Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.mobile.android > #146879 > unrolled thread
| Started by | Marion <marion@facts.com> |
|---|---|
| First post | 2025-02-26 21:36 +0000 |
| Last post | 2025-03-07 14:58 +0100 |
| Articles | 3 on this page of 23 — 3 participants |
Back to article view | Back to comp.mobile.android
Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-26 21:36 +0000
Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-26 21:44 +0000
Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-26 22:36 +0000
Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-02-28 08:43 +0100
Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-28 19:30 +0000
Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-28 19:46 +0000
Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-02-28 21:42 +0100
Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-02-28 09:01 +0100
Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-28 19:19 +0000
Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-01 10:00 +0100
Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-03-01 09:54 +0000
Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-03-01 10:12 +0000
Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-03-01 10:27 +0000
Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-01 11:44 +0100
Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-01 11:36 +0100
Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-01 14:22 +0100
Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-01 15:40 +0100
Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-06 11:30 +0100
Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-06 12:29 +0100
Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-07 09:01 +0100
Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-07 09:50 +0100
Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-07 14:37 +0100
Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-07 14:58 +0100
Page 2 of 2 — ← Prev page 1 [2]
| From | "R.Wieser" <address@is.invalid> |
|---|---|
| Date | 2025-03-07 09:50 +0100 |
| Message-ID | <vqec1d$3f0vr$1@dont-email.me> |
| In reply to | #147059 |
Arno, > Not really. The signatures can not be verified since there is no CA for > it. *Again*, that is where F-Droid comes in needing to check who created that self-signed cert, effectivily making F-Droid the CA - even though they do not(?) give out certs. Kiddo, if F-Droid would not be able to say with a decent ammount of certanty that a certain app was made by a certain, specific person than they would get overrun with malversants. Regards, Rudy Wieser
[toc] | [prev] | [next] | [standalone]
| From | Arno Welzel <usenet@arnowelzel.de> |
|---|---|
| Date | 2025-03-07 14:37 +0100 |
| Message-ID | <m30b4vFkj1jU2@mid.individual.net> |
| In reply to | #147061 |
R.Wieser, 2025-03-07 09:50: > Arno, > >> Not really. The signatures can not be verified since there is no CA for >> it. > > *Again*, that is where F-Droid comes in needing to check who created that > self-signed cert, effectivily making F-Droid the CA - even though they do > not(?) give out certs. But F-Droid has no proof who the person is, where they get the sources from. Even GitHub does not know - they just have an account connected to a repository but there is no *proof* who that person is who created that account in the first place. -- Arno Welzel https://arnowelzel.de
[toc] | [prev] | [next] | [standalone]
| From | "R.Wieser" <address@is.invalid> |
|---|---|
| Date | 2025-03-07 14:58 +0100 |
| Message-ID | <vqeu2i$3ilcc$1@dont-email.me> |
| In reply to | #147075 |
Arno, > But F-Droid has no proof who the person is, And you think that Google does ? Why ? > where they get the sources from. And you think that Google does ? Or even cares ? As I already mentioned, if I may take security firm reporting on Googles "walled garden", it has got quite a number of poisonned apps floating around. And than I won't even mention the ones that where good, but got sold lock-stock-and-barrel to nevarious players, which than created "updates" that are trojanned. So do yourself a favour, and do not think that an unbroken certificate chain meants all is on the up-and-up. It just means that nothing has changed in transport. I think this discussion has run its course. If you have nothing extra forward regarding the usage of app cerificates I think we can stop here. Regards, Rudy Wieser
[toc] | [prev] | [standalone]
Page 2 of 2 — ← Prev page 1 [2]
Back to top | Article view | comp.mobile.android
csiph-web