Hacker Times | izacus's comments

What do you mean by "excuse"? What kind of excuse would a company need to comply with the law of its government?!

That's not evidence, that's conjecture again. Is there evidence that this kind of client push is actually used to extract data in these projects?

That's evidence for the mechanism, as asked.

The evidence that it's being actively used in the US is in the secret proceedings of a secret court. I kid you not; look up FISA warrant.


Not sure if that counts as proper evidence, but I have seen some logs[0], albeit with encryption, but from my understanding they control the encryption keys or at least certainly have the ability to change them (if they get hacked themselves, for example).

Would you like to see proper evidence of the logging policy? I feel like I can try finding that again if you/the HN community would be interested in seeing it.

Edit: also worth pointing out that keeping logs with time might be a form of meta-data, which depending on your threat-vector (journalism etc.) can be very sensitive info.

[0]: another comment of mine here: https://hackertimes.com/item?id=47624960


Yes, it's terrible and something even Windows handles better. It's one of those utterly bizarre Apple things which make me wonder which old product guy has dirt on everyone else at the company.

Optimizing the OS won't do anything about shrinking sales when the spec sheet changes.

It's literally been the law to have that feature for a decade (or more) now; what's going on in this conversation?

Which ones were those?

History is full of such incidents. Hasn't the US been using EU airspace to conduct strikes in other countries? Hasn't the EU kept silent about the election stolen in Pakistan? Did the EU keep silent when hundreds of people were killed by the Pakistan Army in 2024 and 2025? Didn't the EU keep the Pakistan 2024 election report unpublished for two years? Why does the EU support the Pakistan Army's illegal rule? Oh, and hasn't NATO been killing in Libya, Iraq and Afghanistan?

F-Droid is so irrelevant that it doesn't even begin to be targeted by supply chain and scam attacks. Being obscure always helps with this, but pretending that it's the same threat model is absolutely false.

Are Debian repositories also irrelevant? If not, why aren't they targeted?

The XZ utils backdoor made it into Debian repositories undetected, although it was caught before it was in a stable version.

Debian repositories are quite secure, but also pretty limited in scope and extremely slow to update. In practice, basically everyone (I'm sure there are a few counterexamples) using a Linux distro uses it as a base and runs extra software from less tightly controlled sources: Docker hub, PyPI, npm, crates, Flathub etc. It's far easier for attackers to target those, but their openness also means there's a lot of useful stuff there that's not in Debian.

Holding up Debian as a model for security is one step up from the old joke about securing your computer by turning it off and unplugging it. It's true, but it's not really interesting.


The XZ attack is an extremely rare event, likely coming from a state actor, which actually proves that GNU/Linux is a very important target. It was also caught not least thanks to the open nature of the repository. Also, AFAIK it wasn't even a change in the repo itself.

In short, using FLOSS is the way to ensure security. Whenever you touch proprietary stuff, be careful and use compartmentalization.


You "saying it" doesn't make it true.

Meanwhile, on the Play Store... https://ibb.co/DJKGM8d

You "refusing to believe it" doesn't make it go away.

Is it because Android literally has billions of users across the world.

A large portion of which are using it in a feature phone capacity. Many only use smartphones because it’s what their carrier gave them after their old candybar dumbphone either broke or became unable to connect to cell towers.

The other groups are those who use it identically to how they would iOS (and don’t root or sideload), those that use it as computer replacement, and those who just like to tinker. Those last two groups are a tiny, tiny sliver relative to the others.


Especially once you start counting car entertainment systems, POTS terminals, digital signage, and hundreds of other classes of devices that are not general-purpose toys.

Significantly larger than the number of users wanting to sideload.

There are millions of people affected by targeted scams every year, significantly outnumbering the non-developer sideload community. Especially when you take into account that the sideload community doesn't all use Google Android and isn't affected by this.

