I'll repost my reply from the [email protected] list:

FDroid already provides most of what you describe, all of the over 1000 APKs (except Firefox, that's in the works) are built only from 100% publicly available source. I'm in the midst of finalizing a funding proposal to add deterministic builds to FDroid. We have all the key bits prototyped in FDroid, including decentralized and peer-to-peer app distribution.

Android has the benefit here of not forcing the use of Google Play, indeed there are hundreds of millions of Android devices sold without Google Play, so we have a chance of getting bigger adoption. Here are some relevant bits:
https://f-droid.org/wiki/page/Verification_Server
https://f-droid.org/wiki/page/Deterministic,_Reproducible_Builds
https://guardianproject.info/2014/06/09/our-first-deterministic-build-lil-debi-0-4-7/

Debian is also working full-tilt on making all of the packages be built in a reproducible way. More info here:

https://wiki.debian.org/ReproducibleBuilds
https://lists.alioth.debian.org/pipermail/reproducible-builds/

.hc

Nathan of Guardian wrote:
> This one is for you _hc
>
>
> ----- Original message -----
> From: Karl Fogel <[email protected]>
> To: liberationtech <[email protected]>
> Subject: [liberationtech] Proposal for more-trustable code from app
> stores; comments welcome.
> Date: Wed, 24 Sep 2014 13:25:02 -0500
>
> Thoughts welcome on the usefulness of this proposal:
>
> https://twitter.com/OpenITP/status/514836088511537152
>
> Quick summary is:
>
> Today, app stores don't even clearly *distinguish* open-source from
> closed-source apps, let alone do the builds themselves.
>
> It would be great if app stores built open-source apps directly from
> the public source tree, stating exactly which snapshot was used. And
> it would be even better if they did so with deterministic builds --
> though even just knowing that the app store had done the build
> themselves (instead of the app's author doing it) would be a huge win,
> and deterministic builds would be gravy.
>
> Details in the article.
>
> -Karl
>

--
PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81
