[liberationtech] Proposal for more-trustable code from app stores; comments welcome.
kfogel at red-bean.com
Thu Sep 25 15:48:38 PDT 2014
Nick <liberationtech at njw.me.uk> writes:
>The wonderful F-Droid already does this, as pointed out in the
>article. So it doesn't seem like a proposal so much as an
>explanation of why it's important.
F-Droid does a lot of this. I couldn't find a standard way to get the
exact source snapshot a particular app's build comes from, nor what the build
parameters were, although via the web site the app pages do give release
numbers. They're hard at work on deterministic builds now, apparently,
and I would guess that some of these essentially UI fixes will happen
along with that.
(I don't mean to sound like a complainer: F-Droid is fantastic. I just
hope they'll take it all the way :-) ).
>But to be honest I'm not sure why people who are happy to use a
>completely proprietary mobile computing system would care that much
>about this. They have already voted with their feet that freedom
>(and by extension security and privacy) are not important to them.
>Sure, there may be plenty of people who are ignorant enough of how
>computers actually work to not realise the sacrifices they're
>making, but I don't think this article is targeted for them.
It's about reducing the number of exposure points. With most app
stores, you have to trust the author for each app you have installed,
*and* you have to trust the app store. If you can get that down even to
just having to trust the app store, that's still a win.
One can't just say security and privacy "are" or "are not" important to
someone -- it's a matter of tradeoffs. Different people have different
tradeoffs they want to make; app stores that offer verified open source
apps give them more of a continuum along which to make that decision.