The point here is to eliminate the need to trust f-droid or any other entity.
f-droid.org is just one instance of this service; anyone can take fdroidserver
and build their own instance.  Then there is additionally planned a
lightweight fdroid instance, the Verification Server, that just does builds to
verify that they match what is published on f-droid.org.

This whole thing is built on the APK signature, so you have to trust that.
FDroid is also rolling out GPG signatures, but making reproducible APKs that
match by hash is a lot harder than match by APK signature.  But you don't have
to trust any people in the whole chain, you can verify it all yourself, and
run your own instance.

For the record, the F-Droid org is incorporated in the UK, so NSLs don't
apply.  But I imagine that the UK has something similar.  I'm not sure where
the servers are.

.hc

Paul Gardner-Stephen:
> Super :)
> 
> Now, how do we make sure that F-Droid doesn't get hit by a NSL?
> 
> Paul.
> 
> On Tue, Feb 10, 2015 at 7:59 PM, Hans-Christoph Steiner <
> [email protected]> wrote:
> 
>>
>> Yes, this is very useful!  That's why we have implemented this in FDroid.
>> It's pretty raw at the moment, but we do have at least one app that has been
>> accepted to FDroid using a reproducible build process.  This app was built by
>> f-droid.org's build infrastructure, then compared against the official
>> Guardian Project build, and since they matched, f-droid.org published an APK
>> using our signature:
>>
>> https://f-droid.org/repository/browse/?fdid=info.guardianproject.checkey
>>
>> Anyone can submit their app to f-droid.org as long as it is all free
>> software.  To make f-droid.org verify its build against yours, just include a
>> download link to your official APK in the Binaries: metadata field:
>>
>> https://gitlab.com/fdroid/fdroiddata/tree/master/metadata/info.guardianproject.checkey.txt
>>
>> You can read more here:
>> * https://f-droid.org/wiki/page/Deterministic,_Reproducible_Builds
>> * https://f-droid.org/wiki/page/Verification_Server
>>
>> .hc
>>
>> Paul Gardner-Stephen:
>>> Deterministic compilation of Android applications would be a great step
>>> forward to provide some protection against forced insertion of backdoors
>>> into binaries.  Not perfect, but helpful.  Of course it doesn't help on
>>> Apple.
>>>
>>> It would also be interesting to have a mechanism where you can ask an
>>> application to serve up the compiled byte code for any class for remote
>>> verification.  Of course this would be spoofable, but including the "real"
>>> byte code would bloat the application, which would be noticeable in the
>>> increased size of the class files.
>>>
>>> Actually, I am over-doing that.  We could have a service where the android
>>> apps get compiled from public, auditable source code, and the APKs
>>> downloaded from the net or people's phones (to stop attacks forcing Google
>>> to do two-faced apk serving, with the "bad" apk going to phones, and the
>>> "good" apk going to the audit server).  Then compare the compiled classes
>>> and resource files to look for any differences. Has the advantage that it
>>> would reveal any naughty insertions.
>>>
>>> Would these be useful things?
>>>
>>> Paul.
>>>
>>> On Tue, Feb 10, 2015 at 1:22 AM, Patrick Connolly <
>>> [email protected]> wrote:
>>>
>>>> This is great! Thanks, Nick!
>>>>
>>>> Related to your comment, Tim, it might be informative if the watermarks of
>>>> the endorsers at the bottom of the "about" page were also near the top of
>>>> the front. It seems the partners could be more visible on page one to give
>>>> the whole project more weight.
>>>>
>>>> I've cc'd canary watch, as I'm not 100% sure Nick is on this list.
>>>>
>>>> --------------------------------------------
>>>> Q: Why is this email [hopefully] five sentences or less? | A:
>>>> http://five.sentenc.es
>>>>
>>>> NOTE that my incoming emails are delayed from arriving in my inbox until
>>>> 9am daily. If you need to reach me sooner, please use other means of
>>>> getting in touch. #slowwebmovement
>>>> On Feb 9, 2015 5:31 AM, "Hans-Christoph Steiner" <
>>>> [email protected]> wrote:
>>>>
>>>>>
>>>>> I imagine EFF, Harvard Law's Berkman Center, and NYU Law had some really
>>>>> good lawyers look at this before they endorsed it ;-)  It is uncharted
>>>>> territory to some degree, in terms of courts.  But it sounds like those
>>>>> lawyers are forming a posse in case this does go to court.
>>>>>
>>>>> Also, for those who don't know, Nick Merrill, the man behind Calyx, was
>>>>> the plaintiff in Doe v. Ashcroft, which challenged the legality of aspects
>>>>> of National Security Letters (NSLs):
>>>>> https://en.wikipedia.org/wiki/Nicholas_Merrill
>>>>>
>>>>> I can't really imagine a better legal team behind this effort.  I suppose
>>>>> they are missing an ACLU endorsement...
>>>>>
>>>>> .hc
>>>>>
>>>>> Tim Bray:
>>>>>> I almost don’t want to show this to others because of the alphabetical
>>>>>> ordering putting 8chan prominently at the top…  Also I’d like to hear some
>>>>>> really good lawyers take up the question of whether these things actually
>>>>>> work.  But interesting, thanks.
>>>>>>
>>>>>> On Sat, Feb 7, 2015 at 1:20 AM, Hans-Christoph Steiner <
>>>>>> [email protected]> wrote:
>>>>>>
>>>>>>>
>>>>>>> Looks like our man Nick has vetted the warrant canary idea and thinks it's
>>>>>>> worth doing:
>>>>>>>
>>>>>>> https://canarywatch.org/
>>>>>>>
>>>>>>> At the very least, there are a bunch of lawyers behind it (EFF, Berkman,
>>>>>>> NYU Law), so hopefully they'll be willing to offer their services if it
>>>>>>> comes to it.
>>>>>>>
>>>>>>> .hc
>>>>>>>
>>>>>>> --
>>>>>>> PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
>>>>>>> https://pgp.mit.edu/pks/lookup?op=vindex&search=0x9F0FE587374BBE81
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Guardian-dev mailing list
>>>>>>>
>>>>>>> Post: [email protected]
>>>>>>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>>>>>>
>>>>>>> To Unsubscribe
>>>>>>>         Send email to:  [email protected]
>>>>>>>         Or visit:
>>>>>>> https://lists.mayfirst.org/mailman/options/guardian-dev/tbray%40textuality.com
>>>>>>>
>>>>>>> You are subscribed as: [email protected]
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>>
> 

-- 
PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
https://pgp.mit.edu/pks/lookup?op=vindex&search=0x9F0FE587374BBE81
_______________________________________________
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
To unsubscribe, email:  [email protected]
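
Added example, not part of the original thread and not F-Droid's own code: a simplified sketch of why matching a rebuild "by APK signature" is easier than matching by file hash, as the top message describes. It assumes JAR (v1) signing, uses constructed in-memory ZIPs in place of real APKs, and all helper names are hypothetical; it compares contents only and does not verify the signature itself.

```python
import hashlib
import io
import re
import zipfile

# JAR (v1) signature files: present in the signed APK, absent from a fresh build.
SIG_FILE = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$")

def entry_digests(apk_bytes):
    """Map each non-signature ZIP entry name to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {
            name: hashlib.sha256(zf.read(name)).hexdigest()
            for name in zf.namelist()
            if not SIG_FILE.match(name)
        }

def compare_builds(official, rebuilt):
    """Return sorted entry names that are missing, extra, or differ in content."""
    a, b = entry_digests(official), entry_digests(rebuilt)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))

def file_hashes_match(x, y):
    """Whole-file comparison: sensitive to signature files, timestamps, ordering."""
    return hashlib.sha256(x).digest() == hashlib.sha256(y).digest()

def make_apk(entries, mtime):
    """Build a constructed, APK-shaped ZIP in memory (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=mtime), data)
    return buf.getvalue()

# Constructed sample inputs, not real APKs.
PAYLOAD = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00code"}
SIGNATURE = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
             "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
             "META-INF/CERT.RSA": b"placeholder-signature-block"}
OFFICIAL = make_apk({**PAYLOAD, **SIGNATURE}, (2015, 2, 10, 12, 0, 0))
REBUILT = make_apk(PAYLOAD, (2015, 2, 11, 9, 30, 0))
TAMPERED = make_apk({**PAYLOAD, "classes.dex": b"dex\n035\x00code+extra"},
                    (2015, 2, 11, 9, 30, 0))

if __name__ == "__main__":
    print("whole-file hash match:", file_hashes_match(OFFICIAL, REBUILT))
    print("differences, honest rebuild:", compare_builds(OFFICIAL, REBUILT))
    print("differences, tampered build:", compare_builds(OFFICIAL, TAMPERED))
```

An empty difference list only shows that the contents agree; the upstream signature still has to verify over the rebuilt contents before the result can be trusted.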
