Open Source

Seven core contributors and one board member met in Scotland, the birthplace
of F-Droid, for the first in-person F-Droid team meeting. One of the most
pressing tasks we needed to take care of was setting up a
contributor-controlled backup of all of our signing keys. The requirements
made it necessary to have a lengthy, in-person, consensus-driven planning
session. We found no good documentation of such a procedure, so we’re going
out on a limb here and publishing the general outline of our process. This
process was informally audited by multiple people with varying expertise
before the public key was used to encrypt anything.

F-Droid manages secret signing keys for thousands of apps. Someone who has
control over those keys could create malicious app releases that could be
transparently installed as updates. On top of that,
Android
does
not
make it
easy
to rotate to new signing keys, unlike TLS or Signal. So these keys are very important to protect. They are also very
important to backup, since the Android OS uses the signing key combined with
the Application ID as the unique identifier to represent each installed
app. This meeting gave us the perfect opportunity to create a new backup
process that ensures that at least 4 trusted community members must be
physically present in order to decrypt the backup of all the keys. First,
we started with the requirements:

• Regular backups as new keys get added.
• Strong, proven encryption for all backups.
• Minimum of four participants to decrypt.
• Specific technical experience should not be required to be a participant.
• The components should be physically spread out across jurisdictions.
• Access should minimized as much as possible (e.g. the signing server
  maintainer does not need access to the backups).
• As low a stress level as possible for each participant.
• Each participant should be free to hand over their component if they are
  forced to, without jeopardizing the encryption.

Then we mapped out who was present:

• Seven core contributors.
• One board member.
• One trusted external witness.
• No one else.

From that, we built the process:

• Three roles for physical control: operator of the signing server,
  encrypted backup holder, passphrase shard holder.
• Each person only takes on a single role, for example, shard holders do not
  have access to the signing keys or the encrypted backup.
• The encryption key used for the data is public key cryptography.
• The private key was generated on a one-time-use, in-memory, disposable
  TAILS session.
• The private key was sharded using Shamir’s Secret
  Sharing.
• We used an implementation of Shamir’s Secret Sharing that has been
  maintained for over 15 years. The installation that was used was
  confirmed via reproducible builds.
• Each shard was written to a removeable storage device bought in a store
  with cash without pre-order or registration.
• Each removeable storage device with a shard was physically handed each
  shard holder to pack in a tamper-evident envelope as the others observed.
• Backups must not be transmitted over the internet, only exchanged via
  in-person meetings between people who know each other.
• All involved sat around a table for the duration of the ceremony. The
  security profile of in-person discussions is drastically easier to manage
  than secure online discussions.
• All present were observers of each step of the process, and verbally
  confirmed their agreement.
• The operators of the signing server and the holders of the backup data
  verified each others’ identities via F-Droid networks, PGP Web of Trust,
  and checks of government issued IDs.
• Pieces from a minimum of two jurisdictions are required to decrypt: EU,
  Europe non-EU, US.

One important factor in reliable backups is regular updates. New apps are
constantly being added, and those usually get a new signing key assigned.
So we needed a system where it was easy to update the backup data while
involving as few people as possible. An operator of the signing server
receives the public key to encrypt the backups via in-person exchange with a
holder of the backups. The holders of the backup data receives the
encrypted backups from an operator of the signing server via in-person
exchange.

Holding such important secrets also brings some unavoidable stresses to the
people holding them. One key design goal was to create a protocol that did
not add to the stress of any existing operators. Furthermore, we aimed to
keep the individual stress as low as possible for all roles in this
protocol. That makes it possible to empower volunteer contributors without
overburdening them.

For restoring, we agreed that it should happen in an in-person meeting. The
process requires three shard holders meet with one encrypted backup holder,
then the results need be given to a signing server operator. Requiring an
in-person meeting could delay the restore process, but the added trust
seemed worth it. So this is the default process. We could still switch to
partially online process if the need arises. That would require the
agreement of five participants.

We believe this is a secure and reliable backup procedure for very sensitive
data. We welcome further scrutiny and plan to update the procedure as
needed in a future meeting.

(This meeting was paid for by the FFDW-DVD grant.)

The “enshittification” of social media started around 2016, but it reached new highs in 2023. All chronological feeds and hashtag importance have given way to narrow-AI algorithms and recommendation engines. The result was that reach has become impossible for the common user, and many art creatives lost their livelihoods. Enter the Fediverse. From Wikipedia: “The fediverse is an ensemble of federated (i.e. interconnected) servers that are used for web publishing (i.e. social networking, microblogging, blogging, or websites) and file hosting, which, while independently hosted, can communicate with each other.“ This system has some advantages: It is almost impossible for governments to shut down in its entirety. User load can be shared among different servers (“instances”). Different instances have different rules, so you join the one you agree best with. Generally no spam and fewer bots. A non-aggressive environment as users get along better. No telemetry or ads. Everything is chronological so there are equal chances to be seen, no weird recommendation engines here. As for the disadvantages: Some instance admins are too twitchy, and can block other servers on a dime (my main gripe with the system). Some users are too sensitive for some topics, and require you to self-censor. The system probably can’t sustain more than 10-20 million active users, because not many people have the expertise to run their own instance and pay for the financial costs before donations start rolling in. If your instance goes down, you’ll have to migrate and re-acquire all your followers from scratch. Your family and friends aren’t on it, and probably never will be. Here are the Fediverse alternatives to the classic options: Alternative to Twitter: Mastodon The biggest federated environment with over 2 million active users. Great for “toots”, and small-sized blogging. Very actively developed. While there’s an official app for it and a third party one called… Shitter, and FediLab, the best way to view it remains the web browser. Alternatives to Mastodon: Pleroma, Diaspora, Misskey/Calckey (they mostly interoperate anyway). Alternative to Reddit: Lemmy Since the latest Reddit shenanigans Lemmy has jumped to become the second most used fediverse service. Still under active development, but it works great and it has all major Reddit features. People there are much nicer too! Alternative to Lemmy: Kbin (they interoperate, so Kbin content is available on Lemmy, and vice versa). Apps: Jerboa, Lemming, LiftOff, Summit, Connect. Alternative to Instagram: Pixelfed A bit slow compared to the other fedi services, but it’s unique in getting the original Instagram experience. As an artist, I love it. PixelDroid is the mobile app for it. Alternative to Youtube: PeerTube Well, there’s TilVids, and then there’s everyone else. TilVids doesn’t want to federate with everyone else, but it does have the most interesting videos (particularly of Linux interest). Spectra.Video and Diode.Zone are also great options to move your videos at. Just note that bandwidth is limited in these free services, so it’s best to upload in 1080p instead of 4k. There are 3-4 mobile apps for it. Alternative to Medium/Wordpress/SubStack: WriteFreely Not much to say here, a very modern editor that acts as blogging and article publishing service. Secure Messaging and IRC/Discord alternatives: Matrix Matrix is secure messaging end-to-end with Element.io being the main provider. It can also act as a community messaging server. Nostr and Jami are the newest such services on the block, but they’re a little bit weird to get into, I still prefer Matrix. Alternative to TikTok: none Thank the Olympian gods! Finally, the best way to deal with some smaller instances going down and losing your account is to get 1-3 different accounts on different instances. I personally have 3 Mastodon accounts, 3 PeerTube ones, and 2 Lemmy/1 Kbin ones. I used an older $70 phone (Moto G5 Plus) where I have installed the free, and very private Murena /e/ OS. It’s a totally de-googled Android OS (more so than LineageOS) that uses the iOS UI paradigm. In it, I use three app stores that only carry open source apps: F-Droid, IzzyOnDroid, and Obtainium. I avoid as much as possible from installing from the Aurora or the included App Lounge app stores that use the Google Play Store. The OS uses the open source microG service to replace the Google Play Services. So, I have almost completely left behind the normal social media and moved on to the Fediverse (apart from FB messenger with my mom, and a couple of special-interest subreddits via my laptop). You see, after leaving OSNews 15+ years ago, I became an artist. And social media was the way to get sales back then. I started with Tumblr, and later Instagram and FB. Overall, I had amassed about 340,000 followers across all social media. Sales were good for a while. Then, the enshittification started. The biggest blow was Instagram removing the chronological feed and hashtag importance, and little by little only superstar accounts were pushed by the recommendation engines. By 2020, it was near-impossible to survive online selling your art. Now, I don’t have any illusions that the Fediverse can replace the golden era of social media (2010-2020). I have calculated that you need a minimum of 100 million active users for various niche business to survive under a fair social media system. And currently, the whole Fediverse only has about 14.5 million accounts, with only about 2.2 million being active. In fact, I don’t expect the fediverse to ever achieve more than 10 million active users… And yet, I prefer to stay on it. It’s simply a more fair system. It’s not a corporation that changes its policies at a whim, or sells your data. I rather use a “lesser” system in terms of reach and maintain my mental health, than battling Instagram’s algorithms all day long (“no, I don’t want to shoot useless vertical short videos”). So, come on and join us on the fediverse. The more the merrier! Note: OSNews is very active on the Fediverse. We have the main OSNews account which posts our stories,