On Wed, Sep 24, 2014 at 01:25:02PM -0500, Karl Fogel wrote:
> Quick summary is:
>
> Today, app stores don't even clearly *distinguish* open-source from
> closed-source apps, let alone do the builds themselves.
>
> It would be great if app stores built open-source apps directly from
> the public source tree, stating exactly which snapshot was used. And
> it would be even better if they did so with deterministic builds --
> though even just knowing that the app store had done the build
> themselves (instead of the app's author doing it) would be a huge win,
> and deterministic builds would be gravy.
>
> Details in the article. Direct link: https://openitp.org/circumvention-tech/app-stores-and-trustable-code.html
Deterministic builds really would be great; this would enable multi-party verified builds a la Gitian. But overall, I agree, choosing one party to trust with the build would be an improvement. It's not as if the app store proprietor is a neutral party in the transaction; they could just as well tamper with the developer's (possibly untrustworthy) build.

--
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
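The two ideas in this exchange, a store building from a stated source snapshot and independent builders cross-checking the result Gitian-style, as an added illustration that is not part of either message: a toy "build" packages a constructed source tree, once with fixed timestamps and file order (deterministic) and once embedding a random build id and wall-clock time (the usual non-determinism), and a verifier accepts an artifact only when a threshold of independent builders report the same hash for the same snapshot. The snapshot id, file contents and builder names are all constructed placeholders.

```python
import hashlib
import io
import time
import uuid
import zipfile
from collections import Counter

# Constructed sample source tree at a stated snapshot (placeholder id, not a real commit).
SOURCE_SNAPSHOT = "snapshot-PLACEHOLDER"
SOURCE_FILES = {"main.c": b"int main(void){return 0;}\n", "README": b"demo app\n"}


def build(files, deterministic):
    """Package `files` into a zip archive, standing in for an app-store build.
    deterministic=True: sorted file order, fixed timestamps, no build-info file.
    deterministic=False: embeds a random build id and the wall-clock time, so
    two builds of the same snapshot never produce the same bytes."""
    entries = dict(files)
    if not deterministic:
        info_text = f"built {time.time_ns()} id {uuid.uuid4().hex}\n"
        entries["BUILDINFO"] = info_text.encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(entries):
            stamp = (1980, 1, 1, 0, 0, 0) if deterministic else time.localtime()[:6]
            info = zipfile.ZipInfo(name, date_time=stamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, entries[name])
    return buf.getvalue()


def artifact_hash(artifact):
    """SHA-256 of the build artifact, the value each builder would publish."""
    return hashlib.sha256(artifact).hexdigest()


def multi_party_verify(snapshot, reports, threshold):
    """reports: {builder: (snapshot_built, artifact_sha256)} from independent builders.
    Returns (accepted, agreed_hash). Only reports for the requested snapshot count,
    and at least `threshold` of them must name the same hash."""
    hashes = [h for (s, h) in reports.values() if s == snapshot]
    if not hashes:
        return False, None
    agreed, count = Counter(hashes).most_common(1)[0]
    if count < threshold:
        return False, None
    return True, agreed
```

Without the deterministic mode the verifier can never reach agreement, which is exactly the situation the thread describes: the user is left trusting whichever single party ran the build.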