l3db3tt3r

Instance: piefed.social
Joined: 6 months ago
Posts: 0
Comments: 27

Posts and Comments by l3db3tt3r

Lockdown mode for websites and apps isn’t terrible to manage/configure on the fly, bonus is it makes you (re)consider if you should.


It may even save your wallet, and those expensive carbon rims! I happen to use the Vittoria Air-Liner insert for my rear tires. My use case is bikepacking, and mountain biking (hardtail). One of the first things I noticed was the additional side wall support - I haven’t burped a tire in a long while. They have probably also saved my rims on a number of occasions when I’ve hit a rock or root edge when sending it. I think it’s worth the peace of mind.

Also, they aren’t just pool noodles, they are made a bit different for use with tire sealant. You may also need to change out your tire stem, for one that will accommodate air passage/interference with the insert.


I’m of two minds. I agree. But there is also the need to go to where the people having these kinds of conversations are.


I think they see the slippery slope emerge, and they take that slope to the logical extreme. The centralized gatekeeper for attestation, play integrity, etc, the EU sees it as mitigating security risks with Google, the corporations see it as opportunity to change the centralized gatekeeper; to maximize capital. It isn’t just a (terrible) strategic move for security, it’s also a move to align capital. (also imagine the meta data network you could create with the attestation, another data point for surveillance. think Chat Control) I see GrapheneOS prioritize security; not capital. The people/groups/companies they are often at odds with prioritize the mechanisms of capital (or surveillance capitalism) over security.


Face Palm. Moving to an Open Education Resources (OER) framework would curtail this kind of BS. What is OER? Find out more here: https://guides.library.harvard.edu/OER


@rockstar1215@lemmy.world OP,
Suggestions:
1) Provide a couple real use case examples for why people may be asking for these PRs.
- Probably revolve around user familiarity with their current use cases using CalDAV and friends.
2) Build an import/export adapter.

- Link to relevant examples, resources, and/or documentation. It’s a call to action, so give readers a direction.

You make valid points.
I don’t know that the word apathy is strong enough in this context, shrug. I mean, why not just say the thing? “This needs to be fleshed out”. At least it provides direction and context, (go push sand somewhere else; the TAB) and would probably be quicker/easier to write than sling this tired narrative, and non-answer to what is actually being asked;

Thus seeking documented guidance on new Linux Security Module submissions for how they should be optimally introduced.

(The TSEM LSM people aren’t trying to push a specific thing, they are asking for clarity of the process and particulars by which a thing should be submitted; because from what I understand, their project (and others) keep hitting walls on the grounds of ‘formatting’ and ‘structure’; as a stop-gap, and thus an incomplete review, of the ideas and contents of the problem/solution set of the project. (Think: “It’s too difficult for me to read the thing, so I won’t until you fix it” – And not name with specifics to what is considered ‘fixed’, or what the process for re-submission is; It’s a backhand way of claiming “secret knowledge” over the thing and then saying “just fix it”. Fix what specifically ? )

That is to say; when outsiders see these kinds of roadblocks, and the responses/narratives of key figures in these spaces is “apathy” of this degree, it feels something to me akin to security theater.


“Yes, I know that security people always think they know best, and they all disagree with each other, which is why we already have tons of security modules. Ask ten people what model is the right one, and you get fifteen different answers.”

“I’m not in the least interested in becoming some kind of arbiter or voice of sanity in this.”

How do you even get to a consensus model to tease these things out; when your answer is a refusal to engage with “pointless” things?

It just seems contentious to me, that anyone when considering this kind of rhetoric, would make claims in regards to the level of security that Linux (may) provide. It just feels something akin to playing in the realm of security theater.



A non-walled garden isn’t much help for you either.
There’s nothing stopping them from ‘requiring’ Client-Side - Device level scanning.
The technological ‘problem’ required to do that, isn’t too difficult to impose when you also create an environment where your device/provider ‘requirement’ in order to even use your technology, forces compliance, and it isn’t that far fetched of a technical problem to be solved.


If Signal leaves the official app stores

I know this is probably semantics; but I don’t think it will be completely on Signal, ie the app store owner is the one who is going to have the pressure to remove the apps: plural, as they will likely also remove any alternatives in the same vein. Same with any other service provider, store front, internet or cellular access, or device maker…
- There is no strictly defined “scope” of what ChatControl covers. It’s as broad as scanning “communications”.
And includes things like Client-Side Scanning.
- Pre-encryption scanning - Content is analyzed before it gets encrypted
- Device-level analysis - Scanning occurs on the sender’s device before transmission
- End-to-end encrypted services - Even encrypted communications are subject to scanning requirements

What I mean by Signal complying by leaving, is that they stop allowing registration of phone numbers ‘from’ these countries, and stop hosting any of their infrastructure (AWS) within these borders.

Self-Hosted or Federated, is only a small portion of the battle. You have a bigger problem.


It isn’t criticism if it isn’t based on fact.
The U in FUD stands for Uncertainty; and what do you think “might” falls under, or its relation to sowing Doubt?

The law related to job postings, is a labor law, that also covers minimum wage, and uses the same definitions.
Labor Code Section 432.3 (Pay Transparency Law)
Labor Code Section 1197.5 - California Equal Pay Act (Fair Pay Act)
Labor Code Section 2750.3 (Employee vs Independent Contractor Classification)


Let me do the work for you; since you’d rather just spread FUD than look for facts.
1) https://www.linkedin.com/company/grapheneos/people/
- 0 California “employees” listed
2) https://www.dir.ca.gov/dlse/SB3_FAQ.htm (I just want to point out that there is a distinction; and I am not a lawyer)
“Any individual performing any kind of compensable work for the employer who is not a bona fide independent contractor would be considered and counted as an employee, including salaried executives, part-time workers, minors, and new hires.”


It also sounds like they are trying to fill a part-time role.
“Must be able to commit to spending 80 hours or more a month” = ~20 hours a week, but given the ebb and flow of release/bug/patch work needed…


FUD
1) GrapheneOS is a non-profit out of Canada.
2) It’s an “independent contractor” role. California has specific laws governing the classification of workers as employees versus independent contractors.


I don’t know if there’s really a better way to manage this need. They need a pretty niche specialized developer, so you have to cast a pretty wide net (globally, mind you) for remote work.
1) It’s a pretty small global team.
2) How would they financially/legally manage the burden of tax/benefit/workers rights across all borders; especially as a non-profit.

Yes, people should know what they are getting into, with independent contractor work.
I just think there is (probably) some nuance to this particular case; where hiring people on as an employee doesn’t make a lot of sense.


I don’t see Signal complying, and it’s already a target for ‘breaking’ its encryption. I think it is more likely to leave the marketplace in which ChatControl is forced (it’s the only winning move); and I don’t think that necessarily means you ‘can’t’ use it; if anything ChatControl environments give a framework that allows them to force supporting network/service infrastructure into blocking or restricting the ‘ease’ in which these tools can be installed, accessed and used. I would focus efforts on how people can get around this vector, not just the specific tool in use.


I think you should think about this from a higher abstracted layer of things. The point being; how do you do this in a way that lets you be flexible, no lock in, ease of pivoting, and has the gift of allowing you to do things in stages as your skills/competencies grow. We also want to look to mitigate all sorts of setup/securing/maintenance/update infrastructure complexities and hassles.

1) You’re going to have to solve a ‘network’ problem, how do you securely allow everything to communicate with each other. Managing things like Domain/HTTPS certificates/reverse proxies/VPNs/tunnels etc. (Tailscale/Headscale as a solution is complex in and of itself; but the problem spaces it solves for are far more complex, and getting it wrong here can make you very vulnerable, catastrophically)
2) You’re going to have to solve a ‘user’ problem, how do you manage identities, and their ability to authenticate credentials, and use multifactor auth, as well as manage their access to #1 and #3) (IDP, IAM, SSO; is a hard problem, and again, getting it wrong here would be catastrophic)
3) What ‘services’ am I providing to this network of users/devices? (Storage of things through say Nextcloud/Immich, access to media server for streaming, etc)

For #1 I would lean into Tailscale, and its features like “Serve” and maybe “Funnel”. I don’t get the Enshittification vibe, but I suppose it is always a risk. The pivot point, would be to move your coordination server to Headscale. (you still use the tailscale clients, just reconfigured to point to the headscale coordinator).

For #2 Tailscale doesn’t do the IDP (Identity Provider) thus all the Logon options. To start like “stage 1” just pick one (my recommendation would be github of the choices available, but also to maybe start investigating git/VCS learning paths), IDP/IAM is a hard problem, you can self host one, but you’re adding a lot of complexity, and a huge security burden if you get it wrong. Consider doing this in a later stage; at stage X, work to selfhost something like Headscale/Traefik/Authelia; and then migrating to it to finally ditch all of ‘Big Tech’.

For #3 How to host your services; ie Podman or Docker? If you’re just starting, I’d lean more into Podman; from a security standpoint, as well as a staging things in a way that lets you jump into say Container Orchestration/Kubernetes, (but also if you’re worried about enshittification as Docker has shown some of) Adding tailscale to containerized services is fairly straightforward, making them securely available to your ‘network’. The docker/podman paradigm is similar enough; learning to do things one way is very similar to the other’s way; there is just a nuance to how things actually work, different ‘gotcha’ things, but a lot of the same abstractions, I don’t think it’s too difficult to bounce between if necessary.


I don’t know that many of my adult friends even hit half the items talked about in this article.
What’s your own score?


Who benefits?

Who benefits from sowing a narrative around “drama”, “accusation”, and/or “paranoia”. Seriously.

I think given the following circumstances; GrapheneOS’s reaction, to move project pieces out of potential hostile environments/jurisdiction, is perfectly reasonable.

1) France’s Support for EU “Chat Control”, scanning proposals. France has been one of the governments most supportive of EU‑level proposals that would require scanning of communications and devices for illegal content.

2) The general French framing and approach to cybercrime. As in other EU countries, French authorities are pushing for: Expanded powers to compel cooperation from service providers, and developers. Strong rhetoric against tools that are seen as systematically obstructing investigations.

