 Yes the developer key is subject to the same opsec as the Google Play or GitHub credentials. 
 Dunno how Vitor handles this but I stick everything into my password manager. 
 Of course if all eggs are in the same basket and all accounts and keys are compromised, nothing can be done, but you're just gaslighting me with a worst possible scenario.

Even in that case, 3rd party curation is at least marginally better since another set of eyes has to vet each release. Yes, it's certainly less censorship resistant, but a tradeoff is a tradeoff. 
 Makes sense, but I am not sure if the tradeoff is that much. In the Play Store, you have to TRUST Google to not fuck around in first-time installs. There is no first-install check in the Play Store either for those attack vectors. 
 Vitor Pamplona
 Have you heard of https://github.com/soupslurpr/AppVerifier ?
It's at least an attempt to have a sort of community-run trusted attested developer keyring. Obtainium was considering some kind of integration.
 Like I said, trusting Google/F-Droid to attest first-time installs is arguably better (security-wise) than expecting common users to attest each app vendor individually.
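The first-install gap the last two posts argue about can be made concrete in code. What follows is an added example, not code from AppVerifier, Obtainium, Amethyst or any store: a small trust-on-first-use developer keyring that pins an app's signing-certificate fingerprint when it is first seen, rejects updates whose key changed, and can consult an optional community-attested keyring (the AppVerifier idea) so that even the first install has something to check against. The package names, certificate bytes and fingerprints are constructed; a real checker would hash the DER signing certificate taken from the APK's signature block.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Constructed sample signing certificates (stand-ins for DER-encoded X.509
# certs pulled from an APK's signature block; not real keys).
CERT_DEV_A = b"constructed-dev-a-signing-cert"
CERT_DEV_A_ROTATED = b"constructed-dev-a-new-signing-cert"
CERT_IMPOSTOR = b"constructed-impostor-signing-cert"


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the certificate bytes, hex-encoded (the usual
    'signing certificate fingerprint' that keyrings and verifiers compare)."""
    return hashlib.sha256(der_cert).hexdigest()


class DeveloperKeyring:
    """Local pins: package id -> fingerprint of the signing cert seen at install.

    Verdicts:
      'ok'         - fingerprint matches an existing pin or an attested entry
      'reject'     - fingerprint contradicts a pin or an attested entry
      'unverified' - first install with no attested entry: pinned on trust,
                     which is exactly the window the thread is about
    """

    def __init__(self) -> None:
        self.pins: Dict[str, str] = {}

    def check(
        self,
        package: str,
        der_cert: bytes,
        attested: Optional[Dict[str, str]] = None,
    ) -> Tuple[str, str]:
        fp = cert_fingerprint(der_cert)
        pinned = self.pins.get(package)

        # Update path: the locally pinned key is the source of truth.
        if pinned is not None:
            if pinned == fp:
                return "ok", "matches pinned signing key"
            return "reject", "signing key changed since first install"

        # First install: no local evidence. A community-attested keyring
        # (hypothetical, modelled on AppVerifier) lets us verify instead of
        # blindly trusting whatever APK arrived first.
        if attested is not None and package in attested:
            if attested[package] == fp:
                self.pins[package] = fp
                return "ok", "matches attested signing key; pinned"
            return "reject", "does not match attested signing key"

        # Neither a pin nor an attestation: trust on first use.
        self.pins[package] = fp
        return "unverified", "first install without attestation; pinned on trust"


def demo() -> Dict[str, str]:
    """Run the scenarios discussed in the thread; returns verdict per scenario."""
    attested = {"org.example.app": cert_fingerprint(CERT_DEV_A)}
    results = {}

    # 1. Pure TOFU: first install cannot be verified, only remembered.
    tofu = DeveloperKeyring()
    results["tofu_first_install"] = tofu.check("org.example.app", CERT_DEV_A)[0]
    results["tofu_same_key_update"] = tofu.check("org.example.app", CERT_DEV_A)[0]
    results["tofu_key_change"] = tofu.check("org.example.app", CERT_DEV_A_ROTATED)[0]

    # 2. TOFU that starts with an impostor's key happily pins the impostor.
    bad_start = DeveloperKeyring()
    results["tofu_impostor_first"] = bad_start.check("org.example.app", CERT_IMPOSTOR)[0]

    # 3. With an attested keyring the impostor is caught on first install.
    attested_ring = DeveloperKeyring()
    results["attested_impostor_first"] = attested_ring.check(
        "org.example.app", CERT_IMPOSTOR, attested
    )[0]
    results["attested_genuine_first"] = attested_ring.check(
        "org.example.app", CERT_DEV_A, attested
    )[0]
    return results


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario}: {verdict}")
```

The point the code makes is the one the thread circles: pinning catches a key change on update but says nothing about the first install, and whether a store, F-Droid, or a community keyring supplies the expected fingerprint, someone other than the end user has to vouch for it the first time.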