[guardian-dev] Manipulating App Bundles

Mark Murphy mmurphy at commonsware.com
Mon Jun 22 07:20:18 EDT 2020


On Sun, Jun 21, 2020, at 22:20, John Sullivan wrote:
> Just a quick comment on that last part. It may be worth mentioning for 
> a fuller picture that F-Droid signs the builds themselves because they 
> build them themselves. They publish all of the source that they are 
> building as well as the server software that does the build. Doesn't 
> mean things are 100% reproducible, but it might be relevant to mention.

The *intent* is for F-Droid to build the apps themselves solely from the original sources. With sufficient motivation ("those are lovely kneecaps you got there -- it would be a pity if we had to break them"), F-Droid could be convinced to deliver altered apps. And, as with the Google App Bundle scenario, there is nothing to stop them. That then puts the onus on app developers or the broader ecosystem to detect this, and I don't know if anyone is looking. Perhaps people are looking and I just don't know about it -- if you know of people who are, I'd love to hear about them!

That being said, I replaced the section where I mentioned F-Droid with another one where I don't mention them directly. A revised post is attached.

Thanks for the feedback!

-- 
Mark Murphy (a Commons Guy)
https://commonsware.com | https://github.com/commonsguy
https://commonsware.com/blog | https://twitter.com/commonsguy
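Detecting the alteration Mark describes, where a distributor rebuilds or re-signs an app and changes its contents, comes down to comparing the delivered APK against the developer's own build while ignoring only the JAR signature entries a legitimate re-signer rewrites. The following is an added example, not code from this thread or from F-Droid or Google; it uses only the Python standard library, and the two archives are constructed stand-ins for real APKs.

```python
import hashlib
import io
import zipfile

def is_signature_entry(name: str) -> bool:
    """JAR signature entries a re-signing distributor legitimately rewrites."""
    if not name.startswith("META-INF/"):
        return False
    return name == "META-INF/MANIFEST.MF" or name.upper().endswith((".SF", ".RSA", ".DSA", ".EC"))

def content_digests(apk_bytes: bytes) -> dict:
    """Map each non-signature entry name to its SHA-256 hex digest."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def diff_builds(reference_apk: bytes, delivered_apk: bytes) -> dict:
    """Entries added, removed or modified between the developer's build and the delivered APK."""
    ref = content_digests(reference_apk)
    got = content_digests(delivered_apk)
    return {
        "added": sorted(set(got) - set(ref)),
        "removed": sorted(set(ref) - set(got)),
        "modified": sorted(n for n in ref.keys() & got.keys() if ref[n] != got[n]),
    }

def make_apk(entries: dict) -> bytes:
    """Build a minimal zip standing in for an APK (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample: developer build vs. a distributor re-sign with classes.dex altered and an asset added.
DEVELOPER_BUILD = make_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.app'/>",
    "classes.dex": b"dex\n035\x00original-code",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.RSA": b"developer signature block",
})
STORE_DELIVERED = make_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.app'/>",
    "classes.dex": b"dex\n035\x00tampered-code",
    "assets/tracker.js": b"injected",
    "META-INF/STORE.RSA": b"distributor signature block",
})
```

Real APKs signed with the v2/v3 schemes keep the signature in an APK Signing Block outside the zip entries, so re-signing alone produces no entry-level difference and only genuine content changes show up in `diff_builds`.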