Hans-Christoph Steiner @eighthave@librem.one
#Tor Project maintains their tools in #Debian, giving them a base platform delivered with #ReproducibleBuilds and the rest of the Debian users get a better maintained Debian.
https://blog.torproject.org/built-with-purpose-puppet-debian/
I'd like to have something that automatically convert links to the #privacy preserving version in the browser. Like play #youtube links in #invidious, etc. There seems to be things like #UntrackMe but for me the question is which one to trust, is maintained, works well enough, etc. Once I find a tool that I think it generally applicable, then I work to get it into #Debian so its easy for others to make this decision. Is there a browser extension for this that is worth getting into Debian?
After using #NeXTSTEP/#macOS from 1994-2012, I reached the same conclusion as Ken Thompson: "I've become more and more depressed, and what #Apple is doing to something that should allow you to work is just atrocious... And I have come, within the last month or two, to say, even though I've invested, you know, a zillion years in Apple — I'm throwing it away. And I'm going to Linux. To #Raspbian in particular." https://www.youtube.com/watch?v=kaandEt_pKw&t=3473s
As a #Debian #Developer, I'd like to say: Welcome!
Just tagged v2.2.1 of #FDroid fdroidserver tools package, and uploaded it to pypi.org, #Debian, and our #Ubuntu PPA. This version has passed autopkgtest in Debian/bookworm, so it looks like it should make it into bookworm without further work https://tracker.debian.org/pkg/fdroidserver
#FreeSoftware was almost mentioned at #DMAWorkshop: one key point was that mobile operating systems in 2008 were in a race to get developers. #iOS and #Android were tiny newcomers with no developers. The idea from app stores came from free software and hackers. #Debian APT started in the 90s, #Cydia was on iOS when #Apple was still saying web apps were the only way. And of course, #Android used #OpenSource as a key strategy to get #developers interested in their platform.
Started syncing work on the #smali package between #Debian and #KaliLinux, bookworm's libsmali-java provides an update over Kali's own smali package, but there is still a bit more to be done. Hoping this is the start of more cooperation!
Just uploaded to #Debian the key #Android inspection tools #apktool 2.7.0 and the latest #smali from git, ahead of 2.5.2. All sorts of tools like #droidlysis #fdroid #kalilinux and more rely on these for inspecting Android APK files.
Just uploaded #droidlysis v3.4.0 to #Debian. It is an easy way to get started with analyzing #Android APK files to see what is in them.
#Debian and #FDroid require signature verification, and #FDroid is built on top of #Android's APK signing. This improves things a lot but does not mean they are immune. Debian and F-Droid repos can still override packages lower priority repos. It could make sense to have a "no overrides allowed" setting, but that would restrict useful features. Maybe F-Droid could implement "no new signing keys when overriding" rule by default, I wonder how much that would break what people are doing now? 2/2
I'm sad to say that my new #laptop still needs non-free firmware blobs for working WiFi, Bluetooth, audio, and power management. Now #Debian will include those in the installer. Are we losing this #FreeSoftware fight? At least the graphics driver is #free and included in upstream Linux, that is progress. I specifically avoided #nvidia for that purpose.
How are others feeling on the firmware blob fight?
@ljacomet I just saw your slides for your talk "Protecting your organization
against attacks via the
build system", a great overview! I'm a #Debian dev who has worked on packaging #Gradle. We'd love to make it as close to your version as possible. There is a proprietary build dependency that blocks that from happening. https://github.com/gradle/gradle/issues/16439
The #Debian #Android Tools Team now has a blog, including news about packaging #Gradle #Kotlin sdkmanager and related #FreeSoftware issues https://android-tools-team.pages.debian.net/blog/
Hosting code with automated publishing into well known namespaces is looking more and more like a broken model. A better approach is human verification of package names like in #Debian, @fdroidorg, #MavenCentral. Then other pieces can be safely automated https://www.bleepingcomputer.com/news/security/critical-cloudflare-cdn-flaw-allowed-compromise-of-12-percent-of-all-sites/
I'd love to see data on what verified boot actually stops. The ideal malware implants itself at the lowest level possible. Is there good public data on these kinds of exploits on #Android #Debian #Windows #iOS etc? Does standard spyware do that? Writing to /system requires a root exploit, lots of malware never gets root. How often there are vulns in #VerifiedBoot itself. Here's a real world full #exploit of verified boot:
https://threatpost.com/multiple-vulnerabilities-found-in-nvidia-qualcomm-huawei-bootloaders/127833/
#Debian created an ecosystem where the software available there is reviewed and trusted, so the system can prioritize flexibility over security. In #Google Play, there are many apps we feel forced to use, despite knowing they are unethical or are tracking us. Google responds by locking down #Android to reduce data leaks, which also reduces the system's flexibility. #FreeSoftware puts the user in control so we can build user-friendly systems without being forced into bad decisions.
If anyone is looking for a #ReproducibleBuilds #Java / #Android project to hack around with, jtorctl now builds with #Gradle (from gradle.org or #Debian), #Maven, and #Bazel with sketches of Ant. The idea is that if all the build tools make the same JAR, no need to trust the build tool.
https://GitLab.com/eighthave/jtorctl or https://GitHub.com/eighthave/jtorctl
Key parts of the #Debian #AndroidDev tools package suite no longer build on anything but x86. This is also true with the new 10.0.0 version. I'd love to see the #ARM and #MIPS packages make it into #bullseye. We need contributors! If you can help, see:
