Raphiel Rollerscaperers (@raphielscape)

553 posts

The Funny | Backend Engineer and Data Engineer | Oh nyo.

Nightmare Realm · Joined July 2018
76 Following · 251 Followers
GrapheneOS (@GrapheneOS):
@raphielscape @TrueAmPatriot86 Security preview releases are reproducible and can be confirmed across multiple locations run by different people. The default is the regular non-security-preview releases, which are what the web installer and releases page use. Security preview releases are completely optional.
1
0
4
168
Muhammad (@TheVancedGamer):
It's kind of funny how @GrapheneOS wants to let everybody know about the "dangers" of "closed source operating systems" yet they themselves ship precompiled, presigned applications that are included in their OS and are NOT reproducible; the most you can do is compile them out of tree and include them manually. And even then, this is still a MAJOR security risk, as their precompiled apps have permissions that you really don't want apps to be granted implicitly. I've attached a photo of all the permissions available to the Messaging app, which is included in GrapheneOS at build time as a prebuilt application. I should mention this: the aforementioned Messaging application has no form of reproducible builds, meaning the only way to update these apps is for some developer to manually build this application on their build PC, sign it and then push it to a git repo. Imagine the security implications of that. (You can unzip the app yourself to check the manifest too.) github.com/GrapheneOS/pla… This is the module included in GrapheneOS. Meanwhile the actual messaging app is at github.com/GrapheneOS/Mes…. For reasons beyond me, GrapheneOS devs thought it fit to remove the Android blueprints from it, therefore making this app unbuildable inside the Android source itself. github.com/GrapheneOS/pla…#L378 The inclusion of said prebuilt Messaging app. It's not just this app either. The included App Store, the Camera app, hell, even the Auditor. All of these apps are presigned and precompiled, and granted implicit permissions to do whatever. Why not compile them in-tree? WHY go out of your way to make them unbuildable by removing the blueprints? It's not about adding one yourself and doing it yourself; that's completely beside the point. The point is, why is some OS claiming to be security focused, yet has the ability to infect devices with a theoretical malware spread with these prebuilt apps?
Why are these apps not built in-tree in the first place!? There is literally no excuse; every other app is compiled in-tree except these GrapheneOS inclusions. How does it feel to trust a random person with an app that can theoretically upload all your data to a remote server without your knowledge? Furthermore, besides doing such things, GrapheneOS devs have the _nerve_ to go forth and cement their beliefs on others? When they themselves don't commit to their standards? If this isn't an absolute form of hypocrisy, I really don't know what is. Maybe this post will instill some form of awareness in die-hard GOS fans. Maybe I'll get to deal with insane backlash. Who knows. At least I'm putting it out there. Maybe one day we'll get to know that this entire project was a honeypot.
[attached image: permissions of the Messaging app]
24
14
104
36.8K
Raphiel Rollerscaperers (@raphielscape):
@GrapheneOS @TrueAmPatriot86 Lack of good faith? You're completely evading my questions here. I'm unrelated to OP or SailfishOS, I'm just giving my bread a dip in a coffee. If you say it's completely worthless, how is your nonexistent solution better than that?
0
0
1
294
GrapheneOS (@GrapheneOS):
@raphielscape @TrueAmPatriot86 No, it's completely worthless and irrelevant. It demonstrates a lack of good faith engagement on your part. It shows you're primarily here to support the person who made this thread to attack our project with fabrications to support SailfishOS. We're well aware of the context.
2
0
5
178
Raphiel Rollerscaperers (@raphielscape):
@GrapheneOS @TrueAmPatriot86 Publishing the logs will attest to the build hashes that were used to build the images at the time. As I said on the other thread, how would one attest reproducibility for builds that have embargoed changes? Logs can be a proof of the hash used to build prior to when embargoed code is slated to GA.
0
0
0
62
GrapheneOS (@GrapheneOS):
@raphielscape @TrueAmPatriot86 It simply isn't useful to publish build logs and the claims both of you are making about CI infrastructure and build logs do not make any sense whatsoever. Publishing a build log from our build machines would not have any value for verifying anything. What do you think those are?
1
0
3
97
Raphiel Rollerscaperers (@raphielscape):
@GrapheneOS @TrueAmPatriot86 The scenarios I described are for pre-flash and pre-OTA installation. Narrowing the scope a bit: do your Alpha and Beta testers test the reproducibility of the build they tested? If so, why don't you provide a way to easily attest to their build reproducibility results?
1
0
0
119
Raphiel Rollerscaperers (@raphielscape):
@GrapheneOS @TrueAmPatriot86 @TheVancedGamer I'm going to further extend this to your collaboration too. You for sure can't apply a reproducible build as an attestation of build reproducibility until the embargo is lifted, so how can the build be trusted before flashing, until reproducibility can be tested externally?
0
0
0
43
Raphiel Rollerscaperers (@raphielscape):
@GrapheneOS @TrueAmPatriot86 @TheVancedGamer If users can trust the build from you, and you can attest to that by making your build transparent to begin with, without telling users to "Just build the OS like we described on grapheneos.org/build#reproducible-builds", for a pre-flash attestation, why are you vehemently refusing it?
1
0
0
50
Raphiel Rollerscaperers (@raphielscape):
@TrueAmPatriot86 @GrapheneOS @TheVancedGamer My question is legitimate. If you don't have any input here, you're the one who's trolling. In cases where the infiltration happens during a build that is clearly opaque (a malicious actor within the team itself), it can be hard to quickly identify when the OTA is served.
1
0
0
39
GrapheneOS (@GrapheneOS):
@raphielscape @TrueAmPatriot86 @TheVancedGamer Read x.com/GrapheneOS/sta… in full which already addresses this. We have reproducible builds of our apps and OS which are going to be used for configurable client-side enforcement of matching results from multiple first and third party build locations. Read the post.

Quoted post by GrapheneOS (@GrapheneOS):

We've written this post as a thorough debunking of extraordinarily inaccurate and misinformed claims being made about GrapheneOS. The main post making these claims is linked at the bottom. A growing number of our apps are built and signed separately from the OS to provide out-of-band updates. Each of these apps has reproducible builds. The official standalone releases are included in the OS rather than making separate builds for each device as part of building the OS. This is the standard and most sensible way to do things. It means the apps bundled with the OS are the same builds as the standalone releases instead of having two separate types of builds with two separate build systems. Both forms of building the apps are reproducible. It makes far more sense to use Android's standard app build system and tooling for standalone apps. It makes it much easier to work with them and for people to contribute. Needing to build apps as part of building the whole OS is a major barrier to contributions and can be avoided. Android supports out-of-band updates for the vast majority of the OS. These out-of-band updates are a major advantage over iOS. Many people aren't aware of how much can be updated out-of-band for Android. It's gradually turning into the entire OS having quite modular out-of-band updates which are fully compatible with the verified boot system. It still makes sense to have regular full OS updates which update all of the bundled components. A huge portion of Android is shipped as APKs which can be updated out-of-band. These can be built with the OS for simplicity but can also be built separately with their own standalone releases. If they have their own standalone releases, those are supposed to be bundled with the OS as a prebuilt instead of using a separate build system for the OS updates and out-of-band updates. It would also not be reproducible if separate build systems and toolchains were being used for both. 
An even larger portion of the OS can be updated out-of-band via APEX components which are an APK containing a structured filesystem with native libraries, services, data, nested APKs and other arbitrary files. Both APEX components and APKs are fully compatible with verified boot. GrapheneOS enables enforced verified boot for system APK updates rather than only APEX components. Android also has out-of-band updates to images via chained vbmeta (verified boot metadata) images. This works by having a hash of a key for chained vbmetas stored in the main vbmeta where each vbmeta has separately enforced downgrade protection via the secure element. GrapheneOS has very frequent OS releases and doesn't need out-of-band updates as much as the stock Pixel OS or especially the broader Android ecosystem. We mainly use out-of-band updates for our own apps with standalone releases and include the official releases of those in the OS releases rather than making separate builds. That's the way it's supposed to be done. Google Mobile Services Android operating systems use Google Play system updates providing APEX updates via standard builds from the Google Play Store. This provides monthly updates to large portions of the OS across devices regardless of their OS update cycle. We have no use for their approach since we have consistent OS updates which are more frequent than monthly releases. We could still set up out-of-band APEX updates to enable shipping an urgent update for a specific component without an OS release but we don't currently use them as it would only save build time rather than improving usability. Android uses prebuilts for the kernels and Chromium WebView which are built separately from the OS. The expected way to bundle most apps with the OS is to have standalone releases with the official releases bundled with it. This is how the stock Pixel OS handles APK and APEX components updated out-of-band. It doesn't interfere with reproducible builds.
Building, signing and shipping updates to the OS via modular components instead of building the entire OS for every change is going to be increasingly important as GrapheneOS scales up to a larger development team and a larger number of supported devices. It makes it far easier for people to work on smaller parts of the OS and we can release smaller updates for specific components. We're using it on a case-by-case basis for components we need to update frequently such as our GmsCompatConfig APK shipping the text file setting up most of our sandboxed Google Play compatibility layer shims. We also plan to start shipping GmsCompatLib as a standalone app but it was delayed due to banking apps wrongly believing updating it out-of-band was tampering. The claims which are being made in the linked post are extremely misinformed and backwards. They're attacking us for using approaches focused on security while claiming doing things in a far less secure way would be much better. The motivation for it is quite clearly promoting non-hardened operating systems through desperate attempts at misleading people about GrapheneOS with poorly informed claims. They're claiming we should be doing builds and signing on cloud servers because they believe having a CI web interface is a substitute for third parties reproducing and verifying builds. We make all of our official builds on local infrastructure under our physical control for clear security reasons. Our app and OS builds are both reproducible. We're gradually working on turning reproducible builds into a more useful feature by setting up a system of having alternate build locations and a system for verifying the results match across our locations and also third party locations. Our App Store and System Updater are eventually going to support verifying builds based on other official and third party build locations.
Moving our builds and signing to cloud infrastructure would not reduce trust in us but would greatly expand attack surface and how much needs to be trusted. GrapheneOS is a serious privacy and security project which is in the process of greatly expanding by hiring many developers and other people. We're improving our overall organizational and development processes as part of expanding. Expanding our use of out-of-band updates to the extent that it makes sense is part of this. x.com/TheVancedGamer…

2
0
2
161
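The quoted post describes "configurable client-side enforcement of matching results from multiple first and third party build locations". The following is an added illustration of how such a client-side policy can be modelled; it is not GrapheneOS code, and the location names, digests and policy fields are constructed for the example.

```python
# Added example (not GrapheneOS code): an updater-side policy that accepts an
# artifact only once enough independent build locations reproduce its exact
# digest. Location names, digests and the policy shape are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Attestation:
    location: str       # build location that reproduced the artifact
    first_party: bool   # run by the project (True) or by a third party (False)
    digest: str         # hex digest of the artifact that location produced


@dataclass(frozen=True)
class Policy:
    min_matches: int       # distinct locations that must reproduce the official digest
    min_third_party: int   # how many of those must be independent third parties


def evaluate(official_digest, attestations, policy):
    """Decide whether an update may be installed; returns (accept, reason).

    Any location that produced a different digest is a hard failure: it means
    either a non-reproducible build or a tampered artifact, and both need
    investigation before anything is installed.
    """
    mismatched = sorted({a.location for a in attestations if a.digest != official_digest})
    if mismatched:
        return False, "digest mismatch at: " + ", ".join(mismatched)
    # Count each location once even if it reports more than once.
    matching = {a.location: a for a in attestations if a.digest == official_digest}
    third_party = sum(1 for a in matching.values() if not a.first_party)
    if len(matching) < policy.min_matches:
        return False, f"only {len(matching)} matching location(s), need {policy.min_matches}"
    if third_party < policy.min_third_party:
        return False, f"only {third_party} third-party match(es), need {policy.min_third_party}"
    return True, f"{len(matching)} location(s) agree, {third_party} third-party"


# Constructed sample data: a placeholder digest and three reports that match it.
OFFICIAL = "3f2a" * 16
SAMPLE_OK = [
    Attestation("official-a", True, OFFICIAL),
    Attestation("official-b", True, OFFICIAL),
    Attestation("third-party-x", False, OFFICIAL),
]
# The same reports plus one third party whose rebuild produced a different digest.
SAMPLE_TAMPERED = SAMPLE_OK + [Attestation("third-party-y", False, "dead" * 16)]

if __name__ == "__main__":
    print(evaluate(OFFICIAL, SAMPLE_OK, Policy(3, 1)))        # accepted
    print(evaluate(OFFICIAL, SAMPLE_OK, Policy(3, 2)))        # too few third parties
    print(evaluate(OFFICIAL, SAMPLE_TAMPERED, Policy(2, 0)))  # mismatch, rejected
```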
Raphiel Rollerscaperers (@raphielscape):
@TrueAmPatriot86 @GrapheneOS @TheVancedGamer It does not guarantee that the build can be trusted, though if the update engine has a vulnerability (e.g. a signature parser buffer overflow), both CrOS and Android would be in a lot of pain; but there is a possibility that this might happen and be unknown even to Google.
1
0
0
190
Vorsprung durch Hubschrauberrotoren:
@raphielscape @GrapheneOS @TheVancedGamer If somebody tampers with the OTA update artifact delivered to your phone, your phone refuses to install because the OTA artifact is signed with a key known to the phone. Honestly, you should have fewer opinions and more time to read up on how things work.
1
0
0
194
Raphiel Rollerscaperers (@raphielscape):
@GrapheneOS @TrueAmPatriot86 @TheVancedGamer In cases where the OTA is somehow intercepted (as in, one somehow convinced the update engine to accept the OTA), this would be your weak point if you didn't let users verify the build beforehand, before they accept the OTA to be installed.
2
0
0
192
Raphiel Rollerscaperers (@raphielscape):
@GrapheneOS @TrueAmPatriot86 @TheVancedGamer Stock Pixel verifies the OTA integrity too, and I didn't see you deviate far from it based on your changes to the update engine and your OTA app. This also assumes that the hash is trustworthy and that you verify the hash pre-OTA.
1
0
0
182
Raphiel Rollerscaperers (@raphielscape):
@TrueAmPatriot86 @TheVancedGamer @GrapheneOS Logs are one point of truth. Point-in-time build logging is one of the truths; the artifact and the build itself would need to be verifiable too. As I said on the other thread, if the whole build flow is not verifiable, how would one trust the OTA builds?
2
0
0
33