questions about updates and open source

workeronthewalls

23Sha-ger Then why not just wait the 90 days for the information to become public and therefore stay open source only, if it might take some time for low effort bad actors to weaponize vulnerabilities.
GrapheneOS could still come up with the patches earlier than the low effort bad actors, even if they stayed open source only. Is it more stressful and more work? Sure. But worth it in my opinion if GrapheneOS stays open source only.
(I know, I know, there is still the open source version out there and even in the closed source version, only the security patches are closed source, that will become open source after about 3 months. Let's leave that specific discussion behind already.)

GrapheneOS

workeronthewalls What you want already exists: don't opt-in to enabling the security preview releases. They're not enabled by default.

userofgos

workeronthewalls or maybe you are a bad faith actor afterall.

That is quite the accusation and I don't see how you can "in good faith" come to that conclusion.

workeronthewalls "trust me bro, we are not compromised by the intelligence agencies".

Well, to put it in your own words, you are basically saying the same thing "trust me bro, Google is sharing information on vulnerabilities with the intelligence agencies before they share it with OEMs"

spring-onion

@workeronthewalls Your train of thought isn't cohesive and we've already gone to great lengths to discuss this matter with you. Implying GrapheneOS is compromised is where this discussion ends.

RandByte

workeronthewalls Problem is though, there is just no proof, that this is the case, and nice words are no proof.

workeronthewalls Again, in the end it's a trust issue, and for me personally, shipping closed source, whatever the circumstances might be, does make me trust you less.

Damn! The trouble here is the way you react. You're so overwhelmed by your emotions that you shut down your rationality completely. So let's get back to reality for a minute:

Early security patches are under embargo from Google (for understandable reasons as most manufacturers are big as sea tankers and very slow to move and update their OS) but accessible to the GOS team for them to incorporate in their releases.
These security patches get eventually published. (keep that information in mind as it's relevant in the next point)
GOS releases are reproducible and they have a cryptographic hash
Once the embargo is lifted, guess what? You can build a reproducible GOS with the published patches and check the cryptographic hash is identical

So... unless you're some out of this world wizard who can bend the laws of physics and mathematics to your will, your whole rent on this thread is moot, serves no purpose other than wasting GOS dev team precious time! They kindly and thoroughly answered everything but you're like a dog with a bone, you won't let go!

If one day you catch the GOS team lying about closed source patches being included in the GOS release, then on only then, unleash all your anger! But that (unlikely) day comes, please STFU and stop wasting everyone's time.

other8026

@workeronthewalls Please see the responses from the project account. They've responded to 8 of your posts out of a total of 14. People have been very clear about what the security preview releases were, why GrapheneOS has them in the first place, etc. Now your persistence has crossed the line into being disruptive, especially now that you're continuing after your last post was deleted and you were asked nicely to stop.

« Previous Page