This is good news, for standardization, I mean: https://www.zdnet.com/article/linux-foundation-readies-global-covid-certificate-network
Yes. The principle is the same.
However I was more concerned about the ābodyā (the ācontentā) i.e. what is being leaked. If different EU countries go off in different directions then it makes it more difficult to verify what is leaking and hence make an informed decision.
In theory some EU country could encrypt the body, so that you canāt read it at all, and no other random can read it, but the government can still use it to verify your vaccination status. In that situation it would be relatively safe to post the QR code to a public forum as far as identity theft concerns go, but not safe of course if you need to avoid a forum persona being associated with a real-life persona by a government.
The only realistic way of distinguishing the two cases - encrypted body v. encoded body - is to have the format publicly documented.
Of course if it is truly plain text then itās all much easier.
1 Like
The last time I looked into this, I found it was a free-for-all. I could not find any standards, and some sources said there were no standards. Of course, itās hard to prove that there isnāt a standard for something, because thereās always the possibility that you just havenāt discovered it yet!
It seems to me that the WiFi and SMS QR code schemes are de-facto standards, so the standard is effectively defined by the most influential implementations. (i.e. Android and iOS)
Since QR codes are really just a data storage medium. I think that it is a free-for-all by default, because thereās always going to be someone who wants to encode something application-specific in a QR code.
A camera app is not the first place Iād look for barcode-scanning functionality. I would expect there to be a dedicated barcode scanning app that tries to parse the barcode and, if it recognises the format, presents optional actions to take (go to URL, connect to WiFi, handle it using [App], add contact, etc), with the option to also view the raw data from the QR code, since that can be interesting or useful even if the format is not known.
Though, Iād also expect specific applications to feature built-in barcode scanning. (E.g. an inventory management app could scan barcodes on inventory items in order to update their status and location.)
1 Like
That was my impression.
IANA has a registry for schemes but it seems that was mostly created in a reactive, after the fact, and historical manner. So BigSnoop (Apple / Google) can register new schemes if they want.
I note that the IANA registry even contains sms: (RFC 5724) while in fact smsto: is being used in the wild. (It may be entirely appropriate not to use sms: if the syntax being used does not comply with the related RFC, and non-compliance appears to be the case here.)
wifi: is registered and it refers the reader to the āWi-Fi Alliance Wi-Fi Protected Access 3 (WPA3) specificationā for the syntax (but I donāt have a copy of that document).
Thatās the way it works on the iPhone though. The camera app always (continuously) analyses the image in the viewfinder for a valid QR code and if there is one then a dialog box pops up, giving you some indication of what would happen if you proceed. Touching the dialog box āopensā the QR code, where the meaning of āopenā depends on the scheme. (So, while one is using the camera app, there is no need to take a photo.)
I think there are solid arguments both ways.
From a security point of view, it may be safer to have a dedicated QR code app - so that visiting an unsafe web site (drive by attack) requires more explicit actions on the part of the user i.e. launch specific app and confirm to proceed. A dedicated app would be able to give the user more information about the contents of the QR code, which the user would be able to use to make an informed decision about whether to proceed. (Compare that with the existing iPhone camera app where the dialog box is minimalist and the user is exercising a high degree of trust.)
The counterarguments would be mostly around a) familiarity b) proliferation of apps (my Librem 5 screen already has too many apps, with no obvious way to organise them).
2 Likes
I just tried this on an old iPad Mini, which was foisted upon me. I always thought it was odd that the iPad didnāt have a way to scan QR codes. Alas, the camera app didnāt seem to do anything. The iPad is stuck on iOS 9, because Apple, so Iām guessing they added this feature quite recently (i.e. in the last five or six years).
1 Like
It was definitely added - in the sense that there was a time that it did not work this way and you needed to install a dedicated QR code app (which I did at the time). Sorry I donāt remember how long ago that was but yes maybe it has been around for five years.
As far as the Librem 5 goes, I am happy either way - built in to the camera app or a dedicated app. I just need a working camera i.e. a way to capture an image. I can do the rest myself with a shell script. 
Are you intending to work on something like CHDK (https://chdk.fandom.com/wiki/CHDK) on the Librem 5 Camera?
Um, no. Nothing so fancy. I just need QR code scanning to work - because of COVID.
@irvinewade QR codes are bad and have a much bigger potencial for bad people to hide their malicious code in it so once you scan the QR code, a malicious code in a specific line in background is injecting RAT into your phone. See hack contests for example. Say no to QR codes.
1 Like
@wednesday That would only be true if you have an shitty QR code scanner which allows running the contents as code or if it automatically follows whatever resource is pointed to by the QR code (e.g. website) and use a vulnerability in the browser to do the hack.
A proper QR code scanner reads what is on it, but does not act on it until the user accepts the action. For example, asks the user āwould you like to open the webpage www.shadywebsite.com?ā.
QR codes as a format is safe, itās just bad implementations. Donāt disregard good technology just because of one bad implementation. If you think thatās a good idea, stop using a web browser completely because there are unsecure implementations of them out there.
6 Likes
I created a separate topic for following this line of enquiry.
1 Like
megapixels 0.16.0-1pureos2 has just entered landing, and 0.16.0-1pureos2~amber1 got into amber-phone-staging. In a few days theyāre going to migrate into byzantium and amber-phone respectively.
This is the version that contains color calibration, white balancing presets and fixed colors in the preview. Together with recent kernel it should be able to take nicely looking photos from both rear and front cams - although rear camās operation can still be spotty as the kernel driver still needs some improvements (restarting the app or switching the cameras back and forth usually make it behave again meanwhile).
23 Likes
Woohoo! Iāve successfully scanned my first QR code.
OK, I admit I was using the Librem 5 (Megapixels) to photograph QR codes that are displayed on my screen, which in turn had been photographed by me around the place with another phone - so the quality was probably poorer than usual. However the quality was good enough for zbarimg to find and decode the QR code, which is all I wanted.
I look forward to my first real QR code scan.
6 Likes
Latest Megapixels for amber does not save pictures from the main camera. If you hit the button to take a shot, the saving changes to busy and stays there for ever. If while in this state you switch to selfie camera it immediately takes the shot from the selfie.
Anyone else having this behavior?
1 Like
This is a problem with the kernel. It sometimes works, and sometimes doesnāt.
Be sure to always boot with the camera switch on.
2 Likes
I always have the camera on. Today it has not worked at all. I did at least 3 reboots.
At least it is a known issue, so people will look for the solution. Thanks.
2 Likes
It is final for me with the latest state of amber: the main camera does not work (in the sense that can not save a picture) no matter how many reboots I do.
1 Like
If itās any consolation, this is happening for me too. It has previously worked, but not now. I likewise booted with the camera on.
I guess weāre waiting for a future kernel update ā¦
2 Likes
I did a sudo apt install megapixels, as it doesnāt show up by searching the PureOS store on the L5. The version is the same one that @dos said.
The view is stuck on selfie, and doesnāt switch to rear camera when I tap the button. I had to adjust the phoneās brightness to even see a dark and grainy image, no matter the settings for Gain, Exposure, Balance, and Focus.Also, it doesnāt save, just spins.
So there are still a lot of bugs, but weāre getting there.
You are experiencing most of the same bugs that I am. It feels as if it has gone backwards slightly, as I wonāt be able to scan QR codes at all now. (Half-serious question: Would a USB webcam work on the Librem 5? I think that would attract some attention in the supermarket though. LOL.)
2 Likes