technology

24146 readers

203 users here now

On the road to fully automated luxury gay space communism.

Spreading Linux propaganda since 2020

Rules:

1. Obviously abide by the sitewide code of conduct. Bigotry will be met with an immediate ban
2. This community is about technology. Offtopic is permitted as long as it is kept in the comment sections
3. Although this is not /c/libre, FOSS related posting is tolerated, and even welcome in the case of effort posts
4. We believe technology should be liberating. As such, avoid promoting proprietary and/or bourgeois technology
5. Explanatory posts to correct the potential mistakes a comrade made in a post of their own are allowed, as long as they remain respectful
6. No crypto (Bitcoin, NFT, etc.) speculation, unless it is purely informative and not too cringe
7. Absolutely no tech bro shit. If you have a good opinion of Silicon Valley billionaires please manifest yourself so we can ban you.

founded 5 years ago

MODERATORS

context@hexbear.net

SexUnderSocialism@hexbear.net

gaycomputeruser@hexbear.net

Wakmrow@hexbear.net

SwitchyandWitchy@hexbear.net

GrapheneOS: "France is taking state actions against GrapheneOS." (grapheneos.social)

submitted 1 month ago by someone@hexbear.net to c/technology@hexbear.net

20 comments fedilink hide all child comments

@Fritange France is taking state actions against GrapheneOS. They're conflating us with companies which they've previously gone after and taken over their servers. We aren't vulnerable to being attacked in the same way but we still don't want accesses to our website/network services being logged or our website being hijacked. France isn't a safe country for GrapheneOS to operate in anymore and we're going to be protecting the project and our users by avoiding the country completely now.

From the official GrapheneOS Mastodon account.

you are viewing a single comment's thread
view the rest of the comments

[–] infuziSporg@hexbear.net 4 points 1 month ago* (last edited 1 month ago) (1 children)

Wouldn't it be really easy to just make a clone of GrapheneOS with a different name, and keep operating by distributing it faster than the state could react to it?

This might be a dumb question, I am not a dev.

[–] PorkrollPosadist@hexbear.net 7 points 1 month ago* (last edited 1 month ago)

An important aspect of software distributions (ranging from Linux distros to smartphone OSes to software development package repositories) is trust. I trust that the infrastructure hosted at gentoo.org is operated by the Gentoo Foundation. I trust that they trust the various repo mirrors listed there (either way, their authenticity can be verified). I know which IRC channels I can drop into, or where I can send an email to speak with them. From their website, I can verify that they are in control of those IRC channels, and I can obtain the public keys of various project members to verify any email I recieve from them is legitimate (and to encrypt my messages to them, should that be necessary). This is the foundation of an entire network of trust which prevents people from (convincingly) impersonating project contributors, or being able to distribute compromised packages or builds claiming them to be genuine.

Likewise, GrapheneOS has a reputation based in large part on their project infrastructure. It's not just that the users know what they're getting, but they know who they are getting it from. That they don't have to worry about people impersonating the project or its contributors on official channels. When infrastructure like this fractures, this reputation evaporates. Trust breaks down. Sure, the mechanisms will still work if you swap out one URL for another, but you no longer know who is in control of what, where your packages are coming from, who's reviewing them, who's signing off on them, etc. If I want to install GrapheneOS, I would want to download it directly from the GrapheneOS project. An "archived" copy of the latest image for my device found on ThePirateBay is not a suitable replacement. If some other organization with no history shows up claiming to be the successor to the now (hypothetically) defunct GrapheneOS project, that's hardly better.

There are other mechanisms like public key cryptography which can be (and are) used to establish the authenticity of a distribution, but there is a chicken and egg problem. Where do you obtain the public keys used to verify authenticity in the first place? Especially when there is no longer a canonical home for an organization and the infrastructure is constantly changing. It makes everything more confusing, unreliable, and risky. Developers and power-users will already have the public keys of important community members and project infrastructure, but for newcomers the whole thing becomes a lot more sketchy.

The GrapheneOS project appears to be taking reasonable precautions to ensure they remain in control of their infrastructure. It may be an exceptionally cautious measure, but that is supposed to be their raison d'être.