bmicraft 5 days ago

> With it turned on, keys are on your device, Apple doesn't have them and can't use them and it covers all the main stuff - photos, messages, notes, etc.

Or so they say. Has that actually been proven?

NobodyNada 5 days ago | parent | next [-]

It's impossible to prove a negative, like "Apple doesn't have a backdoor". One can prove the existence of a backdoor by reverse-engineering suspicious code or network traffic, but not the nonexistence without poring over every byte of machine code, and quite a lot of the hardware too.

This is not unique to Apple; it's impossible to prove any system is free of a backdoor, including Linux distributions (see: the xz backdoor, or "Reflections on trusting trust"), unless you hand-crafted your whole smartphone from raw silicon.

gruez 5 days ago | parent | prev [-]

You can raise that gripe with even something like Signal. Sure, it's open source, but when was the last time someone reproducibly built it?

tga_d 5 days ago | parent [-]

People reproducibly build Signal all the time. There's a bug right now that makes the Play Store version differ from the one you get by downloading off their website/build from source, but you can examine the differences to see they're minor.

gruez 5 days ago | parent [-]

>People reproducibly build Signal all the time

Source? Is there a site that tracks this, or does it only show up when someone raises an issue on GitHub?

tga_d 5 days ago | parent [-]

Pick a decently up-to-date fork of Signal on GitHub and look at its Actions. You can also just do it yourself if you'd like; the process is effectively just doing a build in a Docker container and comparing the result.

https://github.com/signalapp/Signal-Android/blob/main/reprod...

gruez 5 days ago | parent [-]

The GitHub Action finishing is not the same as "reproducibly built it", which implies verification against the official build.

tga_d 5 days ago | parent [-]

There is a dedicated reproducible builds action that verifies that it does match (currently failing because of the aforementioned bug). I'm not sure why you're still litigating this when, again, you can not only just go look at it, you can very much do it yourself.
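The "comparing the result" step described in this thread, as an added example that is not part of any comment and is not Signal's own comparison script: it hashes the uncompressed content of every entry in two APKs and reports entries that are missing, extra, or different, so a build finishing is distinguished from a build matching. Assumptions: the signing artifacts to exclude are the v1 (JAR) signature files under `META-INF/`, and the in-memory archives are constructed sample data standing in for real APKs.

```python
import hashlib
import io
import zipfile

# Assumption: only v1 (JAR) signing files are excluded from the comparison.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")

def is_signature_entry(name):
    """True for files written by the signer, which a local rebuild cannot reproduce."""
    return name.startswith("META-INF/") and (
        name.endswith(SIGNATURE_SUFFIXES) or name == "META-INF/MANIFEST.MF")

def entry_digests(apk_bytes):
    """Map each non-signature entry name to the SHA-256 of its uncompressed data."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist()
                if not is_signature_entry(info.filename)}

def compare_apks(official, rebuilt):
    """Return (only_in_official, only_in_rebuilt, content_differs) as sorted lists."""
    a, b = entry_digests(official), entry_digests(rebuilt)
    return (sorted(a.keys() - b.keys()),
            sorted(b.keys() - a.keys()),
            sorted(n for n in a.keys() & b.keys() if a[n] != b[n]))

def make_apk(entries):
    """Build a constructed in-memory archive standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample data: a signed "official" build, a matching local
# rebuild without signature files, and a rebuild whose contents differ.
COMMON = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00code"}
OFFICIAL = make_apk({**COMMON, "META-INF/CERT.RSA": b"store signature",
                     "META-INF/CERT.SF": b"sf", "META-INF/MANIFEST.MF": b"mf"})
REBUILT = make_apk(COMMON)
MODIFIED = make_apk({**COMMON, "classes.dex": b"dex\n035\x00code+extra",
                     "lib/x.so": b"\x7fELF"})

if __name__ == "__main__":
    print("official vs rebuilt: ", compare_apks(OFFICIAL, REBUILT))
    print("official vs modified:", compare_apks(OFFICIAL, MODIFIED))
```

Because it hashes decompressed entry data, differences in compression level, entry timestamps, or archive alignment do not register as mismatches; only file names and file contents do.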