<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: kodebach</title><link>https://news.ycombinator.com/user?id=kodebach</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Sat, 04 Jul 2026 01:50:14 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=kodebach" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by kodebach in "Android Developer Verification: Threat masquerading as protection"]]></title><description><![CDATA[
<p>Google already announced the "Advanced Flow" that lets users override the verification. Yes, it's quite complicated, but it shows Google isn't trying to completely close down Android (yet). All this outcry will just lead to a boy who cried wolf situation. ADV is gonna become active, 90% of people won't notice, the rest will (begrudgingly) use the Advanced Flow. If Google then changes their mind and actually does what F-Droid claims right now, nobody's gonna listen.<p>IMHO F-Droid is just mad because their store model of "developer publishes source code, F-Droid builds and signs the APK" would put immense liability on F-Droid. After all with that model F-Droid owns the private signing keys and now has to register them with Google. If they let a single malware app slide through, Google might designate F-Droid as a malware provider and block everything ever published on F-Droid. (Sidenote: Last I checked F-Droid had nothing in their policies that forbids publishing malware, just that it has to be open source) If you ask me this store model was always stupid and completely missed the point of having signed APKs. I think they also have a newer model where they don't own the private keys anymore, but there's still tons of legacy apps.<p>Of course Google might have been open to talks about some kind of verified app store program allowing F-Droid to operate under different terms. But that's certainly out the window after all the fear mongering, hyperbole and straight up propaganda F-Droid has put out in recent months.</p>
]]></description><pubDate>Thu, 02 Jul 2026 21:43:42 +0000</pubDate><link>https://news.ycombinator.com/item?id=48767772</link><dc:creator>kodebach</dc:creator><comments>https://news.ycombinator.com/item?id=48767772</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48767772</guid></item><item><title><![CDATA[New comment by kodebach in "Android Developer Verification: Threat masquerading as protection"]]></title><description><![CDATA[
<p>Since Apple's App Store is DMA compliant, the EU won't do anything against this far less restrictive change from Google.</p>
]]></description><pubDate>Thu, 02 Jul 2026 21:26:45 +0000</pubDate><link>https://news.ycombinator.com/item?id=48767578</link><dc:creator>kodebach</dc:creator><comments>https://news.ycombinator.com/item?id=48767578</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48767578</guid></item><item><title><![CDATA[New comment by kodebach in "Android Developer Verification: Threat masquerading as protection"]]></title><description><![CDATA[
<p>If you're building the APK, you're probably installing via ADB, in which case none of the changes apply</p>
]]></description><pubDate>Thu, 02 Jul 2026 21:20:51 +0000</pubDate><link>https://news.ycombinator.com/item?id=48767528</link><dc:creator>kodebach</dc:creator><comments>https://news.ycombinator.com/item?id=48767528</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48767528</guid></item><item><title><![CDATA[New comment by kodebach in "Android Developer Verification: Threat masquerading as protection"]]></title><description><![CDATA[
<p>There actually is in some regions. For example in Germany any publication must include an Impressum with details about the author and publisher. This requirement also applies to websites</p>
]]></description><pubDate>Thu, 02 Jul 2026 21:19:26 +0000</pubDate><link>https://news.ycombinator.com/item?id=48767518</link><dc:creator>kodebach</dc:creator><comments>https://news.ycombinator.com/item?id=48767518</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48767518</guid></item><item><title><![CDATA[New comment by kodebach in "We have a 99% email reputation, but Gmail disagrees"]]></title><description><![CDATA[
<p>It's actually worse. I just signed up with a dummy email and the page says they need your email to create an account, so they can store the icon kits you've created. That kinda makes sense. But at no point do they ask you whether you want to subscribe to any form of newsletter. AFAICT not even the privacy policy mentions anything about that. You're just subscribed automatically. So by definition anything not crucial for creating the account is literal spam. I'm not even sure that's legal under GDPR.<p>But the thing that might actually be killing their reputation is that their mails seemingly come from <i>different</i> emails all looking like bounces+18741050-ecba-jopudmulwqqsumjwub=nespj.com@email.fontawesome.com. But even worse than that, the "confirm your email" email and the following "finish account setup" email came from two <i>different sub-domains</i>. Maybe this is just a new attempt to get around Google's spam filter, but it seems like the worst thing you could possibly do when sending emails.</p>
]]></description><pubDate>Sun, 12 Apr 2026 14:14:45 +0000</pubDate><link>https://news.ycombinator.com/item?id=47739939</link><dc:creator>kodebach</dc:creator><comments>https://news.ycombinator.com/item?id=47739939</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47739939</guid></item><item><title><![CDATA[New comment by kodebach in "German implementation of eIDAS will require an Apple/Google account to function"]]></title><description><![CDATA[
<p>As strange as it is, Austria is quite far ahead in terms of eIDAS since we've had Handysignatur for more than a decade. I wouldn't be surprised if the Germans are planning to support hardware tokens, but haven't had the time yet.</p>
]]></description><pubDate>Sun, 05 Apr 2026 09:51:32 +0000</pubDate><link>https://news.ycombinator.com/item?id=47647760</link><dc:creator>kodebach</dc:creator><comments>https://news.ycombinator.com/item?id=47647760</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47647760</guid></item><item><title><![CDATA[New comment by kodebach in "German implementation of eIDAS will require an Apple/Google account to function"]]></title><description><![CDATA[
<p>I agree, you should be able to run anything you want, root your device, etc., but you also have to accept the consequences of that. If an app can no longer verify its own integrity, certain features are simply impossible to implement securely.<p>Think of it this way: A physical ID (which is what we're trying to replace here) also has limitations, it looks a certain way, has a certain size, etc. Just because somebody wants a smaller ID or one with a larger font or a passport in a different colour or whatever, doesn't mean that this should be allowed or possible. Some limitations exist for a good reason</p>
]]></description><pubDate>Sun, 05 Apr 2026 09:40:36 +0000</pubDate><link>https://news.ycombinator.com/item?id=47647703</link><dc:creator>kodebach</dc:creator><comments>https://news.ycombinator.com/item?id=47647703</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47647703</guid></item><item><title><![CDATA[New comment by kodebach in "German implementation of eIDAS will require an Apple/Google account to function"]]></title><description><![CDATA[
<p>Simply because the law was written that way. But also the whole idea of identity verification becomes pretty useless if there is no chain of trust. You could run a modified client that lets you assume any identity you choose, exactly the opposite of what eIDAS is trying to achieve.</p>
]]></description><pubDate>Sun, 05 Apr 2026 09:32:54 +0000</pubDate><link>https://news.ycombinator.com/item?id=47647667</link><dc:creator>kodebach</dc:creator><comments>https://news.ycombinator.com/item?id=47647667</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47647667</guid></item><item><title><![CDATA[New comment by kodebach in "Open Letter to Google on Mandatory Developer Registration for App Distribution"]]></title><description><![CDATA[
<p>Starting from their first announcement of this, Google has explicitly asked for comments and feedback from affected developers. They have a Google Form for exactly that linked on all the announcement pages.<p>The exceptions for students/hobbyists were always promised, but the "advanced flow" came later based on this feedback. AFAICT Google has, so far, only made things better after the initial announcement. I don't see why we shouldn't give them the benefit of the doubt, at least until we have some specifics.<p>Pushing this open letter out just days/weeks before Google promised the next major update just seems off.</p>
]]></description><pubDate>Wed, 25 Feb 2026 00:08:36 +0000</pubDate><link>https://news.ycombinator.com/item?id=47145427</link><dc:creator>kodebach</dc:creator><comments>https://news.ycombinator.com/item?id=47145427</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47145427</guid></item><item><title><![CDATA[New comment by kodebach in "Open Letter to Google on Mandatory Developer Registration for App Distribution"]]></title><description><![CDATA[
<p>It is a nonsensical ruling. But IIRC the reason was basically that while Apple and Google did basically the same shit, only Google kept a written record of their monopolistic behaviour, so only Google was found guilty.<p>However, there is a relevant court case here. The one about Samsung's "Auto Blocker" (<a href="https://arstechnica.com/gadgets/2025/07/samsung-and-epic-games-call-a-truce-in-app-store-lawsuit/" rel="nofollow">https://arstechnica.com/gadgets/2025/07/samsung-and-epic-gam...</a>). Epic Games sued because Samsung made it too hard to install apps from "untrusted" sources. This may be a reason why Google is now trying to make the process more difficult on the developer side instead.</p>
]]></description><pubDate>Tue, 24 Feb 2026 20:37:40 +0000</pubDate><link>https://news.ycombinator.com/item?id=47142617</link><dc:creator>kodebach</dc:creator><comments>https://news.ycombinator.com/item?id=47142617</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47142617</guid></item><item><title><![CDATA[New comment by kodebach in "Open Letter to Google on Mandatory Developer Registration for App Distribution"]]></title><description><![CDATA[
<p>My guess is that Android 17 will show the registered name of the developer of the app you're trying to install. With stolen IDs you can only get accounts for individual developers, not for organisations.<p>When a scammer pretending to be your bank tells you to install an app for verification and it says "This app was created by John Smith" even grandma will get suspicious and ask why it doesn't show the bank's name.</p>
]]></description><pubDate>Tue, 24 Feb 2026 20:30:28 +0000</pubDate><link>https://news.ycombinator.com/item?id=47142507</link><dc:creator>kodebach</dc:creator><comments>https://news.ycombinator.com/item?id=47142507</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47142507</guid></item><item><title><![CDATA[New comment by kodebach in "Open Letter to Google on Mandatory Developer Registration for App Distribution"]]></title><description><![CDATA[
<p>Like you said, for years now they have added more and more restrictions to address various scams. So far none of them had any effect, other than annoying users of legitimate apps, because all the new restrictions were on the <i>user side</i>. This new approach restricts <i>developers</i>, but is actually a complete non-issue for most, since the vast majority of apps is distributed via Google Play already.<p>In the section "Existing Measures Are Sufficient." your letter also mentions<p>> Developer signing certificates that establish software provenance<p>without any explanation of how that would be the case. With the current system, yes, every app has to be signed. But that's it. There's no certificate chain required, no CA-checks are performed and self-signed certificates are accepted without issue. How is that supposed to establish any form of provenance?<p>If you really think there is a better solution to this, I would suggest you propose some viable alternative. So far all I've heard from the opponents of this change is either "everything is fine" or "this is not the way", while conveniently ignoring the fact that there is an actual problem that needs a solution.<p>That said, I <i>do</i> generally agree with you that mandatory verification for *all* apps would be overkill. But that is not what Google has announced in their latest blog posts. Yes, the flow to disable verification and the exemptions for hobbyists and students are just vague promises for now. But the public timeline (<a href="https://developer.android.com/developer-verification#timeline" rel="nofollow">https://developer.android.com/developer-verification#timelin...</a>) states developer verification will be generally available in March 2026. Why publish this letter now and not wait a few weeks so we can see what Google actually is planning before getting everybody outraged about it?</p>
]]></description><pubDate>Tue, 24 Feb 2026 20:12:18 +0000</pubDate><link>https://news.ycombinator.com/item?id=47142249</link><dc:creator>kodebach</dc:creator><comments>https://news.ycombinator.com/item?id=47142249</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47142249</guid></item></channel></rss>