[Community] Trust and Google

Neal H. Walfield neal at walfield.org
Sun Aug 10 16:06:49 CEST 2014

At Sun, 10 Aug 2014 12:17:54 +0200,
wonderphone at posteo.de wrote:
> > he explicitly 
> > distrusts custom ROMs and software repositories other than Google Play. 
> > His argument is that he doesn't know anything about the authors
> > and their motives. --> My question: Is this a reasonable point and if
> > yes, what can we do to have a water-tight chain of trust without
> > exposing the private life and secret thoughts of the OpenPhoenux OS
> > developers? I understand that we have signed binaries from signed
> > source code and with the commits from the Git software there should be
> > no gap in the chain. But can we be really sure that the code really
> > does what it is supposed to? Can we really take its harmlessness for
> > granted just because it is open source?

There is a difference between the software authors and the software
distributors.  I also only tend to trust well known distributors
(e.g., Debian).  As I understand it, it is common to download custom
ROMs for Android from bulletin boards.  I would never install one of
those (unless I was analyzing it for exploits).

Also, see this comment from Moxie on distributing TextSecure on

  Google does not
  have complete control over all updates: I sign all APKs with my own
  code signing key that is kept offline. These signatures are enforced
  by the PackageManagerService on each user's device, not by the Play
  Store itself. The mechanics are very similar to TACK (http://tack.io),
  which is what we're currently advocating for the TLS world.

  This is in huge contrast to how the bulk of apps on fdroid are
  distributed. Most are not signed by the developers, but by fdroid
  itself, with keys that they keep online. I believe this is a dangerous
  situation, and is one of the primary reasons (along with having to
  enable 3rd party sources) that I don't recommend using fdroid.
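As an added example (not part of this thread, and not Android or TextSecure code), here is a small Go model of the enforcement Moxie describes: the device pins the signing key it saw at first install and refuses any update signed by a different key, so a repository that re-signs packages with its own online key cannot replace a developer-signed app already on the device. The Ed25519 keys, the package name "app" and the version payloads are constructed for the demo; real APK signing uses a different format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Signed models an APK: payload, signature, and the signer's public key.
type Signed struct {
	Name         string
	Payload, Sig []byte
	Signer       ed25519.PublicKey
}
// NewKey makes a signing key (a developer's stays offline; a repository's re-signing key is typically online).
func NewKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}
// Sign produces a package signed by priv (constructed demo data, not a real APK).
func Sign(name string, payload []byte, priv ed25519.PrivateKey) Signed {
	return Signed{Name: name, Payload: payload, Sig: ed25519.Sign(priv, payload), Signer: priv.Public().(ed25519.PublicKey)}
}
var ErrBadSignature, ErrSignerChanged = errors.New("signature does not verify"), errors.New("signer differs from installed package")
// Device stands in for PackageManagerService: it pins the signing key seen at first install.
type Device struct{ pinned map[string]ed25519.PublicKey }
func NewDevice() *Device { return &Device{pinned: map[string]ed25519.PublicKey{}} }
// Install accepts a package only if its signature verifies and, for an update,
// only if the signer equals the pinned key (Android's same-signer rule).
func (d *Device) Install(p Signed) error {
	if !ed25519.Verify(p.Signer, p.Payload, p.Sig) {
		return ErrBadSignature
	}
	if prev, ok := d.pinned[p.Name]; ok && !prev.Equal(p.Signer) {
		return ErrSignerChanged
	}
	d.pinned[p.Name] = p.Signer
	return nil
}

func main() {
	dev, repo, d := NewKey(), NewKey(), NewDevice()
	fmt.Println("v1 developer-signed:", d.Install(Sign("app", []byte("v1"), dev)))
	fmt.Println("v2 developer-signed:", d.Install(Sign("app", []byte("v2"), dev)))
	fmt.Println("v3 repo re-signed:  ", d.Install(Sign("app", []byte("v3"), repo)))
}
```

Note that the check protects only apps already installed: a first install from a repository that signs with its own key is accepted, which is exactly why Moxie objects to repository-held online keys rather than to the store mechanism itself.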