Hacker News: fc417fc802's comments

Yeah but supply chain attacks like that can hit literally anything. Debian repos, Play store, an individual publishing on his own website, it's all vulnerable.

The one true unit of time is hexadecimal encoded nanoseconds since the unix epoch. (I'm only half joking because I actually have authored code that used that before.)

If attestation ever became ubiquitous the difference between iOS and Android would cease to exist for me. I'd need a black box that lived in a desk drawer for interfacing with specific services and otherwise I'd cart around a camera in my pocket that happened to double as a linux tablet.

I believe most jurisdictions in the US have largely the same framework. At least everywhere I've lived all street corners were implicit pedestrian crossings with a legal requirement (often blatantly ignored) that vehicles yield. Similarly jaywalking is a misdemeanor and only applies within a certain distance of a crossing.

The only situations where it's enforced (from what I've seen, so obviously biased) are major highways, city streets with dense traffic and a marked crossing within half a block, and when they want to search someone for contraband. In the latter case it's just an excuse to stop and harass you in the hopes they will manage to generate sufficient articulable suspicion to justify a search.


They don't care about F-Droid but they do care to choke out any potential competitors to their ecosystem before they can get a foothold. See their behavior surrounding device certification for example. They want to abuse the network effects of their ecosystem to prevent consumers from leaving. This is just more of that - vendor lock-in masquerading as an unfortunate necessity.

I'd argue OSS isn't sufficient on its own, and I suspect moderation only plays a small role. I think it's primarily the separation of roles. For a complete outsider whose only interest is exploiting users, publishing a sufficiently popular piece of software and also gaining the ability to add things to the Debian repos is a huge barrier. You'd have to invest years of work to do both of those things and then hope that no one happened to notice anything before it was too late.

Of course the FLOSS aspect adds an additional hurdle that this popular piece of software will have to somehow avoid having much of a contributor community around it since that would greatly increase the risks of your malicious changeset being reviewed. I guess what happened with XZ was about the best case scenario that an attacker could realistically hope for.


Reads like a cheap hit piece to me.

The section you linked in particular is a load of editorialized bullshit IMO. As far as I can tell the only legitimate complaint is that there is (or was?) some sort of issue with the signing methodology for both APKs and repository metadata. Specifically they were apparently very slow to replace deprecated methods that had known issues. However it's worth noting that they appear to have been following what were at one point standard practices.

The certificate pinning nonsense is particularly egregious. APT famously doesn't need TLS unless you're concerned about confidentiality. It's the same for any package manager that securely signs everything, and if there's ever a signing vulnerability then relying on TLS certainly might save you but seems extremely risky. On top of that the Android TOFU model means none of this matters in the slightest for already installed apps which is expected to be the case the vast majority of the time.

As far as I'm concerned F-Droid is the best currently available option. That said of course there are places it could improve.
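The two claims in the comment above, that a package manager which signs everything does not depend on TLS for integrity and that the Android trust-on-first-use (TOFU) model pins an installed app to its original signing key, can be shown in a few lines. The following is an added illustration and not the commenter's code nor anything from F-Droid or APT: it assumes Ed25519 detached signatures as the scheme, a constructed in-memory "store" standing in for the device's record of installed apps, and constructed sample package bytes. It shows a payload modified in transit being rejected by signature alone, and a validly signed build from a different key being rejected by the TOFU pin.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Signed is what a client fetches: the payload (package or repository
// metadata) plus a detached Ed25519 signature. The transport that delivered
// it (plain HTTP, a mirror, a CDN) is treated as untrusted throughout.
type Signed struct {
	Payload []byte
	Sig     []byte
}

// Sign produces the artefact a repository or developer publishes.
func Sign(priv ed25519.PrivateKey, payload []byte) Signed {
	return Signed{Payload: payload, Sig: ed25519.Sign(priv, payload)}
}

// Verify reports whether Payload is exactly what the holder of pub signed.
// Any modification in transit makes this false, with or without TLS.
func Verify(pub ed25519.PublicKey, s Signed) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, s.Payload, s.Sig)
}

var (
	ErrBadSignature = errors.New("signature does not verify against the expected key")
	ErrKeyMismatch  = errors.New("update signed by a different key than the installed app")
)

// Store is a constructed stand-in for the device's TOFU state: the signing
// key pinned for each installed app.
type Store struct {
	pinned map[string]ed25519.PublicKey
}

func NewStore() *Store { return &Store{pinned: map[string]ed25519.PublicKey{}} }

// Install applies the TOFU rule: the first install pins pub; every later
// update must be signed by that same key. A compromised mirror therefore
// cannot push a build signed by anyone else, even if it is validly signed.
func (st *Store) Install(app string, pub ed25519.PublicKey, pkg Signed) error {
	if prev, ok := st.pinned[app]; ok && !bytes.Equal(prev, pub) {
		return ErrKeyMismatch
	}
	if !Verify(pub, pkg) {
		return ErrBadSignature
	}
	st.pinned[app] = pub
	return nil
}

func main() {
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	attackerPub, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	st := NewStore()

	// Constructed sample package bytes; a real build would be an APK or .deb.
	v1 := Sign(devPriv, []byte("example.app v1"))
	fmt.Println("first install:  ", st.Install("example.app", devPub, v1))

	// Bytes altered on the wire, signature left untouched: caught by Verify.
	tampered := Signed{Payload: []byte("example.app v1, modified in transit"), Sig: v1.Sig}
	fmt.Println("tampered update:", st.Install("example.app", devPub, tampered))

	// A correctly signed build under a different key: caught by the TOFU pin.
	rekeyed := Sign(attackerPriv, []byte("example.app v2"))
	fmt.Println("re-keyed update:", st.Install("example.app", attackerPub, rekeyed))

	// A genuine update from the pinned key goes through.
	v2 := Sign(devPriv, []byte("example.app v2"))
	fmt.Println("genuine update: ", st.Install("example.app", devPub, v2))
}
```

The point of the second and third cases is the one the comment makes: transport security adds nothing to either check, while a signing-key compromise defeats both, which is why the signing methodology rather than certificate pinning is the part worth scrutinising.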


It depends on the purpose of the reader. I can learn a technical topic from an LLM but not what another person genuinely thinks. I certainly can't convince it of anything nor befriend it.

It still hasn't been addressed. They walked back half of their wholly unreasonable position in an attempt to legitimize the other half.

> intercepting sms one time codes

Crazy idea, maybe they shouldn't be using those then. Maybe they should use email? Or god forbid a TOTP app. Or perhaps webauthn via the platform provided authenticator.

They very clearly aren't behaving in good faith. That's why the harsh sentiment.

