[Commotion-dev] MeshTether to the Play Store

Nat Meysenburg nat at opentechinstitute.org
Fri Feb 8 22:36:22 UTC 2013


Nathan of Guardian <nathan at guardianproject.info> writes:
> Ah ha! You are the one that created multiple versions of Orweb in the
> wild, signed by keys that aren't ours! :)

Indeed, I am... :)

> Seriously though, this is my main issue with using the F-Droid
> shared/public repo for software related to activism or that could
> potentially have malicious versions out there. If someone installs
> from F-Droid, then they can't override that install with the version
> of the APK distributed by Commotion/OTI directly.
>
> I suppose if someone was using F-Droid then they should just keep
> using that version, but we take a lot of care at Guardian with
> building/signing our apps in a relatively safe and secure environment,
> and promoting a version of our app that is built in some other unknown
> shared environment always gives me cause for pause.

I agree. I find this to be a problem with F-Droid, and one that I am
torn on.

On the one hand, I think that there is immense value in F-Droid's
decision to build all apks themselves. The reasoning that I've read is
basically that they do it to ensure that all the software that F-Droid
distributes is actually free enough that it can be built from
source. 

However what you are doing there is replacing trust in the app
developer with trust in the maintainers of F-Droid. This has been a
problem for other devs, notably Moxie with TextSecure[0][1].

I am sympathetic to both sides of the argument. F-Droid maintains a Free
Software purism that I respect. They use gitorious over github, they
build all software they distribute from source, they don't include any ad
supported software that doesn't allow you to exclude the ads.

In general though, I really want to hold the developers of applications
directly responsible for issues, particularly security issues with
software aimed at activists. I want people living in the US (and other
relatively less repressive countries) and claiming something to be
secure to put their real names on the software they're expecting people
to entrust their lives to. That's why I like signed software.

I think the real long term solution is to push F-Droid in the direction
of allowing signed APKs from the developer, and just having their server
side implementation build and verify that the built apks have matching
checksums (or some such similar mechanism); as a short cut to verifying
how free the code is.

Like all of this stuff, it is about who you delegate trust to. For
example, I have not met the majority of Debian developers and
maintainers who sign the software that I run on my machine. However,
I've delegated trust to Debian's system of raising maintainers and
developers, and establishing clear trust chains to people that I do know
and trust. I would say (and just say, since I have no data to back this
up) that the majority of people running Debian, much less its
derivations, don't have any connection or trust path to the people that
signed the software on their system. This is not wholly dissimilar to
the F-Droid situation.

Anyway, assuming things stay the way they are currently, as long as you
stay on top of pull requests for the F-Droid listing, MeshTether (or
other apps) can be kept up to date. But it is definitely an extra step
in the distribution chain. It is also not signed by one of the original
devs in any way which is a bummer.

I'm curious to hear other thoughts on this — as I'm obviously torn.

Best,
~~nat

[0] http://f-droid.org/posts/security-notice-textsecure/
[1] https://github.com/WhisperSystems/TextSecure/issues/53
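The check the mail proposes, a repository verifying that its own from-source build matches the developer-signed APK by comparing checksums, written out as an added example (not code from this thread, from F-Droid or from Commotion). It assumes only that an APK is a zip archive whose signing artifacts live under META-INF/; the sample APKs and package name are constructed in-memory stand-ins, not real builds.

```python
import hashlib
import io
import zipfile

# Signing-time artifacts under META-INF/; every other entry must match byte-for-byte.
SIGNATURE_PREFIX = "META-INF/"
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")


def content_digests(apk_bytes):
    """Map every non-signature entry of an APK (a zip) to its SHA-256 hex digest."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith(SIGNATURE_PREFIX) and name.upper().endswith(SIGNATURE_SUFFIXES):
                continue  # skip the developer's signature files, compare only the payload
            digests[name] = hashlib.sha256(zf.read(name)).hexdigest()
    return digests


def compare_builds(dev_apk, repo_apk):
    """Return {entry: (dev_sha256, repo_sha256)} for each entry that differs or is
    missing on one side (None); an empty dict means the two payloads match."""
    a, b = content_digests(dev_apk), content_digests(repo_apk)
    return {n: (a.get(n), b.get(n)) for n in sorted(set(a) | set(b)) if a.get(n) != b.get(n)}


def make_apk(entries):
    """Constructed sample: build an in-memory zip that stands in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data: a developer-signed APK, an unsigned from-source rebuild
# with the same payload, and a rebuild whose bytecode diverges.
PAYLOAD = {"AndroidManifest.xml": b"<manifest package='org.example.meshtether'/>",
           "classes.dex": b"dex\n035\x00constructed-bytecode"}
DEV_SIGNED = make_apk({**PAYLOAD, "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                       "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
                       "META-INF/CERT.RSA": b"\x30\x82constructed-pkcs7"})
REPO_BUILD = make_apk(PAYLOAD)
DIVERGENT = make_apk({**PAYLOAD, "classes.dex": b"dex\n035\x00different-bytecode"})

if __name__ == "__main__":
    print("matching rebuild:", compare_builds(DEV_SIGNED, REPO_BUILD))  # {}
    print("divergent build:", compare_builds(DEV_SIGNED, DIVERGENT))    # classes.dex differs
```

A match lets the repository list the developer-signed APK while still proving the source builds it; a non-empty result is the signal to withhold the listing and ask why the rebuild differs.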