Please review the draft for May's report

Daniel Shahaf d.s at
Wed Jun 10 14:10:45 UTC 2020

Bernhard M. Wiedemann wrote on Tue, 09 Jun 2020 12:31 +0200:
> Am 08.06.20 um 07:52 schrieb Daniel Shahaf:
> > Besides, there was no question, no concrete request, no clickable
> > URL…  
> was mentioned, though.

So was the word "clickable".  People are less likely to open URLs that
aren't clickable.

> How would the app-update workflow work in a perfect world, where we do
> not have to trust the app builder?
> Maybe like this:
> 1. developer pushes a signed git tag to the official repo
> 2. multiple independent builders build binaries and sign some
> "buildinfo" about source+binary hashes, publish it to some
> buildinfo-collection place.
> 3. after N trusted rebuilders agreed on what the correct binary should
> be, the app-store (e.g. F-Droid) publishes the binary for all users
> 3b. in theory, this could use anonymous uploads, where anyone can
> upload a binary to server.domain.tld/public/HASH as long as the HASH
> of the upload is the correct one.

Accepting anonymous uploads increases the attack surface (e.g., if
someone has a second preimage attack against the hash).  I'd recommend
to at least have the upload signed by a non-Web-of-Trust key and use key
pinning to verify future uploads.

> 4. F-Droid client pulls new app version and signed buildinfo files and
> checks if F-Droid server did the right thing



More information about the rb-general mailing list