You haven't answered the most important question. You have to build the code anyway, so why can't you just use the code *you* built? I'm asking because that's exactly what I do, and I want to know what the security threat to me is.
Replying to @taviso @dEnergy_dTime and
See the app store tweet. Also, lots of times you don't want to actually build it. You can opt to trust that someone is doing it and that forgeries will be caught (maybe not a good idea but an option).
Replying to @RichFelker @dEnergy_dTime and
I did, I explained that doesn't actually work with the app stores we have. Aren't you advocating for reproducible builds everywhere, not just in some niche fantasy threat models?
Replying to @taviso @dEnergy_dTime and
It *does* work with them. You can easily grab binaries from Play Store to compare to your own build.
Replying to @RichFelker @dEnergy_dTime and
Yes, after you've installed them and then used adb, at which point why can't you use your own binaries?
Replying to @taviso @dEnergy_dTime and
No, before you install. Ever heard of third party Play Store clients?
Replying to @RichFelker @taviso and
But if there weren't a workflow to do this it wouldn't mean repro builds are useless. It would be a flaw in the store's app delivery model that needs fixing.
Replying to @RichFelker @dEnergy_dTime and
I see, so the threat model that means everyone should be using repro builds is: An Android user that is willing to violate the terms of usage, can build their own application, but can't sideload so they can use the build they trust, for some reason? Correct?
Replying to @taviso @dEnergy_dTime and
I love how you're defending ToS that explicitly harm the user's security...
Replying to @RichFelker @taviso and
Don't make that the hill you die on. If you really object to ToS violation for this purpose, fetch with real Play Store onto a burner.
1 reply 0 retweets 0 likes
Rich, don't change the topic: If you now agree the justification is weak, just say so.
Replying to @RichFelker @dEnergy_dTime and
Again, is this the threat model that means everyone should be using repro builds: Android users willing to violate the terms of usage, who can build their own application, but can't sideload for some reason?