F-Droid is an installable catalogue of FOSS (Free and Open Source Software) applications for the Android platform. The client makes it easy to browse, install, and keep track of updates on your device.

F-Droid

Chapter 13

In which F-Droid is bashed, and theanonymousejoker warns about people who promote the Google app store while criticizing F-Droid. Crypto wallets and GrapheneOS updates are discussed.

dlnb:
Anybody use shelter?
Nov 30 20:05

jp:
I moved to insular
Nov 30 20:18

dlnb:
Any reasons for that?

I've heard about insular

Tommy:
shelter isolates contacts storage

insular does not
Nov 30 20:32

I kinda don't like the dependence on fdroid

tbh
Nov 30 20:34

I get that it's pretty much the only solution rn but long term I'm really not a fan of the fact that they build and sign the apps instead of using the dev's builds
Nov 30 20:35

it has manifested in so many shit like apps falling behind on updates and users not being able to update the apps on their own
Nov 30 20:36

and their build server being so old they were on EOL Debian LTS for a while (and Debian LTS itself is EOL Debian)
Nov 30 20:37

jp:
there's no such thing as Debian LTS
Nov 30 20:42

SkewedZeppelin:
there is Debian LTS
Nov 30 20:44

https://en.wikipedia.org/wiki/Debian_versions#Release_table
Nov 30 20:45

it just isn't great

https://wiki.debian.org/LTS

they were on stretch? and are now on bullseye
https://gitlab.com/groups/fdroid/-/milestones/5#tab-issues
Nov 30 20:47

Tommy:
> <@_xmpp_SkewedZeppelin=2fdivestos-mobile=40conference.konvers.me:matrix.org> they were on stretch? and are now on bullseye
> https://gitlab.com/groups/fdroid/-/milestones/5#tab-issues

Yeah the thing is they were on stretch after Debian LTS dropped it

Like
Nov 30 20:51

jp:
meanwhile I have to pay for every megabyte with my carrier
Nov 30 20:52

Tommy:
You really do not want that for your build system

They are on bullseye now

How long till their next update

SkewedZeppelin:
fennecbuild had multiple hacks to get it to compile on such an old version
Nov 30 20:53

Tommy:
Are they gonna sit on bullseye for years again or are they planning to keep up with updates now

SkewedZeppelin:
be the change you want to see
Nov 30 20:54

🙈️

Tommy:
Aaa

I just use github+RSS and izzyondroid cuz I really wanna avoid the fdroid repo lol
Nov 30 20:55

> <@_xmpp_SkewedZeppelin=2fdivestos-mobile=40conference.konvers.me:matrix.org> yep

Look the coolpad cool s
Nov 30 21:21

Same hardware

$150
Nov 30 21:22

ninchuka:
> <@tommy:arcticfoxes.net> Yeah the thing is they were on stretch after Debian LTS dropped it

Mfw how

SkewedZeppelin:
be a 13 year old project with few people who both know how it really all works and have the time to update it
Nov 30 21:34

> No malware has been found in f-droid.org in its 7 years of operation.

This claim however is no longer
Nov 30 21:35

https://gitlab.com/fdroid/fdroiddata/-/issues/2753

wj25czxj47bu6q:
> the string/request in question is part of the apk downloaded from f-droid, not … part of the sources tarball on f-droid that is claimed to have been used to build that apk.

Well that seals the deal for me to immediately lose all trust in the F-Droid main repo
Nov 30 21:38

SkewedZeppelin:
it wasn't their fault

the library on jitpack had been hijacked and the app had no gradle filtering or gradle dependency verification

see https://github.com/nextcloud/news-android/issues/1109
Nov 30 21:39

they _should_ however in the future mandate those security features
Nov 30 21:40

wj25czxj47bu6q:
Yeah, reading more into it, it's quite a complex issue

SkewedZeppelin:
related: https://gitlab.com/fdroid/fdroidserver/-/merge_requests/989
Nov 30 21:42

wj25czxj47bu6q:
What is this terrible build system that allows pulling sources from places besides the original source code?

SkewedZeppelin:
gradle and it did because it was configured that way

by the app dev
Nov 30 21:43

wj25czxj47bu6q:
F-Droid build system should be blocked from internet access though

SkewedZeppelin:
https://github.com/nextcloud/news-android/issues/1109#issuecomment-1222193078

wj25czxj47bu6q (M), how else would it download dependencies?
Nov 30 21:44

wj25czxj47bu6q:
The dev should set up all dependencies as source code which goes into the build system on their end

SkewedZeppelin:
that doesn't work with the current workflows

wj25czxj47bu6q:
> <@_xmpp_SkewedZeppelin=2fdivestos-mobile=40conference.konvers.me:matrix.org> that doesn't work with the current workflows

The current workflows are bad

SkewedZeppelin:
that is a much larger issue than f-droid

wj25czxj47bu6q:
You can't claim an app was built from a given source tarball and then pull in dependencies from outside that source tarball
Nov 30 21:45

I understand why that approach is broadly used, but F-Droid should be mandating stricter standards

F-Droid is already all about the idea that apps are fully open-source. So why allow pulling in random stuff in the build process?
Nov 30 21:46

jp:
if they mandate stricter standards then fewer ppl would publish to fdroid
Nov 30 21:49

wj25czxj47bu6q:
> <@_xmpp_jp=2fdivestos-mobile=40conference.konvers.me:matrix.org> if they mandate stricter standards then fewer ppl would publish to fdroid

That would be much better than the current situation of having many, many people place ultimate faith in a horribly insecure system
Nov 30 21:50

SkewedZeppelin:
in this case the only reason it didn't impact the official News app was because the developer had the library in their local cache

kuba_:
> if they mandate stricter standards then fewer ppl would publish to fdroid
perhaps 'strict' repo can do the thing

wj25czxj47bu6q:
> <@_xmpp_SkewedZeppelin=2fdivestos-mobile=40conference.konvers.me:matrix.org> in this case the only reason it didn't impact the official News app was because the developer had the library in their local cache

Yeah I understand that this issue was an upstream problem. I'm upset because F-Droid has no protections against this. If you are going to provide a public build system for people to use, it should be quite well secured — better than what the average person would naïvely do.
Nov 30 21:52

This is not that. You can't even reliably trust the purported source tarball to match the apk.
Nov 30 21:53

SkewedZeppelin:
there is a very good leading paragraph here about it that largely summarizes why people don't use it: https://docs.gradle.org/current/userguide/dependency_verification.html
Nov 30 21:54

edgar.vincent:
ro
Nov 30 21:56

SkewedZeppelin:
🦁️

the jitpack issue was because the library developer didn't own the domain associated with its namespace

which is a topic Micay touched on the other day here
Nov 30 21:58

where Play doesn't have any requirements for app package IDs or permissions
Nov 30 21:59

wj25czxj47bu6q:
Am I wrong? Please tell me if I'm wrong

But the F-Droid build system doesn't seem to guarantee deterministic builds at all
Nov 30 22:02

SkewedZeppelin:
it doesn't

I don't think it ever claimed to either
Nov 30 22:03

wj25czxj47bu6q:
> It is built and signed by F-Droid, and guaranteed to correspond to this source tarball.

Weasel language
Nov 30 22:04

SkewedZeppelin:
hm, that line should be reworded indeed
Nov 30 22:06

you gonna open the issue, or want me to?
Nov 30 22:07

Tommy:
yeah I really don't want to talk to f-droid people

I did once

not fun
Nov 30 22:09

risen:
What should it say without turning a sentence into a paragraph?

Tommy:
instead of fixing their misleading permission labels they went on a rant about how the android permission system doesn't work (???)
Nov 30 22:10

SkewedZeppelin:
risen, not too sure

wj25czxj47bu6q:
> <@_xmpp_risen=2fdivestos-mobile=40conference.konvers.me:matrix.org> What should it say without turning a sentence into a paragraph?

In an ideal world I would like the builds to actually be deterministic

SkewedZeppelin:
it requires some nuance

Tommy:
> <@_xmpp_risen=2fdivestos-mobile=40conference.konvers.me:matrix.org> What should it say without turning a sentence into a paragraph?

we compile the build from this tar ball

done

SkewedZeppelin:
Tommy, that still isn't accurate

wj25czxj47bu6q (A), what other distro has fully deterministic builds?

nix?

wj25czxj47bu6q:
> <@tommy:arcticfoxes.net> we compile the build from this tar ball

This still does not convey that external deps can be pulled in
Nov 30 22:11

Tommy:
uhh

don't know about fully deterministic builds, but debian does try to be reproducible

but what good is it when the builds themselves are outdated asf xddd
Nov 30 22:12

wj25czxj47bu6q:
> <@_xmpp_SkewedZeppelin=2fdivestos-mobile=40conference.konvers.me:matrix.org> wj25czxj47bu6q (A), what other distro has fully deterministic builds?

Not too sure to be honest. NixOS has deterministic OS configuration and package installation, but I have no clue about the build system. F-Droid reproducible builds should be deterministic, no?

SkewedZeppelin:
https://gitlab.com/fdroid/fdroid-website/-/issues/689

wj25czxj47bu6q:
> F-Droid reproducible builds should be deterministic, no?

Actually I now question if those are truly deterministic across time since there is apparently no restriction on pulling in external dependencies
Nov 30 22:14

SkewedZeppelin:
which is why I believe both git commit signing + gradle dependency verification should be the minimum required here
Nov 30 22:15

...

theanonymousejoker:
> This claim however is no longer
> https://gitlab.com/fdroid/fdroiddata/-/issues/2753
SkewedZeppelin: taken down within 24 hours https://gitlab.com/fdroid/fdroiddata/-/issues/2753#note_1072293686
Dec 1 08:28

> That would be much better than the current situation of having many, many people place ultimate faith in a horribly insecure system
wj25czxj47bu6q (M): there are people that trust Google services and phone hardware
Dec 1 08:30

risen:
> Saw this from CalyxOS re-nitter
> Only a third? Wow!
> https://www.wired.com/story/fbi-google-geofence-warrant-january-6/
https://www.apnews.com/828aefab64d4411bac257a07c1af0ecb/AP-Exclusive:-Google-tracks-your-movements,-like-it-or-not
https://www.theguardian.com/us-news/2021/sep/16/geofence-warrants-reverse-search-warrants-police-google
Dec 1 08:41

risen:
theanonymousejoker: How long from publish v 0.9.9.75 to takedown and publish 76, a month or so? We'll never know how many had or still have 75 installed.
Dec 1 08:42

theanonymousejoker:
Well since Fdroid does not track user installs, this is a downside of that
Dec 1 08:43

And the issue really is not on Fdroid as much as it is made to look like it or whatever

risen:
They can't claim never published malware in an app.
Dec 1 08:44

theanonymousejoker:
Unfortunate but it also means Fdroid userbase is larger than is thought of
Dec 1 08:45

risen:
Don't see how it means that
Dec 1 08:47

theanonymousejoker:
https://upload.yax.im/upload/2u2a5KgCUFdLnzvK/IMG_1132.jpg
Dec 1 08:48

https://github.com/nextcloud/news-android/issues/1109#issuecomment-1222033175

So if we look at timestamps, if the attack is possible on users, it has to happen on users theoretically somewhere between 2:53am 22 August and before afternoon of 22 August, because the domain returned 404 status later in the same day. And users have had to update the app during this specific timeframe.
The theoretically malicious thing is a DNS request, and it looks to have had no malicious intent. I see no reason how Fdroid pushed a malware if we follow the trail for 5 minutes.
Dec 1 08:52

risen:
Idk but they didn't change issue title.

FYI ceb2txt threw errors, maybe because I've been using monocles ( arne ) and ceb2txt isn't compatible, or ... Anyway, back burner for now, if things stay calm.
Dec 1 08:55

theanonymousejoker:
It's still theoretically a supply chain attack which carries a risk, but looks very complicated and clearly the onus is not largely on Fdroid team. If there are no victims from this instance, this cannot and should not be labelled as "omg fdroid = aptoide < playstore" brainrot
Dec 1 08:56

risen:
Donno who said that. 3rd party stores are still rounding error noise AFAIK anyway.
Dec 1 08:57

* 3rd tier stores
Dec 1 08:58

theanonymousejoker:
There are proponents who are sitting, eager to malign image of Fdroid build system in the name of security, only to tarnish privacy and anonymity efforts, and push Play Store as better.
People know no better than "there is play store and unknown app stores", and so this public notion is misused to allow to pull down legs of Fdroid
Dec 1 08:59

risen:
Anyway, have a great whatever December day.
Dec 1 09:04

> gallery app

https://github.com/k3b/APhotoManager

They say they can't get photo GPS data, but simple gallery still can display it. So is the issue something specific about how APhotoManager does things, or is there a way to get this app to live again?
Dec 1 09:37

Simple gallery can give a photo GPS coordinates to OsmAnd for mapping the location too. 🤔
Dec 1 09:42

risen:
> theanonymousejoker:
> There are proponents who are sitting, eager to malign image of Fdroid build system in the name of security, only to tarnish privacy and anonymity efforts, and push Play Store as better.
> People know no better than "there is play store and unknown app stores", and so this public notion is misused to allow to pull down legs of Fdroid
I agree with most of this, except I give the public more credit sometimes. I also believe I know where you're headed, and only disruption would come of that, here, IMO.
Dec 1 10:06

SkewedZeppelin:
theanonymousejoker, what are you on about it only being one day? it happened for over two weeks
Dec 1 11:35

theanonymousejoker:
> theanonymousejoker, what are you on about it only being one day? it happened for over two weeks

SkewedZeppelin: I have no idea, I assumed the timeline since I was not present here.
Dec 1 12:33

...

risen:
Too many options to consider. I install e with all the preset superior privacy modes
Dec 1 14:22

SkewedZeppelin:
yes, I just love how well /e/OS takes care of all those security and privacy aspects for me
Dec 1 14:24

risen:
> SkewedZeppelin:
> yes, I just love how well /e/OS takes care of all those ~security and~ privacy aspects for me

On your own for security.
Dec 1 14:29

Simpler, buy mur/e/na fp4 so it comes with correct cell settings for my location
Dec 1 14:31

90zhop:
Is divest os more secure than calyxos? If so how?
Dec 1 15:12

risen:
90zhop: There's an often posted comparison link somewhere, but CalyxOS is uhm said to be slower updating webview and important OS components, as well as using incorrect terminology about it.
Dec 1 15:16

IMO they include too much stuff I don't need, even with minimal install, and that can't possibly be good, though may be insignificant for security.
Dec 1 15:18

That said, I'm running CalyxOS, happy with it, and my wallet is as full as ever. I'd switch to Dos in a heartbeat if I could.
Dec 1 15:21

90zhop:
> <@_xmpp_risen=2fdivestos-mobile=40conference.konvers.me:matrix.org> That said, I'm running CalyxOS, happy with it, and my wallet is as full as ever. I'd switch to Dos in a heartbeat if I could.

Would you recommend calyxos for crypto trading or divest os or another?
Dec 1 15:23

risen:
I wouldn't recommend ~anything for~ crypto trading, based mainly on what the US treasury Secretary said on Colbert yesterday, so don't listen to me about anything. 😂
Dec 1 15:25

SkewedZeppelin:
I thought we already talked about this

The bigger issue is using a proprietary noncustodial wallet

Than the OS

Custodial*
Dec 1 15:26

https://divestos.org/index.php?page=patch_levels#osSecurity
Dec 1 15:28

...

risen:
No one seems to measure "safeness". I argue you are safe or not safe. My money is on not safe.
Dec 1 15:35

> 90zhop:
>> <@_xmpp_SkewedZeppelin=2fdivestos-mobile=40conference.konvers.me:matrix.org> Including dependencies from who?
>
> Well i trust the app been using it for years on other os devices ios should be good to go on divest os then

Why not go all the way to a pixel 6a or even 7?
Dec 1 15:49

90zhop:
> <@_xmpp_risen=2fdivestos-mobile=40conference.konvers.me:matrix.org> > 90zhop:
> >> <@_xmpp_SkewedZeppelin=2fdivestos-mobile=40conference.konvers.me:matrix.org> Including dependencies from who?
> >
> > Well i trust the app been using it for years on other os devices ios should be good to go on divest os then
> Why not go all the way to a pixel 6a or even 7?

And use graphene instead?
Dec 1 15:54

matchboxbananasynergy!:
I mean yeah, if you can afford a Pixel, GrapheneOS is the way to go

The 6a should be relatively cheap, but it depends on where you're from etc.
Dec 1 15:55

risen:
I went with CalyxOS, but you do you. :)

90zhop:
> <@_xmpp_risen=2fdivestos-mobile=40conference.konvers.me:matrix.org> I went with CalyxOS, but you do you. :)

Calyxos secure for crypto as well?
Dec 1 15:56

matchboxbananasynergy!:
I don't know why we're hyperfixating on crypto tbh :p

It's not a matter of "secure for crypto" or "not secure for crypto"
Dec 1 15:57

risen:
> Me:
> No one seems to measure "safeness". I argue you are safe or not safe. My money is on not safe.

wgreenhouse:
90zhop: SkewedZeppelin already addressed this. for cryptocurrency, use an open source wallet that actually holds your coins, instead of a proprietary one where they are held on an exchange
Dec 1 15:58

matchboxbananasynergy!:
From my perspective, GrapheneOS is far more secure, and it gets updates/ports to new versions much faster

So if you're going to get a Pixel, I'd start with GrapheneOS and see how you like it

90zhop:
> <@_xmpp_wgreenhouse=2fdivestos-mobile=40conference.konvers.me:matrix.org> 90zhop: SkewedZeppelin already addressed this. for cryptocurrency, use an open source wallet that actually holds your coins, instead of a proprietary one where they are held on an exchange

This is good advice thanks
Dec 1 16:00

risen:
> matchboxbananasynergy!:
> From my perspective,
Completely impartial?

> GrapheneOS is far more secure, and it gets updates/ports to new versions much faster
Some assumptions about user behavior built in there, but would mostly agree.
Dec 1 16:01

matchboxbananasynergy!:
I said from my perspective. I'm a moderator in the GrapheneOS community, so my perspective cannot be impartial, although I like to think that I look at the facts and base my decisions on that
Dec 1 16:03

>Some assumptions about user behavior built in there, but would mostly agree.

Not sure what you mean, but I was just offering my opinion, and the fact that GrapheneOS is more secure overall and gets updates much faster is very well documented

I don't think that part is an assumption of any sort
Dec 1 16:04

But anyway, like it was mentioned a couple of days ago, this is the DivestOS room. I was just offering my opinion. Not interested in any drawn-out debates or anything

risen:
A bad user like me turns off auto updates. I only got them if/when I remembered to check.
Dec 1 16:05

matchboxbananasynergy!:
Well, that sounds like a you thing

Even with auto-updates turned off, it's a fact that GrapheneOS has new updates available faster in the first place :)
Dec 1 16:06

risen:
No offense, just pointing out assumptions

matchboxbananasynergy!:
So even if you're manually updating (I don't see why, tbh), they'd be there much faster on GrapheneOS in my experience

I'm curious actually

Any reason why you don't do auto-updates?

Are you on a metered network 24/7 or something?
Dec 1 16:07

risen:
Not interested in fine point pen semantics either.
Dec 1 16:08

matchboxbananasynergy!:
I'm confused... what semantics are we talking about here

risen:
> matchboxbananasynergy!:
> Even with auto-updates turned off, it's a fact that GrapheneOS has new updates available faster in the first place :)
Available vs installed type semantics
Dec 1 16:09

matchboxbananasynergy!:
I only said that because you seemed to discount the importance of quick updates because you personally don't auto-update, lol
Dec 1 16:10

risen:
Not bandwidth primarily

matchboxbananasynergy!:
I'm just having a discussion with you

It's not a debate or anything

risen:
I hate that I can't be fully honest. Let's stay casual if possible.

Anyway, too frequent updates get annoying. Frequent checks are annoying. Sometimes, in general not specific to Gos, updates break stuff. There are times in busy life you may trade that off and delay updates to be sure to have a working phone.
Dec 1 16:17

I dislike things that query or call home frequently
Dec 1 16:19

matchboxbananasynergy!:
I haven't really experienced breakage as a result of updates, to be honest, but even if you want to delay updates for your own personal reasons, that's possible on GrapheneOS, but the updates are there for when you want to actually update
Dec 1 16:20

risen:
Dos has a use-Tor-for-updates setting, as well as check frequency settings. I like it.
Dec 1 16:21

matchboxbananasynergy!:
That's nice

Does it have .onion repos?

Or just routes the checks through Orbot or something

risen:
There is onion for f-droid repo maybe, not sure on OS.
Dec 1 16:23

SkewedZeppelin:
The patch has some onion handling, but I never added the allowcleartext exceptions so it just uses the non onion

But there is a .onion for it

matchboxbananasynergy!:
Gotcha

SkewedZeppelin:
Used by fdroid and when visiting via tor browser

risen:
CalyxOS is worse in a way, or you might feel better, because they don't give notification of OS update checks
Dec 1 16:25

matchboxbananasynergy!:
I mean, if you don't want to see a specific notification, Android allows you to disable specific notification channels

so for example, if you don't want to see the "OS is up to date" notification specifically, that can be disabled
Dec 1 16:26

I like to have it on so that I know the check happened, but others may not

risen:
Had to go too far to disable the updater completely, on both, but not on Dos
Dec 1 16:27

SkewedZeppelin:
I wish I could do more frequent updates

...

risen:
I was concerned what might happen on Gos if I missed updates while not paying attention. Monthly is 3 bears right imo
Dec 1 16:29

matchboxbananasynergy!:
> <@_xmpp_risen=2fdivestos-mobile=40conference.konvers.me:matrix.org> I was concerned what might happen on Gos if I missed updates while not paying attention. Monthly is 3 bears right imo

In what sense?
Dec 1 16:30

risen:
They are incremental iiuc, which is good. It probably handles skips fine, but I didn't want to find out
Dec 1 16:31

SkewedZeppelin:
how many incrementals back are actually generated by gos?
Dec 1 16:32

matchboxbananasynergy!:
> <@_xmpp_risen=2fdivestos-mobile=40conference.konvers.me:matrix.org> They are incremental iiuc, which is good. It probably handles skips fine, but I didn't want to find out

You'd just have to download the entire update instead of the delta
Dec 1 16:36

wj25czxj47bu6q:
> <@_xmpp_theanonymousejoker=2fdivestos-mobile=40conference.konvers.me:matrix.org> There are proponents who are sitting, eager to malign image of Fdroid build system in the name of security, only to tarnish privacy and anonymity efforts, and push Play Store as better.
> People know no better than "there is play store and unknown app stores", and so this public notion is misused to allow to pull down legs of Fdroid

Is it so wrong to want better security? Who is criticizing F-Droid's efforts to promote privacy and anonymity? What are you on about?
Dec 1 16:57

> <@_xmpp_theanonymousejoker=2fdivestos-mobile=40conference.konvers.me:matrix.org> It's still theoretically a supply chain attack which carries a risk, but looks very complicated and clearly the onus is not largely on Fdroid team. If there are no victims from this instance, this cannot and should not be labelled as "omg fdroid = aptoide < playstore" brainrot

Please read the entire conversation before commenting.
Dec 1 16:58

darhma:
wtf over 600 posts to read in a few hours!?! SkewedZeppelin maybe should think about creating another muc with the news only strictly about divestos and its development?
Dec 1 17:00

wj25czxj47bu6q:
> <@_xmpp_theanonymousejoker=2fdivestos-mobile=40conference.konvers.me:matrix.org> > That would be much better than the current situation of having many, many people place ultimate faith in a horribly insecure system
> wj25czxj47bu6q (M): there are people that trust Google services and phone hardware

If you don't trust Google, go use an iPhone. Simple as that. Android Open Source Project is Google code and a much easier vector for a backdoor than anything hardware-level.

risen:
darhma: News only:
https://divestos.org/index.php?page=news
Dec 1 17:04

Copyright 2022