
>> Can I run a client from the Git repo and still use all of their infrastructure?

> Yes. You can.

The thing is, lucideer, the "restrictions" on the use of the source code are engineered to raise the barrier to independent use, notably by preventing or discouraging redistribution. This means that only those who are able and willing to compile Android source can run their own binaries. Everyone else has to go with the binaries they distribute which, as the other poster has correctly argued, cannot be independently verified.

> Do you have some personal issue with OWS?

I do not know about him. But I do. Please read on.

> and provided via F-Droid (though I have read their arguments against that w.r.t. performance)

Oh, so it's "performance" this time? It's not something about "updates" like last time¹, or "features", or "metrics"?

Do you really not think, if you go through the discussions, that there are just too many excuses? Does it make sense to you? Do you not get the feeling someone's got something to hide, if you would pardon the pun? :-)

But I'll tell you what really got on my tits; it was this message: (https://github.com/WhisperSystems/Signal-Android/issues/53#i...)

"Please do not install software from F-Droid. It is an unverified build, exceptionally out of date, and should be considered malware."

You know what? I fucking trust F-Droid. And I, for one, am very grateful to everyone who collaborates to make that happen and stands firm in their commitment to open source, and especially to Ciaran, the founder, who gives so much to the community in spite of very challenging family issues (which are publicly known). Top bloke, he is.

And then you get some lying, incompetent, manipulative², and possibly delusional individual accusing them of distributing malware. That is seriously not cool.

For those of you unaware, this is the person we are talking about (I suggest you read the comments too): http://www.gandibar.net/post/2010/04/07/The-googlesharingnet...

¹ Cooperative and competent (or at least willing) open source developers can set it up so that F-Droid auto-builds every time you tag a new release.

² And I say this because I'm sure someone will correctly argue that he did not call F-Droid itself malware--that would be too crass even for this guy. He's very careful in choosing his words.




I would love to see Signal provided on F-Droid, as I mentioned above, but I would temper my criticism quite a lot more than yours, for a number of reasons:

1. I haven't read/heard excuses based on updates/features/metrics/&c. as you mention, but their one performance excuse sounds reasonably plausible. Moxie has commented that he'd welcome a PR[0] even if it had bad performance (provided it only ran conditionally of course).

2. The tone in your Github link is a bit heavy-handed, and calling it malware is going too far, but I can understand the developer of software for which security is extremely critical advising strongly against using an outdated version that's being built and distributed by someone else. There is definitely no implication in that comment that F-Droid is malware; he's only referring to TextSecure.

3. I understand your Github link was just to provide an indication of Moxie's tone, but it is very old and the actual factual details in there are probably not very relevant today.

4. I trust the F-Droid software itself, but not necessarily the repository. The distribution of the outdated TextSecure above is as good an example as any - the idea of a 3rd-party building TextSecure and providing it through F-Droid may be all well and good in the spirit of Free Software, but it doesn't really instill trust when the actual author of the software isn't involved at all.

Finally, I'd never heard of the Gandi issues with Moxie's cert before reading that article. After reading it, I'm much more inclined to be suspicious of Gandi than of Moxie. The article is littered with red flags - the fact that their initial response seems to be to go after their customer rather than to question their business relationship with Comodo being a big one.

[0] https://news.ycombinator.com/item?id=12883410


> Everyone else has to go with the binaries they distribute which, as the other poster has correctly argued, cannot be independently verified.

Do you have reverse engineering experience on Android?

APK uses the zip format. Extract its contents and compare those, minus the META-INF directory, which contains digests and a detached PKCS#7 signature.

Apps whose code output isn't reproducible can still be compared with a varying amount of IDA analysis.


Re-reading this post, I'm not sure why I typed IDA -- I meant baksmali. IDA is still useful for bundled ELF dependencies.
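The comparison described above (unpack both APKs as zip files, drop META-INF/, compare what is left) as a worked example. This is added code, not part of the thread or of any Signal or F-Droid tooling. It hashes each entry's uncompressed bytes rather than diffing the raw zip, so differing timestamps and compression settings do not produce false alarms, and it builds two small APK-shaped zips inline as constructed test data so it runs offline; point `compare_apks` at real files by reading them into bytes. One caveat the thread does not mention: a v2/v3 APK signature lives in the APK Signing Block between the zip entries and the central directory, not in a zip entry, so it is also left out of an entry-by-entry comparison like this one.

```python
"""Compare two APKs entry by entry, ignoring the META-INF/ signature directory.

Added example code. It assumes nothing about the real apps; the sample
APKs below are constructed in memory purely to exercise the comparison.
"""
import hashlib
import io
import zipfile

SIGNATURE_DIR = "META-INF/"  # v1 (JAR) signing: MANIFEST.MF, *.SF, *.RSA/*.DSA/*.EC


def entry_digests(apk_bytes):
    """Map every non-META-INF file entry to the SHA-256 of its uncompressed bytes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith(SIGNATURE_DIR):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(a_bytes, b_bytes):
    """Return which entries exist only on one side, differ in content, or match."""
    a, b = entry_digests(a_bytes), entry_digests(b_bytes)
    common = set(a) & set(b)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "differ": sorted(n for n in common if a[n] != b[n]),
        "same": sorted(n for n in common if a[n] == b[n]),
    }


def build_sample_apk(entries, signer_blob):
    """Construct a toy APK-shaped zip (constructed test data, not a real app).

    The payload entries are written first, then a fake v1 signature set in
    META-INF/ whose contents depend on who signed, exactly the part that
    legitimately differs between an upstream build and an F-Droid rebuild.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", signer_blob)  # stands in for the PKCS#7 blob
    return buf.getvalue()


# Constructed payloads: same app content, different signers, plus one tampered dex.
PAYLOAD = {
    "AndroidManifest.xml": b"<manifest package='org.example.app'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 64,
    "resources.arsc": b"\x02\x00\x0c\x00" + b"\x00" * 16,
}
TAMPERED = dict(PAYLOAD, **{"classes.dex": b"dex\n035\x00" + b"\x01" * 64})

UPSTREAM_APK = build_sample_apk(PAYLOAD, b"signer=upstream")
REBUILT_APK = build_sample_apk(PAYLOAD, b"signer=fdroid")
TAMPERED_APK = build_sample_apk(TAMPERED, b"signer=fdroid")


def rebuild_matches_upstream():
    """True when the two builds carry identical code/resources outside META-INF."""
    r = compare_apks(UPSTREAM_APK, REBUILT_APK)
    return not (r["only_in_a"] or r["only_in_b"] or r["differ"])


if __name__ == "__main__":
    print("rebuild vs upstream:", compare_apks(UPSTREAM_APK, REBUILT_APK))
    print("tampered vs upstream:", compare_apks(UPSTREAM_APK, TAMPERED_APK))
```

For a real check, replace the constructed APKs with `open(path, "rb").read()` of the two files; anything listed under `differ` or `only_in_*` is what you would then feed to baksmali (for .dex) or IDA (for bundled .so files), as the comment above suggests.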



