c0l0 | 23 days ago

I disagree. If LineageOS builds were actually unsigned, I would have no way of verifying that release N was signed by the same private-key-bearing entity that signed release N-1, which I happen to have installed. It could be construed as the effective difference between a Trust On First Use (TOFU) vs. a Certificate Authority (CA) style ecosystem. I hope you can agree that TOFU is worth MUCH more than having no assurance about (continued) authorship at all.
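The continuity check c0l0 describes, pinning the signer's key on first install and refusing later builds that do not verify under it, as an added Go example that is not code from the thread or from LineageOS (the ed25519 keys and the Release/Device types are constructed for illustration):

```go
package main

import (
	"crypto/ed25519"
	"errors"
)

// Release is a build plus the signature over it (constructed for this example).
type Release struct {
	Name      string
	Artifact  []byte
	PublicKey ed25519.PublicKey // key the publisher ships alongside the build
	Signature []byte
}

// Device pins the key of the first release it installs (TOFU) and only
// accepts later releases that verify under that same pinned key.
type Device struct{ pinned ed25519.PublicKey }

var (
	ErrBadSignature = errors.New("signature does not verify")
	ErrKeyChanged   = errors.New("release signed by a key other than the pinned one")
)

// Install enforces continuity of authorship across releases N-1, N, N+1, ...
func (d *Device) Install(r Release) error {
	if d.pinned == nil {
		// First use: the shipped key must at least verify its own build; then pin it.
		if len(r.PublicKey) != ed25519.PublicKeySize || !ed25519.Verify(r.PublicKey, r.Artifact, r.Signature) {
			return ErrBadSignature
		}
		d.pinned = append(ed25519.PublicKey(nil), r.PublicKey...)
		return nil
	}
	// Already pinned: the key shipped with the release is ignored entirely.
	if !ed25519.Verify(d.pinned, r.Artifact, r.Signature) {
		if !d.pinned.Equal(r.PublicKey) {
			return ErrKeyChanged // a new signer: TOFU cannot vouch for it
		}
		return ErrBadSignature // same signer claimed, but the artifact was altered
	}
	return nil
}

// SignRelease stands in for the publisher's build pipeline.
func SignRelease(name string, artifact []byte, priv ed25519.PrivateKey) Release {
	return Release{Name: name, Artifact: artifact,
		PublicKey: priv.Public().(ed25519.PublicKey), Signature: ed25519.Sign(priv, artifact)}
}
```

A CA-style scheme would instead let a trusted root authorise a key rotation; under plain TOFU a changed signer is simply rejected, which is the assurance c0l0 contrasts with having none.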

dijit | 23 days ago

Yes, I understand the value of signatures, but that's not how PKI works.

RedComet | 23 days ago

If the owner of a device can't sign and install their own software, then your definition of PKI doesn't "work" at all.

The first party must be able to entirely decide that "some third party" for it to be anything more than an obfuscation of digital serfdom.