Press communication in France about GrapheneOS

simplenot

Maketrades I guess even bad press is good press :)
This will definitely make GOS more visible.

Eirikr70

simplenot That was my first feeling, but it also presents drawbacks!

de0u

Maketrades I have a question regarding the functionality of the servers.. How big or how small is the chance that they be able to attack the servers of GOS to add or to modify something to add on a update pushed from the server like they did in the case of encrochat?

Each GrapheneOS device contains the public half of the GrapheneOS release signing key, and uses that to check that each OS release is signed by the private half of the key. If somebody corrupts a GrapheneOS update server and installs an update that is not signed by that key, GrapheneOS devices will download the update and delete it when the signature check fails.

Maketrades

de0u Each GrapheneOS device contains the public half of the GrapheneOS release signing key, and uses that to check that each OS release is signed by the private half of the key. If somebody corrupts a GrapheneOS update server and installs an update that is not signed by that key, GrapheneOS devices will download the update and delete it when the signature check fails.

Thanks that's already a bit less concerning but what about this?

jasejok What's the most concerning to me is the possibility to infiltrate the project from within, as has happened with a lot of projects that were "not convenient" for the governement.
I think graphene leadership owes it to the community to explain how they are ensuring that they won't be compromised from an insider if pressed (imagine being a developer and law enforcement is threatening you with jail time if you don't collaborate).

Asswell a legit question he or she actually took the words out of my brains.

Eirikr70

Xtreix Thanks for your good job about the Wikipedia page. I am in the process of revising it and there is one aspect I would like to share. While introducing the history of the GrapheneOS, you enter in very technical details with concepts that the lay-person I am doesn't understand (Malloc, Bionic libc library, PaX kernel). As much as I understand the interest of giving technical precisions, I think it makes the article harder to read for the non-techie, which would - to my eyes - be a pity because any user can benefit from GrapheneOS even though you can't enter into these details. So I think that tayloring the paragraph to a more common public would be useful. I might help if you explain to me what are the benefits of these technical choices of course.

Xtreix

Eirikr70 This is the source comes from the official GOS website translated into French. I can see if it is possible to provide external links for technical terms such as hardened_malloc, which is a hardened replacement for glibc's malloc.

I see that improvements have been made. I think the screenshots should also be replaced with more recent ones. Thank you for your feedback and contribution.

de0u

jasejok Maketrades What's the most concerning to me is the possibility to infiltrate the project from within, as has happened with a lot of projects that were "not convenient" for the governement.

A lot of projects? Is a list available?

The same question applies to Google, Apple, also any other security/privacy project: how can one know for sure that nobody is compromised, ever?

de0u

jasejok Maketrades I think graphene leadership owes it to the community to explain how they are ensuring that they won't be compromised from an insider if pressed (imagine being a developer and law enforcement is threatening you with jail time if you don't collaborate).

I am curious as to what forms of assurance might be deemed credible. "I promise that if I am threatened with execution if I reveal that I was forced to ship a back door I will reveal it anyway"? Would that be believed? If not, what would be?
I do not speak for the GrapheneOS project, but I don't see what they "owe" to whom. Is it possible to explain what obligation was incurred, and how?
https://discuss.grapheneos.org/d/18927-on-open-source-and-complaining-to-the-manager

Blank

GrapheneOS Hello, I juste want to clarify something. Since GrapheneOs won't operate in France anymore, does it mean that French people won't be able to use GrapheneOs anymore ? What about people who already has grapheneOs installed ?

M_2_Sade

__Blank__ you will be able to use graphene juste fine

Eirikr70

__Blank__ No, it doesn't change anything for the French residents. "GrapheneOS not operating in France anymore" means that they will operate with infrastructure abroad and not depending from French companies. Unless contradicted.

Blank

M_2_Sade thanks

Blank

Eirikr70 okay fine ! Thanks a lot... I was really worried.
I sincerely regret that France is likely to turn into a dictatorship hiding its true intentions behind lies...

Maketrades

de0u

de0u A lot of projects? Is a list available?

Did you read the last 10-15 messages of this topic or you just come in here bashing people who having a serious question and point out there concerns here? They been mentioned a couple times here above!!

de0u I do not speak for the GrapheneOS project, but I don't see what they "owe" to whom. Is it possible to explain what obligation was incurred, and how?

They don't owe nothing to nobady!!

The thing what bother me the most is that everybody here on the forum who has a bit of technical know how or at least Lett it appears they have by jumping on all kind of topics with answers and solutions when it comes to this kind of questions stay quite or start attacking or bashing the once with the concerns. I am not here to get in endless discussions just asked a serious question and also explained why they concern. Peace out!!

de0u

de0u A lot of projects? Is a list available?

Maketrades Did you read the last 10-15 messages of this topic or you just come in here bashing people who having a serious question and point out there concerns here? They been mentioned a couple times here above!!

I'd prefer to avoid jumping to conclusions. By "a lot of projects", do you mean:

Wikipedia has a list of projects "similar" to EncroChat. I wouldn't want to put words into other people's mouths, but if that is similar to what is meant by "a lot of projects", to my eyes that list looks like businesses (not open-source free software), and businesses that were focused on proprietary messaging apps. That seems potentially different from an open-source operating system that doesn't ship with a proprietary messaging app. We'll see what plays out, I guess.

jasejok

de0u

The assurance can come first from acknowledging the seriousness of the threat, and explaining what sort of measures are taken to mitigate the risk. Sounds pretty normal to me, considering there is a threat looming that threatens the integrity of the product.

The grapheneos is a community project. It is as successful as is to a big part because of the effort of the community. People are spending resources to help the project (money, time, promotion, etc.). There has to be some level of obligation towards the community, no?

de0u

jasejok The assurance can come first from acknowledging the seriousness of the threat, and explaining what sort of measures are taken to mitigate the risk. Sounds pretty normal to me, considering there is a threat looming that threatens the integrity of the product.

I think I'm aware of one case of a project describing a specific measure for mitigating "insider attack": Google built a very specific "insider attack resistance" measure into the firmware-upgrade path. That measure is inherently deployed on GrapheneOS devices. I am not personally aware of Google, Apple, etc., documenting what measures they take against government coercion of individual developers.

But, again, it's also -- honestly -- not clear what assurances people would find credible. It's difficult for me to imagine anything that the GrapheneOS team could say that wouldn't cause people to respond with things like:

Maybe you're being paid to say that,
Maybe you say that now, but what about when you're threatened with jail,
etc.

Perhaps it might make sense for concerned individuals to join together to hire independent auditors?

Eirikr70

Xtreix This is the source comes from the official GOS website translated into French.

Oops, my bad!

Xtreix

Eirikr70 Don't worry, haha, I understand that there are technical terms and I don't really see how I could simplify it without making mistakes. I'll try to shorten the sentences a little if it makes sense, but if it sounds awkward, I'll give up. That's why I suggested including external links if possible, which will appear at the bottom of the page.

vine

GrapheneOS Elena Constantinescu wrote a post on Proton blog about this earlier today.

https://proton.me/blog/grapheneos-france

« Previous Page