<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><br></div><div>Anyone know the details of F-droid's app signature validation? Ideally it would be like Debian, with a trusted keyring for checking the signatures on all apps. And if an .apk is not signed by a key in the trusted keyring, it should give an error.</div><div><br></div><div>.hc</div><br><div><div>On Mar 28, 2012, at 10:29 AM, Travis Biehn wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><p>Android won't let you install over packages with a different key. But it comes down to fdroids handling of install and update processes.</p><p>Travis</p>
<div class="gmail_quote">On Mar 28, 2012 10:26 AM, "Hans-Christoph Steiner" <<a href="mailto:hans@guardianproject.info">hans@guardianproject.info</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word"><div><br></div><div>Ah, f-droid doesn't do any signature validation? It should at least compare updates to the original key.</div><div><br></div><div>.hc</div><br><div><div>On Mar 28, 2012, at 10:08 AM, Travis Biehn wrote:</div>
<br><blockquote type="cite"><p>The apk can be signed by anyone...</p>
<div class="gmail_quote">On Mar 28, 2012 10:06 AM, "Hans-Christoph Steiner" <<a href="mailto:hans@guardianproject.info" target="_blank">hans@guardianproject.info</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
On Mar 27, 2012, at 6:02 AM, Rick Valenzuela wrote:<br>
<br>
> On 2012/03/26 3:42 PM, Manuel wrote:<br>
>> One note (and also the only thing that's keeping me from doing the<br>
>> same): You will likely not be able to use apps you bought in Market,<br>
>> because their license check will probably fail if you aren't logged<br>
>> in with the account you used for the purchase.<br>
><br>
> I expect some functionality will break sometime. But so far, all have<br>
> been usable. The two separate pro licenses I have also backed up with<br>
> Titanium Backup, and operate fine. But looking versions on the Play<br>
> website, I can see that I'm missing updates. So that's one drawback. But<br>
> at least I can see the "What's new" tab to see if it's a security patch<br>
> or desirable bugfix.<br>
><br>
>> On Mon, Mar 26, 2012 at 10:35:14AM -0400, Hans-Christoph Steiner<br>
>> wrote:<br>
>>><br>
>>> I think that's a save assumption. AOSP (Android Open Source<br>
>>> Project) provides a whole operating system that is truly free<br>
>>> software. Having to agree to Google's privacy policy to use it<br>
>>> would make it non-free. The ROMs are generally based off of AOSP.<br>
>>> So congratulations! you have escaped Google on your phone :).<br>
><br>
> heh, well, not quite: I was stuck without update on one app that pushed<br>
> me to flash gapps and log in to Play. I updated that and everything else.<br>
><br>
> Just to experiment, though, I then backed up with Titanium Backup and<br>
> then made an update.zip of the TB itself, then made a nandroid backup.<br>
> Went back and started over again . So my phone is back without the<br>
> Google propietary apps on my phone, no account link, and updated apps.<br>
<br>
Good point, didn't think of that.<br>
<br>
>>> If you want a Free as in Freedom app store, check out F-Droid.<br>
>>> We're working on getting all of our stuff in there, as well as all<br>
>>> the things we find useful.<br>
><br>
> yep! already on there, with both repos. i've found quite a few<br>
> replacement apps on fdroid, too, that have let me ditch ones with<br>
> sketchy permissions I got from the market. One thing I did notice when<br>
> adding the Guardian Project repo: The f-droid repo is not SSL.<br>
<br>
Yes, we probably should provide TLS connections to our repo. Since the APKs themselves are signed, it probably is not a big security risk to use plain text transfer. It is definitely a privacy risk, since someone in the middle could follow which apps you are installing.<br>
<br>
.hc<br>
<br>
_______________________________________________<br>
Guardian-dev mailing list<br>
<br>
Post: <a href="mailto:Guardian-dev@lists.mayfirst.org" target="_blank">Guardian-dev@lists.mayfirst.org</a><br>
List info: <a href="https://lists.mayfirst.org/mailman/listinfo/guardian-dev" target="_blank">https://lists.mayfirst.org/mailman/listinfo/guardian-dev</a><br>
<br>
To Unsubscribe<br>
Send email to: <a href="mailto:Guardian-dev-unsubscribe@lists.mayfirst.org" target="_blank">Guardian-dev-unsubscribe@lists.mayfirst.org</a><br>
Or visit: <a href="https://lists.mayfirst.org/mailman/options/guardian-dev/tbiehn%40gmail.com" target="_blank">https://lists.mayfirst.org/mailman/options/guardian-dev/tbiehn%40gmail.com</a><br>
<br>
You are subscribed as: <a href="mailto:tbiehn@gmail.com" target="_blank">tbiehn@gmail.com</a><br>
</blockquote></div>
</blockquote></div><br></div></blockquote></div>
</blockquote></div><br></body></html>