[guardian-dev] Amazon S3-based repo bootstrap

Hans-Christoph Steiner hans at guardianproject.info
Wed Jun 25 16:59:27 EDT 2014


FDroid repos are similar to Debian apt repos in that they do not rely on the
security of the server they are on or the network transmission method.  Once
you trust a signing key, then it can verify whether all files in the repo are
what they should be.

Keep in mind the https://s3.amazonaws.com/guardianproject-fdroid/fdroid/repo
should be considered a test repo for now, since it uses a test key for signing.

I'll be finishing up the final repo soon, and the signing key for that one
should be included in the FDroid app itself, so it'll automatically know which
signing key to trust as long as you get a real FDroid APK.

.hc

On 06/25/2014 04:41 PM, Nathan of Guardian wrote:
> 
> We are now mirroring our F-Droid repos onto Amazon S3, and have created a
> simple page to allow people to bootstrap the fdroid app and our repo here:
> 
> https://s3.amazonaws.com/guardianproject/index.html
> 
> Obviously, trusting Amazon with our binaries is not ideal, but it has been
> shown that even China and Iran are not willing to block S3 at this point in
> time. In addition, the apps and repo is signed with our private key.
> 
> Let me know what you think!
> 
> +n
> 
> 
> 
> _______________________________________________
> Guardian-dev mailing list
> 
> Post: Guardian-dev at lists.mayfirst.org
> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
> 
> To Unsubscribe
>         Send email to:  Guardian-dev-unsubscribe at lists.mayfirst.org
>         Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/hans%40guardianproject.info
> 
> You are subscribed as: hans at guardianproject.info
> 

-- 
PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81


More information about the Guardian-dev mailing list