item 46437990

mcsniff | 2 months ago

Ugh. This 100% shows how janky and unmaintained their setup is.

All the hand-waving and excuses around global supply chains, quotes, etc. ... it took pretty long for them to acquire commodity hardware and shove it in a special someone's basement, and they're trying to make it seem like a good thing?

F-Droid is often discussed in the GrapheneOS community, the concerns around centralization and signing are valid.

I understand this is a volunteer effort, but it's not a good look.

lrvick | 2 months ago

As someone that has run many volunteer open source communities and projects for more than 2 decades, I totally get how big "small" wins like this are.

The internet is run on binaries compiled in servers in random basements and you should be thankful for those basements because the corpos are never going to actually help fund any of it.

pydry | 2 months ago

It's a shame Mozilla won't step up to fund it. They've spunked way more money on way dumber things.

lukan | 2 months ago

"I understand this is a volunteer effort, but it's not a good look."

I would agree that it is not a good look for this society to lament so much about the big evil corporations and invest so little in the free alternatives.

fruitworks | 2 months ago

You can't just host servers in your own basement! You need to pay out the ass to host servers in some big company's basement!

magguzu | 2 months ago

GrapheneOS is a great product, but their incessant mud-slinging at any service that isn't theirs is tiresome at best.

Some of their points are valid but way too often they're unable to accept that different services aren't always trying to solve the same problem.

ekjhgkejhgk | 2 months ago

> their incessant mud slinging at any service that isn't theirs is tiresome at best.

100%. But you know, sadly I've noticed that non-experts are impressed by elitism. So you don't have to be good, you just have to shit on others, and passersby will interpret that as being very competent.

Which is super ironic, coming from a project which is about privacy but only supports hardware built by the biggest surveillance company.

troyvit | 2 months ago

It's like y'all are so eager to crap on a thing that you don't even read TFA.

> this server is physically held by a long time contributor with a proven track record of securely hosting services.

So you are assuming it's a rando's basement when they never said anything like that.

If their way of doing business is so offensive either don't use them, disrupt them or pitch in and help.

> I understand this is a volunteer effort, but it's not a good look.

What does make a "good look" for a volunteer project?

wtallis | 2 months ago

> What does make a "good look" for a volunteer project?

It's an open-source project. It should be... open. Not mysterious or secretive about overdue replacements of critical infrastructure.

well_ackshually | 2 months ago

> this server is physically held by a long time contributor with a proven track record of securely hosting services.

This is effectively a rando's basement. It doesn't matter that they've been a contributor or whatever. Individuals change, relationships sour. Securely hosting how? By locking the front door? By being a random tech company in the Midwest? Or by having proper access control?

As a little reminder, F-Droid has _all_ the signing keys on its build server. Compromising that is somewhere between "oh that's awful" and "stop the world". These builds go out as automatic updates too. So uh, yeah, I'd like it if it was hosted by someone serious and not "my buddy Joe, who's a sysadmin, don't worry".

cyberax | 2 months ago

I read it a bit differently: you don't need to be a mega-corp with millions of servers to actually make a difference for the better. It really doesn't take much!

Also, even 12-year-old hardware is wicked fast.

Aurornis | 2 months ago

The issue isn't the hardware, it's the fact that it's hosted somewhere private, in conditions they won't name, under the control of a single member. Typically colo providers are used for this.

ekjhgkejhgk | 2 months ago

> F-Droid is often discussed in the GrapheneOS community, the concerns around centralization and signing are valid.

Clearly the GrapheneOS community is clueless then.

You can host F-Droid yourself, which is the opposite of centralized. If the GrapheneOS community actually is concerned about centralization they can host an instance as well.

Furthermore, each author signs their own software, which again is the opposite of centralized. One authority signing everything would be centralized.

So F-Droid is decentralized in authorship and distribution. Google store is only decentralized in authorship.

xandrius | 2 months ago

"Nothing is ever good enough" (tm)

orthecreedence | 2 months ago

If I were running a volunteer project, I would be dumping thousands a month into top-tier hosting across multiple datacenters around the world with global failover.

gnufx | 2 months ago

> commodity hardware

Apart from the "someone's basement", as objected to in this thread, it also doesn't say they acquired "commodity hardware"; I took it to suggest the opposite, presumably for good reason.

wtallis | 2 months ago

> it also doesn't say they acquired "commodity hardware"; I took it to suggest the opposite, presumably for good reason.

This seems entirely like wishful thinking. They were using a 12 year old server that was increasingly unfit for the day-to-day task of building Android applications. It doesn't seem like they were in a position to acquire and deploy any exotic hardware (except to the extent that really old hardware can be considered exotic and no longer a commodity). I'd be surprised if the new server is anything other than off the shelf x86 hardware, and if we're lucky then maybe they know how to do something useful with a TPM or other hardware root of trust to secure the OS they're running on this server and protect the keys they're signing builds with.

viraptor | 2 months ago

> shove it in a special someone's basement

They didn't say what conditions it's held in. You're just adding FUD, please stop. It could be under the bed, it could be in a professional server room of the company run by the mentioned contributor.

lrvick | 2 months ago

100%. Just as an example, I have several racks at home, business fiber, battery backup, and a propane generator as a last resort. Also 4th Amendment protections, so no one gets access without me knowing about it. I host a lot of things at home and trust it more than any DC.