Re: [liberationtech] Proposal for more-trustable code from app stores; comments welcome.

2014-09-26 Thread Karl Fogel 
John Sullivan  writes:
>> Nick  writes:
>>>The wonderful F-Droid already does this, as pointed out in the 
>>>article. So it doesn't seem like a proposal so much as an 
>>>explanation of why it's important.
>>
>> F-Droid does a lot of this.  I couldn't find a standard way to get the
>> exact source snapshot a particular app's build comes, nor what the build
>> parameters were, although via the web site the app pages do give release
>> numbers.  They're hard at work on deterministic builds now, apparently,
>> and I would guess that some of these essentially UI fixes will happen
>> along with that.
>
>That info is in the server metadata file for the app (for example the
>git tag for the source that was used to build the app, and the build
>parameters). Probably just needs to be exposed in the UI.

Thanks, John; agreed.  I saw your mail just after I filed

  https://gitlab.com/fdroid/fdroiddata/issues/76

about this very question.  By the way, I've also updated the post at
https://openitp.org/circumvention-tech/app-stores-and-trustable-code.html
to give F-Droid some more credit -- I think I relied too much on those
UI routes existing, when that's not necessarily a reliable indicator of
what F-Droid is doing on the back end.  Had I talked to you or someone
else at F-Droid first, though, I could have discovered just how much of
the proposal was already implemented there!  Sorry not to have done so.

In a private conversation with Brian Behlendorf, he pointed out that
there's a more general version proposal that should really be the goal.
I'd like to do a second piece on his proposal, but as I'm not sure I'll
get to it soon, I'm posting it here just so it has some circulation.
Quoting him (inner text is his, outer text is my reaction):

  Karl Fogel wrote:
  > Brian Behlendorf wrote:
  >>
  >> If we're proposing ideas for phone OS and app store folks, we should
  >> start from first principles:
  >> 
  >> * End users should be able to trust that the code installed on their
  >> system came as intended by the app author and as verified by the App
  >> Store against their policies.
  >> 
  >> * End users should be able to modify and recompile Open Source apps,
  >> and if they redistribute those modified works (whether direct or
  >> though app stores again), downstream recipients should be able to use
  >> the same means to verify the modified works.
  >> 
  >> This suggests to me the following process:
  >> 
  >> * App developer builds install image, generates a checksum, optionally
  >> signs it with a private pubkey.
  >> 
  >> * App developer sends install image, source code to app store, who
  >> perform their acceptance tests, build their own copy of the install
  >> image, then validate that both install images checksum to the same
  >> number.
  >> 
  >> * App developer publishes image name, version number, checksum, and
  >> signature to a well-known location on their own SSL website (the same
  >> way they did for robots.txt - call it appchecksums.txt) so that their
  >> identity can be tied to a registered domain name and SSL cert.
  >> 
  >> * App store publishes the install image, checksum, and URL to their
  >> repository, making it available to all downloaders.  If it's an Open
  >> Source package they also provide a clear URL to the specific revision
  >> of the code that builds the install image, as well as the OSI-approved
  >> license used.
  >> 
  >> * App store client on the phone is asked to install the app.  First
  >> they download the package, as well as the corresponding
  >> appchecksums.txt file from the developer's own website.  If they don't
  >> match, error out or prompt for exception handling.  If they do, feel
  >> free to install.
  >> 
  >> * App store client on the phone provides a means to download the
  >> source code if the app developer wishes to allow it - and it points to
  >> the same bundle of code that the app store used to verify the build.
  >> 
  >> This gets the app store out of the business of generating their own
  >> builds from a public tree (they still build, but only what the app
  >> developer asks them to build).  It also removes the historic
  >> dependency on a public tree, just in case the project is closed or the
  >> code hosting service disappears.
  >> 
  >> Thoughts?
  >
  > My thought is: spot-on.
  > 
  > I had meant that the app store should host a copy (e.g., a git or hg
  > clone) of every source tree it builds; in any case, many other people
  > will have copies.  The app store just needs to publish the snapshot
  > checksum -- the content ID checksum -- and the distributed archive of
  > the Internet can take it from there.  So yes, the store should host a
  > copy of the tree, and in the case of open source apps, that copy happens
  > to match one or more other copies found out on the Net anyway.  The
  > commit ID is the main thing.
  > 
  > But your overall idea: that the app store can still usefully prove to
  > the *author* as well as t

Re: [liberationtech] Proposal for more-trustable code from app stores; comments welcome.

2014-09-26 Thread John Sullivan 
Karl Fogel  writes:

> Nick  writes:
>>The wonderful F-Droid already does this, as pointed out in the 
>>article. So it doesn't seem like a proposal so much as an 
>>explanation of why it's important.
>
> F-Droid does a lot of this.  I couldn't find a standard way to get the
> exact source snapshot a particular app's build comes, nor what the build
> parameters were, although via the web site the app pages do give release
> numbers.  They're hard at work on deterministic builds now, apparently,
> and I would guess that some of these essentially UI fixes will happen
> along with that.
>

That info is in the server metadata file for the app (for example the
git tag for the source that was used to build the app, and the build
parameters). Probably just needs to be exposed in the UI.

-john

-- 
John Sullivan | Executive Director, Free Software Foundation
GPG Key: 61A0963B | http://status.fsf.org/johns | http://fsf.org/blogs/RSS

Do you use free software? Donate to join the FSF and support freedom at
.
-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.

Re: [liberationtech] Proposal for more-trustable code from app stores; comments welcome.

2014-09-25 Thread Karl Fogel 
Nick  writes:
>The wonderful F-Droid already does this, as pointed out in the 
>article. So it doesn't seem like a proposal so much as an 
>explanation of why it's important.

F-Droid does a lot of this.  I couldn't find a standard way to get the
exact source snapshot a particular app's build comes, nor what the build
parameters were, although via the web site the app pages do give release
numbers.  They're hard at work on deterministic builds now, apparently,
and I would guess that some of these essentially UI fixes will happen
along with that.

(I don't mean to sound like a complainer: F-Droid is fantastic.  I just
hope they'll take it all the way :-) ).

>But to be honest I'm not sure why people who are happy to use a 
>completely proprietary mobile computing system would care that much 
>about this.  They have already voted with their feet that freedom 
>(and by extension security and privacy) are not important to them.  
>Sure, there may be plenty of people who are ignorant enough of how 
>computers actually work to not realise the sacrifices they're 
>making, but I don't think this article is targeted for them.

It's about reducing the number of exposure points.  With most app
stores, you have to trust the author for each app you have installed,
*and* you have to trust the app store.  If you can get that down even to
just having to trust the app store, that's still a win.

One can't just say security and privacy "are" or "are not" important to
someone -- it's a matter of tradeoffs.  Different people have different
tradeoffs they want to make; app stores that offer verified open source
apps give them more of a continuum along which to make that decision.

Best,
-K
-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.

Re: [liberationtech] Proposal for more-trustable code from app stores; comments welcome.

2014-09-25 Thread Wasa Bee 
On Thu, Sep 25, 2014 at 10:00 AM, Nick  wrote:

>
>
> But to be honest I'm not sure why people who are happy to use a
> completely proprietary mobile computing system would care that much
> about this.
>

There is a difference between trusting Google and the manufacturer VS
trusting the hundreds of proprietary apps and how they'll use your data...
The attack surface is much smaller in the former...




>
> Nick
> --
> Liberationtech is public & archives are searchable on Google. Violations
> of list guidelines will get you moderated:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
> Unsubscribe, change to digest, or change password by emailing moderator at
> compa...@stanford.edu.
>
>
-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.

Re: [liberationtech] Proposal for more-trustable code from app stores; comments welcome.

2014-09-25 Thread Nick 
Quoth Karl Fogel: 
>   It would be great if app stores built open-source apps directly from
>   the public source tree, stating exactly which snapshot was used.  And
>   it would be even better if they did so with deterministic builds --
>   though even just knowing that the app store had done the build
>   themselves (instead of the app's author doing it) would be a huge win,
>   and deterministic builds would be gravy.

The wonderful F-Droid already does this, as pointed out in the 
article. So it doesn't seem like a proposal so much as an 
explanation of why it's important.

But to be honest I'm not sure why people who are happy to use a 
completely proprietary mobile computing system would care that much 
about this.  They have already voted with their feet that freedom 
(and by extension security and privacy) are not important to them.  
Sure, there may be plenty of people who are ignorant enough of how 
computers actually work to not realise the sacrifices they're 
making, but I don't think this article is targeted for them.

Nick
-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.

Re: [liberationtech] Proposal for more-trustable code from app stores; comments welcome.

2014-09-24 Thread Max R.D. Parmer 
On Wed, Sep 24, 2014 at 01:25:02PM -0500, Karl Fogel wrote:
> Quick summary is:
> 
>   Today, app stores don't even clearly *distinguish* open-source from
>   closed-source apps, let alone do the builds themselves.
> 
>   It would be great if app stores built open-source apps directly from
>   the public source tree, stating exactly which snapshot was used.  And
>   it would be even better if they did so with deterministic builds --
>   though even just knowing that the app store had done the build
>   themselves (instead of the app's author doing it) would be a huge win,
>   and deterministic builds would be gravy.
> 
> Details in the article.
Direct link:
https://openitp.org/circumvention-tech/app-stores-and-trustable-code.html

Deterministic builds really would be great, this would enable
multi-party verified builds a la gitian but overall, I agree, choosing
one party to trust with the build would be an improvement. It's not
as if the app store proprietor is a neutral party in the transaction,
they could just as well tamper the developer's (possibly untrustworthy)
build.
-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.

[liberationtech] Proposal for more-trustable code from app stores; comments welcome.

2014-09-24 Thread Karl Fogel 
Thoughts welcome on the usefulness of this proposal:

  https://twitter.com/OpenITP/status/514836088511537152

Quick summary is:

  Today, app stores don't even clearly *distinguish* open-source from
  closed-source apps, let alone do the builds themselves.

  It would be great if app stores built open-source apps directly from
  the public source tree, stating exactly which snapshot was used.  And
  it would be even better if they did so with deterministic builds --
  though even just knowing that the app store had done the build
  themselves (instead of the app's author doing it) would be a huge win,
  and deterministic builds would be gravy.

Details in the article.

-Karl
-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.