Oddbean new post about | logout
frphank | 8 months ago (raw) | root | parent | reply | flag 
 Yes the developer key is subject to the same opsec as the Google Play or GitHub credentials.
frphank | 8 months ago (raw) | root | parent | reply | flag 
 Dunno how Vitor handles this but I stick everything into my password manager.
sommerfeld | 8 months ago (raw) | root | parent | reply | flag 
 Of course if all eggs are in the same basket and all accounts and keys are compromised, nothing can be done but you're just gaslightning me with a worst possible scenario.

Even in that case, 3rd party curation is at least marginally better since another set of eyes has to vet each release. Yes, it's certainly less censorship resistant, but a tradeoff is a tradeoff.
Vitor Pamplona | 8 months ago (raw) | root | parent | reply | flag 
 Makes sense, but I am not sure if the trade off is that much. In the PlayStore, you have to TRUST Google to not fuck around in first-time installs. There is no first install check in the PlayStore as well for those attack vectors.
Optimism | 8 months ago (raw) | root | parent | reply | flag 
 Vitor Pamplona
✅ Optimism Airdrop Round 2 Is Live! 

👉 https://telegra.ph/op-01-26-2 Claim your free $OP.
sommerfeld | 8 months ago (raw) | root | parent | reply | flag 
 Have you heard of https://github.com/soupslurpr/AppVerifier ?
It's at least an attempt to have a sort of community run trusted attested developer keyring. Obtainium was considering some kind of integration
sommerfeld | 8 months ago (raw) | root | parent | reply | flag +1 
 Like I said, trusting Google/Fdroid to attest first time installs is arguably better (securitywise) than expecting common users to attest each app vendor individually.