I disagree that "it simply means installing". Because when you install software that isn't from the app store, it's unvetted and untrusted.

There is a whole different structure of trust when you download and install an app from your provider's app store. No, it's not perfect. No, it won't prevent malware or scams. But there is trust, and there is a vetting process, and there are automatic updates and in-app purchases and the other perks that you get with an integrated app store.

Sideloading, or "simply installing" from an APK, is a different procedure that involves mostly disabling the trust and certification features that your app store was providing. I have never needed to do this for any app on any Android device, and I've owned them since KitKat. In fact, I will probably enable S-mode on my next Windows machine, because it's that easy to just avoid 3rd party apps and crapware.

So I don't know why people want to muddy the waters. You literally want to stamp out a differentiating term "because it's scary". Is that not censorship? Are you opposing freedom of speech now? Don't users and vendors have a right to call a thing what it is, or use different terms for different procedures? It seems absolutely nuts to try and censor this word, because y'all believe it was foisted on you by "lawmakers". That's nuts.
B1FIDO 3 hours ago

What I'm talking about is actual trust. Like, there are cryptographic measures taken, certificates involved, code signing, that kind of thing.

You claim that you "can install anything" on Windows, but that is simply false. The system's Driver Signature Enforcement will prohibit the install of unsigned or invalid signatures on device drivers. Windows SmartScreen will also give you trouble by blocking unsigned apps. So yeah, you can bypass these protective measures and "install whatever you want" ultimately, but it is basically the same process as sideloading on Android, isn't it? Disabling a bunch of protections that are there for your safety?

Your trust, honestly, doesn't mean jack shit. There is cryptographic signing, and certificate authorities, and processes to approve the certificates that authorized developers use. You don't got jack shit with your "trust" of Termux and Kodi. It means nothing to the end-user.

We do not work in "trust me bro" territory when it comes to signing software, anymore. I am sorry/not-sorry to say. It is very important to have a chain of trust that goes up somewhere above "goldenarm @ HN".
TeMPOraL 2 hours ago

Cryptographic trust is a different thing than actual trust. The latter is what makes the world work, the former is a tool people occasionally confuse for the real thing, but actually is mostly opposite to it.
B1FIDO an hour ago

Look, we are talking about computers here. Computers don't understand or exercise actual trust as you describe it. Actual trust doesn't make computers work at all, because it doesn't exist in their world. So you need a proxy for it.

The security vetting, the authentication, the scans that are done, whether by Google Play or by F-Droid, are a process that tries to eliminate egregious abuses and basically curate the collection so that the users have something to actually trust.

Now you understand that actual trust comes in degrees, right? I don't trust everything on Play equally. There are plenty of different types of trust relationships between me and the Play Store and the devs who put their apps on it.

But cryptographically, cybersecurity-wise, we need that CIA triad, and we need to authenticate that developers are who they say they are. And that authentication is the crux of cryptographic code signing. That we can trust that updates came from the source, and not a 3rd party injection or supply-chain attack. If Google or F-Droid countersigns it, then it's been through their vetting process as well.

That's how cryptographic signing establishes trust relationships for computers. If your computer doesn't trust an app or a driver, it won't download, install or run it. Since you cannot teach a computer "actual trust" there must be an analogue to this. And it's working fine. I don't know what you're on about "opposite to actual trust". If you don't trust Google Play, that's a you problem.
big-guy23 an hour ago

> I don’t trust everything on play

> If you don't trust Google Play, that's a you problem.

When your lack of understanding is called out you devolve into rambling self-contradiction.

To me, should I trust this app, that has “cryptography” “security vetting” “authentication” “scans” “code signing” etc on an App Store that you are praising? https://apps.apple.com/us/app/termux/id6738933789
B1FIDO an hour ago

I honestly don't know what the fuck you're on about, bro. This is an Android-related thread. You just linked to Apple.

You also faked the quote. I didn't write "I don't trust everything on play". That is not what I wrote. So you're full of shit. Fuck you.

Anyway, regarding your shitty link: no, I do not trust that shit. Look at the publisher: "FREE AI UTILS COMPANY LIMITED". Copyright "McAnswers"? Fake stupid reviews? No way. Totally sus. Comparing it to the Play Store version, with a way different version number, and someone's actual name as the developer/publisher. I would say that the Apple Store app is some kind of fake and should not be trusted, even if Apple trusts them.

See how that works out from cryptographic trust into "actual trust"?
|
|
0x000xca0xfe an hour ago

> We do not work in "trust me bro" territory when it comes to signing software, anymore. I am sorry/not-sorry to say. It is very important to have a chain of trust that goes up somewhere above "goldenarm @ HN".

If you so deeply believe in giving up user freedom and delegating control to authority maybe you are at the wrong place here, check the title of this website: "Hacker News"....
|
|