People will complain that a technology can be used to oppress user freedom while contributing to free software that gets used in literal weapons of war
I do entirely understand the idea that functionality that can be used against users (even if it can also be used to enhance user security) is bad, I just don't understand why people will simultaneously make that argument and support the idea that a software license that says "You may not use this software to murder people" is incompatible with the ideals of free software
DRM is pretty obviously something that inherently removes user freedom without benefit, and decrying it is entirely reasonable. Hardware identity and state attestation *can* be used for DRM, but can also be used for other purposes that improve things for users (like Signal verifying that it's communicating with a genuine enclave before disclosing any sensitive data), and attacking the technology rather than the ways it's used seems short-sighted

@mjg59
I don't have the nuance of whomever you're replying to, so broadly:

(Approximately) no one complains about Yubikeys, datacenter HSMs, etc., because context matters. FIDO deployment wasn't going to lead to controlling what computers you can use the web with. But Google's ReCAPTCHA replacement has as a specific tactic to stop people operating outside the phone duopoly from using portions of the web.

And it probably won't even be good at their alleged goal: https://bsky.app/profile/retr0.id/post/3mljwh4k4k225

David Buchanan (@retr0.id)

anyway I guess this is proof that a full Play Integrity bypass is within "weekend project" territory. this approach does not exploit any bugs or rely on leaked key material, so it cannot be patched.

@headmold People are turning this into an argument about attestation in general, not the specific instance of it

@mjg59 Ah OK, yeah I can't go so far as to oppose all attestation yet. If you had to bring up "free software gets used in weapons, ya know", I can only imagine.

Where I sit right now: Yubikeys and secure elements are pretty good. Google Play Integrity is bad.

@headmold Yeah, but from a technology perspective there's basically no difference between Yubikey attestation (and some banks do insist on actual Yubikeys, not other valid WebAuthn tokens!) and what Google's doing here - which is why I think it's important to talk about the ways people use it, rather than the technology

@mjg59 @headmold I think there's a big difference between attestation tech that's tightly coupled with computer/phone hardware and vendor-provided OSes and doesn't work on LineageOS/PostmarketOS/etc, versus attestation done by a relatively cheap pluggable external device. Only the former is restricting the OS & software people can run on devices they own. OTOH Yubikeys and other pluggable/NFCable tokens can work with basically any OS.

@mjg59 Fair point. My brokerage restricted by key vendor too.

But certain implementations of attestation are going to bias more towards particular uses. Yubikeys are *mostly* (to me) good. I think Google Play Integrity, because it is flaky for security yet effective for control, is mostly bad. That's why I argue against this particular "technology" or at least implementation of it.

I can't tell if I'm arguing something you disagree with though :).