this post was submitted on 13 Aug 2024
61 points (90.7% liked)

Privacy

32039 readers
1371 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

So I've been in the rabbit hole of android privacy for some time, last I joined the GrapheneOS community but let's just say that they doesn't have a "healthy" opinion about other projects like f-droid.

So I am looking for generic communities that focus on mobile privacy that doesn't have drama or toxicity or "extreme opinions". Any suggestions? I prefer chat based communities like matrix or simplex instead of like reddit or lemmy.

top 50 comments
sorted by: hot top controversial new old
[–] 9tr6gyp3@lemmy.world 21 points 3 months ago (3 children)

What does a healthy opinion of F-Droid look like though? Lol

[–] jet@hackertalks.com 21 points 3 months ago* (last edited 3 months ago) (4 children)

Fdroid is introducing another trusted party to your supply chain, which should be a factor in anyone's threat molding.

https://f-droid.org/docs/Reproducible_Builds/ However, with reproducible builds now a package is built and signed by both fdroid and the original developer, so you get a net security benefit of having a third party attesting they can independently reproduce the binary from source. Problem solved right? Well, yes but mostly no. Most projects and packages don't have reproducible builds, so if your using fdroid for most packages your still trusting droid.

I think a lot of the online hate comes from people making assumptions that their use case and threat model applies to everyone. That's why I prefer discourse where we just talk about the attributes and not "you should"

[–] beyond@linkage.ds8.zone 12 points 3 months ago* (last edited 3 months ago) (1 children)

I feel like there's a lot of FUD around this subject, because people bring it up as if it's purely a negative without talking about the reasons why it's done the way it is. The whole point of F-Droid is that it's a repository (not a store) of free software applications. They have an inclusion policy forbidding proprietary code and dependencies, and in order to enforce this policy they have to build from publicly available source code, and in order to do so they need to sign the builds themselves. This means, yes, you are trusting F-Droid instead of the upstream developer - but given F-Droid has higher standards than upstream developers this is a tradeoff I am willing to make.

Reproducible builds solves this in a way that preserves the standards of F-Droid, however, "security peoples'" favored "alternatives" (such as Accrescent, Obtainium, and Google Play Store/Aurora Store) forego this entirely, showing they don't either have a viable solution to offer or that they don't really care about the problem that F-Droid is addressing to begin with.

[–] jet@hackertalks.com 3 points 3 months ago

Really well said!

[–] lord___vader@sh.itjust.works 4 points 3 months ago (1 children)

I completely understand, but this only adversely affects you if f-droid getting hacked is in your threat model. And not everyone have that.

[–] jet@hackertalks.com 2 points 3 months ago (1 children)

Yeah exactly. So pointing that out is sufficient, and it's up to every user to decide if the benefit is worth the risk. And I'm sure for most people fdroid is a net positive.

Now, I want to change gears, and talk about annoying personalities also being really beneficial. Crazy principled people drive change in the world. The open BSD founder, RMS, the graphene founder, these are crazy unreasonable uncompromising people which are difficult to get along, but they drive change. Sometimes we need those uncompromising people. I think putting up with them is the cost of a vibrant ecosystem.

load more comments (1 replies)
[–] refalo@programming.dev 4 points 3 months ago* (last edited 3 months ago) (2 children)

Do you know of an equivalent to https://reproducible-builds.org/citests/ for Android/F-Droid packages? I'd like to see some public verification of these reproducible builds, especially Signal.

[–] jet@hackertalks.com 2 points 3 months ago (1 children)

the public verification is that the developer signed binary matches the fdroid built binary

[–] refalo@programming.dev 3 points 3 months ago

Yes, but this is often not an option for non-developers

[–] possiblylinux127@lemmy.zip 2 points 3 months ago (1 children)

Signal isn't on F-droid. You need to use Molly for that.

[–] refalo@programming.dev 2 points 3 months ago

Indeed... I was not trying to imply that it was.

[–] possiblylinux127@lemmy.zip 2 points 3 months ago

There isn't anything better than F-droid as far as I can tell

[–] JackbyDev@programming.dev 8 points 3 months ago (1 children)

What's an unhealthy opinion of f-droid? Is something wrong with it? Genuine question. I'm out of the loop.

[–] lord___vader@sh.itjust.works 6 points 3 months ago (2 children)

F-droid acts as a trust for all the apps you download through it, which means if F droid is hacked, hackers can push fake update to all the apps. It is an issue, but not the biggest concern of average joe. Although F-droid should take it pretty seriously.

But I think hating on them is not the solution....

[–] JackbyDev@programming.dev 9 points 3 months ago (1 children)

Oh. Same is true for Google Play and literally every self updating app/program on the planet lmao.

[–] jet@hackertalks.com 2 points 3 months ago* (last edited 3 months ago) (1 children)

For Google Play: Google has root on play devices which is a separate issue, but the apps are actually signed by their developers and not google.

[–] refalo@programming.dev 7 points 3 months ago* (last edited 3 months ago) (1 children)

not google

This is not true... play store now requires you to give up your signing keys to google so they can sign the app themselves after injecting whatever they feel like. F-Droid does the same because they also compile your apps for you. Another reason some don't trust F-Droid (or Signal, Tor and a bunch of other free/open source software for that matter) is that they received funding from OTF which is funded by the US government and some people don't like that. And yes I know computers and the internet also came from the government /shrug

I have no skin in this game, I am not intentionally trying to spread any FUD (but I realize some people will still claim so, they are free to do so), just relaying information I have seen elsewhere. Happy to provide sources if anyone likes.

[–] jet@hackertalks.com 4 points 3 months ago* (last edited 3 months ago) (1 children)

https://support.google.com/googleplay/android-developer/answer/9842756?hl=en#zippy=%2Capp-signing-key-requirements

Thats a good point, but it looks like they still let you use your own keys if you want to, but they even say 90% of apps let google sign on their behalf. yeah, ok, full trust with google then.

Before 2021 all apps used their own keys it seems

load more comments (1 replies)
[–] possiblylinux127@lemmy.zip 3 points 3 months ago

They have actually made a bunch of security enhancements to there systems and processes. You can look at the blog if you are curious.

[–] lord___vader@sh.itjust.works 2 points 3 months ago (1 children)

I would like to not delve into infighting and would like to avoid it

[–] 9tr6gyp3@lemmy.world 5 points 3 months ago (1 children)

As you wish. But maybe open up to some new perspectives.

load more comments (1 replies)
[–] Libb@jlai.lu 14 points 3 months ago (3 children)

So I am looking for generic communities that focus on mobile privacy that doesn’t have drama or toxicity or “extreme opinions”. Any suggestions?

the excessive and constant noise a limited number of people is making, their rage when it's not pure hatred against whatever they don't like or whoever they don't agree with, is the main reason why, a Linux user worrying about privacy myself, I decided to stop wasting my time online with any such 'tech' communities. It has become almost impossible to have an open and calm discussion on any topic without someone jumping in and barking like some crazy dog — because reasons.

No matter what their reasons or motivations are to be angry or hateful, I have zero desire to listen to endless rabid barking. There isn't much to learn in that, at least when you're not a dog.

And I have no time for that either: we only have a limited amount of time to live before the game is over and there is no extra life to get, no second chance. I realized that a few years ago and decided I would not waste a second more of my time dealing with those constantly frustrated or hateful people. In tech or elsewhere.

Tech-wise, I have had much more stimulating and enriching discussions in communities that are not tech (or privacy or security or Linux)-related but communities where tech can still be discussed and debated (including by very competent tech people) just always in a broader discussion that don't focus on tech itself.

[–] lord___vader@sh.itjust.works 12 points 3 months ago (1 children)

It's sad that so many good projects is plagued by this crap. Like did we forget about the whole "respect other people's opinions" thing?

[–] Libb@jlai.lu 9 points 3 months ago* (last edited 3 months ago)

Like did we forget about the whole “respect other people’s opinions” thing?

I cant say if we have forgotten it or not, but it sure looks like we don't want to hear about it very much.

It's all turned binary (pun intended): you're with us or you're against us, either you're good or you're evil (and then, you deserve to be eliminated). Which is as saddening as it is is... stupid.

load more comments (2 replies)
[–] kenkenken@sh.itjust.works 10 points 3 months ago (5 children)

There are no non-toxic spaces these days.

[–] BearOfaTime@lemm.ee 4 points 3 months ago

Uggh, I even hate that word.

There are assholes everywhere, always have been, always will be.

load more comments (4 replies)
[–] BearOfaTime@lemm.ee 10 points 3 months ago* (last edited 3 months ago) (1 children)

Two words: Fuck Graphene

(More words): and the assholes who run it.

I've been flashing phones since my OG Droid in 2009. Done probably 200+ flashes across numerous phones.

I've been in IT since the early 90's.

Had an error with the Graphene flash on a clean Pixel. The way they talked to me would've gotten me a re-training session with my management, possibly fired, back when I was on a help desk.

Bunch of arrogant, condescending pricks. They need a Red Foreman boot up their ass.

[–] lord___vader@sh.itjust.works 8 points 3 months ago (2 children)

Oh brother tell me about it. They talk like they are the final word on computer security lol

[–] sunzu2@thebrainbin.org 11 points 3 months ago

That ego lol

Main guy got into a pissing match with Louis roassmann lol

Some people got no social skills

[–] possiblylinux127@lemmy.zip 4 points 3 months ago

To be fair Graphene OS is probably a big part of there personality

[–] LoveSausage@lemmy.ml 9 points 3 months ago* (last edited 3 months ago) (1 children)

I run graphene on several devices and recommend it. I do not participate in much discussion about it through. You can just use the best we got in android and be fine with that.

Discussion forums are the same all over I think. I don't see much difference around graphene here on Lemmy or XDA forum.

[–] lord___vader@sh.itjust.works 3 points 3 months ago (2 children)

For the love of God do not ever go to their community in any case.. If you need technical help literally ask anywhere else.. If you go there, you'll end up hating GOS you've been warned

[–] LoveSausage@lemmy.ml 6 points 3 months ago (2 children)

Was this recently? It was bad under micay but thought it had improved by now.

load more comments (2 replies)
[–] user@lemmy.world 2 points 3 months ago

I've always got help, and the moderators are really nice.

[–] MigratingtoLemmy@lemmy.world 6 points 3 months ago (3 children)

You can just join XDA. TBH if Graphene is not your thing and Lineage OS isn't supported on your device, you can just unlock the bootloader and install the patched kernel using KernelSU which will give you the control you want.

[–] refalo@programming.dev 4 points 3 months ago (2 children)
[–] MigratingtoLemmy@lemmy.world 4 points 3 months ago (2 children)
[–] exu@feditown.com 2 points 3 months ago (1 children)

It's based on Lineage, so lots

[–] MigratingtoLemmy@lemmy.world 3 points 3 months ago* (last edited 3 months ago) (1 children)

Most of them older devices. This is not the fault of the Lineage OS devs, but companies just aren't allowing it anymore. So if you have a new device, Lineage OS is not an option, if you're in the US

load more comments (1 replies)
load more comments (1 replies)
[–] lord___vader@sh.itjust.works 3 points 3 months ago (1 children)
[–] MigratingtoLemmy@lemmy.world 3 points 3 months ago

They have a forum

[–] Dark_Dragon@lemmy.dbzer0.com 3 points 3 months ago (1 children)
[–] MigratingtoLemmy@lemmy.world 2 points 3 months ago

Read KernelSU docs

[–] autonomoususer@lemmy.world 5 points 3 months ago* (last edited 3 months ago) (1 children)

'Just trust me bro' hardware, Google Play Integrity API, banned and GrapheneOS is still simping it.

Running away doesn't fix this.

[–] lord___vader@sh.itjust.works 4 points 3 months ago

At least they could like not be paranoid and hostile....

[–] CrypticCoffee@lemmy.ml 4 points 3 months ago

Doesn't tick all the boxes as it is on Lemmy, but feel free to join us at !degoogle@lemmy.ml

[–] Ilandar@aussie.zone 2 points 3 months ago

iodéOS has a Matrix server and the people there are pretty friendly, but discussion is mostly focused on bug reporting and features among beta testers and developers. Probably not what you're after but just throwing it out there anyway.

load more comments
view more: next ›