Do they get a notification though
Sorry, I meant personally identifiable. They found out the fingerprint is computer-specific.
What is the fireproof safe for?
(attempt to tag OP): [email protected]
I’m assuming GrapheneOS isn’t backdoored. If a new release were backdoored, I would have a non-zero chance to catch it while reviewing commit diffs, but the chance of catching it would be zero if I instead used auto-update and let the devs push whatever signed binary they wanted.
The fact that devs sign the builds doesn’t protect you from a Jia Tan type of actor. Jia Tan had social-engineered their way to becoming a maintainer and then dropped their backdoor in the .tar releases. If you had compiled from the tree you couldn’t be affected. It’s possible to fail to review malicious commits even in this case, but it is still more transparent than pre-packaged releases. And there’s no point to reproducible builds if no one actually reproduces them.
They posted the findings here, I don’t know what you want.