
ubuntu-phone team mailing list archive

Re: How do I know an app is safe to install?

 

On Tuesday 15 October 2013 12:51:07 Robert Schroll wrote:
> On Tue, Oct 15, 2013 at 9:16 AM, Michael Zanetti
> <michael.zanetti@xxxxxxxxxxxxx> wrote:
> > App Developers don't want to publish their code and the vast majority
> > of users doesn't seem to care about anything security at all anyways.
> > It's a sad situation for people like us who actually DO care about
> > security.
> > 
> > However, I haven't given up hope that at some point someone will set up
> > some App Repository for Ubuntu Touch which requires developers to upload
> > a source package, the binary will be built on the trusted server and the
> > exact same source archive published along with the binary.
> 
> Personally, I'd much prefer to publish through this system.  Not only
> would it provide more assurance for my users that my source actually is
> my source, it would free me from having to play with pbuilder and
> chroots to build click packages.  I doubt that I'm typical in this
> regard, but one datum is better than none, right?

Well, tbh you'd need to care even more about pbuilder etc as it can be quite 
complex to make a remote server compile your stuff. In that case it's not just 
about somehow compiling a binary, but rather providing a fail-proof recipe for 
the server to build it. So actually this is more complex.



