The source code of the client-side apps appears to be available on GitHub. So if they're bluffing, it won't be too long until someone calls them out on it.
Without a fully described mechanism to confirm that the client you download is not compiled with additional code (i.e. without specifying exactly how the client is compiled: which version of which compiler, which compile flags, dependency versions, etc.), any kind of "the code seems to be on GitHub" is kind of meaningless.
Ideally they should support reproducible builds so that anyone can confirm that the hash of the app corresponds to a specific tag on the source repository. Unfortunately app stores are making it harder to know what the hash of the app you are installing is, but for side-loading this should still be possible.
For web apps, the situation is even more difficult, but there is a technique called Secure Bookmarks which allows you to confirm that a specific bundle of JavaScript is running (at the expense of some usability):
https://coins.github.io/secure-bookmark/
Unless they only send compromised code to you personally and nobody else.
One way to mitigate that is through Binary Transparency, which would allow people to detect if a release is made for which there is no source code available (assuming the project already has reproducible builds). There is already a project attempting this for Arch Linux packages[0].
Of course it's still possible that an update could be sent to everyone which contains some code that only runs when a certain username is entered, so users would need to avoid updating the app until an audit by a trusted third party had approved it.
[0] https://github.com/kpcyrd/pacman-bintrans
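The two checks the thread is describing, a reproducible-build hash comparison against a tagged source release and a binary-transparency log that exposes releases with no published source, as an added example written for this thread. It is not code from the discussion or from pacman-bintrans; the log format, the entry fields and the sample artifacts are all constructed for illustration, and the append-only check uses a simple hash chain rather than the Merkle tree a real transparency log would use.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample artifacts standing in for downloaded client binaries.
# In practice these would be the bytes of the file you side-loaded.
RELEASE_1_1 = b"client-app v1.1 (constructed sample artifact)"
RELEASE_1_2 = b"client-app v1.2 (constructed sample artifact)"
RELEASE_1_3 = b"client-app v1.3 (constructed: source never published)"
TAMPERED_1_2 = b"client-app v1.2 (constructed sample artifact) + extra code"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class LogEntry:
    """One row of a hypothetical binary-transparency log (constructed format)."""
    version: str
    artifact_sha256: str       # hash of the reproducibly built artifact
    source_tag: Optional[str]  # git tag the build reproduces from; None = no source


# Constructed log: v1.3 was published without a source tag, which is exactly
# the situation binary transparency is meant to make visible.
TRANSPARENCY_LOG: List[LogEntry] = [
    LogEntry("1.1", sha256_hex(RELEASE_1_1), "v1.1"),
    LogEntry("1.2", sha256_hex(RELEASE_1_2), "v1.2"),
    LogEntry("1.3", sha256_hex(RELEASE_1_3), None),
]


def verify_download(artifact: bytes, log: Iterable[LogEntry]) -> str:
    """Compare a downloaded artifact's hash with the log.

    Returns 'ok' (hash logged and tied to a source tag), 'no-source'
    (hash logged but no source tag published) or 'unknown' (hash not in
    the log at all, e.g. a tampered or privately served build).
    """
    digest = sha256_hex(artifact)
    for entry in log:
        if entry.artifact_sha256 == digest:
            return "ok" if entry.source_tag else "no-source"
    return "unknown"


def releases_without_source(log: Iterable[LogEntry]) -> List[str]:
    """Versions that anyone auditing the log should flag."""
    return [entry.version for entry in log if entry.source_tag is None]


def chain_head(log: Iterable[LogEntry]) -> str:
    """Hash chain over the log; a client pins this value to notice rewrites."""
    head = ""
    for entry in log:
        record = f"{head}|{entry.version}|{entry.artifact_sha256}|{entry.source_tag or ''}"
        head = sha256_hex(record.encode())
    return head


def is_append_only_extension(old: List[LogEntry], new: List[LogEntry]) -> bool:
    """True only if `new` is `old` with entries appended, never edited."""
    return len(new) >= len(old) and new[: len(old)] == old


if __name__ == "__main__":
    for name, blob in [("v1.2", RELEASE_1_2), ("tampered v1.2", TAMPERED_1_2), ("v1.3", RELEASE_1_3)]:
        print(f"{name}: {verify_download(blob, TRANSPARENCY_LOG)}")
    print("releases without source:", releases_without_source(TRANSPARENCY_LOG))
    print("log head:", chain_head(TRANSPARENCY_LOG))
```

The per-artifact check is only meaningful if the build is reproducible, since otherwise nobody can independently regenerate the hash that is logged against the tag. The append-only check is what stops a publisher from quietly replacing the logged hash for an existing version; a client that has pinned an earlier `chain_head` will see the mismatch.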
https://ente.io/transparency/
That's just a non-binding promise. If that's enough for you, you don't need encryption at all.
I think the correct link is: https://ente.io/architecture