Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.mobile.android > #147021
| From | Arno Welzel <usenet@arnowelzel.de> |
|---|---|
| Newsgroups | comp.mobile.android |
| Subject | Re: Why does open source software include a "signing key"? |
| Date | 2025-03-06 11:30 +0100 |
| Message-ID | <m2tbqeF6l2mU4@mid.individual.net> (permalink) |
| References | (2 earlier) <vpt27q$2mns$1@nnrp.usenet.blueworldhosting.com> <m2g0m3F67bkU6@mid.individual.net> <vpunur$69ss$1@dont-email.me> <m2gg1cF8gagU1@mid.individual.net> <vpv68b$8tek$1@dont-email.me> |
R.Wieser, 2025-03-01 15:40: > Arno, > >> At the very first install at all, there is no chain of trust back to the >> original developer > > I think there is. > >> for example when using F-Droid. Then only F-Droid is signing the app. > > And they will do that for any random app ? Hey F-Droid, I got a few info- > and other stealers here, and as you guys don't bother to check if I'm on the > up-and-up I can use you guys to spread my malwarez ! Yes - you can try that. However since all software on F-Droid *must* be open source, this won't work unnoticed. At least one has to suggest an application to be added to the repository of F-Droid first - and at this point, the app won't get accepted, if it contains suspicious code. Both otherwise F-Droid only takes the sources and builds the package themself: <https://f-droid.org/de/packages/de.arnowelzel.android.periodical/> Sources: <https://github.com/arnowelzel/periodical> You won't find any of my signatures in the package provided by F-Droid. > No, if F-Droid is only using their own name on the apps than they will try > to make *damn* sure that they are not used to spread malware. And we trust > them to be good at it. And yes, even in that case I do believe that > F-Droid knows, at least by name, the developers of the apps they offer for > download - so that they, just like Google, can cut off any app-maker who is > engaging in "funny stuff". Exactly - but still there is no certificate chain in F-Droid packages which lead to the original developer. -- Arno Welzel https://arnowelzel.de
Back to comp.mobile.android | Previous | Next — Previous in thread | Next in thread | Find similar | Unroll thread
Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-26 21:36 +0000
Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-26 21:44 +0000
Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-26 22:36 +0000
Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-02-28 08:43 +0100
Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-28 19:30 +0000
Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-28 19:46 +0000
Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-02-28 21:42 +0100
Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-02-28 09:01 +0100
Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-28 19:19 +0000
Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-01 10:00 +0100
Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-03-01 09:54 +0000
Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-03-01 10:12 +0000
Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-03-01 10:27 +0000
Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-01 11:44 +0100
Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-01 11:36 +0100
Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-01 14:22 +0100
Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-01 15:40 +0100
Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-06 11:30 +0100
Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-06 12:29 +0100
Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-07 09:01 +0100
Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-07 09:50 +0100
Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-07 14:37 +0100
Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-07 14:58 +0100
csiph-web