Nathan of Guardian wrote:
>
> On Wed, Feb 11, 2015, at 02:53 PM, Hans-Christoph Steiner wrote:
>>
>> new blog post:
>> https://guardianproject.info/2015/02/11/complete-reproducible-app-distribution-achieved/
>>
>> With F-Droid, we have been working towards getting a complete app
>> distribution channel that is able to reproducibly build each
>> Android app from source.
>
> This is really fantastic. I can't wait to get Orbot moved over.

+1

I am interested in doing this for I2P Android and Bote, neither of which
require the NDK to build. If you want another vict^H^H^H^Hperson to test
the reproducible build process, let me know.

str4d

>
>> While this may sound like a mundane detail, it does provide lots
>> of tangible benefits. First, it means that anyone can verify that
>> the app that they are using is 100% built from the source code,
>> with nothing else added. That verifies that the app is indeed
>> 100% free, open source software.
>>
>> It also verifies that there have not been any malicious bits of
>> code added into the app during the build process. As has been
>> demonstrated in the 31c3 Reproducible Builds talk, just flipping
>> a single bit is enough to create a usable exploit in an app.
>>
>> The F-Droid project is leading the way with its system for
>> publishing verified builds. We now have our first full example,
>> building upon our previous work with making Lil' Debi build
>> reproducibly. We started with our simple little utility app
>> Checkey since it has few moving parts (first get one working,
>> then the rest).
>>
>> When you download Checkey from f-droid.org, you will get an APK
>> that was signed using the official Guardian Project offline
>> signing key that was built by f-droid.org. No, we did not give
>> them a copy of our key; instead, the fdroid publish process now
>> looks for the Binaries: tag in the build recipe. If it sees
>> that, it downloads that APK, then builds the app from source,
>> then checks to make sure that they match using a simple diff of
>> the APK contents and by checking that the signature on the
>> official APK also validates on the APK that f-droid.org built.
>>
>> Now that we have our little Checkey working, we can work towards
>> getting all of our apps verifying in the same way, eliminating a
>> whole field of exploits that we have to worry about. You can
>> follow the progress of this work on the F-Droid wiki
>> Reproducible Builds page, and learn about a future application of
>> it on the Verification Server page.
>>
>> The next two apps that are in the reproducible pipeline are
>> LEAP's Bitmask and our LocationPrivacy.
>>
>> .hc
>> --
>> PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81
>> https://pgp.mit.edu/pks/lookup?op=vindex&search=0x9F0FE587374BBE81
>>
>> _______________________________________________
>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>> To unsubscribe, email: [email protected]
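The two checks the quoted post describes for the fdroid publish step (a diff of the APK contents, then confirming that the official signature still validates over the rebuilt APK), as an added Python example that is not F-Droid's or the Guardian Project's code. The two APKs are constructed in-memory zips, the CERT.RSA entry is a placeholder rather than a real signature, and the example stops at the MANIFEST.MF digest layer that the v1 signature ultimately covers; it also runs the single-flipped-bit case the post mentions.

```python
import base64, hashlib, io, re, zipfile

SIG_RE = re.compile(r"^META-INF/(MANIFEST\.MF|.*\.(SF|RSA|DSA|EC))$")  # v1 signing entries

def content_entries(apk: bytes) -> dict:
    """Every zip entry except the signing files, as name -> bytes."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return {n: zf.read(n) for n in zf.namelist() if not SIG_RE.match(n)}

def diff_apks(official: bytes, built: bytes) -> list:
    """Names of entries missing from one APK or differing in content."""
    a, b = content_entries(official), content_entries(built)
    return sorted(n for n in set(a) | set(b) if a.get(n) != b.get(n))

def parse_manifest(mf: bytes) -> dict:
    """MANIFEST.MF sections -> name: (hashlib algorithm, base64 digest); wrapped names not handled."""
    digests = {}
    for section in mf.decode().replace("\r\n", "\n").split("\n\n"):
        name = re.search(r"^Name: (.+)$", section, re.M)
        dig = re.search(r"^(SHA1|SHA-256)-Digest: (.+)$", section, re.M)
        if name and dig:
            digests[name.group(1)] = (dig.group(1).replace("-", "").lower(), dig.group(2))
    return digests

def manifest_covers(official: bytes, built: bytes) -> bool:
    """True if the official MANIFEST.MF lists exactly the rebuilt entries with matching digests."""
    with zipfile.ZipFile(io.BytesIO(official)) as zf:
        digests = parse_manifest(zf.read("META-INF/MANIFEST.MF"))
    entries = content_entries(built)
    return set(digests) == set(entries) and all(
        base64.b64encode(hashlib.new(alg, entries[n]).digest()).decode() == want
        for n, (alg, want) in digests.items())

def make_apk(files: dict, sign: bool) -> bytes:
    """Constructed sample APK; sign adds a real SHA-256 MANIFEST.MF and a placeholder CERT.RSA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        if sign:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n\n" + "".join(
                f"Name: {n}\nSHA-256-Digest: {base64.b64encode(hashlib.sha256(d).digest()).decode()}\n\n"
                for n, d in files.items()))
            zf.writestr("META-INF/CERT.RSA", b"<placeholder PKCS#7 blob, not a real signature>")
    return buf.getvalue()

FILES = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\0", "resources.arsc": b"\x02\0"}
OFFICIAL = make_apk(FILES, sign=True)   # as signed with the developer's offline key
REBUILT = make_apk(FILES, sign=False)   # what the publish server builds from source
# the single flipped bit from the 31c3 talk: 'd' -> 'e' in classes.dex; both checks catch it
TAMPERED = make_apk({**FILES, "classes.dex": b"eex\n035\0"}, sign=False)
```

A real publish step would additionally run jarsigner or apksigner over the rebuilt APK with the official META-INF entries copied in, which is the signature check this example leaves out.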
