Looking to make a big impact? We are searching for a Grant Administrator to help us scale our operations. We are looking to fill the position in September 2024. Check out the job ad here: https://guardianproject.info/2024/08/05/seeking-part-time-grant-administrator/
Looking to make a big impact? We are searching for a Grant Administrator to help us scale our operations. We are looking to fill the position in September 2024. Check out the job ad here: https://guardianproject.info/2024/08/05/seeking-part-time-grant-administrator/
"#FreeSoftware compete with big tech (gatekeepers) not in scale but in principle by providing to end-users curated solutions that respect their rights. #DMA is important for non-profit as well"
@fsfe at the Digital Markets Conference
We have a new blog post about the Mobifree project and our role in it.
In short, it's a human-centered, ethical alternative, that champions privacy over profit and believes in collaboration, sustainability and inclusiveness.
Friendly reminder if you're an open source developer in the mobile ecosystem:
You still have time until 1st of June to apply for a #mobifree grant.
The F-Droid Board of Directors got an update with a few new faces, some remaining ones and one leaving.
#golang's core crypto/tls library merged client #ECH support! It should be included in the Go v1.23 release. Server-side support is still in the works.
➡️ It's a Big Freaking Deal when we can move any #UnitedNations organization away from #Microsoft.
The system-wide IT shop UNICC has announced its move to #Matrix:
https://www.techradar.com/pro/the-united-nations-ditches-big-tech-in-a-bid-for-security
The lack of direct funding to all the code maintainers the #gatekeeper monopoly companies rely on is a clear sign how little they actually care about security. They have massive profit margins, so they have the cash. And a company can just give cash to devs. I know this because #Google in early #Android days just handed @guardianproject $100,000 to do what we were doing. Among other things, we used that to work on IOCipher, our per-app encryption lib, back when Android stored files unencrypted.
Welcome to Stephen Farrell as #curl commit author 1260: https://github.com/curl/curl/pull/11922
Come work with us at @sovtechfund for a unique job opportunity where you'll be at the intersection of bug bounty programs and public interest.
As the BRP Manager, you'll spearhead our efforts to enhance bug resilience in FOSS projects, leveraging responsible bug bounty programs and more to make a meaningful impact in open source critical infrastructure.
Apply now at https://www.sovereigntechfund.de/jobs/bug-resilience-program-manager
(You're welcome to apply even if you don't meet 100% of the description, it's just a wishlist)
#Automattic just acquired #Texts and #Beeper, two #matrix chat apps that work with a bunch of bridges to popular apps :
* https://blog.beeper.com/2024/04/09/beeper-is-joining-automattic/
* https://automattic.com/2024/04/09/automattic-acquires-beeper/
I really hope they open source it.
Since they are going for a fee-for-service model like Wordpress, I'm optimistic. This is key for breaking the network effects that #gatekeeper companies rely on: #Apple #Meta #Facebook #WhatsApp #Discord #Telegram #Signal.
First more detailed analysis of the backdoor AFAIK, in this Bluesky thread: https://bsky.app/profile/did:plc:x2nsupeeo52oznrmplwapppl/post/3kowjkx2njy2b
So the backdoor’s intention isn’t compromising SSH sessions but rather executing arbitrary code on vulnerable Linux servers. The payload is hidden within the RSA key sent to the SSH server during authentication. This payload has to be signed with some unknown Ed448 key which only the attackers possess. If the signature is deemed correct, the payload is passed to system() (executes it as a shell command). Otherwise the code falls back to the default SSH behavior.
Had this backdoor been discovered a few months later, we would now have a lot of vulnerable servers all over the world. And only the attackers would be able to detect from outside which ones are vulnerable, because only they can send a correctly signed payload that would trigger command execution.
Planting a command execution backdoor into most Linux servers out there sounds too ambitious for someone driven by monetary interests, there are simpler ways to build a botnet. The level of sophistication and long-term planning indicates a state-level actor. Unfortunately, there isn’t a shortage of candidates. With quite a few Western governments pushing for lawful interception lately, I wouldn’t rule out any country at this point.
Are you experienced with GTK and Rust ? ❤️
We are looking to contract someone to work on the new GNOME Password Manager 🔑
We want it to become a core/default app and help secure millions of users.
You'll be working with the GNOME Foundation, a non-profit dedicated to building emancipatory technologies for everyone.
Please send resume / portfolio to stf@gnome.org
Boosts welcome
#GTK #Rust #rustlang #GNOME #Linux #Ubuntu #Linux #Fedora #OpenSUSE #Debian
Three years ago, #FDroid had a similar kind of attempt as the #xz #backdoor. A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn't found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a #SQLinjection #vuln. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think its relevant now
@eb I really hope that this causes an industry-wide reckoning with the common practice of letting your entire goddamn product rest on the shoulders of one overworked person having a slow mental health crisis without financially or operationally supporting them whatsoever. I want everyone who has an open source dependency to read this message https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.html
At this point, it is clear that a #VPN provider must accept payment in cash in order to provide a real #privacy tool. Cash is much easier to handle privately than crypto for most of the world, and a lot more people around the world have access to currency exchange and snail mail than places to safely buy crypto. Kudos to @mullvadnet and @protonvpn for providing that service.
In collaboration with @fdroidorg, the @fsfe prepared a study for the Japanese Competition Authority HDMC on how Apple's plans to comply with the #DMA represent a risk for #FreeSoftware and #DeviceNeutrality.
Key recommendations: 👇
- Full and unfettered side-loading
- No distribution via DRM encryption
- No residency or credit requirements for
3rd party app stores
- No interoperability request forms
- More competition on trustworthiness
https://download.fsfe.org/device-neutrality/fsfe-apple-report-final.pdf
#Sideloading apps and using alt stores like #Flathub is a major feature of elementary OS and a competitive edge over closed platforms that only let you install apps from a locked down store. In this release we’ve made several improvements to smooth out the experience of using alt stores based on your feedback and the latest #CrossPlatform standards.
People, apps and code you can trust