Yes, after you've installed them and then used adb, at which point why can't you use your own binaries?
Replying to @taviso @dEnergy_dTime and
No, before you install. Ever heard of third party Play Store clients?
1 reply 0 retweets 1 like -
Replying to @RichFelker @taviso and
But if there weren't a workflow to do this it wouldn't mean repro builds are useless. It would be a flaw in the store's app delivery model that needs fixing.
1 reply 0 retweets 0 likes -
Replying to @RichFelker @dEnergy_dTime and
I see, so the threat model that means everyone should be using repro builds is: An Android user that is willing to violate the terms of usage, can build their own application, but can't sideload so they can use the build they trust, for some reason? Correct?
2 replies 0 retweets 0 likes -
Replying to @taviso @RichFelker and
no, a security expert that gets the source code of an application to verify his organization should, in fact, use e.g. that e2e crypto messenger, does a build, build matches what's on app store, expert says "is OK", admins/users deploy/install now officially trusted software.
1 reply 0 retweets 3 likes -
Replying to @dEnergy_dTime @taviso and
honestly, I'm a bit confused why you still think the end user would need to build the software. If you know what the binary should look like, you can delegate trust.
1 reply 0 retweets 2 likes -
Replying to @dEnergy_dTime @RichFelker and
Someone you trust needs to build the software. I'm saying, why not get the binaries from them - that system works today, it's how Linux distributions work.
3 replies 0 retweets 1 like -
Replying to @taviso @RichFelker and
say I read through the signal app source code and build infra. It's sound. How can I tell the world that the app they are currently pulling from Google's app store is source-audited? Applies the same to Linux distros.
1 reply 0 retweets 1 like -
Replying to @dEnergy_dTime @RichFelker and
You can say "The source code and build infrastructure is safe"?
1 reply 0 retweets 0 likes -
Replying to @taviso @dEnergy_dTime and
Are we back to bugdoors and all-or-nothing absolutism? *sigh*
1 reply 0 retweets 0 likes
What are you talking about? You've invented this fantasy threat model where the user can't build software, but it is open source, and you do trust the vendor but not their build software, and then when I point out it doesn't match reality you call it "absolutism"?