On Sun, Jun 21, 2020 at 05:32:35PM -0400, Mark Murphy wrote:
> On Wed, Jun 17, 2020, at 19:08, Nathan of Guardian wrote:
> > > I am sincerely hoping that I'm forgetting something that prevents this.
> >
> > I don't think you are. If there was some kind of binary transparency
> > where you could see all the builds that were done and released, that
> > might be a small step... But still, once they have your private signing
> > key, they can do anything they please.
>
> Yeah, I thought so.
>
> So, I'm going to poke the bear and see what happens. If anyone has any
> feedback on the attached draft blog post, I am up for any suggestions!
>
> Note: I mention F-Droid, as their policy had been to sign apps with their own
> signing key. It looks like now there are some options for avoiding this,
> but I felt the need to address this head on.
>
Just a quick comment on that last part. It may be worth mentioning, for a fuller picture, that F-Droid signs the builds themselves because they build them themselves. They publish all of the source that they are building, as well as the server software that does the build. Doesn't mean things are 100% reproducible, but it might be relevant to mention.

-john

List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
