119

Would you trust an open source software maintained by a developer who you disagree with politically (or otherwise don't like the developer)? (sh.itjust.works)

submitted 2 days ago by DeathByBigSad@sh.itjust.works to c/asklemmy@lemmy.world

91 comments fedilink hide all child comments

"Trust" as in: trust it enough to run it on your machine.

(And assuming that you can't understand code yourself)

you are viewing a single comment's thread
view the rest of the comments

[-] ilmagico@lemmy.world 5 points 1 day ago

Ok first of all: GrapheneOS is great, probably the best alternative Android OS, but their PR skills are rock bottom. Still, many ignore that due to how good it is.

With that said, I don't believe their claim that it's impossible for them to target a user with a malicious OTA: their reason is basically that the update server never even knows who is downloading, and so it can't send a different file to just one user. That's true, but thet could, in theory, make a single OTA that everybody gets, but checks for a specific IMEI or other device ID and only there enables some malicious payload.

I trust them not to do it, for many reasons, but technically they could. I also don't think they'd do it to Louis, despite the beef they have with him.

[-] other8026@lemmy.ml 3 points 1 day ago

Well, the fact is it is impossible to target someone with a modified update. The update client sends no IDs to the server, it just fetches static files and determines whether it needs to update or not. The server only has static files.

thet could, in theory, make a single OTA that everybody gets, but checks for a specific IMEI or other device ID and only there enables some malicious payload.

That would be very obvious in the code. And how would devices be targeted if GrapheneOS project members don't know the unique IDs because they're not sent in the first place? There are also community members who build GrapheneOS on their own and check if the builds match because GrapheneOS builds are reproducible. It just isn't possible. But even if people don't believe all of that, they can still disable the updater app and sideload updates manually. Instructions are on the website.

this post was submitted on 03 Sep 2025

119 points (100.0% liked)

Ask Lemmy

34388 readers

1032 users here now

A Fediverse community for open-ended, thought provoking questions

Rules: (interactive)

1) Be nice and; have fun

Doxxing, trolling, sealioning, racism, and toxicity are not welcomed in AskLemmy. Remember what your mother said: if you can't say something nice, don't say anything at all. In addition, the site-wide Lemmy.world terms of service also apply here. Please familiarize yourself with them

2) All posts must end with a '?'

This is sort of like Jeopardy. Please phrase all post titles in the form of a proper question ending with ?

3) No spam

Please do not flood the community with nonsense. Actual suspected spammers will be banned on site. No astroturfing.

4) NSFW is okay, within reason

Just remember to tag posts with either a content warning or a [NSFW] tag. Overtly sexual posts are not allowed, please direct them to either !asklemmyafterdark@lemmy.world or !asklemmynsfw@lemmynsfw.com. NSFW comments should be restricted to posts tagged [NSFW].

5) This is not a support community.

It is not a place for 'how do I?', type questions. If you have any questions regarding the site itself or would like to report a community, please direct them to Lemmy.world Support or email info@lemmy.world. For other questions check our partnered communities list, or use the search function.

6) No US Politics.

Please don't post about current US Politics. If you need to do this, try !politicaldiscussion@lemmy.world or !askusa@discuss.online

Reminder: The terms of service apply here too.