Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://hachyderm.io/users/dalias/statuses/114393132056439789">Rich Felker (dalias@hachyderm.io)'s status on Thursday, 24-Apr-2025 22:17:53 JST</a><a href="https://hachyderm.io/@dalias" title="dalias@hachyderm.io"><img src="https://gnusocial.jp/avatar/40873-48-20221207231635.webp" width="48" height="48" alt="Rich Felker" style="position: absolute; left: 0; top: 0;">Rich Felker</a><div><a href="https://infosec.exchange/@david_chisnall/114392323957185122" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/31034" title="signalapp@mastodon.world">Signal</a></li><li><a href="https://gnusocial.jp/user/153731" title="guardianproject@social.librem.one">Guardian Project</a></li><li><a href="https://gnusocial.jp/user/241214" title="david_chisnall@infosec.exchange">David Chisnall (*Now with 50% more sarcasm!*)</a></li></ul></div></section><article><p><a href="https://infosec.exchange/@david_chisnall">@david_chisnall</a> <a href="https://social.librem.one/@guardianproject">@guardianproject</a> <a href="https://mastodon.world/@signalapp">@signalapp</a> <a href="https://floss.social/@fdroidorg">@fdroidorg</a> That's a perpetual myth that seems to have no basis in reality. The libraries in question have not been shown to be able to inject arbitrary code unless a malicious OS (which already has the capability to inject code into any program it hosts) has instructed them to do so.</p><p>(To be clear, this means on a Googled Android, you're just as vulnerable to Google's whims as you already were by running a Google OS, and on deGoogled Android you do not appear to be vulnerable.)</p><p>If this is incorrect, I'd like to see evidence.</p><p>Still I think on principle Signal should remove all Google code. There's no reason for it to be there and it hurts trust.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4792902#notice-9689360">In conversation</a><time datetime="2025-04-24T22:17:53+09:00" title="Thursday, 24-Apr-2025 22:17:53 JST">about a month ago</time> <span>from <span><a href="https://hachyderm.io/@dalias/114393132056439789" rel="external" title="Sent from hachyderm.io via ActivityPub">hachyderm.io</a></span></span><a href="https://hachyderm.io/@dalias/114393132056439789">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Rich Felker (dalias@hachyderm.io)'s status on Thursday, 24-Apr-2025 22:17:53 JSTRich Felker
in reply to
@david_chisnall @guardianproject @signalapp @fdroidorg That's a perpetual myth that seems to have no basis in reality. The libraries in question have not been shown to be able to inject arbitrary code unless a malicious OS (which already has the capability to inject code into any program it hosts) has instructed them to do so.
(To be clear, this means on a Googled Android, you're just as vulnerable to Google's whims as you already were by running a Google OS, and on deGoogled Android you do not appear to be vulnerable.)
If this is incorrect, I'd like to see evidence.
Still I think on principle Signal should remove all Google code. There's no reason for it to be there and it hurts trust.
In conversationabout a month ago from hachyderm.iopermalink

Public

Embed Notice

HTML Code

Corresponding Notice