On 2014-05-02 20:35, Andrew Cady wrote:
On Fri, May 02, 2014 at 05:22:11PM -0400, Griffin Boyce wrote:
No, though I have two-factor authentication using a secure device
(not a cell phone), and I can't be vanned/rubber-hosed because I don't
actually know the password to my Google developer account. Some
of this does require trust that I have a secure signing/uploading
environment.
If you can upload code -- with or without a password -- then you can be
forced to upload malicious code (assuming you are vulnerable to vans
and
rubber hoses).
As could someone at Microsoft, Apple, or Canonical. My current system
fails closed pretty hard, even in the case of, say, someone breaking
into my apartment. The benefit of the project being open-source is that
such a change wouldn't go unnoticed. And it's trivial to fetch the
extension code from Google and compare it.
~Griffin
--
Liberationtech is public & archives are searchable on Google. Violations of
list guidelines will get you moderated:
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change
to digest, or change password by emailing moderator at compa...@stanford.edu.
