@v_d_richards@benroyce@MastodonEngineering I taught my kids you always lie about your age online and your birthdate is always [easy to remember date that makes you over 30] and you don't submit to tests that could try to verify it.
@geco_de@guardianproject@signalapp@threemaapp That's only the case if the promised security properties of the messenger that users are depending on admit subversion by the party who provided it. That's not the case with Signal. The only way they could subvert it is by denying availability (shutting the infrastructure down) or shipping malware in new versions of the application. They are not going to do the latter. Thinking they are is insulting to the people working on it and makes no sense. They have no reason to do that.
When you are making a claim of security as a result of being open source, the fact that you allow someone else to provide a binary and then inject it into your final build is a problem.
I can only assume that you're arguing for the sake of arguing, rather than making a real point.
@david_chisnall@guardianproject@signalapp@fdroidorg No, I'm calling out bad faith criticism. Using closed source components from untrustworthy party X is a valid criticism. "Allows party X to inject arbitrary code" is a mischaracterization of that which serves an agenda (usually promoting scammy fake secure messengers).
@david_chisnall@guardianproject@signalapp@fdroidorg No, they're fixed code that contains exactly whatever code was there at the time Signal acquired and linked them in. Regardless of whether you have the source, this is analyzable, and if it doesn't have backdoor communication channels, the likelihood of harm is low even if you haven't done detailed analysis.
"Arbitrary code execution" would mean that they phone home to dynamically obtain code that Google could alter at any time to change the behavior after Signal shipped the app. That's the apparently false allegation folks are making about Signal.
@david_chisnall@guardianproject@signalapp@fdroidorg That's a perpetual myth that seems to have no basis in reality. The libraries in question have not been shown to be able to inject arbitrary code unless a malicious OS (which already has the capability to inject code into any program it hosts) has instructed them to do so.
(To be clear, this means on a Googled Android, you're just as vulnerable to Google's whims as you already were by running a Google OS, and on deGoogled Android you do not appear to be vulnerable.)
If this is incorrect, I'd like to see evidence.
Still I think on principle Signal should remove all Google code. There's no reason for it to be there and it hurts trust.
@maggiejk Car payments and mortgages are compounding. They're just on an amortization schedule so you pay the same amount each month as long as you pay on time, but over the lifetime of the loan, the payments transition from being mostly interest almost no principal to mostly principal almost no interest.
@cstross Not just why you should pay attention, but why you should have immense gratitude for trans folks sounding the warnings (and maybe contribute some mutual aid to express that gratitude) rather than deriding them for it.
@xgranade@valkyrie The entire "appeal" of "AI" is as an excuse to bypass regulation and subject consent to amass information that can be used to wield power & control.
@xgranade i remember my doctor arguing about this with me recently, saying that none of that will ever be accessible without permission. and i was like yeah, i'm gonna keep being cagey about anything i've learned in my therapy sessions so it's not on record, because i know that's a lie. and here we are with the autism registry and a free for all on access to people's private medical data. sick.
@autinerd@NewtonMark@raven667@voltagex@ryanc Despite most versions of Windows having a ridiculous UI in control panel that zero pads the decimal quad fields. Probably lots of routers, printers, etc. too.