Guardian Project @guardianproject@librem.one

We were busy last week!

In short:
- Our DNS entries were finally transferred to us as a legal entity: https://f-droid.org/2024/09/30/dns-security-and-bus-factor-improvements.html
- This week in #FDroid (TWIF) was published again with news about the next F-Droid client update with fixes for TetheredNet and many app news: https://f-droid.org/2024/10/03/twif.html
- And the website is now available in Czech: https://f-droid.org/cs/2024/10/04/czech-language.html

All the details are in the linked blog posts, so please feel free to read them ;)

@thisven We are exploring funding for litigation and lawyers, that is looking promising. Meetings like this require technical people to spend quality time reviewing documents and joining meetings. #FSFE @edri and other orgs like that do have lawyers and policy people, and are doing a good job engaging on these issues, especially given limited resources. If you're ready to donate now to support this specific work, I recommend giving money to FSFE and EDRi.

On my own time, I have to read a ~50 page document produced for the #EuropeanCommission in order to effectively participate in a two hour meeting where #FDroid is pitted against #BigTech on the #DigitalMarketsAct and its requirements around installing and allowing other #AppStore options.
Its all NDA'ed so I can't ask for help.
This game is really rigged for the megacorps. Wish me luck! Here's to fighting the good fight!

Looking to make a big impact? We are searching for a Grant Administrator to help us scale our operations. We are looking to fill the position in September 2024. Check out the job ad here: https://guardianproject.info/2024/08/05/seeking-part-time-grant-administrator/

#remotejob #freelancer

"#FreeSoftware compete with big tech (gatekeepers) not in scale but in principle by providing to end-users curated solutions that respect their rights. #DMA is important for non-profit as well"
@fsfe at the Digital Markets Conference

#SoftwareFreedom

We have a new blog post about the Mobifree project and our role in it.

In short, it's a human-centered, ethical alternative, that champions privacy over profit and believes in collaboration, sustainability and inclusiveness.

https://f-droid.org/2024/05/24/mobifree.html

#FDroid #mobifree

Friendly reminder if you're an open source developer in the mobile ecosystem:

You still have time until 1st of June to apply for a #mobifree grant.

https://nlnet.nl/mobifree/

The F-Droid Board of Directors got an update with a few new faces, some remaining ones and one leaving.

https://f-droid.org/2024/04/29/board-appointments-2024.html

#FDroid

➡️ It's a Big Freaking Deal when we can move any #UnitedNations organization away from #Microsoft.

The system-wide IT shop UNICC has announced its move to #Matrix:

https://www.techradar.com/pro/the-united-nations-ditches-big-tech-in-a-bid-for-security

The lack of direct funding to all the code maintainers the #gatekeeper monopoly companies rely on is a clear sign how little they actually care about security. They have massive profit margins, so they have the cash. And a company can just give cash to devs. I know this because #Google in early #Android days just handed @guardianproject $100,000 to do what we were doing. Among other things, we used that to work on IOCipher, our per-app encryption lib, back when Android stored files unencrypted.

Welcome to Stephen Farrell as #curl commit author 1260: https://github.com/curl/curl/pull/11922

Come work with us at @sovtechfund for a unique job opportunity where you'll be at the intersection of bug bounty programs and public interest.

As the BRP Manager, you'll spearhead our efforts to enhance bug resilience in FOSS projects, leveraging responsible bug bounty programs and more to make a meaningful impact in open source critical infrastructure.

Apply now at https://www.sovereigntechfund.de/jobs/bug-resilience-program-manager

(You're welcome to apply even if you don't meet 100% of the description, it's just a wishlist)

We tried to wreck Element Call but didn’t succeed! We can answer the most dreaded question in IT: it scales!

#Automattic just acquired #Texts and #Beeper, two #matrix chat apps that work with a bunch of bridges to popular apps :

* https://blog.beeper.com/2024/04/09/beeper-is-joining-automattic/
* https://automattic.com/2024/04/09/automattic-acquires-beeper/

I really hope they open source it.
Since they are going for a fee-for-service model like Wordpress, I'm optimistic. This is key for breaking the network effects that #gatekeeper companies rely on: #Apple #Meta #Facebook #WhatsApp #Discord #Telegram #Signal.

First more detailed analysis of the backdoor AFAIK, in this Bluesky thread: https://bsky.app/profile/did:plc:x2nsupeeo52oznrmplwapppl/post/3kowjkx2njy2b

So the backdoor’s intention isn’t compromising SSH sessions but rather executing arbitrary code on vulnerable Linux servers. The payload is hidden within the RSA key sent to the SSH server during authentication. This payload has to be signed with some unknown Ed448 key which only the attackers possess. If the signature is deemed correct, the payload is passed to system() (executes it as a shell command). Otherwise the code falls back to the default SSH behavior.

Had this backdoor been discovered a few months later, we would now have a lot of vulnerable servers all over the world. And only the attackers would be able to detect from outside which ones are vulnerable, because only they can send a correctly signed payload that would trigger command execution.

Planting a command execution backdoor into most Linux servers out there sounds too ambitious for someone driven by monetary interests, there are simpler ways to build a botnet. The level of sophistication and long-term planning indicates a state-level actor. Unfortunately, there isn’t a shortage of candidates. With quite a few Western governments pushing for lawful interception lately, I wouldn’t rule out any country at this point.

Are you experienced with GTK and Rust ? ❤️

We are looking to contract someone to work on the new GNOME Password Manager 🔑

We want it to become a core/default app and help secure millions of users.

You'll be working with the GNOME Foundation, a non-profit dedicated to building emancipatory technologies for everyone.

Please send resume / portfolio to stf@gnome.org

Boosts welcome

#GTK #Rust #rustlang #GNOME #Linux #Ubuntu #Linux #Fedora #OpenSUSE #Debian

Three years ago, #FDroid had a similar kind of attempt as the #xz #backdoor. A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn't found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a #SQLinjection #vuln. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think its relevant now

https://gitlab.com/fdroid/fdroidclient/-/merge_requests/889

@eb I really hope that this causes an industry-wide reckoning with the common practice of letting your entire goddamn product rest on the shoulders of one overworked person having a slow mental health crisis without financially or operationally supporting them whatsoever. I want everyone who has an open source dependency to read this message https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.html