[HN Gopher] Decentralizing Distribution
___________________________________________________________________
Decentralizing Distribution
Author : marcodiego
Score : 44 points
Date : 2022-02-24 18:54 UTC (4 hours ago)
(HTM) web link (f-droid.org)
(TXT) w3m dump (f-droid.org)
| yjftsjthsd-h wrote:
| > Expand outreach and assistance to software developers, media
| organization, tech companies and more to promote adoption of the
| F-Droid platform for their software, content and devices
| (example: Mozilla could easily run a Mozilla app store that
| includes all the Mozilla channels: releases, nightlies, etc. They
| could also include a curated collection of reproducibly built
| apps that Mozilla approves of. Someone who trusts Mozilla can
| then easily choose to only have access to the Mozilla-curated app
| store)
|
| That would be fantastic!
| awinter-py wrote:
| interesting that it's 'veracity and distribution', not just
| distribution. makes sense that you need to hash the file, but I
| wonder about various higher-level ways to decentralize CI while
| maintaining a cheaply checkable 'affirmation'
|
| for example, can you cheaply verify repeatable builds? (on a
| phone even?). can you do intense linting for privacy violations
| like phone-home, then publish a 'lint payload' that's cheaply
| verifiable against the built binary?
|
| feels like if f-droid leads here, commercial software will have
| to adopt their tools to maintain their position of trust
|
| (also huge fan of f-droid project, I donate, I think it gets more
| important every year)
| yjftsjthsd-h wrote:
| I'm not sure if this is exactly what you want, but
| https://f-droid.org/en/docs/Reproducible_Builds/ is a thing
| mhitza wrote:
| Somehow related take.
|
| When I was still interested in blockchains back in 2018 I was
| thinking that instead of proof of work, wouldn't it be nice to
| have a distributed CI where you run your builds & tests on end-
| user machines, it computes a hash of the resulting artifact.
| Which is validated by multiple nodes that run the same job for
| validation (then split the PoW fees among themselves).
|
| It's not an easy problem to solve of course, and didn't go too
| deep into what TPM (Trusted Platform Module) can do, but I
| think you would need an isolation unit from the kernel/OS to
| allow running untrusted code, and prevent tampering. There's
| definitely a fine line between such a functionality and spyware
| that would need serious safeguards.
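An added example, not from the thread and not F-Droid's own code, of one cheap client-side check of the kind asked about above: hash an APK's entries while skipping the v1 signature files under META-INF, then accept only if enough distinct rebuilders reported the same digest. The builder ids, the threshold and the sample archives are constructed, and the attestations are assumed to arrive already authenticated.

```python
import hashlib
import io
import zipfile

# v1 (JAR) signature files differ between a developer-signed APK and an
# independent rebuild, so they are left out of the comparison.
SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")

def is_signature_entry(name):
    upper = name.upper()
    return upper.startswith("META-INF/") and (
        upper.endswith(SIG_SUFFIXES) or upper == "META-INF/MANIFEST.MF")

def content_digest(apk_bytes):
    """SHA-256 over (name, per-entry SHA-256) pairs in sorted name order."""
    outer = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = [n for n in zf.namelist() if not is_signature_entry(n)]
        if len(names) != len(set(names)):
            raise ValueError("duplicate entry names")  # ambiguous archive
        for name in sorted(names):
            raw = name.encode()
            outer.update(len(raw).to_bytes(4, "big"))  # length-prefix the name
            outer.update(raw)
            outer.update(hashlib.sha256(zf.read(name)).digest())
    return outer.hexdigest()

def quorum_ok(apk_bytes, attestations, threshold):
    """attestations: (builder_id, digest) pairs, assumed authenticated."""
    local = content_digest(apk_bytes)
    agreeing = {builder for builder, digest in attestations if digest == local}
    return len(agreeing) >= threshold  # counts distinct builders only

def make_apk(files):
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample data: a signed download, a clean rebuild, a tampered copy.
BASE = {"classes.dex": b"dex-bytes", "AndroidManifest.xml": b"<manifest/>"}
SIGNED = make_apk({**BASE, "META-INF/CERT.RSA": b"dev-signature"})
REBUILT = make_apk(BASE)
TAMPERED = make_apk({**BASE, "classes.dex": b"dex-bytes+phone-home"})
```

This compares entry contents only, so ZIP metadata and the APK Signing Block (v2/v3 signatures) are not covered; it is weaker than a byte-for-byte comparison.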
| redsolver wrote:
| I am working on a very similar project (decentralized app
| distribution on Android) called SkyDroid (https://skydroid.app/),
| with the difference that it is based on Sia Skynet (a
| Filecoin/IPFS competitor) and uses the DNS system for global app
| discovery - so for example the SkyDroid app itself is available
| on the skydroid.app domain inside of it. I'm curious about how
| they will try to solve the discovery issue, because if they just
| have one global decentralized pool of apps, it will be very hard
| to ensure that no malicious apps get in. But if they keep it a
| central repository of apps trusted by F-Droid by default, there's
| not really much decentralization going on. Most developers would
| still publish their apps in the main repo directly.
___________________________________________________________________
(page generated 2022-02-24 23:00 UTC)