zlacker

[return to "F-Droid Fake Signer PoC"]
1. mschwa+VV[view] [source] 2025-01-04 10:34:59
>>pabs3+(OP)
I really wish we would take defining what it means for an artifact to be signed more seriously.

Which key(s) is it signed with? What is the hash of the corresponding unsigned artifact?

Signature verification tools should have some option which prints these things in a machine-readable format.

I did some work on reproducibility of Android apps and system images with Nix, and while defining a build step which can automatically establish these relationships sounds a bit goofy, it can make the issues with underspecified edge cases visible by defining verification more strictly. I did not do this to look for those edge cases though.

I am still working on that type of stuff now, but on more fundamental issues of trust we could start addressing with systems like Nix.

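As an added example (not code from the thread or from F-Droid), here is what the "machine-readable verification output" asked for in the comment above can look like: a verifier that, whether or not the signature checks out, always reports which key was used (as a fingerprint of the public key) and the hash of the unsigned artifact, as one JSON line. It uses Ed25519 from the Go standard library instead of the APK signing scheme, the report field names are this example's own invention, and the artifact and signing key are constructed in memory so it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// VerificationReport is the machine-readable record of what "signed" means here:
// which key signed the artifact, the hash of the unsigned artifact, and whether
// the signature actually checks out. Field names are this example's own.
type VerificationReport struct {
	Algorithm         string `json:"algorithm"`
	SignerFingerprint string `json:"signer_fingerprint"` // sha256 of the raw public key
	ArtifactSHA256    string `json:"artifact_sha256"`    // hash of the unsigned artifact bytes
	Verified          bool   `json:"verified"`
}

// Fingerprint identifies a public key by the SHA-256 of its raw bytes.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Verify checks sig over artifact with pub and returns a report that names the
// key and the artifact hash regardless of whether verification succeeded, so a
// failed check still says which key and which bytes were involved.
func Verify(pub ed25519.PublicKey, artifact, sig []byte) VerificationReport {
	h := sha256.Sum256(artifact)
	return VerificationReport{
		Algorithm:         "ed25519",
		SignerFingerprint: Fingerprint(pub),
		ArtifactSHA256:    hex.EncodeToString(h[:]),
		Verified:          ed25519.Verify(pub, artifact, sig),
	}
}

// ReportJSON renders the report as a single JSON line, suitable for piping into
// other tooling or diffing against the values a reproducible build expects.
func ReportJSON(r VerificationReport) (string, error) {
	b, err := json.Marshal(r)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

func main() {
	// Constructed sample: an in-memory "artifact" and a throwaway signing key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	artifact := []byte("constructed sample artifact: app-release-unsigned.apk contents")
	sig := ed25519.Sign(priv, artifact)

	good, _ := ReportJSON(Verify(pub, artifact, sig))
	fmt.Println(good)

	// A single flipped byte changes the artifact hash and fails verification,
	// but the report still names the key that was expected to have signed it.
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 0x01
	bad, _ := ReportJSON(Verify(pub, tampered, sig))
	fmt.Println(bad)
}
```

The point of always emitting the fingerprint and the artifact hash, even on failure, is that a build system (Nix or otherwise) can record and compare exactly which key and which bytes a "signed" claim refers to, rather than a bare pass/fail.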
◧◩
2. 1oooqo+a11[view] [source] 2025-01-04 12:02:07
>>mschwa+VV
blame browsers and the url padlock "cuz users are dumb" attitude.

i still believe "pgp is too complex" was the most successful cia counter action after they lost the crypto wars to the people.

solving via nix only works within the flawed assumptions that end users either fully trust google or fdroid and are incapable of anything else.

◧◩◪
3. bologn+Aj1[view] [source] 2025-01-04 15:42:03
>>1oooqo+a11
“Users are dumb” is not and was never the attitude. On average, people are average. You’ve just got completely unrealistic expectations of people. You’re asking for the world to be built around your wants, needs, preferences, and areas of expertise. Something this complex in the hands of 99.99% of the population would be entirely useless.
◧◩◪◨
4. alex77+5l1[view] [source] 2025-01-04 15:55:44
>>bologn+Aj1
A few years ago everyone that had ever used a computer knew what a file and a folder was and could move a document to a USB drive.

Thanks to the efforts of Google to "simplify" smartphones the average young person now couldn't find and double-click a downloaded file if their life depended on it.

In the US, a manual car is considered an anti-theft device. In Europe, basically everyone that isn't obscenely rich has driven a manual car at some point.

People learn what they're expected to learn.
