[guardian-dev] Fwd: [liberationtech] Proposal for more-trustable code from app stores; comments welcome.
Hans-Christoph Steiner
hans at guardianproject.info
Wed Sep 24 14:45:35 EDT 2014
I'll repost my reply from the dev at openitp.org list:
FDroid already provides most of what you describe: all of the over 1000 APKs
(except Firefox; that's in the works) are built only from 100% publicly
available source. I'm in the midst of finalizing a funding proposal to add
deterministic builds to FDroid. We have all the key bits prototyped in
FDroid, including decentralized and peer-to-peer app distribution. Android
has the benefit here of not forcing the use of Google Play, indeed there are
hundreds of millions of Android devices sold without Google Play, so we have a
chance of getting bigger adoption. Here are some relevant bits:
https://f-droid.org/wiki/page/Verification_Server
https://f-droid.org/wiki/page/Deterministic,_Reproducible_Builds
https://guardianproject.info/2014/06/09/our-first-deterministic-build-lil-debi-0-4-7/
Debian is also working full-tilt on making all of the packages be built in a
reproducible way. More info here:
https://wiki.debian.org/ReproducibleBuilds
https://lists.alioth.debian.org/pipermail/reproducible-builds/
.hc
Nathan of Guardian wrote:
> This one is for you _hc
>
>
> ----- Original message -----
> From: Karl Fogel <kfogel at red-bean.com>
> To: liberationtech <liberationtech at lists.stanford.edu>
> Subject: [liberationtech] Proposal for more-trustable code from app
> stores; comments welcome.
> Date: Wed, 24 Sep 2014 13:25:02 -0500
>
> Thoughts welcome on the usefulness of this proposal:
>
> https://twitter.com/OpenITP/status/514836088511537152
>
> Quick summary is:
>
> Today, app stores don't even clearly *distinguish* open-source from
> closed-source apps, let alone do the builds themselves.
>
> It would be great if app stores built open-source apps directly from
> the public source tree, stating exactly which snapshot was used. And
> it would be even better if they did so with deterministic builds --
> though even just knowing that the app store had done the build
> themselves (instead of the app's author doing it) would be a huge win,
> and deterministic builds would be gravy.
>
> Details in the article.
>
> -Karl
>
--
PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81
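The core check behind the verification-server and reproducible-build ideas discussed above is simple to state: rebuild the app from the stated source snapshot and compare the result, entry by entry, with the APK the store ships. The developer's signature files under META-INF/ can never be reproduced by a third party, so they are set aside; everything else must be byte-identical. The script below is an added illustration of that comparison, not code from the original message, from F-Droid's verification server, or from the Guardian Project. The two "APKs" are zip archives constructed in memory with made-up contents; the entry names and the tampered classes.dex are assumptions for the demo.

```python
"""Compare a published APK with an independent rebuild from source.

Added example (not F-Droid's verification-server code). An APK is a zip
archive, so the check is: hash every entry of both archives, ignore the
signing metadata the developer added, and report anything that differs.
Sample archives are constructed inline so this runs offline.
"""
import hashlib
import io
import zipfile

# Signing adds these to META-INF/; a verifier rebuilding from source cannot
# reproduce them, so they are excluded from the comparison.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")
SIGNATURE_NAMES = ("META-INF/MANIFEST.MF",)


def is_signature_entry(name):
    if not name.startswith("META-INF/"):
        return False
    return name.endswith(SIGNATURE_SUFFIXES) or name in SIGNATURE_NAMES


def entry_digests(apk_bytes):
    """Map each non-signature, non-directory entry to the SHA-256 of its bytes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(published_apk, rebuilt_apk):
    """Return the differences between the two builds; all lists empty means a match."""
    a = entry_digests(published_apk)
    b = entry_digests(rebuilt_apk)
    return {
        "only_in_published": sorted(set(a) - set(b)),
        "only_in_rebuilt": sorted(set(b) - set(a)),
        "content_differs": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }


def builds_match(published_apk, rebuilt_apk):
    return not any(compare_apks(published_apk, rebuilt_apk).values())


def make_apk(entries):
    """Build a zip archive in memory from {name: bytes} (constructed test data).

    A fixed timestamp keeps the archive itself deterministic, which is one of
    the things a reproducible build pipeline has to control anyway.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(entries):
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, entries[name])
    return buf.getvalue()


# Constructed sample build output (assumed names and contents, not a real app).
BUILD_OUTPUT = {
    "AndroidManifest.xml": b"<manifest package='org.example.app'/>",
    "classes.dex": b"dex\n035\0" + b"\x00" * 32,
    "res/layout/main.xml": b"<LinearLayout/>",
}

# What the developer publishes: the same output plus their signature files.
PUBLISHED_APK = make_apk({
    **BUILD_OUTPUT,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82\x01\x00" + b"\x00" * 16,
})

# What a verifier rebuilds from the stated source snapshot: unsigned.
REBUILT_APK = make_apk(BUILD_OUTPUT)

# A published build whose classes.dex does not come from the public source
# (e.g. a compromised developer machine), signed with the same setup.
TAMPERED_APK = make_apk({
    **BUILD_OUTPUT,
    "classes.dex": b"dex\n035\0" + b"\xff" * 32,
    "META-INF/CERT.RSA": b"\x30\x82\x01\x00" + b"\x00" * 16,
})

if __name__ == "__main__":
    print("clean build matches rebuild:", builds_match(PUBLISHED_APK, REBUILT_APK))
    print("tampered build differences:", compare_apks(TAMPERED_APK, REBUILT_APK))
```

Two things the demo leaves out that a real verifier has to handle: the rebuild must be pinned to the exact source snapshot the store states (commit hash or tag, plus the toolchain versions), and the excluded META-INF/ set must be as narrow as possible, since a loose exclusion list is where an attacker would hide a payload the comparison never looks at.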