Infiltrate GOS

quepasabebe

Hello again!

Just curios. How can we as gos-users feel safe knowing that the graphene os team is secure etc.

Lets say for example, is there a possibilty that some FBI/DEA/CIA or something else infiltrates the team and joins as an "Developer" for example and infiltrates some sort of code which breaches the whole code and makes them be able to install some sort of "trojan/malware" which records all of the gos users or something.. do you get what i mean?
Sorry im not so technical with my question but i hope you get what im saying.

Is this a possibilty?

GrapheneOS

quepasabebe Only the 2 main developers have commit access to the OS repositories. The other developers and contributors must have their changes approved by one of those 2 developers. All code that's added to the project is reviewed. There's a long process of working towards gaining trust and responsibilities. Most governments are also not inherently against having a secure OS project and in fact may be interested in using it directly or building an OS based on it. There are certainly people who work for the US and other governments using GrapheneOS on their personal devices.

[deleted]

quepasabebe Of course this is possible, but I don't think its very likely. Firstly you have to remember that GOS is not the only "degoogled" OS. So would Feds plant people in all of the other privacy focused softwares? Signal, GOS, Tails, Tor, Proton, mullvad, etc etc. Me thinks not, although it would be a good idea that would require alot of man power and time.

quepasabebe "trojan/malware" which records all of the gos users or something.

I find it hard to believe that one person alone would have such unchecked access as to allow for this to happen. If it did happen, I believe that there is a high likelyhood that it would be caught by someone (whether it be a GOS dev or an everyday person). The privacy enthusiast community seems pretty good at calling out companies when they do something naughty that directly contradicts their stated goal. Make a reddit account and follow every privacy focused sub you can find, this is one way that you can stay up to date on things that are evolving with the tools and companies you are using.

What I will tell you is that "privacy phone" honey pots are a thing. Research the Anon phone, which was a Fed created fork of graphene that was backed doored and marketed to criminals. The Feds know about graphene (otherwise they wouldn't have forked it for their Fed phone), it's not like GOS is some deep underground naughty spook project.

While I understand your concern, I wouldn't worry about it too much. Many privacy experts (even the ones who question other "privacy focused" services) recommend Graphene. Remember, any service you use (not just graphene) is going to require a level of trust that you can't verify. When researching companies, look for things like: open source code, independent audits, their business model (how they make money), the "business" people envolved, their reputation among privacy enthusiast and privacy experts, how long they've been around, their mission behind their project, etc. It will help you get a feel of if you should use their product or not.

TLDR: While a possibility, I wouldn't worry too much (although that doesn't mean give blind unfettered trust). Reserach and vette your tools.

protonuser2

It's a valid concern.

However that is why the bare minimum for any software to even be considered private is that it needs to be public and open source.

The idea is if the software is viewable by anyone, then it follows that it should be under scrutiny from everyone and especially 3rd party auditors, which I know GOS has had some already.

That's not to say that just because software is public on github that it automatically is trustable, no, it is only the start for someone the be proven safe and private.