cdesai: *OT*, but *poke*, hope things are okay there given the lockdowns and such

:)

JTL: thanks :) - all good here, hope things are okay on your end too!

Yeah

Thanks

cdesai: yeah I'm not even sure they do

You can make up nonsensical names

As long as they start with avb fastboot just seems to return success

I can't confirm if the keys are stored

well, even if they are, what you said means they aren't used for any checks which I'd argue ends up being the same as not storing them

I've sent it to a couple more people to test

The fastboot zip only includes a boot.img

not sure if this was discussed here already, but kiwi browser with extension support for android is now oss

sadly chromium 77, but it's still a good start

You flash the boot.img and load up the lineage recovery from where you sideload

Yeah no

Like just put energized in your unbound config

Now you got adblock

Man riot sucks

Like who'd want to put their actual face up?

Ah finally

Now I can look like a weirdo

<anupritaisno1[m] "Now I can look like a weirdo"> As if you already didn't

madaidan.: shhhhh

Does Auditor app serve any function on installed device or is it just for checking other devices?

pretty sure you can use auditor to check your local device against a remote server

Yes

OK, but not necessary to have running all the time, manual check only right?

nickcalyx: hey quick question. I saw the website for calyx looks like there hasn't been a new image lately. Is it still frequently updated?

we generally have an update every month but we may not have one for april 2020

> we generally have an update every month but we may not have one for april 2020

Thanks. Good work. Would you guys be open to adding a notice of the patches? It looks a little like the project is unmaintained at first blush.

No offense at all, I understand it's easier to OTA and not build a new image everytime.

We do build new images every time

I don't see them on the site. I might be missing it

Sorry to jump in here with a different topic, but which option is preferred? Shelter app from fdriod or just creating a different profile under Multiple Users? Use case is for work/uni aka apps like Microsoft excel, fb etc or apps that might have trackers.

Separate profiles, according to Daniel.

Device admin and accessibility services aren't recommended.

How bad would that be to have Working Gcam on a separate profile? Installing microg gives me shivers

Thank you cyborgninjaneer for your helpful response.

> How bad would that be to have Working Gcam on a separate profile? Installing microg gives me shivers

microg is safe as an apk. It's the install process. If it fools an app like gcam you're fine

The bigger risk is Google Camera's selinux domain. microG is just an app. Signature spoofing to get it to work in 99% of cases is the scary

Right. It won't work with network disabled. Nevermind. Won't install this snake oil of an app

> Right. It won't work with network disabled. Nevermind. Won't install this snake oil of an app

Google Camera works without network

It just has too much access to the hardware via loosened SELinux domain

Yeah. It's currently only working because of a loophole in the policy. This is likely to change soon to further mitigate potential exploits, and could change before then if Google decides to take their ball and go home. So it's likely to break at any moment.

Apps can only fake one permission

They must do so ahead of time

They cannot choose what signature to fake during runtime

<TheJollyRoger "Yeah. It's currently only workin"> Hopefully the same isn't true for Snapseed? That would be a pretty big bummer.

Has it happened to anyone trying to uninstall a app and it wont unistall?

Im tryung to uninstall Jami and it just wont

The phone just freezes

Never happened.

I just have the problem that I still have the apps I've debugged on my phone are still installed but "Not installed for this user" (even though there's no other user) and they just rot in my app's list.

rip sentence lol

limitless0[m]: Try going to its "App info". First 'force stop' and then 'uninstall'.

<limitless0[m] "Has it happened to anyone trying"> limitless0: on grapheneos?

TheJollyRoger: this?

Anyway @strcat want me to drop another thing on oneplus?

They released android Q on top of a P BSP

For the oneplus 7

You can even confirm this yourself by matching the caf tags

<anupritaisno1[m] "limitless0: on grapheneos?"> Yes on graphene

<nscnt "limitless0: Try going to its "Ap"> I tried that and same result it just frerzes

Harvey Norman has unlocked Pixel 3 (64G) for $488

Harvey Norman has unlocked Pixel 3 (128G) for $538.

limitless0: has something a bit like that a few years ago, but not seen anything recently. Have you turned it off and on again.....

Harvey Norman has unlocked Pixel 3 XL (64 or 128G) for $588.

Clearance Sale.

AUD $$$

Am I allowed to link that?

swappa.com. has them for a lot cheaper, albeit used. That said, they have a relatively strong reputation with phones that are purchased off of that site.

These are new.

Network unlocked.

Cheap for Aussie phones :P

hahaha.... yeah you right

That particular store makes its money from ripping off grandma.

Harvey Norman I mean,

do they force paypal as a payment method?

No idea. I will look.

I think so, there is an icon at the bottom.

geezus.... they are attempting to sell Pixel4XL for almost $1500 🤣

See what I mean,

But it is probably the Pixel 4 that has made these Pixel 3's cheap.

Coz people upgrade every month,

I am not shilling them or anything - feel free to buy me one for Xmas. :p

I would actually pull the trigger if it weren't so cheap to grab up phones off of swappa... plus the shipping fees probably aren't terribly reasonable.

Do they ship outside of US?

the Swappa

about the current situation and future of the project

I will have increasingly less time and energy available for it due to the attacks from Copperhead and also others to a lesser extent

need the community to step up and help with defending the project from the people trying to destroy it

along with making substantial contributions and taking over the work that I used to do and am no longer doing

and more work that I need to stop doing

there are a lot of things that I used to do which are now no longer happening leading to shrinking viability of the project

since people aren't stepping up enough

will be making a major announcement soon about the escalation of attacks on the project by Copperhead

let me check on these domain name scammers

The decision for the future device support is a proper step.

paste.xinu.at/xVz look at these motherfuckers trying to extort us

Wonder if there's a way to file criminal charges against that copperhead guy

cyborgninjaneer[: people who had their donations stolen

can do that

doesn't need to be me, can be the people who had their money stolen rather than going to me

ANYONE who donated BTC to CopperheadOS where the site / communications said it was going to the open source project / developers

NONE of it did

James personally embezzled / stolen all of it

and a LOT of the other donations

most of the Stripe donations

I hate how mutt wraps lines can I turn that off

hmm

*squirrel

So someone needs to contact your old donors and offer them free legal services perhaps? If there is a bored/willing attorney lurking in here, please speak up.

Why offering them something? They wanted to donate to Daniel's work. If they don't care it got stolen...? huh

as far as the DNS registrar... I wouldn't even remotely bother with that.... not even a little bit.

If someone wanted to take on tasks like a device maintainer, what would be the first thing they could do right now? Pixel 3a as an example.

Hell I could jump on godaddy, collect all of the TLDs and fire off the same email to damn near anyone.

cx2[m]: they're trying to extory me

extort me*

it's a scam

they are basically threatening to register those names if I don't pay them for it

scumbags

cx2[m]: I don't think they registered them yet

they're THREATENING to do it

it is not clear if they will actually do it

I don't want a bunch of useless chinese domain names anyway

grapheneos.net.cn

grapheneos.org.cn

why the hell would I want those

lol

grapheneos.cn

at least that one is stop stupid as hell

imagine registering grapheneos.org.com grapheneos.com.org

That's what I'm saying.... ignore the shit out of it.

it makes no sense...

I don't believe that org.cn and net.cn are free domain names

haha

cx2[m]: they're a scam company

I looked it up and it's a real company that scams people

cx2[m]: I told them to fuck off and threatened them

I don't even know how people fall for this sort of scan, are you supposed to own every possible domain that contains grapheneos in the name? lol

I'm going to go spend an hour collecting 20 TLDs for Chase Bank....then send them an email.... see how that works out for me.

strcat: If someone wanted to take on tasks like an equipment attendant, what would be the first thing they could do right now?

wrote up some copypasta-type thing about how we have elite team of hackers and security researchers tracking them down

So stupid

they stopped bothering me now

woof.... what a waste of time.

Zenithium[m]: lol yeah grapheneos.org is enough why would I buy other domains

I can't possibly buy every variant of it

Zenithium[m]: also how can they even claim to be buying grapheneos.org.cn

that makes no fucking sense

unless there is a registrar for org.cn

i.e. if it's a public suffix

I seriously doubt that? let me check

ok it actually *is* a public suffix

that's stupid as hell lol

I think .cn domains need to be approved by the Chinese government or something like that, I remember that the process is different than usual

so you can buy grapheneos.cn

but you can also buy grapheneos.org.cn

why would you even WANT org.cn

strcat: google.org.cn

cx2[m]: yeah I checked

cx2[m]: publicsuffix.org/list/public_suffix_list.dat

strcat: turns out google is in trouble too...

You should get grapheneos.com.org.cn just to cover your bases

Zenithium[m]: lol that wouldn't be available

someone likely has com.org.cn

but yeah

Or maybe grapheneos.com.org.net.cn

it's so dumb

Zenithium[m]: en.wikipedia.org/wiki/.cn

look at

Generic second-level domains

Any individual may register for second-level domain names. However, the registry has created a set of predefined second-level domains for certain types of organizations and geographic locations. Registrations for such third-level domains were available before second-level domains became available in 2003, and registrants of third-level domains were given priority for names at the second level.

how does that make any sense?

Zenithium[m]: I guess it's a legacy thing

since they started selling *.com.cn before *.cn

yeah mutt is fucking stupid how do I disable line wrapping doesn't seem possible

set wrap=0 still wraps at terminal width

just going to set pager to less probablt

I hate email so much

It must be possible, it's mutt lol

google.tw is also available it seems.

strcat seems i've stumbled upon a money pit here... just redirect that email to google. I KNOW they are good for the money.

Zenithium[m]: no it's not possible without patching I found multiple clear answers

Zenithium[m]: so basically 'wrap' makes it wrap at some fixed value

but even disabling that

it ALWAYS wraps at terminal width

so it breaks the lines

I could disable 'markers' and it'd stop putting + when wrapping but...

that isn't helpful since it still wraps them and then it just looks like the person who sent the email wrapped it

anyway I did 'set pager=less'

it's just annoying because then you can't do stuff like replying to the email with 'r'

you have to exit pager first

I already use vim as the editor instead of mutt's horrific editor

ofc

speaking of mutt... anyone have /.muttrc they care to share? I need a little kickstart

with 'set edit_headers' to just manually edit those

You could probably improve your email workflow but it's a time sink lol

cx2[m]: I had an old one for IMAP with Gmail but I started over

since I'm just using mutt on mail.grapheneos.org

I set up IMAP/SMTP auth but it's easier to just login with ssh and use mutt

cx2[m]: renlord's github.com/renlord/dotfiles/blob/master/HOME-STOW/mutt/.muttrc

because to use IMAP/SMTP I'd have to send all this mail to some dovecot virtual account

Id imagine the same one for gmail would work for fastmail

instead of just using root

so I'll probably just use the external IMAP/SMTP for other people

ah... yeah good point

also I need to set up postfix to disallow people who authenticate to send mail with arbitrary from headers

it was so much easier to configure OpenSMTPD but it lacks SPF verification for inbound mail, DANE verification for outbound mail and MTA-STS verification for outbound mail

so I had to switch to postfix

it's a PITA to configure postfix properly

cx2[m]: I'm not gonna using GPG anymore it's fucking terrible

been stripping away my last uses of it

it's insecure and just awful

strcat: TheJollyRoger has me on a warpath to learn AGE

or in my case RAGE

Email is just crap in general lol

age + signify is the way to go

age provides encryption with integrity

if you want to prove it came from you, sign with signify

but you don't need to use signify to prevent tampering

wonder if there's a thunderbird plugin for signify

it would be nice if age had to option to specify / verify the identity of the person encrypting but it leaves that to signify

would just be easier to use if it was an extra switch

yeah... `unstable`

strcat: do you have a list of mailing lists you're subscribed to? I'm curious because I started looking into them recently since I wasn't following any but I feel like a lot of security stuff is on there

strcat: I'm guessing the ones from oss-security.openwall.org/wiki/welcome that you mentioned somewhere are a good start

I unsubscribed from all mailing lists

not subscribed to any people just CC on random shit and it spams me with emails

Because of the spam?

to any mailing lists*

Zenithium[m]: no

Oh

they are too high traffic, boring and anger inducing

I don't want to subscribe to oss-security and see more people reporting stuff like exploiting a kernel through control of the kernel command line (doesn't make any fucking sense, not interested in the security theatre desktop linux lockdown nonsense)

I'm just looking for knowledgeable people to learn from but it's hard to find where they congregate lol

Seems like most people don't know what they're talking about

there aren't enough knowledgeable people that are active in that sense

to have a mailing list of them

oss-security is silly

lots of silliness

and it's mostly just vulnerabilities

I remember you saying Twitter has a lot of the security community on there but I dislike Twitter because any good stuff gets overshadowed and buried under a mountain of stupidity

Zenithium[m]: well the way you have to use twitter is follow people who post good content

Twitter uses stupid timeline features where posts aren't chronological and posts from people you don't even follow show up constantly etc. it's just annoying

you certainly never look at "hashtags" or whatever

Zenithium[m]: you can disable those things

you can set it to chronological and if you don't want to see tweets liked by people who you follow, you can disable that

You don't even need Twitter. You could use a rss reader.

you need twitter to properly set up following and control which types of things you see

jesus christ the privacy community is cancer

enough reddit for today

strcat: Suggestions of people?

<algebro[m] "jesus christ the privacy communi"> Reddit is cancer

while you aren't wrong, i dont know if it's just reddit

Reddit is like... A colon polyp. Other social media is leukemia.

nscnt: follow everyone I follow and maybe remove the few that aren't infosec people

nscnt: make a twitter account, follow every single account I follow, and you'll have a good infosec news feed

remove the few that aren't infosec

I don't have a Twitter account. I can't see who you're following.

make an anonymous one then

infosec community is on twitter

nowhere else can you find public discussion by the core infosec community really

I follow 242 people, I'd say it's 90%+ infosec

some is android, compilers, language design, etc.

software verification

there are probably only like 5 accounts that are not computer-related

oh and some is bitcoin

Ooh.

What's the most private way to access twitter?

just make an account anonymously? it probably just needs an email address

I would use a real email address you can continue accessing but you could make a unique one for it

if you want a good feed of infosec stuff I'd say you pretty much need to use twitter

or some third party site that lets you follow people perhaps but I'd guess that twitter's API makes it worse than using twitter

and it's better if you can actually reply and DM people

<strcat "I don't want to subscribe to oss"> I remember that thread lol

Can't wait for the `nosmap` CVE too

madaidan[m]: it makes no sense

basically

I guess I shouldn't worry overly much about what's in Twitter's site code.

they are okay with being able to boot a different userspace, disable verified boot for userspace

the kernel does NOTHING useful itself

it serves userspace

it makes no fucking sense

cyborgninjaneer[: I use twitter to set up talking to people on Signal

I have a lot of public discussions with the infosec community

<cyborgninjaneer[ "What's the most private way to a"> You can make an account through Tor (I did) but they make you jump through hoops and you have to contact support to unlock your account etc. if you don't give them any personal data

and then via DMs I set up talking via Signal

Zenithium[m]: I think you can use it tho

just not post stuff people can see etc.?

They wouldn't let me create an account through Tor :(

Might try it again

use a VPN?

I don't really use Tor in practice much

Yeah, they can't get your IP. That's all tor hides anyway

it's too slow and I don't want my traffic going through malicious exit nodes really, just increases attack surface

Neither do I.

I trust my ISP more than Tor exit nodes

software is terrible and I don't trust it not to leak data

or get exploited

I don't think I really do much that leads to unencrypted connections but still

When I do, I run tor through my VPN (so the ISP doesn't see it) and never log into anything.

It is NOT secure.

Most stuff is HTTPS nowadays so it's fine

Zenithium[m]: MOST stuff

<strcat "use a VPN?"> I prefer Tor than paying for a VPN

madaidan[m]: tor is so slow

I have gigabit internet and want high bandwidth + low latency

I can max out my connection with PIA

I don't really feel that it's slow unless I want to stream HD video or something, just browsing the internet is fine

madaidan.: if you simply cannot pay for a VPN, perhaps run Proton's free one. It's possibly the best free option, faster than tor and more trustworthy unless you have just something against the company

<strcat "Zenithium: MOST stuff"> I'd take my chances when 90% of visited websites are https

my threat model is I don't want sites tracking my interests etc.

Maybe I'm just used to it lol

ok like right now

I'm watching a 4k youtube video

there is 500mbit+ of downloads going

separately

and I'm browsing the web and expecting that to be fast/painless

expecting pages to load in 200ms

<cyborgninjaneer[ "madaidan.: if you simply cannot "> I use that sometimes and it's slow as shit. Tor is faster most of the time.

and I need to be able to upload stuff at near 1gbit

it's like $2/month

Yeah watching 4K video is not happening over Tor lmao

oh no my first spam email to mail.grapheneos.org

Aw crap

strcat: it's domain registrar!

<Zenithium[m] "Yeah watching 4K video is not ha"> Maybe over the span of a few years

mutt is seriously terrible

like

why is there a sleep_time option

and why is it 1 second by default

what the FUCK

they literally have an option that delays things by default by 1 second

like changing folders

lol

it just sits there for 1 second

k that's better now it switches instantly

using less as the pager sucks can't toggle showing all headers etc

To: Undisclosed recipients: ;

why does postfix even accept this email

and give it to root

Reminds me of a post I read about a guy using sleep() all of the place in his code and then removing a bit from time to time to impress managment by speed increase

i tried to submit patches to the linux kernel but mutt couldn't get it formatted well enough for greg kh to tolerate them

algebro[m]: use git send-email

always

git is so fucked up it has email handling built into it

sending and receiving

Zenithium[m]: yeah so

hahaha, thanks for the tip, i'll keep it in mind once i feel up to trying again

when you switch folders in mutt, etc.

it sleeps for $sleep_time

which is 1s by default

why???

so basically you add 'set sleep_time=0' and now it's not unnecessarily slow

> Specifies time, in seconds, to pause while displaying certain informational messages, while moving from folder to folder and after expunging messages from the current folder.

From the docs

So I guess you're gonna miss out on some "informational messages" strcat hahah

I can't read those in 1s anyway

I won't be expecting a message

what kind of messages lol

lemme try deleting a mail and doing it with sleep_time

Zenithium[m]: yeah so it shows the number of purged mails in status bar

but really

that is not a valid way for me to consume that info

I'm not really going to process that and I don't care anyway

it's line noise

I think it's worth losing some not-that-useful info for getting rid of the delay while switching folders :P

Well, I don't know everything that's included in "informational messages" but going by the name I don't think it's anything important/essential

Wont the sites track your habit even if you are on vpn via trackers and cookies?

<limitless0[m] "Wont the sites track your habit "> Hundreds, if not thousands are users are potentially using the same server. In addition you could change servers from time to time depending on the time service youre using

Not to getinto a vpn discussion here....

<strcat "I trust my ISP more than Tor exi"> Is it better for privacy or security to use signal through a Vpn or Orbot?

<cx2[m] "Hundreds, if not thousands are u"> But cookies and trackers are device specific, Ip its less relevant

sure so use browser settings that purge cookies, etc.

strcat probably trusts his ISP more than a vpn provider based on that comment

but also privacy and anonymity arent the same thing so tor has nothing to do with privacy

* but also privacy and anonymity arent the same thing so tor has nothing to do with making signal more private

<cx2[m] "sure so use browser settings tha"> It doesn't matter, your browser is fingerprintable in countless ways unless you have JS disabled

Rabbit hole

Eh... regarding the trust of any number of potential exit nodes vs a truly vetted (I know there are few) VPN, I would probably err on the side of the vpn.

In theory every single exit node is independantly hosted. and there are a LOT of them. In contrast, a good VPN provider at owns their servers.

Zenithium:

I don't trust any VPN provider, I can't verify that they don't keep logs etc. and they're a prime target for government surveillance

Comments, too:

What a one line change did to the Chrome sandbox news.ycombinator.com/item?id=22945630

VPNs are pointless unless you want to sidestep region blocks or torrent illegally. Otherwise just use ISP or Tor traffic

I don't trust Tor

it can be flooded with malicious nodes

Zenithium: First, that statement was regarding cookies. Not browser fingerprinting. Second, I don't disagree...that's why attempting to limit add-ons is relatively important. the "Blending in" is a real thing.

Third - Ok. I'm not attempting to change your mind here.

Zenithium: nor did i want to have a protracted discussion of VPNs. Although you ARE on the web so you must have your trust in someone...

Sybil attacks are a real issue

While infosec is WILDLY subjective in nature, I can assure you there are some relatively hard and fast rules....but because most have subscribed to a line of thinking already, and then did a small bit of "research" on their own, there's rarely any mind changing in the infosec world.

It's always, "Nah, you're shit is flawed, mines better... " And in nearly every case it's without context.

<strcat "I don't trust Tor"> What do you think of other networks like I2P?

i2p sucks

Fair enough

<strcat "i2p sucks"> While we (seemingly) are on the topic, IPFS?

Chanced upon this post: old.reddit.com/r/GrapheneOS/comments/g4s35n/pixel_4

Are there plans to discontinue pixel 3 support anytime soon?

grapheneuser: no devices have maintainers yet

all devices without maintainers will need to be dropped

we need the community to step up and start making substantial contributions

grapheneuser: the plan is for the community to step up and for each currently supported device to have at least one person actively doing testing and development/maintenance for it

the *plan* is not to drop any devices, that's what will happen if the plan fails

What areas of knowledge are needed to become a device maintainer?

I'm guessing the legacy pixel 2 devices will be dropped first?

Yeah, the support from Google ends for the 2's later this year. It'd be better for someone to jump on the 3a or 4a.

What about the pixel 3 lineup? Do you see the possibility of the pixel 3(xl) being dropped on favour of the 3a(xl) to minimize the workload? Or the other way around?

In favour*

grapheneuser: every device without a maintainer has to be dropped

up the community which devices remain supported

ideally people will help with all of it and nothing has to be dropped

that's the plan

<grapheneuser "What about the pixel 3 lineup? D"> I think it'd be more likely for the 3a to be dropped

I'm deciding between the 3/3a ATM. Thought I'll ask

strcat (@freenode_strcat:matrix.org): What sort of skills does a device maintainer need? What is the workload like? An article about becoming a maintainer might be a good idea. There are a lot of bright people here. Smartphones are just a little obtuse at first.

Something along the lines of, "Google this and this, learn how x y and z work, then start working toward x y and z goals on a specific device."

Then the community can point to that, and help people find resources.

I did a couple of uninformed DDG searches just now and I'm just as clueless as before about what a device maintainer does or what skills are needed. We need an accessible starting point to get people on board.

Are there any promising alternatives for push notifications on the horizon?

I saw one mentioned somewhere but it hasn't had a commit in 8 months so I assume it stalled

algebro[m]: what do you mean?

apps can easily do it properly on their own

I asked about the absolute next steps to maintain a device (like, what to do right *now*), but it got no response.

start by building and testing on that device

and working on device support and issues filed that are specific to the device

you need a dedicated dev device

to be a maintainer

Like some sort of drop in alternative for Google's push notification library. I don't know how it works at a fundamental level so that might not be possible but I was just curious

it can't really be your personal device

algebro[m]: that's not at all possible if you mean without the app changing their server

You can get somewhat cheap pixels on eBay it you look

algebro[m]: the app's server connects to FCM and sends a push through it

Damn, was afraid of that...thanks

strcat: I don't know if this matters, BUT I would be willing to purchase and ship a specific device for dev to someone that can "maintain" a device....

Okay, so that will have to wait until I've got dough in my pocket for an extra piece of hardware. Maybe by the time the 4a is out I'll have funds. Not sure about time.

> I don't know how it works at a fundamental level so that might not be possible but I was just curious

Think the question is "what functionality are you asking about/what are you missing right now?"

I think he means a unified way so each up doesn't wake the device on its own draining battery by all the apps combined causing more wakes than necessary. I remember someone working on a prototype using the matrix protocol but I forget the name and it still needed work last I heard about it.

<Nikos[m] "I think he means a unified way s"> up=app dumb autocorrect

algebro: github.com/cnyanghm/openpush

I was just asking if there was a way to mock fcm yeah

old but allegedly in the works?

the project has paid for 2 contributors to get Pixel 3a dev devices

if people contribute the project will get them a dev device

perhaps multiple dev devices

perhaps a workstation

it has to be someone actively contributing that I trust enough to give money

I'm not buying the phone for them just giving them money to buy it

Good policy

when I send mail with external SMTP postfix sticks my IP address on it

nice

ok.... i see my money is no good here... kidding.

What level of proficiency is required to be a maintainer versus a developer? And what languages, etc.

<cx2[m] "What level of proficiency is req"> I'd assume mainly C, C++ and Java

safe assessment

yeah but learning Java is trivial

<cx2[m] "What level of proficiency is req"> Please visit grapheneos.org and actually read the documentation =]

There's more to it than knowing a language as well.

so I would say knowing C and C++ and being willing to learn Java

lol....ok let me rephrase.... Can we put in this room some information that passerbys might possibly see and be interested?

JollyRoger: Is this account in use? Would like to catch up with you, bud

IRC bridged Direct Message keeps dying/seems unreliable =]

ok nice got that Received header filtered out with postfix

cat /etc/postfix/submission_header_checks

/^Received:/ IGNOR

cat /etc/postfix/submission_header_checks

/^Received:/ IGNORE

and then setting that up for the submission services

subcleanup unix n - - - 0 cleanup

-o header_checks=regexp:/etc/postfix/submission_header_checks

and for both submission services:

-o cleanup_service_name=subcleanup

really annoying

I hate email

3.1. Message-Id: headers

Message-Id: headers contain a local part that is to be created in a unique fashion. In order to do so, Mutt will “leak” some information to the outside world when sending messages: the generation of this header includes a step counter which is increased (and rotated) with every message sent. Other parts include the date, time, PID of mutt, and $hostname. In a longer running mutt session, others can make assumptions

about your mailing habits depending on the number of messages sent. If this is not desired, the header can be manually provided using $edit_headers (though not recommended).

why does mutt do this shit

instead of generating a random number

cx2[m]: anyone that has the knowledge to become a device maintainer can easily get a very well paid job right now in the industry

but a full time job doesn't left you much free time for contributing

there are exceptions for sure, like university researcher, or talented people that can get a sponsor

or have fixed incomes

you cannot spend too much time on training and helping people to onboard on technical stuff because the risk of leaving later is high :/

true... but if someone has the abilitiy to at least do a menial, but needed task, then it's better than not. Especially for someone that already has a day job

I don't even know if that's a thing

cx2[m]: the problem is Daniel's time is very valuable and scarce

we should find somehow tasks that doesn't require time from him

Oh for fucks, sake.... I understand that... we ALL understand that.... that's where others in the channel that know what needs to be done, can help point those things out.

Solutions. Not more problems. I am, for one, do not have the background. But I am certain there is a way that I can assist. Given that criteria, I would expect someone to say, "Hey, cx2 (or anyone else for that . matter), go download and do this thing.... or modifiy this page..... or whatever"

I cannot help to much on this... I've just arrived

I'm going to need some help to debug some nasty bugs near soon

for the Pixel 3a

Ok.. are they from the developer side? or Production side.

> I'm deciding between the 3/3a ATM. Thought I'll ask

There's a device section on the sites. The main thing is the 3a has longer guaranteed support and the 3 has a much better camera in Graphene

cx2[m]: bluetooth and camera issues

There's no "possibly" about it. Google releases schedule dictates pretty much everything, haha.

If you're coming from a 6P or similar, the 3a is off the fucking chain in every way, and I'm baffled/unanswered as to what, for example, people are lacking when it comes to the "shittier" camera, lol

josh.man: Agreed... Pretty big fan of the 3a. Actually a huge fan. But the 3 edges it out a bit in my opinion.

That said, the the rear camera is the exact same across ALL of the 3a/3 series.... this includes the XL models.

<valldrac "there are exceptions for sure, l"> Or, Uni student looking for a co-op/internship credit in lieu of sitting in class learning MS Access or some whack shit, lmao

Danny@WorkOrderPro: The camera itself is literally the exact same... it's the software that's different.

Maybe someone can answer as to wether or not GOS takes advantage of Pixel Visual Core..... because if not? there is no different.

All of that said, can't go wrong with the 3a though. I would also add that the Spiegen Tough Armor case is one of the best looking/feeling cases I've used on any handset, and is a great compliment to the 3a.

3a XL seems good too

6" screen no notch

That one I can't attest to... I have the 3a and 3.... Was really tempted to spring for the XL, but for years I have been wanting phones to come back down in size a bit and the 3's in my opinion really hit the mark. MAYBE a touch wider would have been nice a la iPhoneXR-ish

twitter

my attempt so far at making mutt sane: paste.xinu.at/loYvJ

strcat (@freenode_strcat:matrix.org): so what's the whole problem?

Just buy grapheneos.cn yourself

If they can't even buy it

not buying a bunch of domains I don't want

They don't have a case against you

just bothers me they're trying to extort me

for money

Who

that "domain registrar" emailing me

The Chinese domain registrars do that to everone

They always bug me to buy calyx.cn but I don't want to do business in China anyway so...

Grapheneos website came up way before that

<strcat "that "domain registrar" emailing"> strcat (@freenode_strcat:matrix.org): but that's impossible

anupritaisno1: google doesn't even own all of the google.XXX TLDs... Including google.cn. its a redirect.

strcat (@freenode_strcat:matrix.org): I'm looking for documentation on Linux secure boot you got some?

Can't find it and need to know why the lockdown LSM is forced on secure boot

And how Linux does secure boot in general

because the desktop Linux people pushed a security theatre approach to secure boot that's meaningless

inherited from the legacy form of desktop Windows secure boot

It's garbage

I'd look at chromiumos for non android boot protection

it's very similar cdesai

the android one is actually more modern now with AVB

strcat: I figured, given all the other similarities.

but I guess what I meant was more you might be able to take that and plug it in with the rest of the linux stack

ChromeOS uses ugly TPM stuff

instead of the nicer approach of the Titan M

No you can't cdesai

cdesai: traditional linux distributions are incompatible with verified boot, sandboxing for all third party code, proper full system MAC, etc.

cdesai: the approach they take to the base system, updates, packages just doesn't work with that

can't just drop anything in

true

Porting Android to PC doesn't work since SELinux rules are not even remotely close to being decent. Wait for Fuchsia

not sure what you mean by that

BlissOS and Android-x86 have had a hard time getting anywhere with functioning security at all on PC with Android. I am not sure that's an option either

they approach it wrong

Android-x86 doesn't understand the security model, update model, etc.

they fork the OS and do a bunch of stuff counter to how it's supposed to work / required to work

AOSP runs fine on x86

They don't even get security patches out, at least BlissOS does that. However the no sandboxing is bad

ok but those are not AOSP

> AOSP runs fine on x86

Of course it's just a lot of work no?

and they are also not Android

<anupritaisno1[m] "Can't find it and need to know w"> They're tied together which is stupid.

rutxonboard[m]: no

rutxonboard[m]: you're talking about forks of AOSP which are *not* Android anymore

and trying to use that to talk about AOSP / Android

it doesn't make sense

You could just get AOSP to boot on a laptop without the level of effort they have to put into it?

yes

they don't know what they're doing and don't understand the OS or security

a lot of what they're doing is just reinventing it into something they're more familiar with and making it not Android

Interesting, I have tried doing some logging and selinux testing, but the whole system was designed like crap

AOSP runs fine on x86 and I don't know where you get the idea that it doesn't

rutxonboard[m]: that's not AOSP / Android

they're forks turning it into something totally different

see FirefoxOS/KaiOS as other more extreme examples

you're talking about a different OS and trying to apply stuff about that to AOSP - it's not correct

AOSP x86 support works fine

AOSP SELinux integration on x86 works fine

I didn't imagine it was that bad. I will have to mess with that, could be interesting. Writing SELinux rules are something I am comfortable with, but Android-x86 was so crap

AOSP runs on x86

don't use Android-x86

Thanks for correcting me

that's a fork that's not AOSP and not actually Android per CTS/CDD

it's like someone making GrapheneOS-arm64

rolling back a bunch of security features

making some weird installer

Interesting I really gave up too early I guess

<strcat "AOSP runs on x86"> Thanks, this is news to me also. SEO etc is ruining the web =\

GrapheneOS runs on x86

in fact I make prebuilt Vanadium for x86_64 to make it easier to build

no promises that it runs particularly well and doesn't discover assorted memory corruption bugs in mesa, etc.

but it runs

I have that built and ran that on an emulator. I never tried that on a real PC

07:15 <@strcat> paste.xinu.at/xVz look at these motherfuckers trying to extort us

I wouldn't even have responded tbh

Gotten those before for companies I've worked with in the past. Unless there's more to it it just goes in the "lol" box

strcat (@freenode_strcat:matrix.org): so how to do an aosp build and boot it off an emulator?

On x86

That'd actually be a lot of help to know where certain errors come from

<rutxonboard[m] "I have that built and ran that o"> Though bare metal might be better

anupritaisno1[m]: covered in the GrapheneOS build instructions

Though bare metal might be better

choosecombo release sdk_phone_x86_64 user

make -j20

and to run the emulator, just use the emulator command

that's it

AOSP sets it all up for you

/home/strcat/sdk/tools/emulator

er

Hi guys. Sorry about the delay and sluggishness - I'm experiencing a few uh... uh... "technical difficulties" involving graphics cards and Xorg and amdgpu not getting along (the usual suspects) and elogind and other various dumb stuff. I'll try to get back to anyone who pinged me earlier as soon as the darn computer's working again.

Mandatory Wayland reminder

Just kidding

Heh. don't know if that's tested and keyworded for my architecture.

Otherwise, I would want to give it a try.

strcat (@freenode_strcat:matrix.org): I don't think I have choosecombo. Is it included in your scripts?

no

it's an AOSP thing

anupritaisno1[m]: you need to 'source build/envsetup.sh'

Ah yes forgot

our envsetup.sh is just a wrapper around that setting some environment variables and enabling batch scheduling

instead of the usual interactive scheduling

batch scheduling uses long time slices

You mean the chrt?

yes

makes builds faster and disrupts interactive usage less

tells the kernel to optimize it for throughput, not latency

That's sensible

uses really long time slices and won't mess up interactive usage nearly as much

makes build faster while disrupting your usage less

worth doing

although if you run the emulator inside that shell you wouldn't want it...

maybe I should put it inside soong or w/e

What if I don't mind disruptions?

Because I build on a computer dedicated to just building android and nothing else

batch scheduling is still faster

if you use the normal scheduler it thinks it's interactive and keeps context switching quickly

to provide good latency

which is useless

wastes a lot of resources especially after all the CPU side channel mitigations

So do all children of that process inherit the scheduling change?

That process = the shell

yes

it could also be used to run make instead

the way I did it sets it on the shell you use to run it

chrt -b -p 0 $$

the alternative would be

chrt -b make -j20

might be better to suggest that, think I will

chrt -b 0 make -j20

or teach soong or w/e to set it

strcat@thinktank i ~ master % bash

[strcat@thinktank ~]$ chrt -p $$

pid 225914's current scheduling policy: SCHED_OTHER

Hey strcat, could I poke you for a sec (about GrapheneOS)

pid 225914's current scheduling priority: 0

[strcat@thinktank ~]$ chrt -bp 0 $$

[strcat@thinktank ~]$ chrt -p $$

pid 225914's current scheduling policy: SCHED_BATCH

pid 225914's current scheduling priority: 0

JTL: yes

And then he never asked

Hello ladies and gentlemen

<mrxx_0[m] "Hello ladies and gentlemen "> mrxx_0: no

anupritaisno1 ?

<mrxx_0[m] "Hello ladies and gentlemen "> I sexually identify as an arch user. Please use the proper pronouns.

mrxx_0: this is the hardened chat

There are no gentlemen here

<madaidan[m] "I sexually identify as an arch u"> You're a pacman

arche/archim

Zenithium: I use arch btw

<anupritaisno1[m] "There are no gentlemen here"> But how is it hardened then :(

To be honest there'd be many arch users here

Installed on blueline and relocked oem+bootloader

Because that's the only distribution to ship the hardened kernel officially

But the "your device is booting a different os" stayed. That normal, forever?

TheJollyRoger: crack open a cold one for the boys

Hey were should I look to start Android ? I am frustrated by my lack OK knowledge on the platform

Finally installed on blueline and relocked bootloader/oem but “your device is booting a different OS” stayed

Is that normal to have forevah?

anupritaisno1[m]: arr!

bseeinu[m]: yes, that's normal and that's a good sign!

By reading

<anupritaisno1[m] "Zenithium: I use arch btw"> I also use arch btw

You shall go to the Himalayas for 10 years

Under a waterfall

<anupritaisno1[m] "To be honest there'd be many arc"> Strcat is an arch user

You shall read android and Linux kernel documentation

Then come back and learn programming

If you see that yellow warning sign, that means that the Verified boot is on and enforcing, and it's not loading Google's operating system, but one that's been signed by a different key -- but that it has been signed.

Nice, I love good signs. Seriously though? :D

<madaidan[m] "Strcat is an arch user"> madaidan.: everybody use arch

You should visit attestation.app and try the remote auditor.

*remote attestation.

That'll allow you to prove that the root of trust is legit.

Ok cool, thanks for that

TheJollyRoger: let's steal Google's key

As long as you see that yellow warning screen, you are good. It's if that screen turns *orange* that you should start to worry. If that screen ever becomes orange, your bootloader has been unlocked and the verified boot has been disabled.

I'll read that, hpping I don't need anything mounted on a server or other android phone :)

<anupritaisno1[m] "TheJollyRoger: let's steal Googl"> Replace all OSes with GlassROM

Oh I can put that on a 6P I Guess

bseeinu[m]: all you need is another device you can trust that won't lie to you.

*that you can trust not to lie to you.

The operating system running on the handset can lie to the display, but the operating system can't lie to the hardware-backed keystore and remote attestation.

Took 12 days to arrive but it's a new Pixel 3. Finally

I love the Pixel 3!

Just for the camera and wireless, I have wireless chargers everywhere since the launch of iPhone X

Bit of trivia you may find cool about Auditor: some rootkits (like magisk) are capable of lying to Android Debug Bridge, but Auditor can catch them red-handed. It's really neat.

uhuh

nice

IPhone bad

TheJollyRoger: magisk bad

Worse than iPhone

Agreed! >P

*>_<

"Yeah let's just break the entire android security model, what could go wrong?"

<anupritaisno1[m] "IPhone bad"> is this an ironic statement I just can't tell

When I see magisk in logs

Now I have to convince everyone that my green bubbles are not the end of the world

shred -r log.txt

bseeinu[m]: just uh... be very careful with the Pixel 3 and water. I know that Google advertises the Pixel 3 as "IP68 2m water resistant" but the USB slot is the weak point. Exposure to water repeatedly will likely kill the USB slot and the wear and tear on the USB slot is not covered by warranty.

I learned that $150 lesson the hard way.

TheJollyRoger: just open the phone

Water resistance gone

Wow 150?

I wouldn't pay more than $30 for that garbage

nicer place to do it

`> 12:56 <@strcat> although if you run the emulator inside that shell you wouldn't want it...

Heh. Noticed that myself

<bseeinu[m] "Now I have to convince everyone "> Convince everyone to use signal....

cx2: no

Bad app

They do not allow custom builds

They are unfriendly towards open source

The app forces you to update

Analytics are forced

Signal is just an open source WhatsApp

anupritaisno1: Given that it's most likely to have the widest adoption, and most of my circle, and even extended circle are more likly to use Signal than anything else? I'm going to have to disagree.

cx2: telegram would be a better idea, yes

What's wrong with matrix?

Both of these do not do the bs signal does

<anupritaisno1[m] "Signal is just an open source Wh"> Maybe.... but try to backup WhatsApp.... For one, you can only do so to google drive. What's worse? The openly tell you that not only is it getting backed up to Google Drive, but it's going to be backed up **unncrypted** to Google Drive.

I should probably update it to start using `m` instead of `make`

cause it doesn't actually use `make` anymore and that just goes through a totally pointless thing

Just add a redirect

I thought it did?

<JTL "I thought it did?"> No

Uh okay

We also have idiots who say mka is a thing on Q

Even though it's just an alias to m

And then there's custom build targets for no reason

and passing -j is pointless now

since it's not used anyway

does that itself

m dist target-files-package

don't usually need dist

strcat (@freenode_strcat:matrix.org): huh

Seems to work here

yeah but don't usually need that target

makes a bunch of pointless stuff

just do target-files-package alone

Maybe that's a lineage addition

But just m uses 6 threads and -j does allow me to control how many I want to use

Yeah I just find it convenient the file name is constant

It does?

I've only ever seen it be like Dist: out/dist.... for 3 seconds and done

for debug builds I would just use `m`

And yeah I also keep otatools

not a specific target, don't need target-files-package

Maybe I should remove that

debug builds -> `m`

release builds that will be signed -> `m target-files-package` and then a release signing script

That's a remnant from when brotli was being a mess

And bro wasn't a thing

Is brotli fixed now BTW?

Or does it still throw file not found

is what fixed?

the modern command is called brotli

there are no issues with it now

Oh boy, swipe gestures for navigation and dark mode are two simple things that make the UX experience coming from iOS much more bearable

Especially gesture navigation. After almost 3 years on iPhone X, it's hard to go back

It's annoying that the white line actually occupies the screen up to the edges; it's still a bar. I like it better on iOS.

It actually takes up barely the speaker witdth on mine..?

<anupritaisno1[m] "They do not allow custom builds"> That's bullshit. They do allow custom builds. They just don't like random forks piggybacking off their server.

madaidan[m]: ^^

I've seen no evidence of client or account bans for third party clients/builds

Just a bunch of vague hand waving and some fuss on GitHub

I need a Spotlight replacement :D

bseeinu[m]: The white line has only speaker width. Take a closer look in different apps.

The bar still takes up the whole screen width.

Yeah exaclty, at least in dark mode it;s basically like iOS except that on blueline the device is not all-screen

madaidan[m]: True, I've never an issue with my Signal fork

Is it advisable to use adb to uninstall a app ? It wont uninstall otherwise either from settings menu or the app info uninstall

Signal is not community driven... they just published the source code. But regarding custom builds, they don't want people making business on top on their infrastructure. Just that

I think the hostility towards the community is somewhat short sighted

Obviously we can't have anarchy and merging in PRs from random folks unaudited monkeying with cryptography code, but the status quo isn't ideal

especially when looking at what they bring to the table

cx2[m]: what do you mean?

Loki will use an onion-routed version of the Signal protocol, but won't be cross-compatible with the Signal Foundation infrastructure. We'll have to see how Loki turns out. It could be really good.

It's a good concept anyway.

an application that makes it harder and harder for the average consumer to say no.

Ive successfully got most of my family on it now.

cyborgninjaneer: Loki is now "Session".... it's a bit rough at the moment, but I have it

Well, I'm not referring strictly to the messaging app. The whole network and the currency is a nice concept.

052b524d8ccbcd29e68169ecb84a43ccee2334b42f1e138e5e92774f8a1e107020

Oh, is that your Loki public key or whatever?

right

I'll get session when it's on Fdroid.

Michael Bazzell interviewed these guys not too long ago

<cx2[m] "Michael Bazzell interviewed thes"> They also had a presentation for Session in some sort of convention when it came out day one.

also, you should read getsession.org/wp-content/uploads/2020/02/Session-Whitepaper.pdf

there's many things that haven't been implemented yet

on paper it looks good but right now I wouldn't use it as my form of direct messaging

right, the routing protocol is not working yet

no not at all. But it could be pretty slick in the not too distant future.

<bseeinu[m] "Now I have to convince everyone "> 80+% of the world is on Android, fuck your social circle, honestly.

I'll forward that to my mom

😝

Forward a 3aXL to her instead, preloaded with m.facebook.com pre-logged in, and a Riot account with a direct chat to yours. Worked for me!

Oh i do like that Idea

She has signal actually :)

Theres been some chat over the months about setting up a community wiki.

For GrapheneOS

I'm thinking I'd like to do this

Somewhere for community to work on documentation - some of which could maybe end up on grapheneos.org Also somewhere for other stuff thats less likely to be suitable for inclusion there.

Anyone got any thoughts

Particularly strcat

I'd be very happy to share admin of the wiki with other long term members of this channel/community

Alternatives to reddit could be Lemmy, or even Discourse.

Discourse has extensions for Kanban/tickets

dazinism: Talk to JollyRoger, he's done the most preexisting work there

JTL: yeah, done that, TJR is up for being involved

Alright

My fear is we're going to have multiple seperate projects with the same goal but different people and duplicated the work involved

I might discuss with him some more later

<JTL "My fear is we're going to have m"> What you mean?

Working on community space for GrapheneOS

Or multiple projects, GrapheneOS & other similar??

I mean without coordination other people would start a documentation/wiki project and have twice the effort towards the same goal

Well I guess thats part why I mention it, to start coordinating with folks

Of course

I often work on projects with open organizing groups

Of course

JTL: I remember some chat some months ago, but nothing materialized.

Yeah okay

I might have some more discussions with JollyRoger later

Is anyone still working on anything?

Jolly has some public drafs

drafts