On Wed, Feb 11, 2015, at 02:53 PM, Hans-Christoph Steiner wrote: > > new blog post: > https://guardianproject.info/2015/02/11/complete-reproducible-app-distribution-achieved/ > > With F-Droid, we have been working towards getting a complete app > distribution > channel that is able to reproducibly build each Android app from source.
This is really fantastic. I can't wait to get Orbot moved over. > while > this may sound like a mundane detail, it does provide lots of tangible > benefits. First, it means that anyone can verify that the app that they > are > using is 100% built from the source code, with nothing else added. That > verifies that the app is indeed 100% free, open source software. > > It also verifies that there have not been any malicious bits of code > added > into the app during the build process. As has been demonstrated in the > 31c3 > Reproducible Builds talk, just flipping a single bit is enough to create > a > usable exploit in an app. > > The F-Droid project is leading the way with its system for publishing > verified > builds. We know have our first full example, building upon our previous > work > with making Lil’ Debi build reproducibly. We started with our simple > little > utility app Checkey since it has few moving parts (first get one working, > then > the rest). > > When you download Checkey from f-droid.org, you will get an APK that was > signed using the official Guardian Project offline signing key that was > built > by f-droid.org. No, we did not give them a copy of our key, instead, the > fdroid publish process now looks for the Binaries: tag in the build > recipe. If > it sees that, it downloads that APK, then builds the app from source, > then > checks to make sure that they match using a simple diff of the APK > contents > and by checking that the signature on the official APK also validates on > the > APK that f-droid.org built. > > Now that we have our little Checkey working, we can work towards getting > all > of our apps verifying in the same way, eliminating a whole field of > exploits > that we have to worry about. You can follow the progress of this work on > the > F-Droid wiki Reproducible Builds page, and learn about a future > application of > it on the Verification Server page. > > The next two apps that are in the reproducible pipeline are LEAP‘s > Bitmask and > our LocationPrivacy. > > .hc > -- > PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81 > https://pgp.mit.edu/pks/lookup?op=vindex&search=0x9F0FE587374BBE81 > _______________________________________________ > List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev > To unsubscribe, email: [email protected] -- Nathan of Guardian [email protected] _______________________________________________ List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev To unsubscribe, email: [email protected]
