Purism's PureOS To Explore OSTree/Flatpak, Wants To Develop An "Ethical App Store"

  • #41
    Originally posted by oiaohm
    Doing a source-to-binary check for those running an app store, and even running tools on it to detect bad code, is a lot more effective than trying to scan binaries. Google's app store shows this all the time.
    You do realize that a binary-to-source comparison doesn't really do much if the root of the problem is that the source code has been tampered with? The idea with hashes and checking those against the listed official ones is that it's supposed to be way harder to change the listed correct hash than to go in and replace the binary with one that's been tampered with. We're talking a single point of failure (comparing to source) versus multiple points of failure (comparing to hash) here.

    As for malicious applications on the Play Store, open source "stores" are vulnerable in exactly the same way. A malicious developer, or a malicious party with access to the distribution platform accounts of a legitimate developer, can use the store to push malicious versions of the application to end users regardless of whether the source code is available to them or not. The main reason we mostly see this on closed distribution platforms is that open ones are all, by comparison, absolutely tiny in terms of actual users.

    [Mindless waffling]
    Seriously, try to stay on topic and stop waffling on about reproducible whatever, because once a malicious party gets the logins to the main repo, it's basically just a single point of failure and "game over" from there on. Malicious code being pushed and then merged into projects is by no means an unprecedented thing. The only advantage reproducible-whatever has over closed stores is against malicious dev tools, but that's an extremely rare thing now that most basic dev tools are either free or cost next to nothing.

    Thus in terms of automotive safety features, reproducible whatever is more like a device to stop people from coming and tipping your car onto its roof in the middle of the night. Sure, it can happen and it's annoying if it happens, but it's very rare and hardly the end of the world.



  • #42
    Originally posted by L_A_G
    You do realize that a binary-to-source comparison doesn't really do much if the root of the problem is that the source code has been tampered with?
    Really, F-Droid is in fact running tools on the source looking for defects, same with Debian and so on.

    A closed-source binary can have its source tampered with, so where is the peer review to possibly detect it?

    Reproducible builds allow you to audit the source, then build the source and confirm that the binary shipped is built from peer-reviewed source code. This allows you to work out which binaries are built from tampered source and which ones have not been built from tampered-with source.

    Originally posted by L_A_G
    As for malicious applications on the Play Store, open source "stores" are vulnerable in exactly the same way. A malicious developer, or a malicious party with access to the distribution platform accounts of a legitimate developer, can use the store to push malicious versions of the application to end users regardless of whether the source code is available to them or not. The main reason we mostly see this on closed distribution platforms is that open ones are all, by comparison, absolutely tiny in terms of actual users.
    This is bull crap. The fact that open source stores can run lint tools on the source that are able to confirm every code path is checked avoids the issue the Google store and the App Store have suffered from, where malware has been coded to detect when it is not really on a device and not run the malicious code. Having the source code limits the ability to hide.

    By the way, before F-Droid changed policy to reproducible builds they were seeing the same attacks as Google Play and Apple's store were, where a malware developer would take a legitimate binary, patch it and attempt to submit it to the store under their own account. This is still going on on Google Play and the Apple store. So being tiny in terms of users has not prevented the malware makers from targeting it.

    distribution platform accounts of a legitimate developer
    This is not enough on a reproducible build system. You need to in fact breach multiple accounts, not just a single developer's. In a reproducible system the legitimate developer uploads the source with its build config, and possibly a binary, to the store to be distributed. Next, source auditing is run. Next, the binary is built by an automated system under another developer (or developers) and then compared. Then the automated system puts the binary up for distribution if everything is approved. Please note this is spread across multiple servers in most cases, so breaching a single administrator account will not work either. Notice the difference here: you don't in fact have the distribution platform account of a developer, but each developer can sign stuff for release, and multiple signatures equal releasable.

    You will find the Debian repository keyring system works the same way, where no single developer can release anything in the main repository.

    On an open source platform the malware would have to be in the source. It cannot be a binary patch. It cannot be anything in the source that trips the lint systems.

    Originally posted by L_A_G
    Seriously, try to stay on topic and stop waffling on about reproducible whatever, because once a malicious party gets the logins to the main repo, it's basically just a single point of failure and "game over" from there on. Malicious code being pushed and then merged into projects is by no means an unprecedented thing. The only advantage reproducible-whatever has over closed stores is against malicious dev tools, but that's an extremely rare thing now that most basic dev tools are either free or cost next to nothing.
    Sorry, it's not game over. Without the ability to audit, how can you absolutely know what is infected in a repo and what is not? Reproducible means you can fully audit an infected repo and start over, in the process making a full list of everything the attacker modified and possibly catching them.

    Having a login to F-Droid or a Debian key entry does not mean you can distribute anything. Same with the way Flathub is done. So the single point of failure is not part of the design of most of the open source solutions.

    In fact, on the Google Play store you upload a binary and, until it is validated, it's not exposed to the public either.

    The idea that dev tools being infected is rare is kind of true. But binaries being patched and uploaded under another account is highly common on Google Play. So binary modification of one form or another happens a lot more than most want to admit.

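The release pipeline oiaohm sketches in #42 (independent rebuilds compared against the uploaded binary, plus multi-party sign-off) can be written down as a small decision function. This is an added example, not code from either poster or from F-Droid, Debian or Flathub; the toolchain, builder names, signers and source snippets are all constructed stand-ins. The last scenario also shows L_A_G's counterpoint from #41: a backdoor that is already in the reviewed source reproduces perfectly, so the rebuild check alone cannot catch it.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def reproducible_build(source: bytes) -> bytes:
    """Stand-in for a deterministic toolchain: same source -> byte-identical binary."""
    return b"BINARY-STANDIN:" + hashlib.sha256(source).digest()

@dataclass
class Submission:
    submitter: str
    source: bytes
    binary: bytes  # binary the developer claims was built from `source`

def review_release(sub: Submission, builders: dict[str, Callable[[bytes], bytes]],
                   approvals: set[str], threshold: int) -> tuple[bool, list[str]]:
    """Decide whether a submission may be published; returns (publish, reasons)."""
    reasons: list[str] = []
    claimed = sha256(sub.binary)
    # 1. Each independent build server rebuilds from the submitted source; every digest
    #    must equal the uploaded one, otherwise a binary was patched somewhere.
    for name, toolchain in builders.items():
        got = sha256(toolchain(sub.source))
        if got != claimed:
            reasons.append(f"{name}: rebuilt {got[:12]} != submitted {claimed[:12]}")
    # 2. Release needs `threshold` sign-offs from people other than the submitter,
    #    so one hijacked developer account cannot ship anything on its own.
    independent = approvals - {sub.submitter}
    if len(independent) < threshold:
        reasons.append(f"{len(independent)} independent approval(s), need {threshold}")
    return (not reasons, reasons)

# Constructed scenarios mirroring the cases argued in the thread (hypothetical names).
CLEAN_SRC = b"int main(void) { return 0; }"
BUILDERS = {"build-a": reproducible_build, "build-b": reproducible_build}
SIGNERS = {"alice", "bob", "carol"}

def scenario_legit():
    sub = Submission("alice", CLEAN_SRC, reproducible_build(CLEAN_SRC))
    return review_release(sub, BUILDERS, SIGNERS, 2)

def scenario_patched_binary():
    # Hijacked account uploads a binary that was modified after compilation.
    sub = Submission("alice", CLEAN_SRC, reproducible_build(CLEAN_SRC) + b"PATCHED")
    return review_release(sub, BUILDERS, SIGNERS, 2)

def scenario_single_account():
    # Only the submitter's own account signs off: no independent approval.
    sub = Submission("alice", CLEAN_SRC, reproducible_build(CLEAN_SRC))
    return review_release(sub, BUILDERS, {"alice"}, 2)

def scenario_tampered_source():
    # Backdoor already in the reviewed source: it reproduces perfectly, so the rebuild
    # check passes and only source review or static analysis can catch it.
    src = CLEAN_SRC.replace(b"return 0", b"return unchecked_input()")
    sub = Submission("alice", src, reproducible_build(src))
    return review_release(sub, BUILDERS, SIGNERS, 2)
```

Run the four scenario functions to see which layer rejects each case; only the tampered-source case sails through, which is exactly the gap the two posters are arguing over.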


  • #43
    Originally posted by oiaohm
    Blah... blah... reproducible whatever...
    As I said, automated tools simply can't detect every malicious act by an application, particularly not when using really expressive languages. There's a reason why we have things like the Underhanded C competition, and there's really no reason to believe automated systems can detect what the humans who judge that competition have to have the contestants explain to them.

    More waffling on about F-Droid and reproducible whatever
    Are you really that blind? Because an automated check really isn't going to find anything beyond the obvious, and neither will another developer: when they're working off the compromised source files, the binary submitted by the malicious dev or hijacked dev account is obviously going to match what the other dev produces from the same compromised source files. This also doesn't factor in malicious pull requests from third parties that are meant to trick the developer into merging the malicious changes and then distributing the compromised source files.

    You will find the Debian repository keyring system works the same way, where no single developer can release anything in the main repository.
    A whole distro, typically worked on by quite a few people, is a "bit" different from a single app, which is often developed and maintained by a single person.

    Sorry, it's not game over. Without the ability to audit, how can you absolutely know what is infected in a repo and what is not? Reproducible means you can fully audit an infected repo and start over, in the process making a full list of everything the attacker modified and possibly catching them.
    Just no... You really can't audit malicious changes to code beyond the obvious. Any properly expressive language will leave space for an enormous number of ways to do bad things in plain sight without an auditor being able to tell what's actually going on.

    The idea that dev tools being infected is rare is kind of true. But binaries being patched and uploaded under another account is highly common on Google Play. So binary modification of one form or another happens a lot more than most want to admit.
    I already pointed out to you that open source app stores like the F-Droid store are so tiny that there's really no reason for someone writing malware to target them. Thus it's completely idiotic to compare numbers of attempts at spreading malware directly without normalizing for the actual number of users.

    Besides, as I've said twice already, if people used the hash and checked that they match, infected binaries are not a problem.



  • #44
    Originally posted by L_A_G
    Are you really that blind? Because an automated check really isn't going to find anything beyond the obvious, and neither will another developer: when they're working off the compromised source files, the binary submitted by the malicious dev or hijacked dev account is obviously going to match what the other dev produces from the same compromised source files. This also doesn't factor in malicious pull requests from third parties that are meant to trick the developer into merging the malicious changes and then distributing the compromised source files.

    Post again when you have at least caught up to 2007. Automated source auditing tools for detecting coder errors are far more effective at finding backdoor attempts than most people dream. Sorry, it's been known for a while that when attempting to submit a backdoor past automated source code quality controls you are likely to get caught. Most attackers are not having their source code peer reviewed, so they have coding errors that trip automated static code checking; heck, they even have a habit of failing on more modern compilers as well.

    Next, the automated system compares the submitted source against the source repository and checks whether it passes the code audit processes.

    Originally posted by L_A_G
    I already pointed out to you that open source app stores like the F-Droid store are so tiny that there's really no reason for someone writing malware to target them. Thus it's completely idiotic to compare numbers of attempts at spreading malware directly without normalizing for the actual number of users.
    Google and F-Droid developers share attack numbers and normalise them. All app stores for Android are targeted quite a bit, particularly when you think you have almost a billion people in China who have trouble downloading from Google Play without issues being caused by China's Great Firewall. F-Droid's device-to-device transfer of applications has some advantages in areas with this trouble.

    F-Droid's number of installed users is not exactly small. Yes, the number of applications in F-Droid truly does not line up with the number of installed users. The functionality of F-Droid is kind of key in quite a few cases.



  • #45
    Originally posted by oiaohm
    B... b... b... but automated checking!!!1
    As I said already, if it's as easy to fool a human as the Underhanded C competition demonstrates, then automated checking isn't going to fare all that much better, and you're using a presentation from a company selling automated checking tools that will obviously try to play up the accuracy of their tools beyond what they're actually capable of. Calling them Theranos-level liars right off the bat may be taking it a bit too far, but Theranos should be a good example of why you should always have a big helping of cynicism on your mind when listening to a company tout their products.

    Google and F-Droid developers share attack numbers and normalise them. All app stores for Android are targeted quite a bit, particularly when you think you have almost a billion people in China who have trouble downloading from Google Play without issues being caused by China's Great Firewall. F-Droid's device-to-device transfer of applications has some advantages in areas with this trouble.
    Normalization would be fine and dandy if this was the 90s and people like Dark Avenger were the ones attacking it just for fun, but malware attacks are mostly done for profit these days. If you don't have anything actually worth stealing and people can see that, then a burglary is just going to be extremely unlikely, and beyond what you can factor for with just normalization.

    F-Droid's number of installed users is not exactly small. Yes, the number of applications in F-Droid truly does not line up with the number of installed users. The functionality of F-Droid is kind of key in quite a few cases.
    I haven't been able to find anything on their usage statistics beyond how it's not reported due to "privacy concerns", so I'm really not convinced F-Droid has all that many more users than SailfishOS. Considering how the overwhelming majority of smartphone users don't feel any need to install an alternative app store, nor have the knowledge to do so, F-Droid is going to be something for a small group of people paranoid of proprietary code.



  • #46
    Originally posted by L_A_G
    I haven't been able to find anything on their usage statistics beyond how it's not reported due to "privacy concerns", so I'm really not convinced F-Droid has all that many more users than SailfishOS. Considering how the overwhelming majority of smartphone users don't feel any need to install an alternative app store, nor have the knowledge to do so, F-Droid is going to be something for a small group of people paranoid of proprietary code.
    Other than the fact that you have carriers in China who install F-Droid by default on their phones. So it's not an alternative app store to everyone. Sometimes it's your default app store.

    The Underhanded C competition has not been run since 2016; do you know why? That's right, automated tools detected errors in every entry ever made, and they suggested using automated auditing in the 2017 competition. Yes, it's simple to fool a human; it's a lot harder to fool automated auditing and a human. Odd and strange code flow is something automated tools are really good at finding. Yes, the items we as humans are really bad at spotting.



  • #47
    Originally posted by oiaohm
    Other than the fact that you have carriers in China who install F-Droid by default on their phones. So it's not an alternative app store to everyone. Sometimes it's your default app store.
    China is kind of a moot point when the default Android app store, along with a whole lot of Google APIs and services, is literally banned in that country, but I couldn't find any evidence for F-Droid being installed by default anywhere with a quick Google search. All I found was that just about all Android devices sold in China come pre-installed with the Baidu, Tencent or manufacturer's own app store.

    The Underhanded C competition has not been run since 2016; do you know why?
    Assumptions... Assumptions... Assumptions... The Obfuscated Java Contest hasn't been run in years either, yet you still have people who churn out the most awful Java code imaginable at companies like Accenture.



  • #48
    Originally posted by L_A_G
    China is kind of a moot point when the default Android app store, along with a whole lot of Google APIs and services, is literally banned in that country, but I couldn't find any evidence for F-Droid being installed by default anywhere with a quick Google search. All I found was that just about all Android devices sold in China come pre-installed with the Baidu, Tencent or manufacturer's own app store.
    A quick Google search is of no real use for information on what is deployed inside China.



  • #49
    Originally posted by oiaohm
    A quick Google search is of no real use for information on what is deployed inside China.
    You do know that we don't live in the days of Mao anymore, when China was still a closed society? There's loads of Chinese English-language content on the web, and the so-called "Great Firewall of China" is there to block them from accessing content hosted outside of China, not people outside of China from accessing content hosted in China.

    Seriously, either admit you don't have proof or show us some proof.



  • #50
    Originally posted by L_A_G
    You do know that we don't live in the days of Mao anymore, when China was still a closed society? There's loads of Chinese English-language content on the web, and the so-called "Great Firewall of China" is there to block them from accessing content hosted outside of China, not people outside of China from accessing content hosted in China.

    The reality has been that when F-Droid and others have performed ground surveys, instead of relying on your internet rules, they have found out lots of things.

    Sorry, the Great Firewall of China in fact blocks both ways. Information declared a security risk is also blocked from those outside China. This includes information on the software installed by default on most phones shipped inside China.

    F-Droid's device-to-device feature is highly popular in many countries, including China.
