l3db3tt3r

You make valid points. I don’t know that the word apathy is strong enough in this context, shrug. I mean, why not just say the thing? “This needs to be fleshed out”. At least it provides direction and context, (go push sand somewhere else; the TAB) and would probably be quicker/easier to write then sling this tired narrative, and non-answer to what is actually being asked;

Thus seeking documented guidance on new Linux Security Module submissions for how they should be optimally introduced.

(The TSEM LSM people aren’t trying to push a specific thing, they are asking for clarity of the process and particulars by witch a thing should be submitted; because from what I understand, their project (and others) keep hitting walls on the grounds of ‘formatting’ and ‘structure’; as a stop-gap, and thus an incomplete review, of the ideas and contents of the problem/solution set of the project. (Think: “It’s too difficult for me to read the thing, so I won’t until you fix it” – And not name with specifics to what is considered ‘fixed’, or what the process for re-submission is; It’s a backhand way of claiming “secret knowledge” over the thing and then saying “just fix it”. Fix what specifically ? )

That is to say; when outsiders see these kinds of roadblocks, and the responses/narratives of key figures in these spaces is “apathy” of this degree, it feels something to me akin to security theater.

“Yes, I know that security people always think they know best, and they all disagree with each other, which is why we already have tons of security modules. Ask ten people what model is the right one, and you get fifteen different answers.”

“I’m not in the least interested in becoming some kind of arbiter or voice of sanity in this.”

How do you even get to a consensus model to tease these things out; when your answer is a refusal to engage with “pointless” things?

It just seems contentious to me, that anyone when considering this kind of rhetoric, would make claims in regards to the level of security that Linux (may) provide. It just feels something akin to playing in the realm of security theater.

Maybe start here? https://fightchatcontrol.eu/

A non-walled garden isn’t much help for you either. There’s nothing stopping them from ‘requiring’ Client-Side - Device level scanning. The technological ‘problem’ required to do that, isn’t too difficult to impose when you also create an environment where your device/provider ‘requirement’ in order to even use your technology, forces compliance, and it isn’t that far fetched of a technical problem to be solved.

If Signal leaves the official app stores

I know this is probably semantics; but I don’t think it will be completely on Signal, ie the app store owner is the one who is going to have the pressure to remove the apps: plural, as they will likely also remove any alternatives in the same vain. Same with any other service provider, store front, internet or cellular access, or device maker…

• There is no strictly defined “scope” of what ChatCountrol covers. It’s as broad as scanning “communications”. And includes things like Client-Side Scanning.
  • Pre-encryption scanning - Content is analyzed before it gets encrypted
  • Device-level analysis - Scanning occurs on the sender’s device before transmission
  • End-to-end encrypted services - Even encrypted communications are subject to scanning requirements

What I mean by Signal complying by leaving, is that they stop allowing registration of phone numbers ‘from’ these countries, and stop hosting any of their infrastructure (AWS) within these boarders.

Self-Hosted or Federated, is only a small portion of the battle. You have a bigger problem.

It isn’t criticism if it isn’t based on fact. The U in FUD stands for Uncertainty; and what do you think “might” falls under, or it’s relation to sowing Doubt?

The law related to job postings, is a labor law, that also covers minimum wage, and uses the same definitions. Labor Code Section 432.3 (Pay Transparency Law) Labor Code Section 1197.5 - California Equal Pay Act (Fair Pay Act) Labor Code Section 2750.3 (Employee vs Independent Contractor Classification)

Let me do the work for you; since you’d rather just spread FUD then look for facts.

1. https://www.linkedin.com/company/grapheneos/people/

• 0 California “employees” listed

2. https://www.dir.ca.gov/dlse/SB3_FAQ.htm (I just want to point out that there is a distinction; and I am not a lawyer) “Any individual performing any kind of compensable work for the employer who is not a bona fide independent contractor would be considered and counted as an employee, including salaried executives, part-time workers, minors, and new hires.”

It also sounds like they are trying to fill a part-time role. “Must be able to commit to spending 80 hours or more a month” = ~20 hours a week, but given the ebb and flow of release/bug/patch work needed…

FUD

1. GrapheneOS is a non-profit out of Canada.
2. It’s an “independent contractor” role. California has specific laws governing the classification of workers as employees versus independent contractors.

I don’t know if there’s really a better way to manage this need. They need a pretty niche specialized developer, so you have to cast a pretty wide net (globally, mind you) for remote work.

1. It’s a pretty small global team.
2. How would they financially/legally manage the burden of tax/benefit/workers rights across all boarders; especially as a non-profit.

Yes, people should know what they are getting into, with independent contractor work. I just think there is (probably) some nuance to this particular case; where hiring people on as an employee doesn’t make a lot of sense.

I don’t see Signal complying, and it’s already a target for ‘breaking’ it’s encryption. I think it is more likely to leave the marketplace in which ChatControl is forced (it’s the only winning move); and I don’t think that necessarily means you ‘can’t’ use it; if anything ChatControl environments give a framework that allows them to force supporting network/service infrastructure into blocking or restricting the ‘ease’ in which these tools can be installed, accessed and used. I would focus efforts on how people can get around this vector, not just the specific tool in use.

Who benefits?

Who benefits from sowing a narrative around “drama”, “accusation”, and/or “paranoia”. Seriously.

I think given the following circumspect; GrapheneOS’s reaction, to move project pieces out of potential hostile environments/jurisdiction, is perfectly reasonable.

1. France’s Support for EU “Chat Control”, scanning proposals. France has been one of the governments most supportive of EU‑level proposals that would require scanning of communications and devices for illegal content.

2. The general French framing and approach to cybercrime. As in other EU countries, French authorities are pushing for: Expanded powers to compel cooperation from service providers, and developers. Strong rhetoric against tools that are seen as systematically obstructing investigations.

I believe this is what you are looking for https://killedbymozilla.com/

The revelations that came out from the Edward Snowden ordeal.

Find the skills gaps that you have; find the thing that interests you about it; and dig into that fundamental piece, don’t understand what the fundamentals might be, go check out .edu, or certification outlines with the vocabulary/knowledge you do have so you can build from the concepts (and benefit from their already determined progressions) , so you can developed additional vocabulary and knowledge of the discipline.

I think the gatekeeping part isn’t the warning or cautionary advice being given, It’s the failure to point, and give direction to, the relevant thing(s), the skill sets, the place to start in order to understand the complexities.

Like the hart-surgeon analogy given elsewhere in the comments; it’s not just the dire warning of ‘you can kill someone’ - it’s the humanity to say, well if you want to learn how to do this, you’re going to have to start by having an understanding of basic biology, organic chemistry, human anatomy, etc, and to learn about those things go here…

I think you’ve missed the point OP is trying to communicate. It’s not that these things aren’t relevant, highly important, and good caution/warning. It’s the gate that people are creating with these no depth explainers. “you need to understand” “if you don’t know” – then fail to provide direction to people who want to know, to learn these things, to figure out where to start; that’s the gate.

The price of being on the bleeding edge.
But also, trust the process, it’s a feature not a bug.

Also, I’ll add, that I think that beginners learning this immutable, devcontainer, distrobox workflow offers you more space to practice and learn by doing. You’ll will learn a lot by recovering from some misstep (rollback), and/or by blowing it up, to rebuild it again. (and I encourage you to do it often for the practice and confidence)

Check out the ‘dx’ variants within universal blue It would be a good time to become familiar with rebasing.

I run bluefin-dx environment. (gnome).

There is a different learning curve to immutable/atomic systems and workflows. I don’t think it’s harder per say, it’s just you’ll have to be cognizant of the differences when searching for relative and relevant information when you come up against anything (like any opinionated *nix distro). Learn Homebrew, and Flatpack (and thier quarks running with atomic systems).