Privacy

47127 readers

1207 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 6 years ago

MODERATORS

Does anyone build GrapheneOS "from scratch"? (lemmy.ml)

submitted 2 days ago* (last edited 2 days ago) by liminal@lemmy.ml to c/privacy@lemmy.ml

12 comments fedilink hide all child comments

I'm wondering what would be necessary to build GrapheneOS releases yourself, and regularly update your phone from your own servers, with your builds. The server for apps.grapheneos.org should also be replaced. Has anyone done this?

The documentation for GrapheneOS has a section about how to reproduce builds:

https://grapheneos.org/build#reproducible-builds

But it would be more involved than that.

you are viewing a single comment's thread
view the rest of the comments

[–] utopiah@lemmy.ml 6 points 2 days ago* (last edited 2 days ago) (1 children)

I haven't but I did built relatively large projects before (e.g. browsers) and basically it depends mostly on 2 things :

are you in rush? If not just let it run over night, if you are then delegate it (if you can afford it and matches your threat model) to a cloud provider (rent a couple of instances for however long you need, that's where the hourly pricing matters)
is the build system properly setup for reproducibility, e.g runs in a single container on AMD64? if so just start it and move on, otherwise be prepared for an indefinite amount of tinkering

I think it's interesting to do but honestly as someone else mentioned, builds are signed. In fact at the end of https://grapheneos.org/install/web#verified-boot-key-hash you get the verified boot hash. The goal is precisely to check that you actually get what you are supposed to have running. Basically the big picture of reproducible builds is that you do NOT have to do it and can STILL verify that you have exactly, up to a single bit, what should have.

[–] liminal@lemmy.ml 6 points 2 days ago* (last edited 2 days ago) (2 children)

The fact that devs sign the builds doesn't protect you from a Jia Tan type of actor. Jia Tan had social-engineered they way to a maintainer and then dropped their backdoor in the .tar releases. If you had compiled from the tree you couldn't be affected. It's possible to fail to review malicious commits even in this case, but it is still more transparent than pre-packaged releases. And there's no point to reproducible builds if no one actually reproduces them.

[–] utopiah@lemmy.ml 1 points 1 day ago* (last edited 1 day ago)

a Jia Tan type of actor

Yes, absolutely, yet the fact that we even know who they are proves that it's definitely an odd case. It's important to remember it but it's definitely not a normal situation.

[–] Auli@lemmy.ca 0 points 1 day ago

You don't know anything about the lead developer.