision for a project.

Ultimately hosting is not the most critical part as long as backups are stored in places other members of the projects have access to (and one copy could be in their own home, I don't think the f-droid repos have grown to be that big they can't be hosted on commodity NAS).

What is usually more critical is who has the credentials for the domain management.

Is colocation not considered to be "self-hosting" in the cloud era?

It's just a build server no? If that's the case it's not the end of the world.

Or does it also serve the APKs?

400K would go -fast- if they stuck to a traditional colo setup. Donations like this are rare and it may be all they get for a decade.

Personally I would feel better about round robin across multiple maintainer-home-hosted machines.

> a $400,000 grant

IDK if they could bag this kind of grant every year, but isn't this the scale where cloud hosting starts to make sense?