l3db3tt3r

joined 1 month ago
[–] l3db3tt3r@piefed.social 1 points 9 hours ago

You make valid points. I don't know that the word apathy is strong enough in this context, shrug. I mean, why not just say the thing? "This needs to be fleshed out". At least it provides direction and context, (go push sand somewhere else; the TAB) and would probably be quicker/easier to write than sling this tired narrative, and non-answer to what is actually being asked;

Thus seeking documented guidance on new Linux Security Module submissions for how they should be optimally introduced.

(The TSEM LSM people aren't trying to push a specific thing, they are asking for clarity of the process and particulars by which a thing should be submitted; because from what I understand, their project (and others) keep hitting walls on the grounds of 'formatting' and 'structure'; as a stop-gap, and thus an incomplete review, of the ideas and contents of the problem/solution set of the project. (Think: "It's too difficult for me to read the thing, so I won't until you fix it" -- And not name with specifics to what is considered 'fixed', or what the process for re-submission is; It's a backhand way of claiming "secret knowledge" over the thing and then saying "just fix it". Fix what specifically? )

That is to say; when outsiders see these kinds of roadblocks, and the responses/narratives of key figures in these spaces are "apathy" of this degree, it feels something to me akin to security theater.

[–] l3db3tt3r@piefed.social 0 points 1 day ago (4 children)

"Yes, I know that security people always think they know best, and they all disagree with each other, which is why we already have tons of security modules. Ask ten people what model is the right one, and you get fifteen different answers."

"I'm not in the least interested in becoming some kind of arbiter or voice of sanity in this."

How do you even get to a consensus model to tease these things out; when your answer is a refusal to engage with "pointless" things?

It just seems contentious to me, that anyone when considering this kind of rhetoric, would make claims in regards to the level of security that Linux (may) provide. It just feels something akin to playing in the realm of security theater.

[–] l3db3tt3r@piefed.social 2 points 2 weeks ago

A non-walled garden isn't much help for you either. There's nothing stopping them from 'requiring' Client-Side - Device level scanning. The technological 'problem' required to do that, isn't too difficult to impose when you also create an environment where your device/provider 'requirement' in order to even use your technology, forces compliance, and it isn't that far-fetched of a technical problem to be solved.

[–] l3db3tt3r@piefed.social 1 points 2 weeks ago

If Signal leaves the official app stores

I know this is probably semantics; but I don't think it will be completely on Signal, ie the app store owner is the one who is going to have the pressure to remove the apps: plural, as they will likely also remove any alternatives in the same vein. Same with any other service provider, store front, internet or cellular access, or device maker...

  • There is no strictly defined "scope" of what ChatControl covers. It's as broad as scanning "communications". And includes things like Client-Side Scanning.
    • Pre-encryption scanning - Content is analyzed before it gets encrypted
    • Device-level analysis - Scanning occurs on the sender's device before transmission
    • End-to-end encrypted services - Even encrypted communications are subject to scanning requirements

What I mean by Signal complying by leaving, is that they stop allowing registration of phone numbers 'from' these countries, and stop hosting any of their infrastructure (AWS) within these borders.

Self-Hosted or Federated, is only a small portion of the battle. You have a bigger problem.

[–] l3db3tt3r@piefed.social 0 points 2 weeks ago

It isn't criticism if it isn't based on fact. The U in FUD stands for Uncertainty; and what do you think "might" falls under, or its relation to sowing Doubt?

The law related to job postings, is a labor law, that also covers minimum wage, and uses the same definitions. Labor Code Section 432.3 (Pay Transparency Law) Labor Code Section 1197.5 - California Equal Pay Act (Fair Pay Act) Labor Code Section 2750.3 (Employee vs Independent Contractor Classification)

[–] l3db3tt3r@piefed.social 1 points 2 weeks ago (2 children)

Let me do the work for you; since you'd rather just spread FUD than look for facts.

  1. https://www.linkedin.com/company/grapheneos/people/
     • 0 California "employees" listed
  2. https://www.dir.ca.gov/dlse/SB3_FAQ.htm (I just want to point out that there is a distinction; and I am not a lawyer) "Any individual performing any kind of compensable work for the employer who is not a bona fide independent contractor would be considered and counted as an employee, including salaried executives, part-time workers, minors, and new hires."

[–] l3db3tt3r@piefed.social 4 points 2 weeks ago

It also sounds like they are trying to fill a part-time role. "Must be able to commit to spending 80 hours or more a month" = ~20 hours a week, but given the ebb and flow of release/bug/patch work needed...

[–] l3db3tt3r@piefed.social 5 points 2 weeks ago (5 children)

FUD

  1. GrapheneOS is a non-profit out of Canada.
  2. It's an "independent contractor" role. California has specific laws governing the classification of workers as employees versus independent contractors.

[–] l3db3tt3r@piefed.social 7 points 2 weeks ago (2 children)

I don't know if there's really a better way to manage this need. They need a pretty niche specialized developer, so you have to cast a pretty wide net (globally, mind you) for remote work.

  1. It's a pretty small global team.
  2. How would they financially/legally manage the burden of tax/benefit/workers' rights across all borders; especially as a non-profit.

Yes, people should know what they are getting into, with independent contractor work. I just think there is (probably) some nuance to this particular case; where hiring people on as an employee doesn't make a lot of sense.

[–] l3db3tt3r@piefed.social 17 points 2 weeks ago (8 children)

I don't see Signal complying, and it's already a target for 'breaking' its encryption. I think it is more likely to leave the marketplace in which ChatControl is forced (it's the only winning move); and I don't think that necessarily means you 'can't' use it; if anything ChatControl environments give a framework that allows them to force supporting network/service infrastructure into blocking or restricting the 'ease' in which these tools can be installed, accessed and used. I would focus efforts on how people can get around this vector, not just the specific tool in use.

[–] l3db3tt3r@piefed.social 4 points 2 weeks ago

I don't know that many of my adult friends even hit half the items talked about in this article.
What's your own score?

[–] l3db3tt3r@piefed.social 3 points 3 weeks ago (1 children)

I believe this is what you are looking for https://killedbymozilla.com/
