Okay, sounds good. Is there a nice diagram that shows the steps? I only ask this as while I think I have a handle on it this morning, it wasn't obvious last night how it works, and if I get confused about it when a little tired, my suspicion is that plenty of other people will, too.
Paul.

On Tue, Feb 10, 2015 at 9:21 PM, Hans-Christoph Steiner <[email protected]> wrote:

> The point here is to eliminate the need to trust f-droid or any other entity.
> f-droid.org is just one instance of this service, anyone can take fdroidserver
> and build their own instance. Then there is additionally planned a
> lightweight fdroid instance, the Verification Server, that just does builds to
> verify that they match what is published on f-droid.org.
>
> This whole thing is built on the APK signature, so you have to trust that.
> FDroid is also rolling out GPG signatures, but making reproducible APKs that
> match by hash is a lot harder than match by APK signature. But you don't have
> to trust any people in the whole chain, you can verify it all yourself, and
> run your own instance.
>
> For the record, the F-Droid org is incorporated in the UK, so NSLs don't
> apply. But I imagine that the UK has something similar. I'm not sure where
> the servers are.
>
> .hc
>
> Paul Gardner-Stephen:
> > Super :)
> >
> > Now, how do we make sure that F-Droid doesn't get hit by a NSL?
> >
> > Paul.
> >
> > On Tue, Feb 10, 2015 at 7:59 PM, Hans-Christoph Steiner <[email protected]> wrote:
> >
> >> Yes, this is very useful! That's why we have implemented this in FDroid. It's
> >> pretty raw at the moment, but we do have at least one app that has been
> >> accepted to FDroid using a reproducible build process. This app was built by
> >> f-droid.org's build infrastructure, then compared against the official
> >> Guardian Project build, and since they matched, f-droid.org published an APK
> >> using our signature:
> >>
> >> https://f-droid.org/repository/browse/?fdid=info.guardianproject.checkey
> >>
> >> Anyone can submit their app to f-droid.org as long as it is all free
> >> software.
> >> To make f-droid.org verify its build against yours, just include a download
> >> link to your official APK in the Binaries: metadata field:
> >>
> >> https://gitlab.com/fdroid/fdroiddata/tree/master/metadata/info.guardianproject.checkey.txt
> >>
> >> You can read more here:
> >> * https://f-droid.org/wiki/page/Deterministic,_Reproducible_Builds
> >> * https://f-droid.org/wiki/page/Verification_Server
> >>
> >> .hc
> >>
> >> Paul Gardner-Stephen:
> >>> Deterministic compilation of Android applications would be a great step
> >>> forward to provide some protection against forced insertion of backdoors
> >>> into binaries. Not perfect, but helpful. Of course it doesn't help on
> >>> Apple.
> >>>
> >>> It would also be interesting to have a mechanism where you can ask an
> >>> application to serve up the compiled byte code for any class for remote
> >>> verification. Of course this would be spoofable, but including the "real"
> >>> byte code would bloat the application, which would be noticeable in the
> >>> increased size of the class files.
> >>>
> >>> Actually, I am over-doing that. We could have a service where the android
> >>> apps get compiled from public, auditable source code, and the APKs
> >>> downloaded from the net or people's phones (to stop attacks forcing Google
> >>> to do two-faced apk serving, with the "bad" apk going to phones, and the
> >>> "good" apk going to the audit server). Then compare the compiled classes
> >>> and resource files to look for any differences. Has the advantage that it
> >>> would reveal any naughty insertions.
> >>>
> >>> Would these be useful things?
> >>>
> >>> Paul.
> >>>
> >>> On Tue, Feb 10, 2015 at 1:22 AM, Patrick Connolly <[email protected]> wrote:
> >>>
> >>>> This is great! Thanks, Nick!
> >>>>
> >>>> Related to your comment, Tim, it might be informative if the watermarks of
> >>>> the endorsers at the bottom of the "about" page were also near the top of
> >>>> the front. It seems the partners could be more visible on page one to give
> >>>> the whole project more weight.
> >>>>
> >>>> I've cc'd canary watch, as I'm not 100% sure Nick is on this list.
> >>>>
> >>>> --------------------------------------------
> >>>> Q: Why is this email [hopefully] five sentences or less? | A:
> >>>> http://five.sentenc.es
> >>>>
> >>>> NOTE that my incoming emails are delayed from arriving in my inbox until
> >>>> 9am daily. If you need to reach me sooner, please use other means of
> >>>> getting in touch. #slowwebmovement
> >>>>
> >>>> On Feb 9, 2015 5:31 AM, "Hans-Christoph Steiner" <[email protected]> wrote:
> >>>>
> >>>>> I imagine EFF, Harvard Law's Berkman Center, and NYU Law had some really good
> >>>>> lawyers look at this before they endorsed it ;-) It is uncharted territory to
> >>>>> some degree, in terms of courts. But it sounds like those lawyers are forming a
> >>>>> posse in case this does go to court.
> >>>>>
> >>>>> Also, for those who don't know, Nick Merrill, the man behind Calyx, was the
> >>>>> plaintiff in Doe v. Ashcroft, which challenged the legality of aspects of
> >>>>> National Security Letters (NSLs):
> >>>>> https://en.wikipedia.org/wiki/Nicholas_Merrill
> >>>>>
> >>>>> I can't really imagine a better legal team behind this effort. I suppose they
> >>>>> are missing an ACLU endorsement...
> >>>>>
> >>>>> .hc
> >>>>>
> >>>>> Tim Bray:
> >>>>>> I almost don’t want to show this to others because of the alphabetical
> >>>>>> ordering putting 8chan prominently at the top… Also I’d like to hear some
> >>>>>> really good lawyers take up the question of whether these things actually
> >>>>>> work. But interesting, thanks.
> >>>>>>
> >>>>>> On Sat, Feb 7, 2015 at 1:20 AM, Hans-Christoph Steiner <[email protected]> wrote:
> >>>>>>
> >>>>>>> Looks like our man Nick has vetted the warrant canary idea and thinks it's
> >>>>>>> worth doing:
> >>>>>>>
> >>>>>>> https://canarywatch.org/
> >>>>>>>
> >>>>>>> At the very least, there are a bunch of lawyers behind it (EFF, Berkman, NYU
> >>>>>>> Law), so hopefully they'll be willing to offer their services if it comes
> >>>>>>> to it.
> >>>>>>>
> >>>>>>> .hc
> >>>>>>>
> >>>>>>> --
> >>>>>>> PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81
> >>>>>>> https://pgp.mit.edu/pks/lookup?op=vindex&search=0x9F0FE587374BBE81
> >>>>>>>
> >>>>>>> _______________________________________________
> >>>>>>> Guardian-dev mailing list
> >>>>>>>
> >>>>>>> Post: [email protected]
> >>>>>>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
> >>>>>>>
> >>>>>>> To Unsubscribe
> >>>>>>> Send email to: [email protected]
> >>>>>>> Or visit:
> >>>>>>> https://lists.mayfirst.org/mailman/options/guardian-dev/tbray%40textuality.com
> >>>>>>>
> >>>>>>> You are subscribed as: [email protected]
_______________________________________________
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
To unsubscribe, email: [email protected]
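
An added illustration, not part of the original thread and not fdroidserver's code: the "build it again and compare" step discussed in the quoted messages, sketched as a per-entry digest comparison that ignores the signature files. It assumes JAR-style APK signing, where the signing material lives under META-INF/; the function names and the sample APKs are constructed for this example.

```python
import hashlib
import io
import zipfile

SIG_PREFIX = "META-INF/"  # assumption: JAR-style signing keeps signature files here


def entry_digests(apk_bytes):
    """Map each non-signature entry name to the SHA-256 of its contents."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.filename.startswith(SIG_PREFIX):
                continue  # signer-specific, expected to differ between builders
            digests[info.filename] = hashlib.sha256(apk.read(info)).hexdigest()
    return digests


def compare_builds(official, rebuilt):
    """Return sorted entry names that differ or exist on only one side."""
    a, b = entry_digests(official), entry_digests(rebuilt)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))


def make_apk(entries):
    """Build a constructed in-memory APK (a ZIP archive) from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed sample data: same code and resources, different signing material.
CODE = {"classes.dex": b"dex\n035\x00 app code",
        "res/layout/main.xml": b"<LinearLayout/>"}
OFFICIAL = make_apk({**CODE, "META-INF/CERT.RSA": b"developer signature"})
REBUILT = make_apk({**CODE, "META-INF/CERT.RSA": b"repository signature"})
TAMPERED = make_apk({**CODE, "classes.dex": b"dex\n035\x00 app code + extra",
                     "META-INF/CERT.RSA": b"developer signature"})

if __name__ == "__main__":
    # A faithful rebuild still differs from the official file as a whole ...
    print("whole-file hashes equal:",
          hashlib.sha256(OFFICIAL).digest() == hashlib.sha256(REBUILT).digest())
    # ... but its contents match entry by entry, while an altered build is flagged.
    print("rebuilt differs in:", compare_builds(OFFICIAL, REBUILT))
    print("tampered differs in:", compare_builds(OFFICIAL, TAMPERED))
```

Matching "by hash" additionally requires identical ZIP metadata, entry order and compression output, which is why it is the harder target mentioned in the thread.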
