← Back to context

Comment by gpm

1 day ago

Eh...

The set of people who can maliciously modify it is the people who run f-droid, instead of the cloud provider and the people who run f-droid.

It'd be nice if we didn't have to trust the people who run f-droid, but given we do I see an argument that it's better for them to run the hardware so we only have to trust them and not someone else as well.

6 comments

gpm

Reply
lrvick  1 day ago

You actually do not have to trust the people who run f-droid for those apps whose maintainers enroll in reproducible builds and multi-party signing, which only f-droid supports unlike any alternatives.

  • gpm  1 day ago

    That looks cool, which might just be the point of your comment, but I don't think it actually changes the argument here.

    You still have to trust the app store to some extent. On first use, you're trusting f-droid to give you the copy of the app with appropriate signatures. Running in someone else's data-center still means you need to trust that data-center plus the people setting up the app store, instead of just the app store. It's just a breach of trust is less consequential since the attacker needs to catch the first install (of apps that even use that technology).

    • lrvick  1 day ago

      F-droid makes the most sense when shipped as the system appstore, along with pinned CA keychains as Calyxos did. Ideally f-droid was compiled from source and validated by the rom devs.

      The F-droid app itself can then verify signatures from both third party developers and first party builds on an f-droid machine.

      For all its faults (of which there are many) it is still a leaps and bounds better trust story than say Google Play. Developers can only publish code, and optional signatures, but not binaries.

      Combine that with distributed reproducible builds with signed evidence validated by the app and you end up not having to trust anything but the f-droid app itself on your device.

      1 reply →

  • imiric  1 day ago

    Why have we normalized "app stores" that build software whose authors likely already provide packages of?

    I've been using Obtainium more recently, and the idea is simple: a friendly UI that pulls packages directly from the original source. If I already trust the authors with the source code, then I'm inclined to trust them to provide safe binaries for me to use. Involving a middleman is just asking for trouble.

    App stores should only be distributors of binaries uploaded and signed by the original authors. When they're also maintainers, it not only significantly increases their operational burden, but requires an additional layer of trust from users.

ejj28  1 day ago

The cloud isn't the only other option, they could still own and run their own hardware but do it in a proper colocation datacenter.