[Community] Trust and Google
Neal H. Walfield
neal at walfield.org
Sun Aug 10 16:06:49 CEST 2014
At Sun, 10 Aug 2014 12:17:54 +0200,
wonderphone at posteo.de wrote:
> > he explicitly
> > distrusts custom ROMs and software repositories other than Google Play.
> > His argument is that he doesn't know anything about the authors
> > and their motives. --> My question: Is this a reasonable point and if
> > yes, what can we do to have a water-tight chain of trust without
> > exposing the private life and secret thoughts of the OpenPhoenux OS
> > developers? I understand that we have signed binaries from signed
> > source code and with the commits from the Git software there should be
> > no gap in the chain. But can we be really sure that the code really
> > does what it is supposed to? Can we really take its harmlessness for
> > granted just because it is open source?
There is a difference between the software authors and the software
distributors. I also only tend to trust well known distributors
(e.g., Debian). As I understand it, it is common to download custom
ROMs for Android from bulletin boards. I would never install one of
those (unless I was analyzing it for exploits).
Also, see this comment from Moxie on distributing TextSecure on Google:

> Google does not have complete control over all updates: I sign all
> APKs with my own code signing key that is kept offline. These
> signatures are enforced by the PackageManagerService on each user's
> device, not by the Play Store itself. The mechanics are very similar
> to TACK (http://tack.io), which is what we're currently advocating for
> the TLS world.
>
> This is in huge contrast to how the bulk of apps on fdroid are
> distributed. Most are not signed by the developers, but by fdroid
> itself, with keys that they keep online. I believe this is a dangerous
> situation, and is one of the primary reasons (along with having to
> enable 3rd party sources) that I don't recommend using fdroid.
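The on-device enforcement Moxie describes, as an added example that is not code from this thread or from Android: an update is accepted only if its signature verifies and its signing key matches the key of the installed package, so a distributor re-signing a build with its own key is refused. Ed25519 stands in for Android's certificate-based APK signing; the keys, payloads and the KeyForLabel helper are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedPackage models what the check needs: APK bytes, signer's key, signature.
type SignedPackage struct {
	Payload   []byte
	SignerKey ed25519.PublicKey
	Signature []byte
}

var ErrBadSignature = errors.New("signature does not verify against the declared key")
var ErrSignerChanged = errors.New("update signed by a different key than the installed package")

// KeyForLabel derives a constructed, deterministic signing key from a label;
// a real developer key would be random and kept offline.
func KeyForLabel(label string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte(label))
	return ed25519.NewKeyFromSeed(seed[:])
}

// Sign builds a package signed by priv, as a developer's release step would.
func Sign(payload []byte, priv ed25519.PrivateKey) SignedPackage {
	return SignedPackage{Payload: payload, SignerKey: priv.Public().(ed25519.PublicKey), Signature: ed25519.Sign(priv, payload)}
}

// CheckUpdate is the on-device policy: the signature must verify and the key
// must be the one that signed the installed version (Android compares signing
// certificates the same way), so a re-signed or altered build is rejected.
func CheckUpdate(installed, update SignedPackage) error {
	if !ed25519.Verify(update.SignerKey, update.Payload, update.Signature) {
		return ErrBadSignature
	}
	if !update.SignerKey.Equal(installed.SignerKey) {
		return ErrSignerChanged
	}
	return nil
}

func main() {
	dev, distributor := KeyForLabel("developer"), KeyForLabel("distributor")
	installed := Sign([]byte("constructed v1 apk"), dev)
	fmt.Println(CheckUpdate(installed, Sign([]byte("constructed v2 apk"), dev)))         // <nil>
	fmt.Println(CheckUpdate(installed, Sign([]byte("constructed v2 apk"), distributor))) // re-signed: rejected
}
```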