On Mon, Mar 7, 2016, at 11:11 AM, Spencer wrote:
Hi,
Holger Levsen: https://reproducible-builds.org and https://reproducible.debian.net
Thanks!
Nathan Freitas: https://f-droid.org/wiki/page/Deterministic,_Reproducible_Builds
Thanks!
However, even though reproducible-builds seems to address the manual install as well, which is good, I read the problem as being the actual backdoor of auto-update.
Since my Dad will not be able to make this verification, removing auto-update from the package is the only real resolution here.
I think our goal is to remove any one person from having the authority to release an update. F-Droid or similar package managers should expect multiple signatures in the future instead of just one. Part of the trust people will place in projects or apps in the future is that they are not only open-source, but have a judicially diverse or robust set of signatories.
Besides, given the broken/missing auto-update opt-out in packages like OrFox, it is difficult to trust the developers, since it is the user who defines "malicious".
Can you explain this more? I want to make sure I don't misunderstand what the issue is.
+n
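The "multiple signatures instead of just one" idea above can be made concrete as a threshold check on the update artifact: a client accepts an update only when at least k distinct trusted signers have independently signed it, so no single key holder can ship a release alone. The following is an added example written for this page, not F-Droid code and not code from anyone in the thread; it assumes a hypothetical policy of 2 of 3 signers, uses Ed25519 from the Go standard library, and generates throwaway keys at runtime (in a real deployment the public keys would be pinned in the client and the private keys held by separate people).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer is one trusted release signer: a name and an Ed25519 public key.
type Signer struct {
	Name string
	Pub  ed25519.PublicKey
}

// Signature is one signer's detached signature over an update artifact.
type Signature struct {
	SignerName string
	Sig        []byte
}

// NewSigner creates a fresh keypair for a named signer. Keys are generated
// at runtime purely for this demonstration (assumption: a real client would
// ship pinned public keys instead).
func NewSigner(name string) (Signer, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Signer{Name: name, Pub: pub}, priv
}

// Sign produces a signature record for artifact from the named signer.
func Sign(name string, priv ed25519.PrivateKey, artifact []byte) Signature {
	return Signature{SignerName: name, Sig: ed25519.Sign(priv, artifact)}
}

// VerifyThreshold counts distinct trusted signers whose signature over
// artifact verifies, and reports whether that count reaches threshold.
// Unknown signers are ignored, a signer is counted at most once however
// many signatures it submits, and an invalid signature contributes
// nothing, so one compromised or coerced key cannot push an update alone.
func VerifyThreshold(artifact []byte, trusted []Signer, sigs []Signature, threshold int) (int, bool) {
	byName := make(map[string]ed25519.PublicKey, len(trusted))
	for _, s := range trusted {
		byName[s.Name] = s.Pub
	}
	valid := make(map[string]bool)
	for _, sg := range sigs {
		pub, ok := byName[sg.SignerName]
		if !ok || valid[sg.SignerName] {
			continue
		}
		if ed25519.Verify(pub, artifact, sg.Sig) {
			valid[sg.SignerName] = true
		}
	}
	return len(valid), len(valid) >= threshold
}

func main() {
	// Constructed scenario: three release signers, policy requires two.
	alice, alicePriv := NewSigner("alice")
	bob, bobPriv := NewSigner("bob")
	carol, _ := NewSigner("carol")
	trusted := []Signer{alice, bob, carol}
	apk := []byte("placeholder update artifact bytes") // constructed stand-in for an APK

	sigs := []Signature{Sign("alice", alicePriv, apk), Sign("bob", bobPriv, apk)}
	n, ok := VerifyThreshold(apk, trusted, sigs, 2)
	fmt.Printf("two of three signed: %d valid, accepted=%v\n", n, ok)

	n, ok = VerifyThreshold(apk, trusted, sigs[:1], 2)
	fmt.Printf("only alice signed:   %d valid, accepted=%v\n", n, ok)
}
```

The check deliberately keys the count on signer identity rather than on the number of signature records, which is what stops a single key from satisfying the policy by signing twice; the threshold and signer set are policy inputs the client would pin, not something the update itself may supply.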