[liberationtech] Proposal for more-trustable code from app stores; comments welcome.
Max R.D. Parmer
maxp at trystero.is
Wed Sep 24 21:39:46 PDT 2014
On Wed, Sep 24, 2014 at 01:25:02PM -0500, Karl Fogel wrote:
> Quick summary is:
>
> Today, app stores don't even clearly *distinguish* open-source from
> closed-source apps, let alone do the builds themselves.
>
> It would be great if app stores built open-source apps directly from
> the public source tree, stating exactly which snapshot was used. And
> it would be even better if they did so with deterministic builds --
> though even just knowing that the app store had done the build
> themselves (instead of the app's author doing it) would be a huge win,
> and deterministic builds would be gravy.
>
> Details in the article.
Direct link:
https://openitp.org/circumvention-tech/app-stores-and-trustable-code.html
Deterministic builds really would be great; this would enable
multi-party verified builds à la Gitian, but overall I agree: choosing
one party to trust with the build would be an improvement. It's not
as if the app store proprietor is a neutral party in the transaction;
they could just as well tamper with the developer's (possibly untrustworthy)
build.
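Added example (not from the post, from Gitian, or from the OpenITP article): a small Python model of the multi-party verification that deterministic builds make possible, where a release is accepted only if a quorum of independent builders reproduce the same artifact hash for the stated source snapshot and the artifact the store publishes matches that hash. Builder names, the snapshot id and the source bytes are constructed placeholders, and the "build" is a stand-in hash rather than a real toolchain run.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Attestation:
    """One builder's claim: 'I built SNAPSHOT and got an artifact with this hash'."""
    builder: str          # hypothetical builder identity (assumed verified out of band)
    snapshot: str         # source snapshot the builder says it used
    artifact_sha256: str  # hex digest of the artifact it produced


def reproducible_build(snapshot: str, source_tree: bytes) -> bytes:
    """Stand-in for a deterministic build: output depends only on its inputs."""
    return b"APK:" + hashlib.sha256(snapshot.encode() + source_tree).digest()


def attest(builder: str, snapshot: str, artifact: bytes) -> Attestation:
    return Attestation(builder, snapshot, hashlib.sha256(artifact).hexdigest())


def verify_release(snapshot: str, published: bytes, attestations, quorum: int):
    """Accept `published` only if at least `quorum` distinct builders attest the
    same hash for `snapshot` AND the published bytes have that hash.
    Returns (accepted, reason)."""
    # One vote per builder; only votes naming the expected snapshot count.
    votes = {a.builder: a.artifact_sha256 for a in attestations if a.snapshot == snapshot}
    if not votes:
        return False, "no attestations for snapshot %s" % snapshot
    consensus_hash, agreeing = Counter(votes.values()).most_common(1)[0]
    if agreeing < quorum:
        return False, "only %d of %d required builders agree" % (agreeing, quorum)
    if hashlib.sha256(published).hexdigest() != consensus_hash:
        return False, "published artifact differs from the builders' consensus"
    return True, "%d builders reproduced the same artifact" % agreeing


# Constructed sample: three independent builders rebuild the same snapshot.
SNAPSHOT = "deadbeef"                # placeholder commit id, not a real one
SOURCE = b"example app source tree"  # constructed stand-in for the checkout
GOOD = reproducible_build(SNAPSHOT, SOURCE)
ATTESTATIONS = [attest(b, SNAPSHOT, GOOD) for b in ("builder-a", "builder-b", "builder-c")]
# A developer-supplied binary built differently (or tampered with) after the fact.
TAMPERED = GOOD + b"\x00extra"

if __name__ == "__main__":
    print(verify_release(SNAPSHOT, GOOD, ATTESTATIONS, quorum=2))
    print(verify_release(SNAPSHOT, TAMPERED, ATTESTATIONS, quorum=2))
```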