Oddbean new post about | logout
 "true Bitcoiner" lol https://image.nostr.build/24277f058f388facec1091fadc2cf6d329e66c0148ec05fcd1f37e3e64ac29aa.jpg 
 If the source code were available, how would you verify that what you downloaded is the same app? Genuine question. 
 unfortunately, I am too stupid to know. I just know that the red alert looks scary.   
 I agree that the red alert looks scary. I wasn’t aware this was what the app looked like while I was still figuring out my open-source strategy. I think I will delist it for now. Thanks for bringing this to my attention.

Unfortunately, just because a developer publishes source code for the app doesn't mean that's the source code you downloaded in the app. This is a complex problem that I’m not sure is solvable. 
 Isn't this is what the APK signature is for? To make sure the apk package hasn't been tampered with after publishing?  
 Sure, but how do you know the APK is the repository's source code? I can sign a malicious APK, and the signature will still be valid. 
 I simply do not know  
 Neither do I, which is why I'm skeptical of “open-source” apps and view them as a form of security theater: something that appears more secure but isn't.

The worst thing that can happen is that, in the name of open source, an app developer accidentally publishes secrets, which allows an attacker to publish a malicious version of the app that leaks every user key.

If I publish the source of my app, I will take care to ensure that the source code can't be built and released maliciously. 
 I appreciate your humility.