[Android] Signed android binaries F-Droid etc

Tyler tylera at privatedemail.net
Sat Sep 29 08:21:53 CEST 2018


Hi,

After doing some searching on this, it appears that VLC was available in
F-Droid at some point: https://forum.f-droid.org/t/where-is-the-vlc-app/108

My understanding is that it was removed because distributing old builds
isn't good practice and it was too difficult for F-Droid's maintainers:
https://f-droid.org/wiki/page/org.videolan.vlc#Maintainer_Notes

From this Twitter post
https://twitter.com/videolan/status/748448942141091840 it appears it
does still build on Android, though, and there are current builds
available on the mirror https://get.videolan.org/vlc-android/

For something to be in F-Droid's main repository, i.e.
https://f-droid.org/repo, they have to be able to build it without too
much fiddling about, especially as they have an automatic Reproducible
Builds system (https://f-droid.org/en/docs/Reproducible_Builds) running.

Currently, downloading from that mirror has a single point of failure, i.e.
the HTTPS certificate, which is a bit of a concern. If there were
some zero-day or MITM, there would actually be no way to verify that the APK
downloaded is indeed officially from VideoLAN.

Now there has been the suggestion of "just install from Google Play".
However, some of us feel that isn't really secure enough. Many use
devices with a ROM like LineageOS and purposefully do not install Google
Apps.

You are essentially trusting all your security to Google's signing keys,
which additionally could allow targeted attacks at the behest of foreign
governments:
https://www.smh.com.au/business/companies/spyware-on-phone-fears-as-dutton-pushes-new-security-laws-20180924-p505oc.html
What sort of person would knowingly use a device that comes with a built-in
side-channel attack that can be targeted at a selector (your Google
account) and then kept secret from you?

So my questions are:

1) What would it take to modify the build system so that
F-Droid maintainers don't have to do significant work each release?

2) If that's not an option, perhaps VideoLAN could have their own F-Droid
repository and then show it on
https://f-droid.org/wiki/page/Known_Repositories

3) At the very least, have detached PGP signatures (.asc) as you do for your
desktop releases.

-- 
Tyler

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.videolan.org/pipermail/android/attachments/20180929/ef1256e4/attachment.sig>
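The third request above, detached .asc signatures, only removes the HTTPS single point of failure if the person downloading actually pins the publisher's key rather than accepting "some key in my keyring signed this". The following is an added example for this thread, not code from VideoLAN or F-Droid: it drives gpg's machine-readable status output and accepts an APK only when the VALIDSIG fingerprint matches a pinned one. The fingerprint, keyring path and file names are placeholders; the status transcripts at the bottom are constructed for offline testing and are not real gpg output for any real file.

```python
"""Check a downloaded APK against its detached OpenPGP signature (.asc),
accepting it only when the signing key matches a pinned fingerprint.

Added example for this thread, not code from VideoLAN or F-Droid.
The file names, keyring path and fingerprint are placeholders.
"""
import subprocess
from dataclasses import dataclass
from typing import Optional

# Placeholder fingerprint, not a real VideoLAN key. The real pin must be
# obtained out of band (project website, keyservers, a second channel),
# never from the same mirror that serves the APK.
EXPECTED_FPR = "ABCDEF0123456789ABCDEF0123456789ABCDEF01"

# Status tags that mean the signature must be rejected outright.
FATAL_TAGS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA"}


@dataclass
class SigResult:
    ok: bool
    fingerprint: Optional[str]
    reason: str


def parse_gpg_status(status_text: str, expected_fpr: str) -> SigResult:
    """Interpret gpg's machine-readable --status-fd output.

    A GOODSIG line or a zero exit code only says "some key in the keyring
    signed this"; the check that matters is that the VALIDSIG fingerprint
    (or the primary-key fingerprint it reports) equals the pinned one.
    """
    sig_fpr = None
    primary_fpr = None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag in FATAL_TAGS:
            return SigResult(False, None, f"gpg reported {tag}")
        if tag == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire> <ver> <reserved>
            #          <pk-algo> <hash-algo> <class> [<primary-fpr>]
            sig_fpr = fields[2].upper()
            primary_fpr = fields[11].upper() if len(fields) >= 12 else sig_fpr
    if sig_fpr is None:
        return SigResult(False, None, "no VALIDSIG line (unsigned or unverifiable)")
    if expected_fpr.upper() not in (sig_fpr, primary_fpr):
        return SigResult(False, sig_fpr, "valid signature but from an unpinned key")
    return SigResult(True, sig_fpr, "signature valid and key matches pin")


def verify_apk(apk_path: str, asc_path: str, keyring: str,
               expected_fpr: str = EXPECTED_FPR) -> SigResult:
    """Run gpg against the detached signature and apply the pin.

    A dedicated keyring holding only the publisher's key keeps unrelated
    keys on the machine from making a stray signature look acceptable.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", asc_path, apk_path],
        capture_output=True, text=True, check=False,
    )
    return parse_gpg_status(proc.stdout, expected_fpr)


# Constructed status-fd transcripts for offline testing; not real gpg output
# for any real file. The key id is the last 16 hex digits of the placeholder.
SAMPLE_OK = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 23456789ABCDEF01 VideoLAN release (placeholder)\n"
    f"[GNUPG:] VALIDSIG {EXPECTED_FPR} 2018-09-29 1538202113 0 4 0 1 10 00 {EXPECTED_FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
SAMPLE_WRONG_KEY = SAMPLE_OK.replace(EXPECTED_FPR, "1" * 40)
SAMPLE_BAD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG 23456789ABCDEF01 VideoLAN release (placeholder)\n"
)
SAMPLE_NO_VALIDSIG = "[GNUPG:] GOODSIG 23456789ABCDEF01 VideoLAN release (placeholder)\n"


if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_OK), ("wrong key", SAMPLE_WRONG_KEY),
                         ("bad sig", SAMPLE_BAD), ("no validsig", SAMPLE_NO_VALIDSIG)]:
        print(name, parse_gpg_status(sample, EXPECTED_FPR))
```

In real use, `verify_apk("vlc.apk", "vlc.apk.asc", "videolan.kbx")` would be called after fetching both files; the TRUST_* lines gpg also emits are deliberately ignored because the pin, not web-of-trust status, is what decides. Such a check would then mean that a compromised mirror or a MITM on the HTTPS connection could at most serve a file that fails verification, rather than a file that installs.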

