[Replicant] Proprietary blob found in all Replicant 6.0 builds
Denis 'GNUtoo' Carikli
GNUtoo at cyberdimension.org
Mon Nov 30 00:29:24 UTC 2020
On Mon, 23 Nov 2020 22:31:32 +0000
belgin <belginstirbu at hotmail.com> wrote:
> Hello!
Hi again,
I've reviewed part of the patchset already, and for the parts that
looked good I pushed them already.
Here's my status on it so far:
[ OK ] packages/apps/PhoneCommon:
[ OK ] -> bdac5aa5af2de5aca946f9bc0caf58b5b38935a6
[ OK ] |-> Tag LineageOS mirror
[ OK ] |-> Tag Replicant
[ OK ] => Manifest
[ OK ] packages/apps/Dialer:
[ OK ] -> a245d5701b0452145b2a813464fa2f1fec74fddd
[ OK ] |-> Tag Replicant
[ OK ] |-> Rebase last commit on top
[ NA ] => Manifest
[ ] packages/apps/Messaging:
[ OK ] Fork in Replicant
[ ] -> 0dabdec1f6f6f90b6a0cd45646bdbf5fa79cde74
[ ] |-> Tag LineageOS mirror
[ ] |-> Tag Replicant
[ ] - Subject: [Replicant] [PATCH 1/9] Revert "Save messages to SIM feature"
[ ] => Manifest
[ ] packages/apps/Contacts:
[ OK ] Fork in Replicant
[ ] -> 1e2ad0157e708d06728ef575aa556c1e0455d278
[ ] |-> Tag LineageOS mirror
[ ] |-> Tag Replicant
[ ] => Manifest
[ ] packages/apps/ContactsCommon:
[ OK ] Fork in Replicant
[ ] -> 463be6a1088c8a3259d618ac67884a74ae8c2d8a
[ ] |-> Tag LineageOS mirror
[ ] |-> Tag Replicant
[ ] => Manifest
[ OK ] vendor/replicant:
[ OK ] - Subject: [Replicant] [PATCH] Remove ambientsdk
[ NA ] => Manifest
[ OK ] packages/apps/InCallUI:
[ OK ] -> d69ce6c2a65c3d451dfb5837678221e56fef1880
[ OK ] |-> Tag LineageOS mirror
[ OK ] |-> Tag Replicant
[ OK ] - Subject: [Replicant] [PATCH] Fix building after removing ambientsdk
[ OK ] |-> Re-apply on top of tag
[ OK ] => Manifest
[ OK ] vendor/cmsdk:
[ OK ] - Subject: [Replicant] [PATCH] Remove analytics support
[ NA ] => Manifest
[ OK ] packages/apps/SetupWizard:
[ OK ] - Subject: [Replicant] [PATCH] Remove analytics support
[ NA ] => Manifest
[ OK ] packages/apps/Settings:
[ OK ] - Subject: [Replicant] [PATCH] Remove analytics support
[ NA ] => Manifest
[ OK ] packages/apps/Trebuchet:
[ OK ] - Subject: [Replicant] [PATCH 1/4] Revert "IconCache: Simplify application of custom titles from STK"
[ OK ] => Manifest
So I still have some patches and git hash to reviews.
I also found an issue with the following:
> packages/apps/Messaging -> 0dabdec1f6f6f90b6a0cd45646bdbf5fa79cde74
The issue with packages/apps/Messaging is that we have 3 CVE if we
revert to 0dabdec1f6f6f90b6a0cd45646bdbf5fa79cde74:
> $ git log \
> 0dabdec1f6f6f90b6a0cd45646bdbf5fa79cde74..replicant-6.0-0004-rc3 | \
> grep -i CVE
> CVE-2017-0780
> CVE-2017-0494
> CVE-2017-0476
The Manifest.xml has that:
> package="com.android.messaging"
So this looks like the default SMS application.
A solution would be to replace it by something else.
Silence could be a good candidate.
Here are the advantages of shipping Silence:
- It would also make encrypted SMS easier to use as you need to make
silence the default SMS application in order to properly decrypt the
messages you received.
- The lower level of recovering Silence data or moving it is already
documented in Replicant wiki a bit.
- It doesn't force users to use encryption at all.
The disadvantages is that you can miss the ability to decrypt an SMS
if it arrives when silence is not the default application. I don't
know the reason of that though.
I'm also not aware of other implementations of that protocol, so the
risk here is that if people starts using the encryption, they might end
up being dependent on an application that only runs on 1 OS (Android).
Given that GNU/Linux starts gaining traction again on smartphones that
could be an issue but I guess it's probably worth the tradeoff.
And shipping an applications with known CVEs is probably worse than
the potential downsides here.
Denis.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.osuosl.org/pipermail/replicant/attachments/20201130/e26fdaa2/attachment.asc>
More information about the Replicant
mailing list