a proposal for heightened resistance to human compromise in the graphene os project
the problem:
graphene os has become a thorn in the side of state-level adversaries who wish they had access to the content of graphene os devices. this is a sign that the hardening done by the graphene os project is having a positive effect against even highly resourced adversaries. however, this brings heightened relevance to the threat of human compromise. law enforcement and state security arms of various governments may attempt to entrap or otherwise gain leverage over and subsequently pressure one or more developers into putting compromised code into the project. this has happened with several for-profit mobile os and handset companies targeted at organized crime. while it would be a significant escalation for a western policing agency to target an open source project working on a legitimate security system, it does not seem out of the realm of possibility. solving this problem is difficult as policing agencies are notoriously skilled at compromising people. however, states are limited by geopolitics, sectioning the world into zones that generally have strained or limited cooperation with each other. france for example is in a different geopolitical zone than india, which is in a different geopolitical zone than russia. this is a reductive analysis, but could be somewhat more intensely examined to more effectively achieve the outcome in the next paragraph.
my proposed solution:
All PRs must be reviewed by at least one, maybe two, developers in a different geopolitical zone than the developer making it. additionally, all release builds must be reproduced by developers in 3 different geopolitical zones, each of which has a public way to confirm successful reproduction of the release. this could be as simple as a pgp (or other better system) signed message with a date, confirmation of the release, and a recent news story, by a key solely controlled by each developer and published on the graphene os forums. ideally each developer would sign a message containing the key fingerprints of the other developers, and an expiration date, all of which could be included in the website and the graphene os info app.
end note
this suggestion is from the hip and unrefined, and I don't mean it to be an uncritiqueable text. if people in good faith want to tear it apart and build a better piece of social technology I welcome it, but please at least be kind in the process.
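
The review and reproduction rules proposed above, sketched as a policy check. This is an added example, not part of the original post and not GrapheneOS project code. The roster, developer names, zone labels, the 7-day freshness window and the `sig_ok` field (standing in for the result of an external signature check such as `gpg --verify`) are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed roster: developer -> (geopolitical zone, key expiration). Hypothetical names.
ROSTER = {
    "dev1": ("zone-a", datetime(2031, 1, 1)),
    "dev2": ("zone-b", datetime(2031, 1, 1)),
    "dev3": ("zone-c", datetime(2031, 1, 1)),
    "dev4": ("zone-a", datetime(2031, 1, 1)),
    "dev5": ("zone-c", datetime(2029, 1, 1)),
}

@dataclass(frozen=True)
class Attestation:
    developer: str
    release_digest: str   # digest of the build the developer reproduced
    signed_at: datetime   # date carried inside the signed message
    sig_ok: bool          # assumption: outcome of an external signature check

def pr_review_ok(author, reviewers, required=1, roster=ROSTER):
    """True if at least `required` reviewers sit in a zone other than the author's."""
    author_zone = roster[author][0]
    outside = {r for r in reviewers
               if r != author and r in roster and roster[r][0] != author_zone}
    return len(outside) >= required

def attesting_zones(attestations, release_digest, now,
                    max_age=timedelta(days=7), roster=ROSTER):
    """Zones with at least one valid, fresh attestation for this release."""
    zones = set()
    for a in attestations:
        if a.developer not in roster or not a.sig_ok:
            continue                      # unknown signer or bad signature
        zone, key_expiry = roster[a.developer]
        if a.release_digest != release_digest:
            continue                      # attests to a different build
        if a.signed_at > now or now - a.signed_at > max_age:
            continue                      # future-dated or stale (replayed) message
        if a.signed_at >= key_expiry:
            continue                      # signed after the key's expiration date
        zones.add(zone)                   # two developers in one zone count once
    return zones

def release_ok(attestations, release_digest, now, zones_required=3):
    """True if enough distinct zones independently reproduced the release."""
    return len(attesting_zones(attestations, release_digest, now)) >= zones_required
```

Counting zones rather than signatures is the point of the check: two developers reachable by the same jurisdiction add only one vote toward the quorum.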