On May 2, 2014 8:46:08 PM EDT, Griffin Boyce <[email protected]> wrote:
>On 2014-05-02 20:35, Andrew Cady wrote:
>> On Fri, May 02, 2014 at 05:22:11PM -0400, Griffin Boyce wrote:
>>
>>> No, though I have two-factor authentication using a secure device
>>> (not a cell phone), and I can't be vanned/rubber-hosed because I don't
>>> actually know the password to my Google developer account. Some
>>> of this does require trust that I have a secure signing/uploading
>>> environment.
>>
>> If you can upload code -- with or without a password -- then you can be
>> forced to upload malicious code (assuming you are vulnerable to vans
>> and rubber hoses).
>
>As could someone at Microsoft, Apple, or Canonical. My current system
>fails closed pretty hard, even in the case of, say, someone breaking
>into my apartment. The benefit of the project being open-source is that
>such a change wouldn't go unnoticed. And it's trivial to fetch the
>extension code from Google and compare it.
>

Automated distributed deterministic build comparisons FTW! Seriously, it seems like we are pretty close with such a thing for Android APKs, so perhaps Chrome extension bundles could be added to the list, as well.
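
A sketch of the fetch-and-compare check discussed in this thread, added here as an example and not code from either poster or from any project they mention: it compares a locally built ZIP-based bundle with a fetched copy by per-file SHA-256, so archive timestamps and a prepended header do not cause false mismatches. The `_store/` prefix, the `HDR!` header and all sample contents are constructed assumptions.

```python
import hashlib
import io
import zipfile


def bundle_digests(data, ignore_prefixes=()):
    """Map each file path in a ZIP-based bundle to the SHA-256 of its content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:  # tolerates a prepended header
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith(tuple(ignore_prefixes)):
                continue
            if info.filename in digests:
                # Duplicate entries can hide a second copy from simple tools.
                raise ValueError(f"duplicate entry: {info.filename}")
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_bundles(built, fetched, ignore_prefixes=()):
    """Report paths that differ between a local build and a fetched bundle."""
    a = bundle_digests(built, ignore_prefixes)
    b = bundle_digests(fetched, ignore_prefixes)
    return {
        "only_in_build": sorted(a.keys() - b.keys()),
        "only_in_fetched": sorted(b.keys() - a.keys()),
        "modified": sorted(p for p in a.keys() & b.keys() if a[p] != b[p]),
    }


def make_zip(files, date_time):
    """Build a ZIP in memory (used only to construct the sample inputs)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=date_time), content)
    return buf.getvalue()


# Constructed sample data: same sources, different timestamps and wrapper.
SOURCE = {"manifest.json": b'{"version": "1.0"}', "background.js": b"run();\n"}
BUILT = make_zip(SOURCE, (2014, 5, 2, 20, 0, 0))
HEADER = b"HDR!" + b"\x00" * 32  # stand-in for a store-added signature header
FETCHED = HEADER + make_zip({**SOURCE, "_store/meta.json": b"{}"}, (2014, 5, 3, 9, 0, 0))
TAMPERED = HEADER + make_zip({**SOURCE, "background.js": b"run(); extra();\n"}, (2014, 5, 3, 9, 0, 0))

if __name__ == "__main__":
    print(compare_bundles(BUILT, FETCHED, ignore_prefixes=("_store/",)))
    print(compare_bundles(BUILT, TAMPERED, ignore_prefixes=("_store/",)))
```

Anything listed under an ignored prefix is excluded from the comparison, so that list should stay as narrow as the distribution channel allows.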
