this post was submitted on 13 Aug 2024
62 points (90.8% liked)

Privacy


A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.


So I've been in the rabbit hole of Android privacy for some time. Most recently I joined the GrapheneOS community, but let's just say that they don't have a "healthy" opinion about other projects like F-Droid.

So I am looking for generic communities that focus on mobile privacy and don't have drama, toxicity or "extreme opinions". Any suggestions? I prefer chat-based communities like Matrix or SimpleX instead of Reddit or Lemmy.

[–] jet@hackertalks.com 20 points 1 month ago* (last edited 1 month ago) (4 children)

F-Droid is introducing another trusted party to your supply chain, which should be a factor in anyone's threat modeling.

https://f-droid.org/docs/Reproducible_Builds/ However, with reproducible builds a package is now built and signed by both F-Droid and the original developer, so you get a net security benefit of having a third party attesting that they can independently reproduce the binary from source. Problem solved, right? Well, yes, but mostly no. Most projects and packages don't have reproducible builds, so if you're using F-Droid for most packages you're still trusting F-Droid.

I think a lot of the online hate comes from people making assumptions that their use case and threat model applies to everyone. That's why I prefer discourse where we just talk about the attributes and not "you should".

[–] beyond@linkage.ds8.zone 12 points 1 month ago* (last edited 1 month ago) (1 children)

I feel like there's a lot of FUD around this subject, because people bring it up as if it's purely a negative without talking about the reasons why it's done the way it is. The whole point of F-Droid is that it's a repository (not a store) of free software applications. They have an inclusion policy forbidding proprietary code and dependencies, and in order to enforce this policy they have to build from publicly available source code, and in order to do so they need to sign the builds themselves. This means, yes, you are trusting F-Droid instead of the upstream developer - but given F-Droid has higher standards than upstream developers this is a tradeoff I am willing to make.

Reproducible builds solve this in a way that preserves the standards of F-Droid; however, "security people's" favored "alternatives" (such as Accrescent, Obtainium, and Google Play Store/Aurora Store) forgo this entirely, showing that they either don't have a viable solution to offer or don't really care about the problem that F-Droid is addressing to begin with.

[–] jet@hackertalks.com 3 points 1 month ago

Really well said!

[–] refalo@programming.dev 4 points 1 month ago* (last edited 1 month ago) (2 children)

Do you know of an equivalent to https://reproducible-builds.org/citests/ for Android/F-Droid packages? I'd like to see some public verification of these reproducible builds, especially Signal.

[–] jet@hackertalks.com 2 points 1 month ago (1 children)

The public verification is that the developer-signed binary matches the F-Droid-built binary.

[–] refalo@programming.dev 3 points 1 month ago

Yes, but this is often not an option for non-developers.
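The check jet describes (developer-signed binary matches the F-Droid-built binary) is, at its core, a comparison of two APKs with the signature files set aside. The script below is an added example, not code from any commenter or from the F-Droid project: it builds two constructed toy APKs from the same "source", one carrying a fake developer signature block and one a fake F-Droid signature block, and reports which zip entries differ once `META-INF/` signature files are excluded. A third build with a modified `classes.dex` shows what a non-reproducible or tampered build looks like. The `make_apk` helper and all file contents are constructed stand-ins, not real signing material.

```python
import hashlib
import io
import zipfile

# APK v1 (JAR) signature entries live under META-INF/. These are the files that
# legitimately differ between two builds of the same source signed with different keys.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", ".MF")


def is_signature_entry(name: str) -> bool:
    """True for META-INF/*.RSA|DSA|EC|SF|MF, i.e. the JAR-signature files."""
    upper = name.upper()
    return upper.startswith("META-INF/") and upper.endswith(SIGNATURE_SUFFIXES)


def content_digests(apk_bytes: bytes) -> dict[str, str]:
    """Map every non-signature zip entry to the SHA-256 of its contents."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info.filename)).hexdigest()
    return digests


def compare_builds(dev_apk: bytes, fdroid_apk: bytes) -> list[str]:
    """Return the entries that differ or exist on only one side.
    An empty list means the two APKs are identical apart from their signatures."""
    a, b = content_digests(dev_apk), content_digests(fdroid_apk)
    return sorted(name for name in a.keys() | b.keys() if a.get(name) != b.get(name))


def make_apk(entries: dict[str, bytes], signer: str) -> bytes:
    """Constructed toy APK: the app's files plus a fake JAR-signature block whose
    bytes depend on `signer`, standing in for a real signing key (not real crypto)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\nSigned-By: " + signer.encode() + b"\n")
        zf.writestr("META-INF/CERT.RSA", hashlib.sha256(signer.encode()).digest())
    return buf.getvalue()


# Constructed "build output" shared by the developer and the F-Droid build server.
SOURCE_BUILD = {
    "classes.dex": b"dex\n035\x00" + b"constructed app code",
    "AndroidManifest.xml": b"<manifest package='org.example.app'/>",
    "res/values/strings.xml": b"<resources/>",
}
DEVELOPER_APK = make_apk(SOURCE_BUILD, signer="developer-key")
FDROID_APK = make_apk(SOURCE_BUILD, signer="fdroid-key")

# Same signer as F-Droid, but the code differs: this is what a failed reproduction looks like.
TAMPERED_BUILD = dict(SOURCE_BUILD, **{"classes.dex": b"dex\n035\x00" + b"something else"})
TAMPERED_APK = make_apk(TAMPERED_BUILD, signer="fdroid-key")

if __name__ == "__main__":
    print("reproducible build, differing entries:", compare_builds(DEVELOPER_APK, FDROID_APK))
    print("tampered build, differing entries:", compare_builds(DEVELOPER_APK, TAMPERED_APK))
```

On real APKs, run the same comparison on the upstream release and the F-Droid download of the same version. One caveat: modern APKs also carry a v2/v3 signing block that sits between the zip entries and the central directory rather than as a zip entry, so a byte-for-byte diff of the two files will never match even when every entry does; comparing entry contents, as above, is the meaningful check.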

[–] possiblylinux127@lemmy.zip 2 points 1 month ago (1 children)

Signal isn't on F-droid. You need to use Molly for that.

[–] refalo@programming.dev 2 points 1 month ago

Indeed... I was not trying to imply that it was.

[–] lord___vader@sh.itjust.works 4 points 1 month ago (1 children)

I completely understand, but this only adversely affects you if F-Droid getting hacked is in your threat model. And not everyone has that.

[–] jet@hackertalks.com 2 points 1 month ago (1 children)

Yeah, exactly. So pointing that out is sufficient, and it's up to every user to decide if the benefit is worth the risk. And I'm sure for most people F-Droid is a net positive.

Now, I want to change gears and talk about annoying personalities also being really beneficial. Crazy principled people drive change in the world. The OpenBSD founder, RMS, the Graphene founder: these are crazy, unreasonable, uncompromising people who are difficult to get along with, but they drive change. Sometimes we need those uncompromising people. I think putting up with them is the cost of a vibrant ecosystem.

[–] BearOfaTime@lemm.ee 1 points 1 month ago* (last edited 1 month ago)

I disagree.

If you're an asshole, people don't want to work with you, and will actively avoid you.

I'm the IT guru in my family and extended circle. Of the probably 100+ people I advise, none will ever use Graphene now.

They alienate people with their hubris and condescension. Rather than help people understand their perspective, they act like it's "the only answer".

That's never a solution. Discussing pros and cons of different approaches moves us forward, not the Graphene "us vs. them" mentality.

[–] possiblylinux127@lemmy.zip 2 points 1 month ago

There isn't anything better than F-Droid as far as I can tell.