Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]


Groups > comp.mobile.android > #146879 > unrolled thread

Why does open source software include a "signing key"?

Started byMarion <marion@facts.com>
First post2025-02-26 21:36 +0000
Last post2025-03-07 14:58 +0100
Articles 3 on this page of 23 — 3 participants

Back to article view | Back to comp.mobile.android


Contents

  Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-26 21:36 +0000
    Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-26 21:44 +0000
      Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-26 22:36 +0000
    Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-02-28 08:43 +0100
      Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-28 19:30 +0000
        Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-28 19:46 +0000
          Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-02-28 21:42 +0100
    Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-02-28 09:01 +0100
      Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-28 19:19 +0000
        Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-01 10:00 +0100
          Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-03-01 09:54 +0000
            Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-03-01 10:12 +0000
              Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-03-01 10:27 +0000
              Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-01 11:44 +0100
          Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-01 11:36 +0100
            Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-01 14:22 +0100
              Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-01 15:40 +0100
                Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-06 11:30 +0100
                  Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-06 12:29 +0100
                    Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-07 09:01 +0100
                      Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-07 09:50 +0100
                        Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-07 14:37 +0100
                          Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-07 14:58 +0100

Page 2 of 2 — ← Prev page 1 [2]


#147061

From"R.Wieser" <address@is.invalid>
Date2025-03-07 09:50 +0100
Message-ID<vqec1d$3f0vr$1@dont-email.me>
In reply to#147059
Arno,

> Not really. The signatures can not be verified since there is no CA for 
> it.

*Again*, that is where F-Droid comes in needing to check who created that 
self-signed cert, effectivily making F-Droid the CA - even though they do 
not(?) give out certs.

Kiddo, if F-Droid would not be able to say with a decent ammount of certanty 
that a certain app was made by a certain, specific person than they would 
get overrun with malversants.

Regards,
Rudy Wieser

[toc] | [prev] | [next] | [standalone]


#147075

FromArno Welzel <usenet@arnowelzel.de>
Date2025-03-07 14:37 +0100
Message-ID<m30b4vFkj1jU2@mid.individual.net>
In reply to#147061
R.Wieser, 2025-03-07 09:50:

> Arno,
> 
>> Not really. The signatures can not be verified since there is no CA for 
>> it.
> 
> *Again*, that is where F-Droid comes in needing to check who created that 
> self-signed cert, effectivily making F-Droid the CA - even though they do 
> not(?) give out certs.

But F-Droid has no proof who the person is, where they get the sources
from. Even GitHub does not know - they just have an account connected to
a repository but there is no *proof* who that person is who created that
account in the first place.



-- 
Arno Welzel
https://arnowelzel.de

[toc] | [prev] | [next] | [standalone]


#147077

From"R.Wieser" <address@is.invalid>
Date2025-03-07 14:58 +0100
Message-ID<vqeu2i$3ilcc$1@dont-email.me>
In reply to#147075
Arno,

> But F-Droid has no proof who the person is,

And you think that Google does ?    Why ?

> where they get the sources from.

And you think that Google does ?   Or even cares ?

As I already mentioned, if I may take security firm reporting on Googles 
"walled garden", it has got quite a number of poisonned apps floating 
around.  And than I won't even mention the ones that where good, but got 
sold lock-stock-and-barrel to nevarious players, which than created 
"updates" that are trojanned.

So do yourself a favour, and do not think that an unbroken certificate chain 
meants all is on the up-and-up.   It just means that nothing has changed in 
transport.

I think this discussion has run its course.  If you have nothing extra 
forward regarding the usage of app cerificates I think we can stop here.

Regards,
Rudy Wieser

[toc] | [prev] | [standalone]


Page 2 of 2 — ← Prev page 1 [2]

Back to top | Article view | comp.mobile.android


csiph-web