| ▲ | neilv 2 hours ago | |
I'm sure you realize that confident assurances of a random new pseudonymous account on a Web site isn't sufficient for anything of importance. Is there an authoritative source of information about how a takeover like that isn't possible by design, which people can verify, analyze, hold parties accountable for the pieces that require it, etc.? | ||
| ▲ | HybridStatAnim8 an hour ago | parent [-] | |
I am a GrapheneOS user and community member, and I am active in the chat rooms. I made this account to assist with misinformation. As for how such a thing would not be possible; -GrapheneOS updates do not trust the network, so any compromise of update servers for OS and app updates would not be able to push malicious updates. Only those who hold the signing keys are capable of pushing updates that will be accepted. -Multiple people review the code that gets included in the OS. There is not one point of failure when it comes to social engineering. -GOS supports reproducible builds, so the code that is published can be verified to be the code that is built for the official builds. So in other words, you would need to convince multiple people who are consciously protecting against this, and who have a proven track record of burning the keys if the privacy and security of their users are in jeopardy. On top of that, you need to conceal this from every developer, moderator, and community member who would raise the alarm at the slightest indication of compromise. | ||