[Linux-aus] Encryption bill and open source
C J du Preez
cjdp at cjdpenterprises.com
Fri Dec 7 02:59:44 AEDT 2018
> For instance:
>
> - anyone running stock Android or iOS on their phone or tablet is
> vulnerable to vendor backdoors; is it practical to build your own
> version of Android from source to avoid this? Personally, I've been
> waiting since last LCA for Marco to give a talk at HUMBUG about
> LineageOS which maybe solves this... <eyeroll emoji; that exists
> right?>
>
> - anyone running any Android or iPhone apps by Australian authors
> is potentially vulnerable to backdoors due to the new legislation;
> can you use fdroid or some other open source "app store" to at least
> theoretically avoid that risk? Are there any app stores that are
> both open source-y and can accept payment via Bitcoin, say?
>
> - are there any realistic best practices for code verification, so that
> deliberate backdoors can be detected before you install a binary or
> get exploited? In particular ones that square with things like pypi
> or nodejs or java or ruby dependency systems where you're randomly
> installing bunches of easily updatable code from internet
> repositories?
>
> - is it realistic to do any of the things everyone relies on centralised
> trusted third parties for, ourselves? like Google Maps'
> location history, or facebook/instagram/snapchat's photo
> and story sharing, or hangouts/skype/zoom videochat, or
> signal/whatsapp/telegram/wickr/whatever "private" messaging, or
> dropbox/evernote/gdrive/etc file storage, or even gmail? Every trusted
> third party has always been a security hole, but now you're not only
> trusting the nominal provider, but every Australian security dept too
> (except the anti-corruption ones, apparently?). Freedom Box was meant
> to help with this, but never really did afaik...
>
> I know enough to ask the questions, and to know that I don't have good
> enough answers to any of those; if someone actually knows better about
> any of them, I'd like to subscribe to your newsletter, so to speak. Or
> attend an impromptu BOF or similar at lca or elsewhere? But maybe nobody
> knows better, and lots of people know less and I should be offering the
> BOF? I have no idea.
>
Some options:
A phone:
https://puri.sm/products/librem-5/
Decentralized chat you can host:
https://matrix.org/blog/home/
An OS:
https://www.qubes-os.org/
Recommendations for privacy tools and services:
https://www.privacytools.io/
https://thatoneprivacysite.net/