| ▲ | marmarama 4 hours ago |
| I think you've misunderstood. It's not an app problem. The problem is that it makes Free Software OSes unviable. The copy of Android you compile and install yourself - or your copy of desktop Linux where you upgraded the kernel yourself - will never pass remote attestation, and it gives both the attestation provider and software that checks attestation the ability to unilaterally shut out any OS they like with no workaround, even those that do pass attestation. In a world of deeply untrustworthy Big Tech, and trend of governments, banks and other basic services needed to exist in society relying on apps and in the future, websites that use remote attestation, that is very troubling. There are better ways of dealing with the bad actors problem, but Big Tech has chosen violence. |
|
| ▲ | floam 4 hours ago | parent | next [-] |
| I don’t see how it’s incompatible with open source, just because my development builds aren’t being blessed. |
| |
| ▲ | dpark 3 hours ago | parent | next [-] | | It’s not incompatible with open source. It’s incompatible with free software. If Apple or Google or Microsoft or the government needs to “bless” your build, then you have no freedom to actually use your build. | |
| ▲ | marmarama 3 hours ago | parent | prev [-] | | Your "development build" is another person's daily driver. Case in point: GrapheneOS (or any other custom Android distro) is unlikely to be able to ever pass remote attestation, even a signed, secure boot build with the bootloader relocked, because it's not the original OS for the hardware. Same goes for any desktop Linux. | | |
| ▲ | inigyou an hour ago | parent [-] | | GrapheneOS implements its own attestation so you can attest that it's real GrapheneOS. The valid approach they've chosen is to try and get on a level playing field with the big guys rather than destroy the playing field. They have a good argument their OS is very secure, so you should accept its attestation. This is how a user-friendly OS backdoors into the attestation system. I still think destroying the playing field is better, but less likely to succeed. | | |
| ▲ | matheusmoreira 18 minutes ago | parent | next [-] | | > so you can attest This isn't about you attesting anything though. It's about corporations attesting that your device is 100% corporate owned. Can't have you running software that impacts their bottom line after all. GrapheneOS could be the most secure operating system to ever exist, it doesn't matter to the corporation because it's still under your control. When they say "security", they mean "the corporation's security against the user", not "the user's security against the hostile world out there". | |
| ▲ | HybridStatAnim8 18 minutes ago | parent | prev [-] | | GrapheneOS doesnt implement its own attestation. It simply inherits the existing, generic attestation system provided in the android open source project. Any fork of AOSP can provide this, the keys would just need to be whitelisted per OS. |
|
|
|
|
| ▲ | charcircuit an hour ago | parent | prev [-] |
| You can apply my same comment 1 layer up. The hypervisor maintains isolation between operating systems, so a free operating system being installed doesn't mean an app that needs a high security operating system is compromised. |