Super :) Now, how do we make sure that F-Droid doesn't get hit by a NSL?
Paul.

On Tue, Feb 10, 2015 at 7:59 PM, Hans-Christoph Steiner <[email protected]> wrote:

>
> Yes, this is very useful! That's why we have implemented this in FDroid. It's
> pretty raw at the moment, but we do have at least one app that has been
> accepted to FDroid using a reproducible build process. This app was built by
> f-droid.org's build infrastructure, then compared against the official
> Guardian Project build, and since they matched, f-droid.org published an APK
> using our signature:
>
> https://f-droid.org/repository/browse/?fdid=info.guardianproject.checkey
>
> Anyone can submit their app to f-droid.org as long as it is all free software.
> To make f-droid.org verify its build against yours, just include a download
> link to your official APK in the Binaries: metadata field:
>
> https://gitlab.com/fdroid/fdroiddata/tree/master/metadata/info.guardianproject.checkey.txt
>
> You can read more here:
> * https://f-droid.org/wiki/page/Deterministic,_Reproducible_Builds
> * https://f-droid.org/wiki/page/Verification_Server
>
> .hc
>
> Paul Gardner-Stephen:
> > Deterministic compilation of Android applications would be a great step
> > forward to provide some protection against forced insertion of backdoors
> > into binaries. Not perfect, but helpful. Of course it doesn't help on
> > Apple.
> >
> > It would also be interesting to have a mechanism where you can ask an
> > application to serve up the compiled byte code for any class for remote
> > verification. Of course this would be spoofable, but including the "real"
> > byte code would bloat the application, which would be noticeable in the
> > increased size of the class files.
> >
> > Actually, I am over-doing that. We could have a service where the android
> > apps get compiled from public, auditable source code, and the APKs
> > downloaded from the net or people's phones (to stop attacks forcing Google
> > to do two-faced apk serving, with the "bad" apk going to phones, and the
> > "good" apk going to the audit server). Then compare the compiled classes
> > and resource files to look for any differences. Has the advantage that it
> > would reveal any naughty insertions.
> >
> > Would these be useful things?
> >
> > Paul.
> >
> > On Tue, Feb 10, 2015 at 1:22 AM, Patrick Connolly <[email protected]> wrote:
> >
> >> This is great! Thanks, Nick!
> >>
> >> Related to your comment, Tim, it might be informative if the watermarks of
> >> the endorsers at the bottom of the "about" page were also near the top of
> >> the front. It seems the partners could be more visible on page one to give
> >> the whole project more weight.
> >>
> >> I've cc'd canary watch, as I'm not 100% sure Nick is on this list.
> >>
> >> --------------------------------------------
> >> Q: Why is this email [hopefully] five sentences or less? | A:
> >> http://five.sentenc.es
> >>
> >> NOTE that my incoming emails are delayed from arriving in my inbox until
> >> 9am daily. If you need to reach me sooner, please use other means of
> >> getting in touch. #slowwebmovement
> >>
> >> On Feb 9, 2015 5:31 AM, "Hans-Christoph Steiner" <[email protected]> wrote:
> >>
> >>>
> >>> I imagine EFF, Harvard Law's Berkman Center, and NYU Law had some really
> >>> good lawyers look at this before they endorsed it ;-) It is uncharted
> >>> territory to some degree, in terms of courts. But it sounds like those
> >>> lawyers are forming a posse in case this does go to court.
> >>>
> >>> Also, for those who don't know, Nick Merrill, the man behind Calyx, was
> >>> the plaintiff in Doe v. Ashcroft, which challenged the legality of
> >>> aspects of National Security Letters (NSLs):
> >>> https://en.wikipedia.org/wiki/Nicholas_Merrill
> >>>
> >>> I can't really imagine a better legal team behind this effort. I suppose
> >>> they are missing an ACLU endorsement...
> >>>
> >>> .hc
> >>>
> >>> Tim Bray:
> >>>> I almost don’t want to show this to others because of the alphabetical
> >>>> ordering putting 8chan prominently at the top… Also I’d like to hear
> >>>> some really good lawyers take up the question of whether these things
> >>>> actually work. But interesting, thanks.
> >>>>
> >>>> On Sat, Feb 7, 2015 at 1:20 AM, Hans-Christoph Steiner <[email protected]> wrote:
> >>>>
> >>>>>
> >>>>> Looks like our man Nick has vetted the warrant canary idea and thinks
> >>>>> it's worth doing:
> >>>>>
> >>>>> https://canarywatch.org/
> >>>>>
> >>>>> At the very least, there are a bunch of lawyers behind it (EFF,
> >>>>> Berkman, NYU Law), so hopefully they'll be willing to offer their
> >>>>> services if it comes to it.
> >>>>>
> >>>>> .hc
> >>>>>
> >>>>> --
> >>>>> PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81
> >>>>> https://pgp.mit.edu/pks/lookup?op=vindex&search=0x9F0FE587374BBE81
> >>>>>
> >>>>> _______________________________________________
> >>>>> Guardian-dev mailing list
> >>>>>
> >>>>> Post: [email protected]
> >>>>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
> >>>>>
> >>>>> To Unsubscribe
> >>>>> Send email to: [email protected]
> >>>>> Or visit:
> >>>>> https://lists.mayfirst.org/mailman/options/guardian-dev/tbray%40textuality.com
> >>>>>
> >>>>> You are subscribed as: [email protected]
_______________________________________________ List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev To unsubscribe, email: [email protected]
