On Mon, Mar 7, 2016, at 11:11 AM, Spencer wrote:
Hi,
Holger Levsen: https://reproducible-builds.org and https://reproducible.debian.net
Thanks!
Nathan Freitas: https://f-droid.org/wiki/page/Deterministic,_Reproducible_Builds
Thanks!
However, even though reproducible-builds seems to address the manual install as well, which is good, I read the problem as being the actual backdoor of auto-update.
Since my Dad will not be able to make this verification, removing auto-update from the package is the only real resolution here.
I think our goal is to remove any one person from having the authority to release an update. F-Droid or similar package managers should expect multiple signatures in the future instead of just one. Part of the trust people will place in projects or apps in the future is that they are not only open-source, but have a judicially diverse or robust set of signatories.
Besides, given the broken/missing auto-update opt-out in packages like OrFox, it is difficult to trust the developers, since it is the user who defines "malicious".
Can you explain this more? I want to make sure I don't misunderstand what the issue is.
+n
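Worked example of the "multiple signatures instead of just one" policy proposed above. This is an added illustration, not code from this thread, from F-Droid or from any of its authors: it uses Go's standard-library Ed25519 to check that an update artifact carries valid signatures from at least a threshold of distinct trusted maintainers, so that no single key holder can push a release. The maintainer names, the 2-of-3 threshold and the package bytes are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer is one trusted release maintainer (constructed names below).
type Signer struct {
	Name string
	Pub  ed25519.PublicKey
}

// Signature is a maintainer's signature over the artifact digest.
type Signature struct {
	Name string
	Sig  []byte
}

// ReleasePolicy accepts an update only when at least Threshold *distinct*
// trusted signers have produced a valid signature over the artifact.
type ReleasePolicy struct {
	Trusted   []Signer
	Threshold int
}

// artifactDigest is what each maintainer signs: SHA-256 of the package bytes.
func artifactDigest(pkg []byte) []byte {
	d := sha256.Sum256(pkg)
	return d[:]
}

// CountValidSigners counts distinct trusted signers with a valid signature.
// The same key signing twice still counts once, and signatures from keys
// outside the trusted set are ignored.
func (p ReleasePolicy) CountValidSigners(digest []byte, sigs []Signature) int {
	seen := map[string]bool{}
	for _, s := range sigs {
		for _, t := range p.Trusted {
			if t.Name == s.Name && ed25519.Verify(t.Pub, digest, s.Sig) {
				seen[t.Name] = true
			}
		}
	}
	return len(seen)
}

// Accept reports whether the package meets the signing threshold.
func (p ReleasePolicy) Accept(pkg []byte, sigs []Signature) bool {
	return p.CountValidSigners(artifactDigest(pkg), sigs) >= p.Threshold
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Outcome records the policy decision for four constructed scenarios.
type Outcome struct {
	OneSigner, TwoSigners, DuplicateSigner, Tampered bool
}

// Demo builds a 2-of-3 policy over constructed keys and exercises it.
func Demo() Outcome {
	aPub, aPriv := mustKey()
	bPub, bPriv := mustKey()
	cPub, _ := mustKey() // carol holds a key but does not sign this release
	policy := ReleasePolicy{
		Trusted: []Signer{
			{Name: "alice", Pub: aPub},
			{Name: "bob", Pub: bPub},
			{Name: "carol", Pub: cPub},
		},
		Threshold: 2,
	}
	// Constructed stand-in for the bytes of an update package.
	pkg := []byte("constructed stand-in for example-app.apk, version 0.0.0")
	d := artifactDigest(pkg)
	sigA := Signature{Name: "alice", Sig: ed25519.Sign(aPriv, d)}
	sigB := Signature{Name: "bob", Sig: ed25519.Sign(bPriv, d)}
	// A modified package: the signatures no longer match its digest.
	tampered := append([]byte{}, pkg...)
	tampered[0] ^= 0xff
	return Outcome{
		OneSigner:       policy.Accept(pkg, []Signature{sigA}),
		TwoSigners:      policy.Accept(pkg, []Signature{sigA, sigB}),
		DuplicateSigner: policy.Accept(pkg, []Signature{sigA, sigA}),
		Tampered:        policy.Accept(tampered, []Signature{sigA, sigB}),
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

The check deliberately counts signers rather than signatures: one compromised or coerced maintainer cannot satisfy the policy by signing twice, which is the "any one person" failure mode the thread is concerned with. A package manager applying this would pin the trusted key set per app and refuse an update whose count falls below the threshold, regardless of who built it.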
Hi,
Nathan Freitas: our goal is to remove any one person from having the authority to release an update.
If I understand correctly, this makes sense.
judicially diverse or robust set of signatories.
Web of trust for warez; seems like a good idea.
Can you explain this
Ofc.
Using OrFox as an example, a recently deprecated version had auto-update grayed out.
The current version resolved this but provides 'Enabled' and 'Wi-Fi only' as the two options, no way to opt-out.
In the world of usable security, this doesn't seem like an oversight to users and can degrade trust.
Wordlife, Spencer