Please look into how code signing on Android works and what it means. It's not what you think — there are no CAs. By making their signing key public, if that's what they do, Cyanogen put their users at huge risk: any third party app can take any System or SystemOrSignature permission, or impersonate the system directly.

On Sep 20, 2011 11:52 PM, "M.R." <[email protected]> wrote:
> On 20/09/11 21:48, Peter Gutmann wrote:
>> ...to sign their code.
>> ...I get the impression they see
>> security as a nuisance to be bypassed rather than a real requirement.
>>
> I'd like to assure you that code signing and the associated need
> to buy a certificate service from a third party is viewed as a
> "nuisance to be bypassed" by a great majority of independent
> software vendors.
>
> Nobody is happy to see ~his~ product, which he ~knows~ presents
> no threat to his customer, encumbered in both the construction and
> the distribution to such a level in order to protect the buying
> public from ~someone else's bad product~. It's "business 101" really.
> And like always, the smaller the product, the more of a nuisance
> this becomes. And like always, "the regulator" just wouldn't
> admit that the regulation is an ill-conceived measure, which
> encumbers the producer and does not really solve the problem that
> was used as an excuse to introduce it in the first place, mostly
> for the hidden "fringe benefits" that it brings to the regulator.
>
> Mark R.
> _______________________________________________
> cryptography mailing list
> [email protected]
> http://lists.randombit.net/mailman/listinfo/cryptography
