Comment by M95D
1 month ago
> I like the idea of a central signing authority for open source.
It would be the most corrupt(ible) org ever involved in open source and it would promote locked-down computing, as that would be their main reason to exist. Be careful what you wish for!
While I agree that this is a problem if it becomes an attack vector, F-Droid does already do central signing of their own builds. With reproducible builds the attack vector would actually be minimal, and maybe there could be multiple such entities, which would make this even more robust. I just think the answer to power is not always decentralization. Alternatively, government actors could also build open source for their citizens. Here we would at least have democratically mandated corruption. IMHO this is much better than the current quasi-government of the internet by a few powerful gatekeepers.
Then it wouldn't be a central signing authority. Not that it matters. Several signing authorities would not equally divide the clients. One would emerge as central, become corrupted by industry commercial interests, be promoted further by them, and end up as some sort of Google of signing, where you can't do anything on your computer without their knowledge and approval.
My second argument stands.