Hi,
(I work on F-Droid)
On 22.06.20 13:20, Mark Murphy wrote:
> On Sun, Jun 21, 2020, at 22:20, John Sullivan wrote:
>> Just a quick comment on that last part. It may be worth mentioning for
>> a fuller picture that F-Droid signs the builds themselves because they
>> build them themselves. They publish all of the source that they are
>> building as well as the server software that does the build. Doesn't
>> mean things are 100% reproducible, but it might be relevant to mention.
>
> The *intent* is for F-Droid to build the apps themselves solely from the
> original sources. With sufficient motivation ("those are lovely kneecaps you
> got there -- it would be a pity if we had to break them"), F-Droid could be
> convinced to deliver altered apps. And, as with the Google App Bundle
> scenario, there is nothing to stop them. That then puts the onus on app
> developers or the broader ecosystem to detect this, and I don't know if
> anyone is looking. Perhaps people are looking and I just don't know about it
> -- if you know of people who are, I'd love to hear about them!
A targeted attack would be harder for F-Droid, as you have no control
over which mirror a client will pull an updated index from and no
accounts or other information besides the IP to identify a target.
Untargeted attacks should be relatively easy to detect, as it's only the
package index file that needs to be monitored (and it is, by various
bots, etc.).
But yes, we are working on a real solution to this, where different
entities build the same packages independently of each other and the
client only installs an update once it has got enough rebuilder
attestations from trusted parties.
>
> That being said, I replaced the section where I mentioned F-Droid with
> another one where I don't mention them directly. A revised post is attached.
>
> Thanks for the feedback!
>
Marcus
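The threshold check Marcus describes, sketched as a worked example added here (this is not F-Droid's code, and the attestation layout is assumed): each rebuilder publishes a signed statement naming the package, the version code and the SHA-256 of the APK it produced, and the client installs only when enough distinct trusted rebuilders vouch for the exact bytes it downloaded. Real rebuilders would use public-key signatures (Ed25519 or similar); HMAC with a per-rebuilder key stands in for that here so the block runs with the standard library alone. The trust store, keys and APK bytes are constructed for the example.

```python
"""Client-side threshold check over independent rebuilder attestations.

Added example, not F-Droid code. Assumed attestation layout: a JSON object
with the rebuilder id, package id, version code, SHA-256 of the APK the
rebuilder built, and a signature over those four fields. HMAC with a
per-rebuilder key is a stand-in for a public-key signature so this runs
offline with the stdlib; the verification logic is otherwise the same.
"""
import hashlib
import hmac
import json

# Assumption: an update is installed once 2 distinct trusted rebuilders vouch for it.
THRESHOLD = 2

# Constructed trust store: rebuilder id -> verification key (stand-in for a public key).
TRUSTED_REBUILDERS = {
    "rebuilder-a": b"key-a-constructed",
    "rebuilder-b": b"key-b-constructed",
    "rebuilder-c": b"key-c-constructed",
}

SIGNED_FIELDS = ("rebuilder", "package", "versionCode", "apkSha256")


def canonical(fields):
    """Deterministic byte encoding of the signed fields (sorted keys, no whitespace)."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_attestation(rebuilder, key, package, version_code, apk_sha256):
    """What a rebuilder publishes after reproducing a build (HMAC stands in for a signature)."""
    fields = {"rebuilder": rebuilder, "package": package,
              "versionCode": version_code, "apkSha256": apk_sha256}
    sig = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    return dict(fields, sig=sig)


def verify_attestation(att, expected_package, expected_version, local_sha256):
    """True only if att is from a trusted rebuilder, correctly signed, and vouches
    for exactly the package, version and APK bytes the client is about to install."""
    key = TRUSTED_REBUILDERS.get(att.get("rebuilder"))
    if key is None:
        return False  # unknown rebuilder: its statement carries no weight
    try:
        fields = {k: att[k] for k in SIGNED_FIELDS}
    except KeyError:
        return False
    expected_sig = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, att.get("sig", "")):
        return False
    # Bind to package + version (blocks replaying an attestation for an older
    # release) and to the hash of the bytes actually downloaded, not to a hash
    # copied from the index, which is the very thing a compromised server controls.
    return (fields["package"] == expected_package
            and fields["versionCode"] == expected_version
            and fields["apkSha256"] == local_sha256)


def enough_attestations(apk_bytes, package, version_code, attestations, threshold=THRESHOLD):
    """Hash the downloaded APK locally, count distinct trusted rebuilders whose
    attestation checks out, and decide. Returns (install_ok, vouching_rebuilders)."""
    local_sha = hashlib.sha256(apk_bytes).hexdigest()
    vouching = {att["rebuilder"] for att in attestations
                if verify_attestation(att, package, version_code, local_sha)}
    return len(vouching) >= threshold, sorted(vouching)


def demo():
    """Constructed scenario: genuine vs. tampered APK under a mixed bag of attestations."""
    package, version = "org.example.app", 42
    genuine_apk = b"constructed APK bytes v42"
    tampered_apk = b"constructed APK bytes v42 + backdoor"
    sha_genuine = hashlib.sha256(genuine_apk).hexdigest()
    sha_tampered = hashlib.sha256(tampered_apk).hexdigest()
    k = TRUSTED_REBUILDERS
    atts = [
        sign_attestation("rebuilder-a", k["rebuilder-a"], package, version, sha_genuine),
        sign_attestation("rebuilder-a", k["rebuilder-a"], package, version, sha_genuine),  # duplicate: counts once
        sign_attestation("rebuilder-b", k["rebuilder-b"], package, version, sha_genuine),
        sign_attestation("rebuilder-c", k["rebuilder-c"], package, 41, sha_genuine),       # stale version: rejected
        sign_attestation("rebuilder-c", k["rebuilder-c"], package, version, sha_tampered), # vouches for other bytes
        sign_attestation("rebuilder-x", b"unknown-key", package, version, sha_genuine),    # not in trust store
    ]
    atts.append(dict(atts[2], sig="00" * 32))  # forged signature on a trusted rebuilder's name
    return {
        "genuine": enough_attestations(genuine_apk, package, version, atts),
        "tampered": enough_attestations(tampered_apk, package, version, atts),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the client hashes the APK it actually received, so an altered index entry cannot vouch for itself, and the count is over distinct rebuilder identities, so one compromised rebuilder cannot reach the threshold by submitting several statements.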
_______________________________________________
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
To unsubscribe, email: [email protected]