Time to finally move to GrapheneOS. Hope they finish polishing it, including things like automated backups. I’m going to donate to them. They have consistently proved themselves to be a legitimate project.
GrapheneOS is ok but the people behind don’t have good reputation on open-source; They smear F-Droid, Firefox, Linux even uBlock Origin https://lemmy.zip/post/59060122
I would say there is a difference between constructive criticism and an “attack” and although the privsec article does bring up valid points* I would still regard it as the latter (despite their claims of objectivity), because they ultimately conclude that its premise is inherently flawed regardless of implementation details. They claim
This article aims to be purely technical. It is not an attack on F-Droid or their mission.
Yet while the authors claim to be “objective and technical” its not hard to notice all the “attacks on F-Droid’s mission” in this article, from the reference to F-Droid’s “ridiculous inclusion policy” to all the dismissive references to “ideology.” The message is clear, that F-Droid’s “mission” is Stupid and Ideological and the problems F-Droid aims to solve are not real. Thus, their suggested “alternatives” are just regular app stores that don’t enforce any of the guarantees that F-Droid does (namely, that the app corresponds to its source code and does not include proprietary components), because those guarantees aren’t worth anything** to the “Objective and Technical” people of privsec - you are Stupid and Ideological if you care about software freedom. In fact, Accrescent even says they allow proprietary software because free software “is not inherently more secure or private” - which is technically true, but very misleading, because free software never has claimed to be “more secure” - it has only ever offered the four freedoms, which as a user I feel entitled to on my own devices, so I only install apps that give me these four freedoms. Far from being “objective and non-ideological” the position of Privsec, Accrescent, and their advocates is that users neither deserve, need, or should want software freedom, as such I would characterize these organizations as hostile to the free software movement even if some of their points are factual.
I will add I am not entirely uncritical of F-Droid either, but my criticisms are more that they aren’t strict enough and should be building as much from source as possible instead of relying on prebuilt Maven dependencies as much as they do. I would also say although as a user I think F-Droid’s inclusion policy is a good thing and not “ridiculous” I agree it does put some amount of burden on developers who I imagine develop for the Google world first and the FOSS world second. It might be a good idea for F-Droid maintainers to take a more active role in, well, maintaining these apps instead of pushing the extra work onto the developers (this is typical in the GNU/Linux world, in which distro maintainers take up all the work to package upstreams, but F-Droid sometimes tries to cosplay as an “app store” despite it being a fundamentally different model).
* aside from a bizarre claim that F-Droid supporting multiple repositories is a Bad Thing because it interferes with, and I quote, “UserManager which can be used to prevent a user from installing third-party apps” - what does this have to do with privacy? I think this also speaks to a deeper conflict between security people and free software people, that being uncritical worship of “security models” even when they harm the user. Accrescent offers more or less the same justification for why it locks the user into their own store/repository, and I think it is subtly dangerous to suggest this is an “alternative” to F-Droid because it has very different values.
Just allow devs to upload their own build with their own keys like Accrescent. It’s not like the whole “audit” system is meaningful anyways.
Of course, characterizing it as an “audit system” is missing the point entirely, but I imagine he knows that. Reducing the four freedoms down to “you can look at the source code and audit it” to then follow it up with “you can’t/aren’t going to audit every app you download so why bother with FOSS anyway” is a favorite rhetorical tactic.
Yes, however, the article is titled “F-Droid Security Issues”, not “F-Droid FOSS Issues”. I’m not sure why anyone would read that and say “well what about the four freedoms?”. That’s not what the article is talking about.
ultimately conclude that its premise is inherently flawed regardless of implementation details
In terms of security, which is true.
aside from a bizarre claim that F-Droid supporting multiple repositories is a Bad Thing because it interferes with, and I quote, “UserManager which can be used to prevent a user from installing third-party apps” - what does this have to do with privacy?
It doesn’t. It’s a security issue.
Just allow devs to upload their own build with their own keys like Accrescent. It’s not like the whole “audit” system is meaningful anyways.
It’s true, F-droid’s signature doesn’t provide any meaningful security guarantees.
They have an amazing reputation on open source. I think you’re conflating reputation on open source with reputation because of their willingness to understand & criticize issues with some other open source products. The issues with F-Droid’s security model have long been known & discussed by other prominent developers. It is why Obtanium has become increasingly popular. Heck, it is even mentioned on Privacy Guides. Their criticism towards Firefox is to my knowledge more specific to the Android security model & the reality is that Chromium provides significantly better sandboxing there. That isn’t an attack on Firefox itself but design choices or lack or commitment to the fundamentals, which Mozilla has routinely engaged in with Pocket, reselling Mullvad while breaking their browser support for tab container VPN integration if a user has Mullvad installed, their recent AI push, etc. But again they are specifically evaluating & criticizing the security or technical decisions in such instances. Likewise, it is fair to hate on Manifestat v3 used in newer Chrome extensions because not all the v2 features were supported out of the box, but there is no question that the security model in Manifest v2 was significantly worse & would be very easy for a malicious developer to have intercepted & logged all the requests. Manifest v3 solves that & they have uBlock Origin Lite now. I hope to see further improvements in this area. But criticizing the decisions of an open source project, especially as it pertains to security, does not make them anti-open source.
What Google has been doing to Android the past few years puts the future of Graphene in jeopardy. Especially with closing off third-party access to the binary blobs needed to enable newer Pixel hardware.
Time to finally move to GrapheneOS. Hope they finish polishing it, including things like automated backups. I’m going to donate to them. They have consistently proved themselves to be a legitimate project.
GrapheneOS is ok but the people behind don’t have good reputation on open-source; They smear F-Droid, Firefox, Linux even uBlock Origin https://lemmy.zip/post/59060122
Yes, well, everything they say about F-Droid and Firefox is more or less true.
I would say there is a difference between constructive criticism and an “attack” and although the privsec article does bring up valid points* I would still regard it as the latter (despite their claims of objectivity), because they ultimately conclude that its premise is inherently flawed regardless of implementation details. They claim
Yet while the authors claim to be “objective and technical” its not hard to notice all the “attacks on F-Droid’s mission” in this article, from the reference to F-Droid’s “ridiculous inclusion policy” to all the dismissive references to “ideology.” The message is clear, that F-Droid’s “mission” is Stupid and Ideological and the problems F-Droid aims to solve are not real. Thus, their suggested “alternatives” are just regular app stores that don’t enforce any of the guarantees that F-Droid does (namely, that the app corresponds to its source code and does not include proprietary components), because those guarantees aren’t worth anything** to the “Objective and Technical” people of privsec - you are Stupid and Ideological if you care about software freedom. In fact, Accrescent even says they allow proprietary software because free software “is not inherently more secure or private” - which is technically true, but very misleading, because free software never has claimed to be “more secure” - it has only ever offered the four freedoms, which as a user I feel entitled to on my own devices, so I only install apps that give me these four freedoms. Far from being “objective and non-ideological” the position of Privsec, Accrescent, and their advocates is that users neither deserve, need, or should want software freedom, as such I would characterize these organizations as hostile to the free software movement even if some of their points are factual.
I will add I am not entirely uncritical of F-Droid either, but my criticisms are more that they aren’t strict enough and should be building as much from source as possible instead of relying on prebuilt Maven dependencies as much as they do. I would also say although as a user I think F-Droid’s inclusion policy is a good thing and not “ridiculous” I agree it does put some amount of burden on developers who I imagine develop for the Google world first and the FOSS world second. It might be a good idea for F-Droid maintainers to take a more active role in, well, maintaining these apps instead of pushing the extra work onto the developers (this is typical in the GNU/Linux world, in which distro maintainers take up all the work to package upstreams, but F-Droid sometimes tries to cosplay as an “app store” despite it being a fundamentally different model).
* aside from a bizarre claim that F-Droid supporting multiple repositories is a Bad Thing because it interferes with, and I quote, “UserManager which can be used to prevent a user from installing third-party apps” - what does this have to do with privacy? I think this also speaks to a deeper conflict between security people and free software people, that being uncritical worship of “security models” even when they harm the user. Accrescent offers more or less the same justification for why it locks the user into their own store/repository, and I think it is subtly dangerous to suggest this is an “alternative” to F-Droid because it has very different values.
** According to one of the writers of that article,
Of course, characterizing it as an “audit system” is missing the point entirely, but I imagine he knows that. Reducing the four freedoms down to “you can look at the source code and audit it” to then follow it up with “you can’t/aren’t going to audit every app you download so why bother with FOSS anyway” is a favorite rhetorical tactic.
Yes, however, the article is titled “F-Droid Security Issues”, not “F-Droid FOSS Issues”. I’m not sure why anyone would read that and say “well what about the four freedoms?”. That’s not what the article is talking about.
In terms of security, which is true.
It doesn’t. It’s a security issue.
It’s true, F-droid’s signature doesn’t provide any meaningful security guarantees.
They have an amazing reputation on open source. I think you’re conflating reputation on open source with reputation because of their willingness to understand & criticize issues with some other open source products. The issues with F-Droid’s security model have long been known & discussed by other prominent developers. It is why Obtanium has become increasingly popular. Heck, it is even mentioned on Privacy Guides. Their criticism towards Firefox is to my knowledge more specific to the Android security model & the reality is that Chromium provides significantly better sandboxing there. That isn’t an attack on Firefox itself but design choices or lack or commitment to the fundamentals, which Mozilla has routinely engaged in with Pocket, reselling Mullvad while breaking their browser support for tab container VPN integration if a user has Mullvad installed, their recent AI push, etc. But again they are specifically evaluating & criticizing the security or technical decisions in such instances. Likewise, it is fair to hate on Manifestat v3 used in newer Chrome extensions because not all the v2 features were supported out of the box, but there is no question that the security model in Manifest v2 was significantly worse & would be very easy for a malicious developer to have intercepted & logged all the requests. Manifest v3 solves that & they have uBlock Origin Lite now. I hope to see further improvements in this area. But criticizing the decisions of an open source project, especially as it pertains to security, does not make them anti-open source.
What Google has been doing to Android the past few years puts the future of Graphene in jeopardy. Especially with closing off third-party access to the binary blobs needed to enable newer Pixel hardware.
Is it possible to try Graphene out, like dual booting on PCs? Without throwing the existing Android setup away or bricking it?