Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]


Groups > comp.mobile.android > #147021

Re: Why does open source software include a "signing key"?

From Arno Welzel <usenet@arnowelzel.de>
Newsgroups comp.mobile.android
Subject Re: Why does open source software include a "signing key"?
Date 2025-03-06 11:30 +0100
Message-ID <m2tbqeF6l2mU4@mid.individual.net> (permalink)
References (2 earlier) <vpt27q$2mns$1@nnrp.usenet.blueworldhosting.com> <m2g0m3F67bkU6@mid.individual.net> <vpunur$69ss$1@dont-email.me> <m2gg1cF8gagU1@mid.individual.net> <vpv68b$8tek$1@dont-email.me>

Show all headers | View raw


R.Wieser, 2025-03-01 15:40:

> Arno,
> 
>> At the very first install at all, there is no chain of trust back to the
>> original developer
> 
> I think there is.
> 
>> for example when using F-Droid. Then only F-Droid is signing the app.
> 
> And they will do that for any random app ?  Hey F-Droid, I got a few info- 
> and other stealers here, and as you guys don't bother to check if I'm on the 
> up-and-up I can use you guys to spread my malwarez !

Yes - you can try that. However since all software on F-Droid *must* be
open source, this won't work unnoticed. At least one has to suggest an
application to be added to the repository of F-Droid first - and at this
point, the app won't get accepted, if it contains suspicious code.

Both otherwise F-Droid only takes the sources and builds the package
themself:

<https://f-droid.org/de/packages/de.arnowelzel.android.periodical/>

Sources:

<https://github.com/arnowelzel/periodical>

You won't find any of my signatures in the package provided by F-Droid.

> No, if F-Droid is only using their own name on the apps than they will try 
> to make *damn* sure that they are not used to spread malware.  And we trust 
> them to be good at it.   And yes, even in that case I do believe that 
> F-Droid knows, at least by name, the developers of the apps they offer for 
> download - so that they, just like Google, can cut off any app-maker who is 
> engaging in "funny stuff".

Exactly - but still there is no certificate chain in F-Droid packages
which lead to the original developer.


-- 
Arno Welzel
https://arnowelzel.de

Back to comp.mobile.android | Previous | NextPrevious in thread | Next in thread | Find similar | Unroll thread


Thread

Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-26 21:36 +0000
  Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-26 21:44 +0000
    Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-26 22:36 +0000
  Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-02-28 08:43 +0100
    Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-28 19:30 +0000
      Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-28 19:46 +0000
        Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-02-28 21:42 +0100
  Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-02-28 09:01 +0100
    Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-28 19:19 +0000
      Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-01 10:00 +0100
        Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-03-01 09:54 +0000
          Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-03-01 10:12 +0000
            Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-03-01 10:27 +0000
            Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-01 11:44 +0100
        Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-01 11:36 +0100
          Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-01 14:22 +0100
            Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-01 15:40 +0100
              Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-06 11:30 +0100
                Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-06 12:29 +0100
                Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-07 09:01 +0100
                Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-07 09:50 +0100
                Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-07 14:37 +0100
                Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-07 14:58 +0100

csiph-web