strcat: is there anything I can try testing out in the development branch to help out with? i checked the issues and didn't see anything new?

* strcat: is there anything I can try testing out in the development branch to help out with? i checked the Github issues page and didn't see anything new.

should I just try syncing again with the changes and troubleshooting from there?

wow, my ovh vps just went kaput

for a good 6 hours

no outage notice, nothing

thats horrible

sorry #

* sorry renlord

renlord: Which location?

SGP

That's a more recent location

and knowing how OVH works, that doesn't surprise me

I seem to recall hearing of similar issues when OVH's Quebec location was newer

cant even do a soft reboot in the panel

and there's this banner sayting my vps is being upgraded when i didnt even ask for an upgrade

and they didnt even announce maintenance or anything

ffs

aeonsolution: it's thoroughly broken

and yes I need help

always do

lots of people

nice

how do i get a arch user cloak?

ask the right people

not sure they give them out anymore though but i could be wrong

strcat: got it, I'm "Extracting vendor files for Pixel devices" step

aeonsolution[m]: there's like 74 pending issues

Sorry, I wasn't being clear renlord. I understood the message as something broke when the changes were pulled into android-prepare-vendor

so i looked for new issues on the os-issue tracker or android-prepare-vendor repos and didn't see any

no

something broke in general

the cause is not known

there are already problems even if something hadn't broke recently

I said I would be rolling back recent changes since the past release

noted, thank you for clarifying

if there were other people working on the project someone would have noticed the dev branch wasn't working for a while

i was able to build 10 for the pixel 3a over the weekend, I can't build it now

it still builds fine

and maybe you built it but did you TEST it?

i didn't do the CTS tests, I started trying to rebuild the dev branch today

did you flash it and use it including connecting to a network?

aeonsolution[m]: it still builds fine

i did flash it, but i didn't connect to a network

there hasn't been any issue like that - just means you're doing something wrong building it

instructions are the same, code is the same

if it doesn't build now it's you doing something wrong

if there's an error, there's an error message

TheJollyRoger: ping

valldrac: I think your VPN lockdown change is broken when there isn't a VPN

let me restart then; it doesn't error out, this just doesn't work now: `mv vendor/android-prepare-vendor/sargo/QQ2A.200501.001.B2/vendor/google_devices/* vendor/google_devices/`

I don't know what you mean by doesn't work

renlord: ahoy! Sorry about that. I've been away from the PC a lot today >_<. What can I do for you...?

if there's an error there's an error message

I haven't had much luck with Protobuf yet unfortunately, still fighting with my computer.

mv: cannot stat 'vendor/android-prepare-vendor/sargo/QQ2A.200501.001.B2/vendor/google_devices/*': No such file or directory

ok so you did something wrong there's no directory there

(cue that gif of Chris Benoit jumping off the top of the cage to try to headbutt Kurt Angle and instead crashing onto his face)

the build instructions work and they're the same as before

you're just doing something wrong now - do what it says and it'll work

kk

you shouldn't need to run android-prepare-vendor again if you already had the vendor files for the build id but it WILL WORK if you do it right

Got it. I'm just missing some dependencies, it seems. Think Python's being picky about google.protobuf and I'm not sure where that's hitting an error so I'm going to try it on a different OS.

TheJollyRoger: I should be working on a public "container" setup or something for building GrapheneOS within the next 10,000 days

:D

^_^

it's not really that many dependencies

Right now I'm thinking if I can build it in a KVM virtual machine, what if I posted the QEMU image somewhere?

if people can't get it to build I don't expect them to be able to help

building it is the easy part

Sorry. I'm trying, I'm trying >_<.

is the protobuf issue related to removing python2 as a dependency?

TheJollyRoger: did you switch to Manjaro

i can help look into that

aeonsolution[m]: sorry, not yet. I've been out all day >_< and getting back to work on it now. I tried a few other combinations with Fedora but no success yet, so I'm going to move the VM image.

strcat: do we track aosp_alliance avp now as upstream?

renlord: yes

ok sweet

i guess the only missing bit is finding a FT maintainer for the pixel4 kernel?

for supporting pixel4?

more than the kernel

window of opportunity for Pixel 4 / 4 XL / 4a support is closing though

oh? but cdesai and danv now use sources available in the aosp tree now for things that already exist in the aosp tree though

can't add new devices so close to Android 11

renlord: not all things

just some

renlord: I'm uh... I'm not sure what it is. I've got the error message here: jollyrogers.ca/public/protobuf.txt . I later tried uninstalling `google`, `google-cloud`, and `protobuf` and then installing them system wide as root. I cleaned out the tmp directory and that fixed the out of space error.

you don't need anything called 'google' or 'google-cloud'

ImportError: No module named google.protobuf

the google namespace exists when you install protobuf

there's the error

you don't have protobuf for the python being used to run android-prepare-vendor

supposedly, but not since the latest debian package

TheJollyRoger: the main namespace of a python package != the package name

OH. Oh wait so... so it's using the wrong interpreter, not finding protobuf, and then erroring out? Like using 3.7 when I have 3.8?

TheJollyRoger: and you have the wrong one that's why it doesn't work

TheJollyRoger: android-prepare-vendor uses python2

whoops, maybe i jumped ahead of myself

I... oh. Th-th-that... that explains a lot...

i thought you're trying to remove python2

py2 should just go away

it is

it's dead

projects using it need to move instead of using a dead project without security updates

Agreed

The writings been on the wall for a *long time*

there is python3-protobuf

AOSP has moved already just not retroactively for existing releases

renlord: yes the issue is android-prepare-vendor

not that

should probably look into avp to see if can just patch it

So now all I gotta figure out is to find protobuf for python2 and install it... let's see..

just install a distro package for it

it's a common package

python2-protobuf

on ubuntu

there are not that many build dependencies

fewer than most small projects

fewer than a typical rust project lulz

android-prepare-vendor itself has some prebuilts to make it easier

strcat: did you have an opinion about cargo when you were a rust contributor?

wasn't a fan of it or the people who made it

pretty hard-wired into the existence of it now

i thought so

Hmm. Looks like we might have to rule out Fedora 32 for building until AOSP fully depreciates python2. Fortunately, for the one month I have left I think I can just spin up 30...

yeah

TheJollyRoger: this isn't a dependency of AOSP on python2

android-prepare-vendor isn't AOSP

Oh.

i forgot to turn on my swap lol

nice

XP Oops

I'm just backing up the VM image and then switching it over to Manjaro.

nice, let me know if you need anything

Thanks! I'll use your package list, hopefully I should be able to get everything set here. I think if this goes well I want to publish the VM image somewhere.

manjaro is really difficult to use

Well, heh, looks like I'll be getting this headfirst XP.

how so?

BrokenCog: I've never used Arch or any sort of Arch-Like system before. Hopefully it shouldn't make too much difference in the end though.

I was wondeirng why renlord said difficult to use ... I think you'll be fine.

Whew.

its way harder than archlinux

and probably linux from scratch

i dont even know how to use it

the community also consistently provides the wrong advice and insecure methods to solving problems

Ok like... I had to read a little bit about LFS to understand the theory of what I was doing when I set up my system because we didn't have everything available at the time but like...

that was like...

its arch with an installer? he's just using it as a vm not his main os

If it's gonna be harder than THAT aaaaaaa

archlinux is so easy, you can install without a fkin installer

Didn't they just tell people to roll back the clock when a certificate expired?

</snark>

i dont even know how to use the debian/ubuntu installer

do you have a script you can share?

renlord: I still remember the time I installed Gentoo on an old Pentium M laptop about 10 years ago

Forgot to compile in the IDE driver

aeonsolution[m]: what script, its just arch-chroot, pacman -S base done.

lol

...oh good gravy

recovery is so easy with archlinux also

is arch-chroot a package?

let me check this out

OK whew. As long as I can get ssh into the VM then I'm fine.

Should be able to take it from here.

should come with the bootable usb

but you can install it also

arch-install-tools or something

I left the keymap as "US" so I don't want to bother using it much more than I can, typing in QWERTY feels like walking around with your pants on backwards...

when asking for help in manjaro, it always involves steps that require you to bend over backwards

Oh good gravy.

and does not even solve the underlying issue at the first place

renlord: Sounds like your describing Debian/Ubuntu people

i remember someone telling me one scenario -- cert expiration, they ask you to rollback your OS clock

sadtrombone.com

wtf

renlord: Yes that's right

(as in the event)

does anyone happen to recognize this error:

FAILED: ninja: 'external/vanadium/prebuilt/arm/TrichromeChrome.apk', needed by 'out/target/product/generic/obj/APPS/TrichromeChrome_intermediates/package.apk', missing and no known rule to make it

BrokenCog: the prebuilt should be included

via repo sync?

when "m target-files-package

starts I get this message:

external/vanadium/Android.mk was modified, regenerating...

and then that error at the very end.

i think so

yes

they are included

renlord: how long does it take you to setup arch linux from scratch?

strange that repo sync didn't pick it up.

a working copy?

probably 5 mins?

then clone my dotfiles, pacman -Syu pkglist.txt done

probably all up and running by 30 mins

you know all the steps to partition from memory like that?

Heh, "Arch Linux From Scratch" XP.

I struggle to set up a Stage 2 :P.

Er, Stage 3.

btw nytimes is officially dropping third party advertising / tracking... since they are moving to first party advertising / tracking and explicitly selling the user data they gather, lol

you don't get ads if you have a subscription.

Ha, well I guess that makes sense...

>_<.

I'm just imagining trying to reproduce Arch using LFS and I'm like "oooooh baby, that's for folks braver than I :P"

strcat[m]: heh I saw that

BrokenCog: which just makes it even easier for them to track you

not seeing ads != not being tracked

especially since the nytimes does first party data collection / profile building and then sells your data (so they are worse than facebook)

it's a different type of tracking, true.

not a different type of tracking

it's more thorough and integrated

sure

the type of data valuable for resale is predicated on the data being useful for marketing/profit. If ad's aren't being placed, then the commercial benefit of tracking a person falls to zero. as long as we like free services (aka: services paid by ad revenue) then we'll have our marketing relevant data tracked and sold.

this is part and parcel of a Consumerist based economy, but it crosses over into security, privacy, politics, etc.

the data is definitely valuable without ads and blocking the ads doesn't mean they don't record and sell it

aeonsolution[m]: disk partitioning?

not sure how you can claim that the commercial benefit of tracking people is zero without advertising

<renlord "aeonsolution: disk partitioning?"> yeah

ya, just use fdisk?

then mkfs.(type) partition?

i know the steps, im just want to point out that it may not be realistic to tell people to do that

renlord: the apk is present: ./grapheneos-10/external/vanadium/prebuilt/arm64/TrichromeChrome.apk

its an unnecessary barrier to development for some

BrokenCog: did you set to the correct device?

an arm64 device?

in choosecombo

so, choosecombo: TARGET_ARCH=arm but sync only pulled the 64bits. okay, that explains the missing file. need to figure out what happened with sync.

thanks.

we dont ship arm prebuilts

sorry

only arm64

arm64 and x86_64

if you want 32bits, you have to build your own

then copy into that directory

wouldn't expect them. what was the last Pixel 32bit?

did pixel gen 1 use armv7?

don't know. never messed with pixel until this one.

3a

3a supports 64bit, why do you even bother with arm?

just use arm64

choosecombo release aosp_sargo user

close your shell and start again

$ source script/envsetup.sh

$ choosecombo release aosp_sargo user

I wasn't choosing arm. tha'ts what I need to figure out. How did choosecombo get something different.

ahhh.. mistype. Not figure out what happened with sync. what happened with choosecombo.

there was never a 32-bit Pixel

well, there you go.

Nexus 5X and 6P were 64-bit, as was the Nexus 9 from a year before those

Nexus 6 was the last 32-bit Nexus phone

GrapheneOS never supported the Nexus 6 officially

so the Nexus 5 was the last 32-bit device for it

which was also the initial device

BrokenCog: why are you building for 32-bit arm is the real question

we have arm64 and x86_64 prebuilts for Vanadium

you can build it for 32-bit but there just isn't a good reason to do it

I never claimed to be making 32bit nor asking for.

choosecombo claimed it. not me.

Authentication-Results: mail.grapheneos.org; dmarc=fail (p=none dis=none) header.from=gmail.com

renlord: opendmarc passes through mails that fail

It might take some time for rsync to copy everything back to the VM... really glad I don't have to completely set the whole thing back up again from scratch.

even though it's set to reject

wtf

I don't really recommend using a VM just more things that can go wrong

build with a normal setup first

install / build docs list officially supported distros where it's known to work properly

and the instructions are pretty painless, I regularly test them

yeah, opendmarc doesnt work very well

even opendkim exemptdomains dont work well

i exempted the linuxfoundation mailing lists but its still rejecting them

renlord: remember it's for FROM addresses

it's not for mail servers

it doesn't exempt their server

so you'd need to whitelist every address of people using broken mailing lists

the FROM address is the mailing list address

it's really up to them to NOT use broken mailing lists forging emails if they do

renlord: and they don't do dkim properly?

from *@lists.linuxfoundation.org

i suppose not

lol

i dont keep bounced emails

strcat: okay :(. Got it >_<.

why can't you just build on whatever your normal OS is

because if your host machine is involved with X number of projects, with conflicting library/versions/firmware/configuration overlaps, it becomes impossible.

there are hardly any build dependencies on the host

Crap. Well, I'll go and try to find python2-protobuf for this thing.

hardly. but a few.

THat's the only thing that this thing is choking on so far.

AOSP builds in a sandbox with namespaces and doesn't leak that much from the host

TheJollyRoger: what distro?

If not though, I've got one more 1TB SSD left, and I can just throw Debian Busted-- uh, sorry, I mean Debian Buster onto this thing.

Gentoo. T_T

and you can build in your own container too

there is no good reason to make things so complicated

stop making things overcomplicated as step one

follow the instructions as written

Okay!

there was a time when GrapheneOS releases were not available, just sources

and many people including many non-programmers built it successfully via instructions inferior to what's there now

the instructions are far better now and there are *far fewer* build dependencies

i just use a container now

so i dont need all the extra baggage on my host OS

not that its alot to begin with

just make a fresh arch container (pacstrap -c build base)

only setup I did is enabling/generating en_US.UTF-8 locale and making a grapheneos user

step one installed repo, python3, git to init/sync

there it goes

can literally copy-paste the 4 sync commands

I have fiber so it goes pretty fast

i just use the debian buster image

renlord: I just install arch-install-scripts and use pacstrap -c dir base

renlord: it uses your existing package cache and mirrorlist

renlord: then, systemd-nspawn -D dir, do the setup as root

then switch to the non-root user

but your host package cache shouldnt have the build dependencies at the first place?

I mean it uses your host package cache for pacstrap

i see you use lxc directly

i still use docker

why does it matter if not everything is there

renlord: systemd-nspawn isn't lxc

could use something else but that works directly with an OS tree

nothing special

could also use debootstrap if you wanted debian but this is faster and I don't have to deal with debian

what's the size?

600M for base but you don't really need all of base

<renlord "i just use a container now"> Is your container's creation script anywhere?

don't need linux, etc.

DannyWorkOrderPr: no its in my local

pacstrap -c build-tree base python3 git gcc binutils bc diffutils freetype2 ttf-dejavu m4 rsync unzip zip signify

and install ncurses5-compat-libs

and the lib for android-prepare-vendor

it's pretty straightforward

<renlord "Danny@WorkOrderPro: no its in my"> What I mean is, would you be willing to share a script to make your Docker environment, a la DockerHub or whatever hotness is these days?

we could rebuild the renderscript clang to avoid the ncurses5 dep

you don't need some fancy environment

the build environment is not complicated

look at what I just posted

DannyWorkOrderPr: i can probably submit a PR for it, but its quite basic

Okay!

but just use strcat's systemd-nspawn approac

either make an arch (pacstrap) or debian (debootstrap) container and systemd-nspawn

if you really want to build in a container

you need a dozen packages, that's it

if you want to build how I build use pacstrap

since people always want to do that for some reason even though the build requirements are really minimal

alright it finished syncing a while ago

building bonito kernel

til, there's a slub and slab allocator

<strcat "if you really want to build in a"> I'd really like to be able to script setting up the environment, one way or another (Docker popular for this) so I could switch to new hardware regularly with minimal friction

always thought they referred to different type of data structures

DannyWorkOrderPr: script/envsetup.sh does setup the environment

and choosecombo too

<renlord "Danny@WorkOrderPro: script/envse"> Dope, thanks. I need to take a closer look at the instructions. Only page I haven't read every single bit of, yet.

is openprivacy.ca a credible research group?

(on GrapheneOS.org)

renlord: Based in Western Canada

i figured out the issue, i didnt lower case the build id in the mv command

im building now

renlord: What exactly are you concerned with?

just curious

i want to say that the envsetup script, would lowercase the build_id before

no

it's android-prepare-vendor that lowercases it

for the output

but you can just autocomplete it anyway

right

thank you

Little wallpaper :)

(From Techlore video)

Techlore banned me I think. I didn't even say anything probably since I'm in the pro security gang

<cyredanthem[m] "Techlore banned me I think. I di"> Wut ? From his irc ? Because he has a telegram channel too

The matrix group

I dunno

Update so far: if tried to reach out to purism two days ago regarding severe security issues with their librem.one service

blacklight447[m]: What now?

So far, i have yet to get any response whatsoever

Can't say I'm too surprised since it seems Purism scared off the actually competent people from working for them

<JTL "blacklight447: What now?"> Their email server fails minimum security requirements

Right

They dont support dkim and dmarc, making it super easy to spoof

Unsurprising really

JTL: I noticed they don't have authenticated encryption for TLS (no DANE or even MTA-STS), DNSSEC, DKIM/DMARC, etc

That doesn't surprise me :|

they call crappy opt-in, optional GPG integration 'bleeding edge' encryption lol

They don't have dnssec, dane or mta sts, making it damn easy to mitm and force them to send all mails via unencrypted smtp

GPG is a joke and they don't even do a good job of it

I've noticed

and it barely covers any emails in practice

Their starttls policy has some weird choices

it has some outdated SSL3 protocol enabled

for TLS1.2

weird stuff

Like who the hell uses/allows TLS_DH_ANON

Not me

blacklight447[m]: dunno never seen a setup like that

it's pretty weird

I guess thats what you get when you just slap Debian on a server and follow random guides from the internet? :P

strcat how did you start in security and android ?

bare minimum is MTA-STS + DKIM + DMARC quarantine + SPF + inbound DMARC enforcement

making it good requires more work including DANE - both inbound and outbound, and other things

Lmao, the only thing they did correctly is configuring spf

and ofc keeping things properly is part of that baseline bare minimum

blacklight447[m]: SPF without DNSSEC is not correct

But as they dont do dnssec, they can be completely subverted

and you have to put an SPF record for every A / AAAA / MX record

every subdomain needs an SPF record

it doesn't apply to subdomains

Right

lets say you have bar.com with an SPF record at the top level

Heh, didnt even notice that one

but you have a.bar.com, b.bar.com, c.b.bar.com

well, someone can send fake emails from all 3 of those bypassing SPF

since SPF only applies to top level

and without DMARC, SPF is basically useless anyway

it's not enforced in practice even with a hard fail policy

I see

and if it's not a hard fail policy *and* no DMARC... it's even more useless

soft fail doesn't matter if you use DMARC since it's DMARC doing any enforcement

But yeah, im just gonna try and reach out to them via some other channels

but I think it should be hard fail just so SPF alone provides basic protection - but it's annoying cause you have to add a record for each A / AAAA / MX record

every single subdomain needs an SPF record

If i don't get any response, an article on privacytools is going up exposing their wrong doing

if you have CNAME record, that DELEGATES to where it points which is problematic

the place it points needs an SPF record

They claim security, therefore atrracting folks with high security models to their service

blacklight447[m]: I mean as far as I'm concerned that's their overall approach to EVERYTHING

they are scammers imo

Good luck getting "random vendor" to proeprly setup SPF record for their CNAME

But as they lack these minimum security requirements, they are truly endangering people

they never gave a shit about issues I reported to them

JTL: yeah best to not point CNAMES at anything to avoid delegating

I wonder if they realise the magnitude and impact of their terrible decisions

JTL: so for example bing webmaster tools for some reason uses a CNAME record to verify

instead of a TXT record

it's dumb

strcat: Like I've mentioned, the actual competent people left or were fired over a year ago so I'd expeect nothing from them

instead of making _bing-webmaster-tools.site.com TXT record

strcat: that is so dumb

they have you make

adsgjsdalgjls9482yt894ygpwernjserjioghr23490.site.com CNAME pointing to verify.bing.com

makes NO SENSE

<strcat "JTL: so for example bing webmast"> But... Then you completely fall outside of the spf standard right?

As far as i know, it needs to be a txt

blacklight447[m]: this is not tied to email

just how they verify ownership of a domain for bing webmaster tools

blacklight447[m]: the issue is that if you have a CNAME pointing elsewhere

it *delegates* SPF to them

blacklight447[m]: so there will be a lookup of where it points

to see if they have a TXT record

for spf

blacklight447[m]: which bing does not have on that subdomain

Aaah

blacklight447[m]: and even if it did I don't want to delegate trust to them like that

fair

blacklight447[m]: also by default with normal DMARC

blacklight447[m]: it uses relaxed SPF and DKIM enforcement

if you don't opt-in to strict

with strict they can only send mail as adsgjsdalgjls9482yt894ygpwernjserjioghr23490.site.com

blacklight447[m]: i.e. despite having DMARC bing can send email as you since you pointed a CNAME at them

but without STRICT policy for DMARC

they can also send email as site.com at least for SPF

;; ANSWER SECTION:

_dmarc.grapheneos.org. 3600 IN TXT "v=DMARC1; p=reject; adkim=s; aspf=s; pct=100; rua=mailto:dmarc⊙go; ruf=mailto:dmarc⊙go"

blacklight447[m]: adkim=s; aspf=s makes it strict

blacklight447[m]: anyways important to understand how *fucked* email is

blacklight447[m]: running an email server securely requires a fair bit of knowledge / setup

postfix is the best way

mail provider can almost never do strict enformcenent for dkim

their users will miss out on too many emails

for inbound especially.

<strcat "blacklight447: running an email "> Fun fact, im a guy barely out of college, but im giving you a fair bet that if i were to run an email service, it would have been done way more properly then purism has done now

renlord: DMARC deals with that

if they say reject you should reject

renlord: opendmarc doesn't work properly tho

I need to figure that out

ya, but people say reject when they dont mean to

lol

Its like they threw up a digital ocean droplet and bought the librem.one domain

broken dmarc policies everywhere

blacklight447[m]: pretty much

blacklight447[m]: and put some insecure mail server + put SPF record for top level domain

no inbound SPF/DKIM/DMARC enforcement

no DKIM/DMARC for their mails

and opendkim ignores dmarc no? if there's a invalidated dkim signature, it'll just reject

improper TLS setup

And never dealt with any proper configuration, and called it a day

lol

no TLS authentication (no MTA-STS, no DANE)

no DNSSEC

I bet it has more issues than this

this is just the surface of it

"We did it guys, we now have a secure email service"! (Just only pray and hope nobody actually tries to audit us)

secure email is tough to pull off, because your neighbour MTAs might not even co-operate with you

decentralized network yo

Email is stupid and should never be used

Do you think they even update their server properly?

renlord: you don't need to enable reject for opendkim if DMARC is properly implemented

cause basically

I'm tempted to go Gmail I trust them most to not fuck up security

the DMARC implementation is supposed to reject if the policy is reject

<renlord "secure email is tough to pull of"> Yeah, email is as secure as the weakest link in the chain

strcat: does your opendmarc work to expectation?

renlord: DMARC adds alignment checks + enforcement for SPF and DKIM

renlord: kinda

it fails when it should

passes when it should

but...

havent had a fail case so far

it does not reject emails it's like it ignores my configuration

for dmarc

renlord: if DKIM fails, DMARC will fail if there is a DMARC policy, etc.

same for SPF

renlord: btw DMARC needs *either* SPF or DKIM

I dunno if there's a way to make it force both

shouldnt it be both?

renlord: I think it requires that EITHER is valid

and aligned to the FROM address

If one party fucks up, all is fucked up

Question: if two mail servers sending email to eachother both have dane and starttls, and spf configured, would dkim still be of much use?

blacklight447[m]: well DMARC is mandatory

you need DMARC + SPF or DMARC + DKIM

I mean if mail is sended over tls anyway, any alterations will turn to email into jibberish right?

blacklight447[m]: but someone else can send mail *as you*

blacklight447[m]: DANE and MTA-STS are enforced by the MTA sending mail

blacklight447[m]: the server never validates the client with TLS

I see

Email is so very dumb

Good point

there is no client cert

DANE / MTA-STS don't let the server receiving mail check client

the only check for the client is SPF / DKIM

and someone could fake a connection from you and bypass SPF

I was only considering the "proving the email has been altered in transit" part of dkim here

email is FUCKED

blacklight447[m]: I've been thinking that it may make sense to only use DKIM + DMARC instead of SPF + DKIM + DMARC

<cyredanthem[m] "Email is so very dumb"> What did you expact, its a protocal from the 80s

blacklight447[m]: but some places may enforce SPF but not DMARC

so...

that would be bad

Its like trying to make sms secure, its almost impossible

blacklight447[m]: but afaik DMARC enforces having EITHER valid SPF or DKIM

and SPF is not very secure

School supplied email. Gmail for anything government based. Outlook for anything work related. Fuck off if you aren't one of them

<strcat "blacklight447: but some places m"> So, basically, its just like with choosing to support dane or mta sts

Dkim with dmarc is fine

But as some folks may not support dkim, we better support spf as well

ok i changed it around again

i'll let dmarc do the rejecting

blacklight447[m]: DANE / MTA-STS is authenticated encryption - avoids leaking message or tampering with it along the way

Similarly, dane is better, but some folks only do mta sts, so we may better support that as well

the testing flag does not even work properly in opendkim

it just behaves like reject

blacklight447[m]: DKIM is authentication for the message but without a way to mandate it so someone could send a non-DKIM signed message which would at best be a spam signal for a spam filter

AT BEST

blacklight447[m]: SPF in hard fail validates it APPEARS to come from a certain IP address

<renlord "it just behaves like reject"> Its a but buggy in my experience as well

but that's not secure vs MITM

DMARC enforces that either SPF or DKIM matches the domain and is valid

I want a way to force both but I don't think that is supported

Makes you wonder why though

strcat: if you want both, you can always tell dkim to reject bad signatures

Seems like such a straight forward thing to support

renlord: DKIM is not mandatory

sure, then emails without dkim will fallback to spf checks only using dmarc

renlord: I have SPF enforcement (rejects hard fail, tempfails failure to get policy, etc.)

note: only rejecting bad dkim signatures

and DKIM enforcement

and DMARC enforcement

Then again, even if you find a way to set your dmarc policy to require both, you need other MTA s recieving it to actually listen to it

but DKIM is not mandatory - there isn't a record saying 'must be dkim signed'

and DMARC allows either SPF or DKIM - doesn't force both

so I am concerned that someone able to MITM can send spoofed mails with 'valid' SPF

hmm

strcat: do you mean you only want to receive dkim-signed emails?

renlord: no I want to prevent people sending spoofed mails

via MITM

renlord: if they can pretend the message came from the IP of mail.grapheneos.org it will pass SPF

renlord: and they can just not DKIM sign it

and afaik that will pass DMARC

<strcat "but DKIM is not mandatory - ther"> So your dkim record cannot state that its mandatory, do i understand that right?

blacklight447[m]: yes because there is not really "a DKIM record"

how do you do that? dont you need to do the HELO/OLEH Challenge response with a SMTP server?

blacklight447[m]: the signed emails refer to a record

blacklight447[m]: if they aren't signed, there is nothing to refer to

then when they do the PTR checks and what not, the ip spoofer will fail

Ah, right, forgot about that

renlord: is that TLS authenticated via MTA-STS / DANE?

I guess so

Wonder why they implemented it that way

yes, if they talk with smtps

yeah that makes sense

if not, helo/oleh into starttls

still interactive

Why didnt they just implement it that if the mta recieves an email, it just checks that @domain s dns records for dkim or spf

blacklight447[m]: b/c people have super complex email setups

Doesnt that make more sense then relying on what headers are in the email to see what to look up?

blacklight447[m]: basically with SPF enforcement -> receive email -> check subdomain for SPF policy -> enforce if hard fail (or maybe mark it if soft fail)

blacklight447[m]: DKIM is an OPTION to sign emails

blacklight447[m]: if the email is signed

blacklight447[m]: i can strip your headers along the way

it refers to where to get the key

lol

Great, just what we need, more complexity...

blacklight447[m]: it's possible to have multiple DKIM signatures

or relays might replace / remove it

as they change the email and so on

When learning about these email security measures, i was so hopefull

it's complicated

blacklight447[m]: but yeah need DANE / MTA-STS + SPF + DKIM + DMARC to prevent spoofing I guess

But my hopes are getting lower by the day

having just SPF + DKIM + DMARC does not prevent spoofing by a MITM attacker

need DANE / MTA-STS too

strcat: i havent been getting mta-sts reports

and then you need all of this for the other way around

does that mean people are not using it to contact me using smpts?

renlord: send yourself an email from gmail

renlord: only google sends them

i receive many mail from gmail.com

but i dont get any reports

renlord: you should get mta-sts reports if you set up tls reporting then

i do have tls reporting!

I get reports

renlord: double check that you can receive that that address

renlord: check with aykevl.nl/apps/mta-sts

that your policy works

ya i passed 100% all these tests

put grapheneos.org there

Policy: v=TLSRPTv1; rua=mailto:tls-rpt⊙go

I get mails there

Fun how, even if we configure everything right, if you were to send an email to librem.one, moest of your efforts go into the trash :D

blacklight447[m]: yep no authenticated TLS

blacklight447[m]: but also

v=TLSRPTv1; rua=mailto:email-security⊙rc

blacklight447[m]: if people spoof @grapheneos.org they can send mail there and they won't reject it

dont get any :(

root@mail:/home/tls-rpt# ls Maildir/new/

1589624383.V801I40b92M915367.mail 1589710599.V801I40febM508375.mail 1589796300.V801I400d2M864633.mail 1589884659.V801I400ddM819529.mail

1589624588.V801I40b94M115647.mail 1589710602.V801I40fedM971138.mail 1589884022.V801I400dcM451188.mail

I don't have mutt set up to check tls-rpt@ and dmarc@

I split them into separate users

Btw, i though smtps was just used to start a secure connection to your mta from your mua, and then starttls is used to make a secure connection for smtp to send the email to from your mta to another

i have virtual that routes them all to my main

security@ contact@ root@ postmaster@ etc. all go to daniel.micay@

renlord: well I have aliases for those

I just use /etc/aliases lol

Is this not how this works?

I don't have virtual mails and I just use maildir

another option is just letting dovecot store mails itself

by using deliver to dovecot and using the dovecot db

probably more efficient than maildir but I like not being tied to dovecot

virtual storing using maildir format

dovecot is quite complicated

renlord: where does virtual store stuff

vmail

where is that?

/home/vmail on disk?

ah

I guess I could set up virtual but meh

so yeah, maildir format

renlord: well I alias everything to daniel.micay@ and that's a user

so it mostly goes into /home/daniel.micay

then i used imap sync to push my current folder layout into my mail host

so the setup now is very compatible with my old mail provider

root: daniel.micay

contact: root

caa: root

renlord: at the top of /etc/aliases

and I run 'newaliases' to update /etc/aliases.db

renlord: and it already has the standard ones like abuse, noc, security, postmaster, hostmaster, webmaster, www

dont like to use aliases since i need to create users for each

virtual is easier

renlord: you don't need users for each

aliases work without users

my mail host also supports 2 different domains

so virtual actually fits better for me

renlord: /etc/aliases is a mapping from address@ (on every host) -> username

Lmao see this dude

I called him out on his purism librem recommendation, naming their lack of microcode updates a security risk

if you do a look up on me my MX provider is actually katmail.xyz lol

so since I have contact@ there, it maps contact⊙aa, contact⊙go, contact⊙sa, contact⊙mgo -> daniel.micay user

Apperently his "proffesional opinion" is that because microcode updates are a responsive measure, they dont matter

the nightmare ovh this morning made me consider setting up a 2nd fallback mail hos

fkin hell, all of the sudden cant even boot into rescue/soft reboot the vps

out for a good 6 hours

blacklight447[m]: microcode updates fix various vulnerabilities

not just spectre issues

not having microcode code == bunch of serious vulnerabilities unpatched

and the microcode is there either way

Then why install any security updates at all, those are responsive as well, the argument doesn't add up at all

unless librem plan to design their own SoC, i dont think their marketing is honest at all

Blacklight please fix ptio it's broken

lets say there WAS a microcode backdoor - a microcode might be able to fix it if it doesn't stop updating microcode

renlord: their laptops don't have open source schematics, boards, etc.

it's not just the components that are closed source

CPU, GPU, Wi-Fi, motherboard, etc. all closed source

not just that

<cyredanthem[m] "Blacklight please fix ptio it's "> Im gonna need a few more details, lol

even the case itself, etc. are closed source

there is nothing open about it

lol

the least they can do is let me 3d print the fkin case

on thingverse or someshit

96boards boards are at least open source boards

not components ON the boards

and btw that's enough for something to quality as 'open hardware' per that stupid org

it's dumb

<renlord "unless librem plan to design the"> Fun fact, they could have chosen to go with RISC-v and design their own soc, its a free isa and is designed to be easily scaled down to small devices

the kirin960 SoC is not open source is it?

it's not open

no ARM SoC is open

> > <@cyredanthem:synapse.travnewmatic.com> Blacklight please fix ptio it's broken

> Im gonna need a few more details, lol

Bromite should be at the top of mobile. Lineage should have a warning due to misleading practices. Chromium should be recommended with a few privacy tweaks. Safari should be recommended. Replicant should be removed

Yet they went the easy way choose an arm platform from nxp

well yeah exactly

blacklight447[m]: a super low quality / insecure one compared to status quo

Lineage should be worth mentioning not recommended

<cyredanthem[m] "Lineage should be worth mentioni"> Ive tried bringing that up to the team but couldn't convince them to remove it

CalyxOS should be recommended due to Pixel 4 support being on the way which gives it a use case where it can be usable when GrapheneOS is not

Gotcha well thanks for trying

cyredanthem[m]: 'on the way' is the same status as GrapheneOS support for it

calyx, rattlesnake and graphene are all tracking the work in aosp_alliance

and the intention is that people purchase a device for GrapheneOS anyway

I don't think a group that actively lies about security patches should be on a privacy website at all

Im firdt gonna try and add a warninf label

That's a start

Glad to hear it

Any chance of a Chromium based option on desktop? blacklight447

> cyredanthem: 'on the way' is the same status as GrapheneOS support for it

I thought they were going to try to get it out this week?

blacklight447[m]: also disabling multi-threading is not good enough lol

clueless person

how do they expect to disabling multi-threading

i.e. run an OS with 1 thread?

makes no sense

I purchased one for GrapheneOS no regrets

they are going to use a cooperatively scheduled OS in a single process in 2020?

> calyx, rattlesnake and graphene are all tracking the work in aosp_alliance

What's that?

I think they mean disabling multicore/HT but that is not at all good enough

do a tlb/cache flush every context switch

lol

<strcat "clueless person"> You d be surprised how many folks see them selves as security experts these days

bunch of ignorant / dishonest people everywhere, yeah

on tons of topics

not just this

Im at the ptio team, ive studied security and networking and are working with it daily, yet i don't even consider myself an expert yet

internet is just making people more ignorant / clueless

access to more information does not make people more informed cause they just pick and choose information aligning with their bias / beliefs

and make themselves more and more clueless

there are people out there who think that if they can read an abstract of a security paper and understand what is being written, they qualify as a security expert

pretty much destroying our fragile societies lol

There is just so much shit out there

Im surprised the internet even works as it does currently

apparently the internet will be what kills human civilization through misinformation

I'm a pentester and a cyber security grad who has read every Reddit post strcat has ever made and I don't consider myself more than a novice. My knowledge is shallow

I can't imagine what an expert sees

I can't stand Reddit

<strcat "access to more information does "> You can thank search engines for that, giving people "relevent" results

I would consider myself a novice as well

Is Firefox secure? Germany says it's the most secure! Done. Is Ubuntu secure? UK says it's the most secure! Done.

Now I'm officially a dumbass

Thanks Google

> I would consider myself a novice as well

I used to work on Lineage. *now that's scary*

Purism is the most secure as they "designed their systems, chip by chip, to respect your privacy and security"

Firefox is private since we ship ads, have telemetry you can't turn off, we have useless privacy features, and we have terrible security

Well, one point for firefix: i can configure it to not save anything

blacklight447[m]: don't understand how purism gets away with so much blatant lying

constantly lying

people WANT to be lied to, I think

purism's laptops are LESS open source than a chromebook lol

and vastly less secure

> Well, one point for firefix: i can configure it to not save anything

Brave, Edge, or make your profile read only

<strcat "blacklight447: don't understand "> Because most folks do not know anything about security

Thats the point

They cash in on people who are unable to verify their claims

> purism's laptops are LESS open source than a chromebook lol

I just can't get over the forced Google account

I cant even make one when I tried to use a ChromiumOS rom

I rather use Linux

Desktop*

cyredanthem[m]: I'm talking about Chromebooks as hardware

you aren't forced to use ChromeOS on them

Bromite has always on incognito

> cyredanthem: I'm talking about Chromebooks as hardware

My bad sorry

That's a good point

An Intel is safer than an arm one right? I see a bunch of random companies making the ARM chips and I have no idea how trustworthy they are compared to Intel which at least is pretty good about patching

Purely Chromebook hardware I mean

I see ARM Chromebooks recommended and I feel like I wouldn't risk it unless it was Qualcomm

yandex is the worst search engine btw

my webmaster account with them expired and it seems like that wiped all knowledge it had of the site

good stuff

Oh good effing gravy.

<cyredanthem[m] "An Intel is safer than an arm on"> that's a very good question. Hard to access how well a hardware maker audits and patches when they are small

blacklight447[m]: "firefix" XD.

That's glorious.

I love it.

I'm going to use that along with "Fireflops"

"Firefix!"

Fireflops I do like they

that*

Hehehehe

<TheJollyRoger "blacklight447: "firefix" XD."> Finally someone caught it

I miss Firefox

They can Fix the dumpster Fire of a browser: firefix

<cn3m[m] "I miss Firefox"> Same

Improves though

If they fix their sandboxing on all platforms, and implement tab isolation, it will already be a lot better

Sadly they are still stuck in 2012, browser security wise

they are stuck older than that

Ahahaha X3.

They have so much work to do though. over a thousand win32k lockdown rules to add. They need to rework the x server and tighten seccomp rules. They need to get anything remotely like a sandbox on Android

then they need to add security hardening for anti exploit

they probably are a good 10 years off from catching up at this pace

Microsoft is right Firefox should be based on Chromium. They could stick to research

The thing is though, do we want a single web render engine

If gecko dies, then all thats really left is safari

gecko is 4% and is slow and broken

it's effectively dead

Something being small doesnt mean insignificant

4% on global scale is stilll tens of millions of people

i thought they gave up on firefox

and they are focusing their efforts on servo?

Iirc, servo is their expirement where they can build a new engine in rust

Then once something from it works, the plug it into gecko

strcat: No, people don't want to be lied to. But for most non security experts, it's really hard where to search for information. If I search around the internet for a few hours how to increase my privacy and security, I end up with Linux, Firefox, an iPhone and Purism.

Bitwarden for graphene - they only offer Google Play which I don't use. Can't find an APK on their site. Is it safe to download from APKPure?

* Bitwarden for graphene - they only offer Google Play which I don't use. Can't find an APK on their site. Is it safe to download from APKPure? (can't find on fdroid either which I found a bit strange)

yekip: bitwarden has their own fdroid compatible repo

sorry, not sure what that means.

where do i go to download bitwarden android app on graphene?

thanks. never really understood github either but i see it says "get it on fdroid". weird that it didn't come up in search on fdroid app

yekip: do you have fdroid or auroradroid installed?

i have fdroid installed

Because it's not in fdroids own repository of apps

ok i guess i dont really understand what this repository stuff means, or is.

i see that last link thanks

Bitwarden has their own repository that you need to add to fdroid

qr codes. never used those either

can i do that via fdroid app? do i have to turn camera on or something?

<dallemon[m] "Bitwarden has their own reposito"> so thats like a sub-area of fdroid owned by bitwarden/

> <@dallemon:matrix.org> Bitwarden has their own repository that you need to add to fdroid

* so thats like a sub-area of fdroid owned by bitwarden?

i can see in FDroid settings, i can add a repo using url and fingerprint. not sure how to do QR. will have to open this page on phone (not on phone here) to copy paste the info. should get it working i think, thanks

really must install riot on graphene, that's next!

installing. thanks dallemon

(it says my bitwarden repo in fdroid is "unverified". i inserted the fingerprint)

Sync repos. Maybe force close fdroid and open again

trying that. thanks

what is this place? I'm looking for help installing GrapheneOS

you're in the right place

see top: "Official IRC / Matrix channel for GrapheneOS"

have you seen the help info put on github? i don't have the link but may be able to find it if you haven't seen it

installation help/script by JollyRoger in here

(named Peter Easton on github, iirc)

what github page?

is it this one? github.com/Peter-Easton/GrapheneOS-Knowledge

thats the ticket

I'm looking for help running the flash.bat file (it gives errors each time), where could that be?

speak of the devil, google sent me my MTA STS report

lol

user48: First thing: I hope you follow grapheneos.org/install

user48: If you provide us some more information, we could give you better support for your issue.

This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

<yekip[m] "Bitwarden for graphene - they on"> I believe they also distribute it via github

Anyway, you can also download it from the playstore with the aurora app

oh, figured it out, booted and set it up, now i just gotta figure out how android works (never used it before)

The first thing you want to do is probbaly install fdroid

Its an appstore with only foss apps

user48: That's good to hear. Here are a lot of members willing to help if you have questions.

What apps do you usually use?

(Do you use stuff like spotify or signal?)

Is ungoogled chromium a good option for desktop browsing?

how does the default browser work?

user48: What exactly? You can use it just like any other browser. If you want more information about it, you could take a look at grapheneos.org/usage#web-browsing

yeah that was a dumb question, what should I use for music, I currently use iTunes (not apple music) since I'd never needed to move away, I've wanted to find an alternative that syncs with various platforms

how much should I research each app before I install it (through f-droid)? Would the OS warn me if it tried to do anything that could compromise security?

user48: I'm not familiar with iTunes. There are of course music players, but I don't have a recommendation as I'm using Spotify myself. If you want to sync files, I recommend Syncthing. It syncs files directly from device to device.

yeah I was planning on doing that (syncthing)

user48: Pay attention whether the app your planning to get through F-Droid is maintained and not "Updated 2 years ago" or something. Keep your apps up to date. It's just common sense. If an app doesn't really need permission X, deny it.

*you're planning

mxnorvak: what would "ungoogled chromium" be?

You mean ungoogled chrome = chromium?

user48: But no, the OS doesn't warn you if it could do something that would compromise security.

user48: GrapheneOS provides Auditor, though. It checks your device integrity. attestation.app/about

hmm, for example the app 'Noice: Ad-free indefinite background noises' in permissions requests 'view network connections', could that compromise security and would there be a way to prevent in having those permissions and hope it works anyway?

Ive made a few Grapheneos handsets, about to make another strictly for CTS. Has anyone been successful with the instructions at grapheneos.org/install on Fedora 32? Going to give it a shot as it’s my distro of choice...just wanted to get any insight from guys that have done in this environment perform

but the Auditor app is on the play store lol

cx2: yea, successfully installed graphene with fedora but with downloaded fastboot, not the one from repos. Only adding to $PATH needed, no udev rules necessary

Ok.... did you rm android-tools? It’s I’m getting version 20180828*

recommendations for which android keepass variant is the best?

user48: Auditor is shipped with a GrapheneOS install.

ahhh...

user48: keepassdx is pretty great and probably has the most active development

user48: You're able to deny the Network permission on GrapheneOS, but if the app needs an internet connection to work, it won't run.

Hmmm...can't remember if I did rm. Might ve been that adding to $PATH just made it use the downloaded version

Adding requires a relog though iirc

nscnt: thx

Also: if I removed I probably did dnf remove instead of RM ;)

<fll[m] "Hmmm...can't remember if I did r"> Got it. I’ll see what happens. I remember some time back Linux (don’t remember the distro) was complaining about the repo version

<fll[m] "Also: if I removed I probably di"> Haha... got me! I am switching back from a machine running SIlverblue (no dnf), and macOS

Well that’s not true.... dnf if inside of a toolbox

But you get the idea

:D

<fll[m] "You mean ungoogled chrome = chro"> github.com/Eloston/ungoogled-chromium/blob/master/README.md

This

what's the best practices for playing around with android themes?

mxnorvak: ah thx. Didn't know that was a thing. I'll check that out later

Yeah its great that its degoogled and it's based on chromium but idk if the developer applied the necessary patches and security updates that the regular chrome browser gets

Was wondering if anyone knows about it or has used it

can you connect usbs to pixels?

i saw on a website that it works if the storage type is fat32 which seems weird...

<blacklight447[m] "Anyway, you can also download it"> thanks BL. heard of aurora but not tried it yet.

<user48 "yeah that was a dumb question, w"> have you heard of quod libret? not sure if they have a version for android but i am about to find out as I am looking for a non apple player for mac OS. I use Vinyl player on graphene. also SimpleCamera, Open Camera, and Simple Gallery is nice. Transistor - I use for internet radio, lovely simple app turns phone into radio which works in standy nicely.Signal, Omni Notes,

DuckDuckGo browser, Scrambled Exif. Thats about all the apps I have right now, in case any are useful to look at. All are good for privacy (according to my own research, always do your own though!)

If you're looking for NTFS support, that might have prohibitive licensing. At least most Linux distros don't offer it via their main repos...

<user48 "can you connect usbs to pixels?"> afaik you can, but I haven't tried yet myself. I could be wrong, but I think someone told me you can. I think JollyRoger said you can take a backup to USB Stick that way. I _think_

A very quick (unthorough) search suggests that NTFS is not available on Android. Would require root + installation of support. I guess besides fat32 ext4 should work too?

Can anyone please suggest a good office suite app that works with GrapheneOS? Still struggling with finding something suitable, was using WPS but seems it is unhappy when too many permissions restricted.

I would have to suggest a desktop computer :D

sorry! email on my phone is modern enough for me, can't imagine trying to write a spreadsheet!

* sorry! email on my phone is modern enough for me, can't imagine trying to write a spreadsheet with my thumbs!

* sorry! email on my phone is modern enough for me, can't imagine trying to write a spreadsheet with my thumbs!

i wanted to give Eddie (AirVPN) a go on graphene. airvpn.org/android - Their app is pretty good I think (security wise). Is there any advantage to choosing app over openVPN, or vice versa?

<yekip[m] " * sorry! email on my phone is m"> Agree but nice to at least have an app that will read and edit a docx for example when away from desktop.

Mullvad much more stable than Eddie

On graphene

Thanks, I don't want Mullvad, PIA was excellent in t erms of app performance, widget too and way faster connections. I got Eddie installed and it's horrible. Constant alerts. No idea what encryption algorithm to use either. But worst of all, speed test gives me 0.5mbps. Not sure what's wrong, could be bad signal although I ws getting 5-10mbps without VPN turned on. And Air servers are very fast usually. weird. i may dump

it and go back to PIA

:) OK, curious why no mullvad

mainly price. i am very confident in it's performance and privacy etc. just price really

i already have 3 subs to VPNs, dont need another one especially at a fiver a month. times are hard ya know :D

big respect for mullvad all the same

user48: you can connect an usb stick with the otg adapter (one comes in the box). exfat is also supported if you need it for files bigger than 4gb.

if you want some cunstomisation get xscreensaver from fdroid for some tweakable live wallpapers. uses surprisingly little battery.

* user48: you can plug in a usb stick with the otg adapter (one comes in the box). exfat is also supported if you need it for files bigger than 4gb.

if you want some cunstomisation get xscreensaver from fdroid for some tweakable live wallpapers. uses surprisingly little battery.

* user48: you can plug in a usb stick with the otg adapter (one comes in the box). exfat is also supported if you need it for files bigger than 4gb.

if you want some customization get xscreensaver from fdroid for some tweakable live wallpapers. uses surprisingly little battery.

I notice PIA (and others) have a builit in kill switch. I always use that, but is there any point as I see Graphene settings offer the options in there, always on and block traffic outside VPN. I have both turned on, so shall i bother with the VPN app's own kill switch or is that 'over kill'. tee hee

Does anyone have a view on allowing BitWarden to have access to autofill password fields?

It's a matter of trust. Do you trust Bitwarden? I do.

I do have it on too

user48: have a look at hub.libranet.de/wiki/graphene-os/wiki/Apps

bseeinu: Collabora office is the only functional on device office suite I've found. Its a split apk so had to mess about a bit to install

Possibly Aurora store handles split apks now?

Using nextcloud via web browser with only office used to work on mobile, but they recently broke it!

I used f-droid.org/app/com.aefyr.sai.fdroid to install the split apk

cryptopad.fr stuff kinda works ok on device.

*on mobile devices

I've never tried any commercial/proprietary office suites on mobile

Actually scratch commercial, blatantly all the things I just mentioned are....

fll: did you have permissions problems on fedora? I can see the handset, but “no permissions”

cx2: have you set up the path?

cx2: hmm...can't remember tbh. You did try sudo I guess?

Yes

adb? Given permission on device?

dazinism: path set for platform tools adb devices lists the hand self, with “no permissions”

Nvm... FINALLY it decided to pop up on the handset

fastboot --version shows the new one now?

Ah ok

<flabbergasted "It's a matter of trust. Do you t"> thanks

So that was a lie...

$PATH is correct... fastboot version is also correct. Still getting “no permissions”

<yekip[m] "ok i guess i dont really underst"> You should probably learn these! Sent you an invite to that room because there's a lot of questions being asked in there similar to yours (some of which are mildly OT for this room =] )

<DannyWorkOrderPr "You should probably learn these!"> OT?

Ah, I had a load of spam invites so i rejected all quickly but thought i saw a username i recognised! feel free to send again, in fact please do :)

yekip: Sent!

thanks. will accept and jump in later, just off out here.

fll: so it seems there are two versions of fastboot installed. Will sees my device just fine, but I believe it’s out of date. The other is definitely updated to 30.XX, with it in my $PATH it still says “no permission”

I'd try and get rid of the old one

Why doesn't Google just announce pixel 4a, leaks used to be blurry pics, now it seem like every other day there is a whole new 10 min video showing a feature of pixel 4a in depth

cx2: guess worth trying different leads / usb ports alsp

dazinism: did that, current version still doesn’t have permission

Platform-tools is living in /home/....$PATH is set.... still, no permissions

Here we fuckin go again, with the discrediting Graphene.

Feel free to state your experience and understanding of the GrapheneOS project and its lead dev here: matrix.to/#/!GibBpYxFGNraRsZOyl:mat…axfaqrRVmzZD-mPgXXHsjk5LGopylkebtBU

DannyWorkOrderPr: in which channel

Techlore, mods no less.

That’s because techlore is a bitch

DannyWorkOrderPr: what are they doing

Fuckin cocksuckers are insufferable.

I thought that community supported the project?

He’s called up out a while back when the channel was trashing grapheneos, he said “I supportED the device, not the developer...blah blah crybaby shit”

I don't understand

He needs to reign in his mods before he loses mindshare in that room.

what exactly is happening? why are people attacking myself and the project there?

don't understand

never had any conflict with them afaik

<strcat "I thought that community support"> Thought so too until techlore actual chimed in and was whining because apparently he asked you about the video he made re: GrapheneOS install / review. And he didn’t receive the response he wanted.

Like I said, on the topic of GrapheneOS, techlore himself has whined about it. I’m sure he encourages his mods to do the same.

I don't understand

never did anything to them

James apparently contacted him

wonder if that has anything to do with it

Techlore stated that he asked you if there was a certain way you wanted the video done, or anything that you wanted added. He said he didn’t receive a good response. Also stated that he believes that the project management is toxic

I didn't want people relying on a video that is frozen in time

and you see the results of people relying on some old fastboot version on Windows

I need to merge the changes to flash-all.bat but they weren't submitted as a pull request

so I lost track of that

maybe JTL knows?

I think it was JTL and someone else working on it?

can't remember

@strcat This might be a stupid question, and completely unrelated to GOS, but when I plug in the charger, it takes a couple of seconds before it starts to charge, and then it vibrabes another time a little later indicating charging is in process. Is this related to GOS/hardware or AOSP? Pixel 3a XL

don't know

strcat: I don't use this term lightly. In fact, first time. But this is pure FUD.

strcat: the mods there are privacy > security.

strcat: I linked you to the discussion above. And will be posting more screenshots here.

Well regarding a video, I dont’ disagree to a point. As long as it explicitly states that “this video is current as of today, this will likely not work with future releases, etc.”

Where I take issue is just with him being annoying and whining

DannyWorkOrderPr: I'd guess James is involved in this

But they're already retracting messages due to being called onto the carpet.

I left Techlore after 10 seconds after I joined it. It's a bunch of bull.

DannyWorkOrderPr: techlore said at one point James contacted him and this is what James likes to do

and it's such BS to say I don't accept help from others - I just didn't want to have that kind of installation video

and I have not had the time / energy to do interviews or things like that largely due to what James is doing

He removed the post i think

it's not at all true that I "don't accept help"

doesn't make any sense

why are these people spreading BS and attacking me

never did anything to them

Should just remove the matrix channel and stick to irc. Since Techlore is pretty high up in suggestions in matrix in that category.

I just don't understand this

he told me at one point James contacted him and I think that explains a lot

you can see what happened with the Samourai Wallet community

and he has caused the same problems elsewhere

people are so easily manipulated

<strcat "never did anything to them"> It's not about you, Daniel. It usually never is. It's about control over a topic - how people should protect themselves in tech. And the "nice, privacy" crowd don't like when actual security enters the ring and boxes their ears.

Surely my messages will eventually go through, ( Matrix.org homeserver sucks today), but, strcat, It's not about you, Daniel. It usually never is. It's about control over a topic - how people should protect themselves in tech. And the "nice, privacy" crowd don't like when actual security enters the ring and boxes their ears.

<flabbergasted "Should just remove the matrix ch"> That's exactly why the Matrix channel *shouldn't* be removed!

no plans to remove the Matrix channel

but it is really slow

and unreliable

Do you guys know any advantages on using LTE Mode only?

Is it better to use irc on mobile? I have never used irc before

For this channel

Unless your carrier supports VoLTE you should not use LTE only.

* Do you guys know any advantages on using LTE Mode only? Like maybe better battery life or maybe some security advantages?

<strcat[m] "and unreliable"> Matrix.org is unreliable. Wonder how bad the hit to the userbase would be if this room moved to another homeserver.

<flabbergasted "Unless your carrier supports VoL"> My carrier does not support. Why shouldn't I use it?

If you rely on regular calls and texts you shouldn't use it.

Regular calls and texts are far in the 90s for me

For you maybe, but not for the gen pop.

Danny@WorkOrderPro: well does it have to move

or could there just be a new room that would see the other matrix users via irc bridge?

if there was another server bridged to it would the matrix users here just see them as irc users

which seems fine

Yeah, I mean, if you just made a new room with a tchncs.de matrix account, it'd be on that homeserver, for example

this bridge system is also annoying because I don't fully control this room, the irc service does

really annoying

and it kicks 'inactive' users

tchncs.de (for example)**

which sucks

Danny@WorkOrderPro: I don't understand why that techlore community is being nasty

also GrapheneOS does a lot of work on privacy not just security enhancements

the privacy also depends on the security

so security enhancements reinforce privacy

but we do a lot of work on privacy improvements

FYI rooms are not tied to a particular homeserver

this room is already "on" matrix.org and tchncs.de

and have landed a lot of stuff upstream in that area

benpa: but this one is tied to the irc service

federation means that the content of this room is seen by both servers

benpa: the irc service thing owns it not me

and the main lag issue is with the irc service thing I think

I also don't like how aggressively it kicks people

<strcat[m] "the privacy also depends on the "> We've told them 200 times. They're willfully ignorant.

it kicked people that were pretty core community members and just inactive for a few months

Danny@WorkOrderPro: do they understand we do a lot of work on privacy and work to fill in gaps from not having Play Services

benpa: So what's the fix, ask everyone to move their accounts to another Homeserver?

Danny@WorkOrderPro: sandbox improvements restricting what apps can do, permission system improvements (features like Network and Sensors permissions), MAC randomization improvements, all kinds of other things

tons of stuff we've landed upstream

<DannyWorkOrderPr "benpa: So what's the fix, ask ev"> that's one benefit of Matrix - messages are shared (per room between servers)

it sounds like the big problem you're having is that the Freenode bridge is laggy

benpa: I think the main issue is the irc service thing since I don't actually own this room

benpa: since matrix.org server has rooms for irc channels we used the existing room thinking it was the best approach to avoid people split across multiple rooms bridged to the same irc channel

benpa At this stage, the lack of performance of Matrix.org is a detriment to the mindshare of Matrix, as evidenced by this community.

<strcat[m] "Danny@WorkOrderPro: I don't unde"> strcat, It's not about you, Daniel. It usually never is. It's about control over a topic - how people should protect themselves in tech. And the "nice, privacy" crowd (Techlore mods, Mozilla, etc) don't like when actual security enters the ring and boxes their ears.

I'm not sure it was the best approach since this way we're stuck with the irc service

<DannyWorkOrderPr "benpa At this stage, the lack of"> we are aware of that

can't replace it with another and it won't give me full control of this room

even though I own the irc channel

ideally I could get admin in this room

ok, let's see if we can solve that wrt adminship

I have founder access for the irc channel although I don't think freenode will actually give you an 'sop' status in the channel

it just works via chanserv

I think think &user exists on freenode or oftc

I hadn't realised you were having these problems - just happened to look in here by chance...

lol I'm always having problems with everything

I am used to it

not specific to matrix

<benpa[m] "I hadn't realised you were havin"> We'd really appreciate any insight you can give from the Matrix side, this community needs to continue to spread its wings!!

No help with reboot, open camera, clearing caches etc

Wth??

Blueline

Doesn't work in any app, rear camera

bseeinu: try turning it off instead of a reboot

<DannyWorkOrderPr "We'd really appreciate any insig"> basically bridging Matrix and Freenode is an ongoing, endless struggle

^ gives a little context

benpa: so basically it'd be nice if there was some way to show the bot I own the channel and get owner privs

yeah I'm working on that now

the way it does privs is a little bit weird since if it ever sees you get +o it gives you persistent +o here

mod, w/e

so the way I gave myself privs is I did +o on my matrix username in the channel

but I could register my matrix username and identify as it

you can group nicknames on freenode so it'd have founder status

so if the bot could check with NickServ that would probably be enough

and maybe that's also a better way to handle giving mod status really

NickServ/ChanServ

vs just seeing who has +o atm

<strcat[m] "bseeinu: try turning it off inst"> Same thing. Framerate drops to crazy low when opening any camera apps. Only 1 of 2 selfie cams works, only with open camera

it's normal that only 1 front camera is supported by most apps

<strcat[m] "Danny@WorkOrderPro: I don't unde"> The Techlore community has went seriously downhill. I'm even being personally slandered by them now.

bseeinu[m]: don't know why that's happening

madaidan[m]: yeah I just don't understand why this stuff happens

upsetting for me

Open camera could switch between both front cameras

Ugh dude

No camera app can access it

on which device, Pixel 3?

I'll just have no camera on a new pixel 3 for now I guess

Whyyyy

<cx2[m] "Ive made a few Grapheneos handse"> Guys, just rolling this forward to see if I can get an assist please

<strcat "madaidan.: yeah I just don't und"> The mods and members there are really incompetent

<strcat "upsetting for me"> Not my intention, just wanted to mobilize the community

<bseeinu[m] "No camera app can access it "> I've had the camera module cable come off the board and permanently cause this error.

I was countering bullshit there all the time until I was eventually banned for nothing

And I'm still being harassed by them

<DannyWorkOrderPr "I've had the camera module cable"> Jesus, I bumped it lightly this morning

Like 1/100th of what happened to my iPhone

Might have also just fucked the module itself, cable could be fine, haha

Had that happen, too

Camera sensors are finnicky

Do I need to open the frigging phone

For one small bump with case?

Adb devices “no permission”

Didn't realize pixel 3 could have this much industrial design garbage

<bseeinu[m] "Do I need to open the frigging p"> Do you want to ensure the camera will work? haha

Have you ever fixed it? Danny@WorkOrderPro

Luckily, the one of mine I cared about started working again on its own, the one that was damaged by a crushing issue lol

Unofficial advice, knock it around again! 😂

I hate this so much

it's different than problems other people have

so 99% chance it's a hardware issue

Yeah so

you could factory reset to make it a 99.99% chance but you probably have data you don't want to lose

Hear this

I slabbed the phone on the table

It works again

This is some high level garbage QA and design

well I don't think they have any real QA issues

but some devices have issues like any other product

Thanks for the butchering advice Danny@WorkOrderPro . apparently I need to slap my phone or be very gentle

don't think it's more than usual

Then it's ID

iphones since 2007

Never has anything similar ever happened

I guess I had exhausted my luck :)

<bseeinu[m] "Thanks for the butchering advice"> maybe it just has an attitude, mate 😂😂😂 Nah, you likely have a lose cable.

bseeinu[m]: maybe was shipped extremely roughly but I doubt that's the issue

since I wouldn't expect that to happen if nothing was wrong in the first place

Thx for the help. Next releases I look forward Bluetooth audio and no dramatic SERIOUS CAMERA ERROR HELP HELP from open cam :)

next release fixes the upstream bluetooth audio bug

Danny@WorkOrderPro: btw I've heard the same mental health shit from another person. I wonder if they're linked.

it means they have been talking to James

<madaidan[m] "Danny@WorkOrderPro: btw I've hea"> madaidan. I wouldn't waste time looking for the conspiracy, albeit likely to be one - it's just as likely that people are parroting shit (I just called one of them Polly recently, lol). They tend to do that.

It was just a few days ago too

Something might've happened recently (*cough* James cough*)

<DannyWorkOrderPr "madaidan. I wouldn't waste time "> It was a different person in a different room that Valynor isn't in.

Oh, I've got you

madaidan[m]: James is actively attacking me across the board and reaching out to lots of people

so it's to be expected

this is what he does

need him to be stopped somehow

Is James active on matrix (that you know of)?

I've never seen him here

madaidan. You don't think he'd be here under his own name, do you?

<DannyWorkOrderPr "madaidan. You don't think he'd b"> He is on other platforms

On reddit? Or chatrooms?

<madaidan[m] "Is James active on matrix (that "> Hes 100% lurking in this chat

IRC?

<blacklight447[m] "Hes 100% lurking in this chat"> He can just use the log bot or view.matrix.org. Doesn't need an account.

Anyway, not a good topic to persist here

Both

<DannyWorkOrderPr "On reddit? Or chatrooms?"> A bunch of stuff. Reddit, Telegram, emails etc.

The dude is a maniac

Yes. “Older fastboot” in that I was able to list my device without issue.

Installed platform tools with fastboot 30.XX and now I am getting “no permissions”

I am also not being prompted by the handset to “trust this device” either.

Maybe wrong chmod on the the platform tools?

Already `chmod -R 755 platform-tools1

* Already `chmod -R 755 platform-tools`

Again, worked fine with the older fastboot.... but i didnt’ want to continue with the older version since i figured it would cause issues down the road

remove it

start over

don't chmod or change anything

follow instructions to the letter

Fastboot version prints correctly with the up-to-date version.

This tells me that my $PATH is correct

When querying the device `adb devices` it prints `xxxmydevice. no permissions;...`

did you remove it and start over

cx2[m]: did you try invoking fastboot with sudo? It would point you in the correct direction to figure out the problem.

Yes. I have started over a few times now.

Of note, I am on fedora, with android-tools, I was able to successfully query the handset. But did not proceed further due to the instructions stating that it’s out of date and broken on Ubuntu and Debian (Fedora wasn’t covered, but given that the android-tools version was from 2018, I figured it applied here as well. ) Therefore I removed android-tools, and instead opted for platform-tools.

But, as noted, adb in platform tools prints “no permissions”

also, what is output of 'which fastboot'

`~/platform-tools/fastboot`

$ fastboot devices

no permissions fastboot

is that the error?

and, did you try 'sudo fastboot' ?

That’s the printout of “which fastboot”

yes, I understood that. Is the message from "fastboot devices" looking like:

Command not found when “sudo fastboot”

no permissions fastboot

BrokenCog:

cx2[m]: yeah, you need to 'sudo $(which fastboot)' ...

because your PATh isn't in root's

I think that’s definitely my issue, so the question would be how to correctly set my path. I copy and pasted from the documentation, which at least gets me into platform tools

it's not a path issue. did you run the command as sudo? and what was hte result?

btw you shouldn't generally use the `which` command

$(which fastboot) prints `fastboot: usage: no command`

cx2[m]: yes, you need to put the options after it ... 'sudo $(which fastboot) devices' for intsance

cx2[m]: yes, you need to put the options after it ... 'sudo $(which fastboot) -l devices' for intsance

strcat: he needs which here because root doesn't have his user's ~/android-tools stored in roots $PATH. once he figures out the permissions issue, he won't need sudo, and thus won't need to use which.

yeah but you shouldn't use which

it's an obsolete / bad command

Learning is occurring... haha

Ok... does not print anything.

BrokenCog: which doesn't match how the shell looks up commands

but the device is connected? and, developer options USB Debugging is enabled?

Yes.

strcat: it's close enough in this case.

cx2[m]: does 'adb devices' show the device?

`adb devices` proves this.

The problem is, it also prints `mydevice No permissions;`

fastboot is not adb

the install instructions don't use adb

fastboot does not connect to a device booted into the OS

you're making things way more complicated than they need to be by doing stuff not in the instructions

cx2[m]: is your device at the bootloader screen?

There's `type` instead of `which`

Ok...swapped cables and ports.

Sudo `$(which fastboot) -l devices` prints `myxxdevicexx. Fastboot usb:1-3`

cx2[m]: and as non-root user?

`no permissions`

I’m sorry.... `fastboot devices` prints `no permissions`

And yes I’m at the boot loader screen

I don’t think i answered that before

as non-root. I suspect it's a udev issue, try this fix: stackoverflow.com/questions/2701745…tboot-and-adb-not-working-with-sudo

cx2[m]: when you talked about fastboot, it was probably assumed.

cx2[m]: your distro is making things way more complicated than they need to be, just do it again from the start as root

or fix udev permissions.

you don't gain anything not doing it as root when you are freely transitioning to root with sudo anyway

might as well just be doing it as root

no advantage to overcomplicating it

not security

<BrokenCog "cx2: when you talked about fastb"> Ok, i just wanted to make sure I was answering you correctly

if he fixes the udev permissions, he won't be doing it as root.

don't overcomplicate it

this could all be done in 5 minutes

instead of making it way harder than it has to be

the instructions don't use adb, only fastboot

if you're on a distribution that does not permit accessing usb devices as non-root just do it as root

start over again and do it as root

don't make things overcomplicated, this process takes 5 mins

start at grapheneos.org/install#obtaining-fastboot and do it as root

strcat: macOS was a breeze.... I am ok with the distro “making it difficult” Again. This device is purely going to be used purely for CTS. So if that means I can ALSO hang a note about “Fedora being difficult, and here’s the workaround” then I want to do that as well

cx2[m]: try that udev perm's adjustment in the link, it should then work as a non-root user.

cx2[m]: the problem is udev doesn't include rules for lots of things by default

you aren't allowed to access random kinds of devices as non-root on a traditional linux distro

even though it doesn't make much sense

that's the nature of udev/usb/world-full-of-manufacturers miking with various security intrepretations.

if you EVER run sudo from your user account

or enter your password ever

and have sudo enabled with unrestricted use

your account is equivalent to root

Yeah, someone can trivially intercept/keylog the password.

or make your commands do something else

when you enter them

if you use sudo to run things as root then your account is basically root

what's the distinction?

and I'm sure all the important data is in your user account

it is not a security model that makes any sense

Ok. The goal here isn’t to ultimately add to my collection of devices. The goal is to troubleshoot, correctly, “installing GrapheneOS for Fedora users”

Since it’s not in the documentation, I can hopefully add it to the unofficial

run

sudo -i

do the entire process from grapheneos.org/install#obtaining-fastboot

did the udev perms work? you'll probably need to reboot for them to take affect.

So what is the ROOT problem then? What I’m trying to get to the bottom of, is why Fastboot will not run on fedora without root

restarting udev is fraught with Usually and Frequently leading to Doesn't.

cx2[m]: because linux distros don't let you access usb devices without root

it doesn't need root, it needs udev to have non-root permissions to the USB device.

read that link.

cx2[m]: they have special cases for certain kinds of things like usb flash drives

cx2[m]: they don't include a standard special case for things they don't know about

Google's AOSP has a udev rule to add for their devices to solve this.

so if you plug in a serial debug cable or anything else

It's incredibly easy

it's totally useless

without root

Yeah Leaseweb can't be compared to Novoserve in my experience.

wrong channel

so just use root and don't bother setting up udev rules

far more likely you screw up stuff with udev rules

strcat: but I can access it just fine with android-tools. It’s platform-tools that are causing issues

LOL.

cx2[m]: don't know what you mean by that

what is 'android-tools'

guessing some messed up fedora package with nonsense like setuid / setgid binaries]

anyway just do it as root that's what your distribution needs

fussing around with udev rules is pointless

if you do stuff via sudo from your user account, it is basically the root account anyway

<strcat "cx2: don't know what you mean by"> When downloading android-tools (which is old so I `dnf remove` it) it initially worked without root. Again, i realized it was old, and accoriding to the instructions, went with downloading platform-tools..... which is not working

just run `sudo -i` and do everything in that shell instead

cx2[m]: I don't know what android-tools is

cx2[m]: that's not an AOSP / Android thing

that's some non-standard fedora thing

cx2[m]: perhaps android-tools includes udev rules for fastboot with some devices

What is android tools?? It’s in your documentation

“Arch Linux: android-tools provides fastboot...”

cx2[m]: that's an arch linux package

a fedora package called android-tools is not the same thing

android-tools is an arch linux package made by the maintainer of the package

he wrote a new build system for fastboot, adb, etc. and packages it his way

includes a random assortment of tools he chose

that is arch linux specific

well that’s where I made the mistake. Either way, I removed it.... even though fastboot was working just fine.

it is an arch linux project not an AOSP / Android project

the whole thing seems based on a misunderstanding of AOSP

by these distros

they don't understand the versioning system of platform-tools (fastboot, adb, etc.) somehow and invented their own

they don't understand how to sync the sources

they don't know how to use the build system

and they made their own downstream packages with their own versioning schemes, etc.

so for example

# Android has a huge and monolithic build system that does not allow to build

# components separately.

but you can run `m adb fastboot` to build just those...

and there are build targets for the SDK repository packages like platform-tools

so you can build platform-tools as a whole

and have a zip produced with the standard platform-tools

cx2[m]: anyway you don't have udev rules for this kind of device so you need to do stuff as root

cx2[m]: you're overcomplicating it by doing some stuff as non-root and some as root, etc.

cx2[m]: either obtain set up proper udev rules or use root

and listen to my warning that fussing around with udev rules is not actually accomplishing anything and is overcomplicating it

gives you another thing that could go wrong and you need to maintain that

get your distro to provide less bad packages

So with `sudo -i` —-> `fastboot —version` prints `bash: fastboot: command not found...`

Then `Install package ‘android-tools’ to provide command ‘fastboot’`

what arch linux does is still super messed up just far less than fedora, debian, etc. which all have differently fucked up stuff

cx2[m]: I said you need to start from grapheneos.org/install#obtaining-fastboot

sudo -i gives you a root shell

you are starting over as root

cx2[m]: you have a lot of different options but you're choosing to stay stuck overcomplicating things

self-inflicted issues

either do everything as root or do what is required to make it work as non-root

otherwise you will encounter the issues you have encountered mixing a non-root environment with a DIFFERENT root environment

you can't set up fastboot for one user and then run it in a different user's environment

linux distros overcomplicate this

it would be really easy to not use the CLI at all if they just had proper packages

could ship an unlock and lock script

double click unlock, double click flash-all, double click lock

but no they decide to make everything super fucked up / complicated

I could just tell people the only supported OSes are Windows, macOS and Arch Linux and explicitly check for and reject other distros until they fix their packages

strcat: heres the deal... You’re original comment, was “follow the instructions to the letter”

No where in those instructions does it say anything about `sudo -I` etc. In fact, following those instructions *does not* work on Fedora apparently.

Things like “self-inflicted issues” are not useful. Especially when I have stated multiple times that I am creating this handset PURELY to help out however i can. If that means it’s only CTS then so be it. If that **ALSO** means I can help provide a workaround to getting GrapheneOS up and running on Fedora, then even better.

cx2[m]: your distro doesn't have a working non-root user

use root for everything

or spend your time working around / fixing the distro including setting up custom udev rules

which is a super messed up thing to need

the way this works is just broken

List of distribution packages:

Arch Linux: android-tools provides fastboot and other useful tools not required for installation such as adb. android-udev provides udev rules allowing fastboot and adb to work in local sessions without root.

cx2[m]: the answer to your problems is there

and don't ask me why extra udev rules are required - I can't justify how fucked up it is

that udev rules are required to use a hardware bitcoin wallet, serial debug cable and all kinds of other devices not fitting existing rules

it doesn't make any sense

<strcat "cx2: the answer to your problems"> You’re still getting this wrong. This is not “my” answer. I already have a grip of phones that I can’t use. This answer is for the community. For people that are, in this case, on Fedora.

* > <@freenode_strcat:matrix.org> cx2: the answer to your problems is there

You’re still getting this wrong. This is not “my” answer. I already have a grip of phones that I don’t use running GrapheneOS. This answer is for the community. For people that are, in this case, on Fedora.

I am fortunate in that I have the means to procure multiple machines and handsets to support in this way, since I am clearly not a programmer.

report a bug to your distribution about their broken packaging and OS

multiple bugs

1) they should allow local users to use USB devices without special rules or packages

2) they shouldn't have totally broken android SDK packages, if they aren't going to properly build / package things they shouldn't have packages for them

they should use the upstream versioning and upstream build system

and stop making broken crap

or call it fedora-android-tools to make it clear it isn't some upstream / AOSP / Android thing it's their own fork

if people pulled that shit with my project I would be telling them they have to stop naming it after my project based on trademark law like firefox did with debian for a long time

<strcat "and stop making broken crap"> I don't think that's possible. Linux distros *are* broken crap.

what justification do they have to write their own broken build system for this

they don't understand the software or what they're doing

and why is root needed to access USB devices unless you make a bunch of custom udev rules for each type of USB device other than basic things like flash drives

no real alternative sadly @madaidan.:matrix.org

why is it so fucked

my answer is just do everything as root since your user account is already effective root anyway

what difference would it make if you just logged in as root compared to a user account with full root access

it's just like UAC on windows but worse

UAC is less bad than this kind of sudo use

I wonder if the windows subsystem for linux thing has working usb devices

<cn3m[m] "no real alternative sadly @madai"> TempleOS

wsl2 should iirc

but wsl2 is just a vm

so it has all the problems of the distro

true

Everything is okay there

<strcat "2) they shouldn't have totally b"> Just use arch Linux

Imagine how advanced the world would be if everyone were strcat clones

No

Yes

<madaidan[m] "Danny@WorkOrderPro: btw I've hea"> I know what it probably is.. its the Milkman

what is the [m] indicate on user nicks?

They dont like Daniel and they are vicious, I've seen folks on Techlore quoting from MMJDs vicious attacks

<dazinism "I know what it probably is.. its"> I hate that guy

BrokenCog: people bridged from matrix

ahh.

<madaidan[m] "Imagine how advanced the world w"> I dream of this

<dazinism "They dont like Daniel and they a"> One of the Techlore mods is also a mod of MMJD's cybersecurity overview room.

Imagine if everyone was Daniel

Linux would be hardened

<BrokenCog "what is the [m] indicate on user"> Matrix users

You wouldn't be able to hack into your friend's PC and steal their porn /s

<anupritaisno1[m] "Imagine if everyone was Daniel"> It would be paradise

Not against Daniel but I know MMJD holds endless grudges and likes to have totally unbelievable exaggerated extended rants where he makes stuff up character assassinating people

<madaidan[m] "It would be paradise"> *trouble in paradise

<dazinism "Not against Daniel but I know MM"> **X** e

He banned me from all his rooms ages ago because I called him out on one of his untrue character assassinations

I wasnt sad to not have to read his shit anymore

Well it's matrix

Destroy him with 10k alts

lol

dazinism: this stuff is causing immense harm

james primarily but also people like that milkman guy

I mean what's stopping you?

<anupritaisno1[m] "Destroy him with 10k alts"> Internet vigilante brigaders

<madaidan[m] "Internet vigilante brigaders"> No

Just for laughs

Finally

<strcat "james primarily but also people "> BTW what's going on

Like you were expecting a unique person but it was just me, dazinism

When using `curl`, how do I know that I am downloading the Beta Channel? The address is the exact same unless i am way off

cx2[m]: releases.grapheneos.org/sargo-beta

cx2[m]: releases.grapheneos.org/sargo-stable

the URL for a given release is the same

the channels refer to releases

strcat: that stuff sounds like exactly the kind of thing milkman would say. And he's always happy to bring up his grudges and expand on the fantasies of his character assassinations.

it's also what james does

and btw milkman literally destroyed the old matrix channel

because he was pissed I wanted control of it even though he claimed he MADE IT FOR ME

he claimed he was just running it for me

and would turn over control if I ever wanted it

and then when I did

he threw a fit and blew it up

BTW Daniel

How are streaming updates verified?

anupritaisno1[m]: by update_engine

can we have a group for sharing misinformation sources and countering them?

anupritaisno1[m]: same as regular updates

I would participate, but I never see such things

Maybe you could just ignore him if that's possible

can't ignore people that are actively spreading misinformation and turning people against the project

running character assassination campaigns specifically targeted at me

it's aggressive harassment

I was trying to add it to my client and madaidan brought up the concern

<strcat "because he was pissed I wanted c"> BTW how great is the damage he does?

both of them cause substantial damage

I would say they succeed in wiping out half of the time and energy I have for the project

so 50% of the resources of the only full time dev

<strcat "anupritaisno1: by update_engine"> But before install or after install?

and they have caused so many people to be pushed away from the project

anupritaisno1[m]: define install

His group has 3k+ members

<madaidan[m] "His group has 3k+ members"> Oh boy

<cn3m[m] "can we have a group for sharing "> an enforcable code of conduct would help to alleviate this pressure on project and trying to deplatform the people causing harm

anupritaisno1[m]: streaming updates require leaving out the payload.bin from the update package it downloads

instead it's just metadata

and then it passes it to update_engine

I didn't finish implementing it

getting moderators would also help a lot too

matrix is federated

<strcat "anupritaisno1: define install"> Writing to the partitions?

<strcat "both of them cause substantial d"> Any way we can help?

I already got some of his channel aliases removed from matrix.org but not all

right now its only jolly and strcat that do the moderating, i believe

But tbh madaidan you can only go so far

clearly I need to take much more extreme measures

and it takes too much time from them to deal with the trolls and misinformation

<anupritaisno1[m] "Any way we can help?"> Debunk the bullshit people spread

Bullshit spread like wildfire

<madaidan[m] "Debunk the bullshit people sprea"> Think I already do that

aeonsolution[m]: the problem is not really this channel

<anupritaisno1[m] "Bullshit spread like wildfire"> basically

it's people spreading misinformation elsewhere specifically 2 people with huge spiteful grudges

and other people they have converted to their side to help spread character assassination nonsense

and misinformation / fraudulent claims

how do we find this bullshit?

people just repeat this unsourced info

cn3m[m]: by actively joining tons of communities and watching for it

cn3m[m]: we know it is happening in certain communities already

Was really sad to see Millman build his empire of BS and vicious authoritarianism on matrix. I watched him join matrix and squat/make loads of matrix.org rooms for loads of popular OS projects and tech subjects.

James has been in the Samourai Wallet community for 2+ years and has used it as a platform to spread fraudulent claims and character assassination about me