[guardian-dev] warrant canary

Hans-Christoph Steiner hans at guardianproject.info
Tue Feb 10 04:29:57 EST 2015 

Yes, this is very useful!  That's why we have implemented this in FDroid.  Its
pretty raw at the moment, but we do have at least one app that has been
accepted to FDroid using a reproducible build process.  This app was built by
f-droid.org's build infrastructure, then compared against the official
Guardian Project build, and since they matched, f-droid.org published an APK
using our signature:

https://f-droid.org/repository/browse/?fdid=info.guardianproject.checkey

Anyone can submit their app to f-droid.org as long as it is all free software.
 To make f-droid.org verify its build against yours, just include a download
link to your official APK in the Binaries: metadata field:
https://gitlab.com/fdroid/fdroiddata/tree/master/metadata/info.guardianproject.checkey.txt

You can read more here:
* https://f-droid.org/wiki/page/Deterministic,_Reproducible_Builds
* https://f-droid.org/wiki/page/Verification_Server

.hc

Paul Gardner-Stephen:
> Deterministic compilation of Android applications would be a great step
> forward to provide some protection against forced insertion of backdoors
> into binaries.  Not perfect, but helpful.  Of course it doesn't help on
> Apple.
> 
> It would also be interesting to have a mechanism where you can ask an
> application serve up the compiled byte code for any class for remote
> verification.  Of course this would be spoofable, but including the "real"
> byte code would bloat the application, which would be noticeable in the
> increased size of the class files.
> 
> Actually, I am over-doing that.  We could have a service where the android
> apps get compiled from public, auditable source code, and the APKs
> downloaded from the net or people's phones (to stop attacks forcing Google
> to do two-faced apk serving, with the "bad" apk going to phones, and the
> "good" apk going to the audit server).  Then compare the compiled classes
> and resource files to look for any differences. Has the advantage that it
> would reveal any naughty insertions.
> 
> Would these be useful things?
> 
> Paul.
> 
> On Tue, Feb 10, 2015 at 1:22 AM, Patrick Connolly <
> patrick.c.connolly at gmail.com> wrote:
> 
>> This is great! Thanks, Nick!
>>
>> Related to your comment, Tim, it might be informative if the watermarks of
>> the endorsers at the bottom of the "about" page were also near the top of
>> the front. It seems the partners could be more visible on page one to give
>> the whole project more weight.
>>
>> I've cc'd canary watch, as I'm not 100% sure Nick is on this list.
>>
>> --------------------------------------------
>> Q: Why is this email [hopefully] five sentences or less? | A:
>> http://five.sentenc.es
>>
>> NOTE that my incoming emails are delayed from arriving in my inbox until
>> 9am daily. If you need to reach me sooner, please use other means of
>> getting in touch. #slowwebmovement
>> On Feb 9, 2015 5:31 AM, "Hans-Christoph Steiner" <
>> hans at guardianproject.info> wrote:
>>
>>>
>>> I imagine EFF, Harvard Law's Berkman Center, and NYU Law had some really
>>> good
>>> lawyers look at this before they endorsed it ;-)  It is uncharted
>>> territory to
>>> some degree, in terms of courts.  But it sounds like those lawyers
>>> forming a
>>> posse in case this does go to court.
>>>
>>> Also, for those who don't know, Nick Merrill, the man behind Calyx, was
>>> the
>>> plaintiff in Doe v. Ashcroft, which challenged the legality of aspects of
>>> National Security Letters (NSLs):
>>> https://en.wikipedia.org/wiki/Nicholas_Merrill
>>>
>>> I can't really imagine a better legal team behind this effort.  I suppose
>>> they
>>> are missing an ACLU endorsement...
>>>
>>> .hc
>>>
>>> Tim Bray:
>>>> I almost don’t want to show this to others because of the alphabetical
>>>> ordering putting 8chan prominently at the top…  Also I’d like to hear
>>> some
>>>> really good lawyers take up the question of whether these things
>>> actually
>>>> work.  But interesting, thanks.
>>>>
>>>> On Sat, Feb 7, 2015 at 1:20 AM, Hans-Christoph Steiner <
>>>> hans at guardianproject.info> wrote:
>>>>
>>>>>
>>>>> Looks like our man Nick has vetted the warrant canary idea and thinks
>>> its
>>>>> worth doing:
>>>>>
>>>>> https://canarywatch.org/
>>>>>
>>>>> At the very least, there are a bunch of lawyers behind it (EFF,
>>> Berkman,
>>>>> NYU
>>>>> Law), so hopefully they'll be willing to offer their services if it
>>> comes
>>>>> to it.
>>>>>
>>>>> .hc
>>>>>
>>>>> --
>>>>> PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
>>>>> https://pgp.mit.edu/pks/lookup?op=vindex&search=0x9F0FE587374BBE81
>>>>>
>>>>> _______________________________________________
>>>>> Guardian-dev mailing list
>>>>>
>>>>> Post: Guardian-dev at lists.mayfirst.org
>>>>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>>>>
>>>>> To Unsubscribe
>>>>>         Send email to:  Guardian-dev-unsubscribe at lists.mayfirst.org
>>>>>         Or visit:
>>>>>
>>> https://lists.mayfirst.org/mailman/options/guardian-dev/tbray%40textuality.com
>>>>>
>>>>> You are subscribed as: tbray at textuality.com
>>>>>
>>>>
>>>>
>>>>
>>>
>>> --
>>> PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
>>> https://pgp.mit.edu/pks/lookup?op=vindex&search=0x9F0FE587374BBE81
>>> _______________________________________________
>>> Guardian-dev mailing list
>>>
>>> Post: Guardian-dev at lists.mayfirst.org
>>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>>
>>> To Unsubscribe
>>>         Send email to:  Guardian-dev-unsubscribe at lists.mayfirst.org
>>>         Or visit:
>>> https://lists.mayfirst.org/mailman/options/guardian-dev/patrick.c.connolly%40gmail.com
>>>
>>> You are subscribed as: patrick.c.connolly at gmail.com
>>>
>>
>> _______________________________________________
>> Guardian-dev mailing list
>>
>> Post: Guardian-dev at lists.mayfirst.org
>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>
>> To Unsubscribe
>>         Send email to:  Guardian-dev-unsubscribe at lists.mayfirst.org
>>         Or visit:
>> https://lists.mayfirst.org/mailman/options/guardian-dev/paul%40servalproject.org
>>
>> You are subscribed as: paul at servalproject.org
>>
>>
> 

-- 
PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
https://pgp.mit.edu/pks/lookup?op=vindex&search=0x9F0FE587374BBE81

More information about the guardian-dev mailing list