
periodic reminder that Signal has mandatory google play services in it which makes the whole thing completely useless

google can just read your messages after the app decrypts them. google is also part of PRISM

moxie has explicitly refused to make an f-droid build, which would mitigate this complete bypass of the e2ee security model by not including any untrusted google binaries. wonder why that is :thounking:

@haskal @grainloom honestly as someone who used to develop an open source Android app: fuck fdroid, caused me so many stupid support requests and so many headaches

@erincandescent @haskal @grainloom
The f-droid build was managed by the community though, and moxie explicitly said they were not allowed to communicate with his servers, basically shutting down the project.

It’s “free software” but if you modify it you can’t use it.....

@erincandescent @haskal @grainloom On both sides projects where devs spend their spare time and users contribute by tickets and testing, I guess a rude tone isn't anything appropriate ... 🙄

@haskal isn't it just because of gcm or does the code affect anything else?

@haskal wait, why does fucking ANYONE trust signal then?

@Ilian_Amarin @haskal because there are many super vocal people repeating that "signal was the most secure thing on earth"

@haskal when are people gonna make a reimplementation of signal that doesn't depend on anything and just say fuck you to the original devs

@lunch @haskal It does exist. XMPP with Conversations on Android uses OMEMO encryption which is based on the Signal Protocol. It is even federated

@waweic @haskal other protocols exist but there's no way to talk to *existing signal users*

@lunch @haskal someone did, but that project was abandoned because Moxie Marlinspike said he was not OK with LibreSignal using the Open Whisper Systems servers and the name "Signal"

github.com/LibreSignal/LibreSi

@haskal they also explicitly forbid 3rd party clients

for your own safety, of course

@haskal warn me when someone decompiles google play services and shows that it can actually invade other programs' memory address space, okay?

@haskal Signal apparently still works with microG, so that's an option to cut out google

@uint8_t @haskal Not completely. A part of the play services is also built into each app that uses them.

@greyor @haskal AFAIK It doesn’t need google play services installed on your phone, but still bundles the services framework and loads it on launch...

@pheki I think Signal uses Google Play Services, when available, for push notifications

@greyor @haskal

@emacsomancer
@haskal @greyor
Yes, but with a fallback to its own background connection.

@pheki @emacsomancer @haskal Interesting, I didn't know that. I unfortunately am unable to put a Google-less OS on my current phone (locked bootloader), so I'll have to make do with the status quo for now.

@greyor @pheki @haskal Used Samsung S5s or One Plus Ones are like $50-$110 used, if you ever want to pick up something you could install a wider range of choices on. I really like my Samsung S5 (in the scheme of things, at least), and would likely just buy another one if this one died. (I still don't see any other Android phone with the same feature set and 'pure' Linux phones don't quite have the software range yet.)

@emacsomancer I used to have a Galaxy Note 5 that was pretty upgradeable, but now it's a S9+ and unfortunately Verizon's is locked up. I'd prefer the next phone I get to be a PinePhone, but I am a little discouraged by what I've heard about performance and usability thus far. I'm going to run this one into the ground and then see if the PinePhone matures some more.

@haskal @pheki

@greyor Just as for laptops, don't discount older phone models though as possibilities for 'upgrades'. Sometimes they're better.

The problem about Pinephone is you're still likely to have some set of things that won't work, at least unless Anbox ever becomes fully viable, so you might *still* need an Android/iOS device as well. (Depending on your needs.) LineageOS at least is a more reasonable version of Android.

@haskal @pheki

@emacsomancer I hear you there for sure. I dunno if I told you but I ended up getting a Lenovo Legion Y540, which is exciting!

True. I heard rumblings that ReplicantOS and Graphene are working on PinePhone builds, but not sure how progress has gone. I like LineageOS OK, but I wish it supported more models "out of the box." I may try to compile it from scratch on my new laptop for my tablet to see if that helps, as the tablet no longer updates or even installs new .apks.

@haskal @pheki

@greyor I've never tried compiling LineageOS for a non-supported device, but my impression is it's not trivial. The unfortunate thing about LineageOS builds is that it's dependent on there being someone with both the know-how and the interest to develop and maintain it. (I assume you've checked on XDA for unofficial builds for your device already?)

Yeah, Graphene or the like on PinePhone would probably be a decent interim solution, though it would be nice to be able to run proper Linux phone (with an Android 'chroot'/'VM' for needed things).

No, I didn't know that you picked up a Lenovo Legion Y540. My laptops are all Lenovos, though all in the ThinkPad line (which is really the one I'm familiar with). I looked up the Legion Y540 - it looks like it would be decent if you wanted to do some gaming. Do you have it already? If so, how is it working out?

@haskal @pheki

@emacsomancer Yeah, I am worried it would be non-trivial. I don't have the know-how to maintain a build; I just want to use it, you know? I got this unofficial build on XDA so maybe I'll look for an update.

Graphene would be nice. I just really like running Android but don't want all the Google tentacles.

Yeah, I finally bit the bullet last week. Looked at ThinkPads and IdeaPads but really wanted a machine that would be good for gaming. 4Gb GPU, 16Gb RAM, 1Tb HDD + 256Gb SSD.

@haskal @pheki

@greyor The other route with a ThinkPad might have been to use an external GPU, but then that is probably more fiddly.

Have you been gaming on it? Playing anything interesting?

@haskal @pheki

@emacsomancer Yeah, that's too much for me these days. Oh, sorry, I forgot to mention. They're still building it and it should ship next Friday, so I'll have it within a couple of weeks. I think it'll be snappier with games; I imagine bsnes will really fly! We'll see about everything else.

Haven't been doing much gaming lately though, mostly doing backups and preparing for the new laptop, and de-duping a lot of the cruft on the backup drive that's built up over time.

@haskal @pheki

@haskal Signal signs the builds published through their website and Play. F-Droid creates their own builds and publishes them with their own signature. Signal has to trust F-Droid to timely ship updates and take care of that signing key. Google can't just give a malicious version to you specifically. The version of Play libs you get is the same Signal devs have tested with. Supporting multiple build flavors is too much support hassle for no practical security benefit.

@dadada @haskal Except that Google can trivially give you malicious versions, as finely targeted as they want and completely silently, since they also control the application that actually does the installations (not to mention the rest of the operating system).

@elomatreb @haskal If you have no Play services installed and have verified that there are no backdoors in AOSP I suppose you are fine. Then Play libs in any App would be an unnecessary attack surface from your perspective.

@elomatreb @haskal Not sure if Play services can replace an app that has been signed by signal devs.

@haskal isn't google play only required for location sharing? The app works just fine on my degoogled phone save for that

@dragon yeah but the point is signal includes the google library blobs in the app whether your phone OS is de-googled or not. the library code runs in the app context and has access to everything, including messages rendered on the screen

@haskal
Well, it is not mandatory... I downloaded it with Aurora so... No Google Play store or services on the device.

Technology, privacy, security, signal, need help finding a replacement with specific requirements 


Cybrespace

Cybrespace is an instance of Mastodon, a social network based on open web protocols and free, open-source software. It is decentralized like e-mail.