#ReproduceableBuilds

Kevin Karhan :verified:kkarhan@infosec.space
2025-04-25

@eu_os @EC_OSPO #IMHO, it's overdue that @EUCommission & @bsi ban non-#FLOSS & #CCSS in #administration and especially #CriticalInfrastructure.

Kevin Karhan :verified:kkarhan@infosec.space
2025-03-27

@ueeu well, @monocles do #ReproduceableBuilds as that's necessary to get their apps on @fdroidorg / #FDroid!

Kevin Karhan :verified:kkarhan@infosec.space
2025-03-25

@ueeu I think the crucial parts are looking at its components, dependencies, size and, for apps, permissions.

#ReproduceableBuilds for example are important, so the actually released source code is what people actually get served as the basis.

Plus in terms of #security, choose *real #E2EE with #SelfCustody of all the #Keys!

Kevin Karhan :verified:kkarhan@infosec.space
2025-02-16

@centopus well, feel free to port @AsahiLinux 's patches to #C.

As for #Rust, IDGAF in general.

Kevin Karhan :verified:kkarhan@infosec.space
2025-01-12

@lispi314 @enigmatico @bunnybeam @kimapr
nods in agreement

  • I think having a proper #API is a way to facilitate that, cuz worst-case one just slaps together some #aliases in #bash, #fish, #zsh or whatever #shell and just uses #curl to query stuff manually as this solves the whole #WebApp - issue.

And I do prefer #FLOSS as it works fine for an ever increasing audience!

  • Even if we choose to point at bad #UX / #UI combos like #GnuPG, we've to also acknowledge better existing alternatives like #enc that just work!

Personally, I think that everything people are expected to use if not forced to use should be #OpenSource as licensed in a #OSI accredited license and be released with #SourceCode and #documentation to make #reproduceableBuilds and thus facilitate #audits by truly independent parties...

  • And if that's not possible any requirement to using said things should be outlawed no matter the context!

An unsarcastically good example is #S3, even tho I hate #amazon, they wanted #developers to integrate their #ObjectStorage which necessitated an #open source'd API to the point that its #backend is inherently reproducible, and now every halfassing #Webhoster offers S3 #storage, sometimes with bit & second-precise billing.

Kevin Karhan :verified:kkarhan@infosec.space
2025-01-02

@dragonarchitect @Siph also, just using #Rust doesn't automatically make shit good.

  • And I doubt it can be as compact and efficient as #C when it comes to a minimalist #Linux distro...

But then again I care more about #ReproduceableBuilds and #Maintainability than the language.

Kevin Karhan :verified:kkarhan@infosec.space
2024-12-12

@ai6yr nods in agreement whereas the "akshual coding" is "relatively simple" if one doesn't mind #readability, #maintainability or using understandable variable names...

Testing can be automated if one builds and documents the tests, that is...

"#AI" can't do this because those #LLM|s don't learn organically but merely act as "#StochasticParrot" and not as intelligent beings that are able or even willing to transfer & exchange information freely...

Kevin Karhan :verified:kkarhan@infosec.space
2024-11-07

@lucasmz @estelle It is proprietary in that to this day there are neither #ReproduceableBuilds nor is it #SelfHosting-capable...

Which makes @signalapp a #liability and #incapable of complying with #GDPR & #BDSG due to #CloudAct making that impossible!

Kevin Karhan :verified:kkarhan@infosec.space
2024-10-24

@eemmaa personally, I do intend to copy that with @OS1337 because #ReproduceableBuilds are as much of an important step in having an #auditable system as having unrestricted (#opensource licensed!) #sourcecode availability & access...

Kevin Karhan :verified:kkarhan@infosec.space
2024-10-22

@ditol @samueljohn @linuzifer

THIS is where I disagree...

You may think it's elitist, but if people are too lazy to learn even fundamentals like how to use #Tails then maybe they should just not do #tech at all?

  • Like: We expect people to show at the very least theoretical proficiency in terms of #TrafficCode and #VehicleSafety in *every jurisdiction I'm aware of* and literally mandate #DrivingLicense|s for that reason.

I'll gladly teach #TechIlliterates but I won't waste my time on people that spread disinfo...

It's 2024: @tails_live / @tails has been out for over a decade and there are a shitload of guides ranging from written documentation to Zoomer-friendly TikTok-Style shorts on how to get started.

FOR THE LAST TIME:

*STOP MAKING EXCUSES TO JUSTIFY ESCALATING COMMITMENT TO EVIDENTLY BAD SOLUTIONS!*

Whereas with #SelfCustody of all the keys as well as #ReproduceableBuilds and real #decentralization, this would be evidently impossible even if all the devs wanted to comply honestly and not just because they could be held at gunpoint.

  • #Signal is not your friend. It's merely a tax-exempt "non-profit" corporation, and corporations are explicitly nobody's friend - especially when they demand #PII like phone numbers for usage.

Compare that to #monocles where you do pay like €2 p.m. but in return get #standard #protocols like #IMAP, #SMTP & #XMPP and can pay anonymously and not have to provide any PII whatsoever!

  • And unlike #Signal they ain't dependent on #VC funding and #grant money to keep the lights on.

Make of that what you will, but just like allowing flatearthers to roam freely without caretaker supervision doesn't make the world less round, so won't the facts change about #ITsec, #InfoSec, #OpSec & #ComSec.

Because all #centralized, #SingleVendor & #SingleProvider solutions are bad, and if they don't even allow for #SelfCustody then they are just a #grift to #scam tech-illiterates that don't know and/or don't care!

#thxbye #EOD

Kevin Karhan :verified:kkarhan@infosec.space
2024-10-19

@bananapi Q: How about you get proper #drivers and #support going for your existing #products?

Cuz that's what makes #RaspberryPi better!
youtube.com/watch?v=51OMXTElSt

Kevin Karhan :verified:kkarhan@infosec.space
2024-10-15

@renan nods in agreement

Tho #SimpleX, like #Threema, is also a #centralized, #proprietary, #SingleVendor & #SingleProvider solution with neither #SelfCustody of keys nor any means to #SelfHost and have #reproduceableBuilds.

Kevin Karhan :verified:kkarhan@infosec.space
2024-10-11

Granted, @OS1337 has a different target mission, which is to be a #KISS-principled, easy to build, extend and adapt basis for #Firmware and #Embedded Systems...

Or to power some #security-focussed #EmbeddedSystems where having #ReproduceableBuilds is part of the #transparency culture I aim for.

Kevin Karhan :verified:kkarhan@infosec.space
2024-08-22

@HunterZ @Yuki @mos_8502 @aphyr Not entirely:

I want to see simple executables that just work.

See #XMRig 1 & #YoutubeDLP 2 as well as #toybox 3 4 5...

@landley showed it with Toybox and I just try the next best step of a #minimalist #Linux distro with @OS1337 ...

Kevin Karhan :verified:kkarhan@infosec.space
2024-07-26

@SweetAIBelle @OS1337
So yeah, even if anything beyond the minimalist 1440kB Floppy is quite a bit bigger, being able to #reproduce a system and have #ReproduceableBuilds is in my eyes the only way to get enough #trust so #CriticalInfrastructure providers would consider it even remotely for use.

  • Or in some cases barely allow it #onsite for use.

And that's why I use #toybox: Because the motivations align with those of @landley and I also want to counter-#FUD decisionmakers by showing them:

"This is what I'd use to administrate your critical #Linux / #BSD / #Unix servers. You don't have to trust me, here's the code that you can build it yourself - airgapped and inhouse - and it WILL exceed any security and auditability criteria you can create that any other OS can comply with!"

Not to mention a compact system can just yoink itself into RAM and just be available for tasking, making #ThinClient updates super fast and easy to facilitate across machines, preventing any persistence of malicious code or unauthorized access beyond reboot...

Basically the #VT69 dumb terminal but over #SSH and thus way more practical!

Kevin Karhan :verified:kkarhan@mstdn.social
2023-12-12

@ravirockks Needless to say that only #transparency with #ReproduceableBuilds can ensure the #SourceCode is related to the #binary released.

And being able to audit oneself or choose any auditor of choice to do so is also critical to the whole #ITsec aspect of it.

You don't want people to be able to "pull rank" but instead you want critical code to be looked at with as many eyes as possible.
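The point made in the 2025-03-25 and 2023-12-12 posts above (and in the "build it yourself, airgapped" pitch of 2024-07-26) is that a reproducible build is what ties a released binary to the released source: anyone can rebuild and compare hashes. The following is an added example, not code from the thread or from any of the projects it mentions. It uses two deliberately toy "builders" as stand-ins for a real toolchain (one deterministic, honouring the SOURCE_DATE_EPOCH convention that real toolchains such as GCC and GNU tar support; one leaking the wall clock and build path), a constructed sample source tree, and an assumed default epoch of 1700000000 when SOURCE_DATE_EPOCH is unset.

```shell
#!/bin/sh
# Added example (not from the thread): check a build for reproducibility by
# building the same source twice in fresh directories and comparing hashes,
# then verify a local rebuild against a hash published with the binary.
# The two "builders" below are toy stand-ins for a real toolchain.
set -eu

# Print the SHA-256 of a file (coreutils sha256sum, or shasum on BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Reproducible toy build: inputs are enumerated in a fixed (LC_ALL=C sorted)
# order and the only timestamp written out comes from SOURCE_DATE_EPOCH, so
# the output depends on the sources alone, never on the clock or directory.
build_reproducible() {
  src=$1; out=$2
  : "${SOURCE_DATE_EPOCH:=1700000000}"   # assumed default when unset
  {
    printf 'build-epoch=%s\n' "$SOURCE_DATE_EPOCH"
    ( cd "$src" && find . -type f | LC_ALL=C sort ) | while IFS= read -r f; do
      printf '== %s ==\n' "$f"
      cat "$src/$f"
    done
  } > "$out"
}

# Unreproducible toy build: embeds the wall clock and the build directory,
# two of the most common ways real builds leak their environment into a binary.
build_unreproducible() {
  src=$1; out=$2
  {
    printf 'built-at=%s in %s\n' "$(date +%s)" "$(pwd)"
    ( cd "$src" && find . -type f ) | while IFS= read -r f; do   # unsorted
      printf '== %s ==\n' "$f"
      cat "$src/$f"
    done
  } > "$out"
}

# Run a builder in a brand-new temporary directory, print the output hash,
# and clean up. Fresh directories matter: a second build in the same tree can
# look reproducible only because it picks up the first build's leftovers.
hash_fresh_build() {
  builder=$1; src=$2
  dir=$(mktemp -d)
  ( cd "$dir" && "$builder" "$src" out.bin )
  h=$(sha256_of "$dir/out.bin")
  rm -rf "$dir"
  printf '%s\n' "$h"
}

# Succeeds when two independent builds of the same source are bit-identical.
is_reproducible() {
  builder=$1; src=$2
  a=$(hash_fresh_build "$builder" "$src")
  b=$(hash_fresh_build "$builder" "$src")
  [ "$a" = "$b" ]
}

# Independent verification: rebuild from the published source and compare
# with the hash the publisher shipped next to the binary. A mismatch means the
# binary was not built from that source, or the build is not reproducible.
verify_published_hash() {
  builder=$1; src=$2; expected=$3
  [ "$(hash_fresh_build "$builder" "$src")" = "$expected" ]
}

# Constructed sample source tree (not a real project).
make_sample_source() {
  s=$(mktemp -d)
  printf 'int main(void) { return 0; }\n' > "$s/main.c"
  printf 'all: main\n' > "$s/Makefile"
  printf '%s\n' "$s"
}

SRC=$(make_sample_source)
if is_reproducible build_reproducible "$SRC"; then
  echo "deterministic builder: reproducible"
else
  echo "deterministic builder: NOT reproducible"
fi
if is_reproducible build_unreproducible "$SRC"; then
  echo "timestamp/path builder: reproducible"
else
  echo "timestamp/path builder: NOT reproducible"
fi
rm -rf "$SRC"
```

Swap the toy builder for the project's real build command and `verify_published_hash` becomes the check an independent auditor runs: rebuild from the tagged source, compare against the published hash, and treat any mismatch as "this binary is not what the source says it is" until the cause is found.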
