Librem seems to have the correct way forward, reject the big mess of Android and catch up to it with completely Open pieces.
They're making good progress and I can't wait to be able to update my handheld device with mainline pieces for as long as anyone who still uses one cares to update it. Currently my Samsung Android device is at Dec 2018 patchlevel and nothing I can do about it.
> with completely Open pieces
AOSP is completely open source. Hardware and firmware is a much different story, but that applies to the device you're promoting just as much...
> They're making good progress and I can't wait to be able to update my handheld device with mainline pieces for as long as anyone who still uses one cares to update it. Currently my Samsung Android device is at Dec 2018 patchlevel and nothing I can do about it.
What's the relevance?
It's also quite important to note that the Android patch level includes firmware. Purism doesn'tship firmware updates in PureOS as part of it being 'pure', so you would be stuck with the equivalent of an ancient patch level at least with the stock OS. You're also no less dependent on the companies releasing firmware updates.
You're also bringing up hardware as an alternative to an OS that would run on the hardware that you're talking about. It's hard to understand the point. The Librem 5 will be a hardware target for GrapheneOS to consider. It will be missing many of the core hardware security and robustness features, so it couldn't be a tier 1 target, but it could still be unofficially or even officially supported.
If it doesn't depend on any out-of-tree kernel drivers, that will apply to Android and GrapheneOS too. I'm not sure why you're bringing it up as something distinct.
> AOSP is completely open source.
This is only true in the most technical way possible. Yes, AOSP is open source -- but none of the standard applications on any stock version of Android use AOSP anymore. The calendar and other applications are all proprietary. The AOSP versions feel like they stopped being developed in 2010 -- which coincidentally is when Google started developing proprietary replacements.
I use LineageOS (and have for a while), which is mostly AOSP, and the applications from AOSP today feel older than the ones I used on Google's Android ~5 years ago. As a simple example, Google's Calendar application can create very complicated recurring events while the AOSP one is much dumber.
> Hardware and firmware is a much different story, but that applies to the device you're promoting just as much...
The Librem 5 hardware was specifically chosen so that it contains no firmware blobs and all the firmware is free software and upstream in Linux. There is a caveat for the baseband, but that's because it's not legal in most countries to sell or use baseband hardware that is free software (unless the user is licensed and even then it's non-trivial).
OK, so with AOSP we have a good base to build upon. Why NOT use AOSP to create new FLOSS standard applications? It's certainly less work than having to start from scratch. Besides, there are already some really good free open source Android apps in the F-Droid app store
LineageOS already exists -- if you want an updated AOSP, use that. I'm not sure why folks seem to think that all free software phone projects must necessarily just reinvent the Android ROM.
Android itself has a wide variety of issues which might be solved (or at least solutions might explored) by creating projects that go outside of the mold of Android ROMs.
> There is a caveat for the baseband, but that's because it's not legal in most countries to sell or use baseband hardware that is free software (unless the user is licensed and even then it's non-trivial).
Interesting, I did not know that. What are the reasons for this? Military application? Are these laws subject to change?
I always thought that there is no way to separate the CPU from the baseband/communications PU.
It's my understanding that the issue is one of FCC certification and licensing -- the FCC won't approve something which can be easily modified to transmit on non-free frequencies (tools which can usually are sold to hamradio license holders, which should know better and know how much trouble they can get into).
> AOSP is open source -- but none of the standard applications on any stock version of Android use AOSP anymore.
I want a real Linux in a phone as much as anyone. In fact, I have stuck to the Maemo N770-N9 saga as much as I could.
But I am also realistic. Developing a new secure Linux distribution for phones and, most importantly, a healthy ecosystem with useful applications will take a lot of time and effort.
In the meanwhile, as discussed in other threads here, using AOSP on a Pixel (or even better, GrapheneOS) is a really good solution. It's remarkable how few people use it in comparison to the benefits it brings into the table, and given it's quite easy to migrate to it with the appropriate hardware (hopefully device-independent ROMs make this less restrictive).
If standard applications in AOSP are lagging behind, then it'd be probably worthy to spin off an effort to replicate all proprietary functionality. An equivalent to MicroG.
That said, I've never missed anything major. For me, Firefox/Chromium, K-9, Conversations/Signal, OsmAnd and Termux provide a great userland experience.
>This is only true in the most technical way possible. Yes, AOSP is open source -- but none of the standard applications on any stock version of Android use AOSP anymore. The calendar and other applications are all proprietary. The AOSP versions feel like they stopped being developed in 2010 -- which coincidentally is when Google started developing proprietary replacements.
AOSP sample applications like Calendar are exactly that: samples. I'm not sure why those are at all relevant. There's a very healthy and active open source app ecosystem, along with many other apps that work on AOSP. Those AOSP apps are included as samples, and they're being removed from the project as at this point there's no real need to have these samples.
It's also not true what you claim about the stock applications shipped on a phone like a Pixel. Apps like Dialer, Contacts, DeskClock, etc. are still actively developed and maintained in AOSP with the Google variants being extended versions of those apps. It's true that some apps like the keyboard forked away from the AOSP version, but it doesn't make AOSP any less viable of a basis for an OS. It's not a bad thing for AOSP to not ship a bunch of user-facing apps when there are a bunch of good alternatives outside of it. Apps do better without a release cycle tied to the slower pace of the OS releases.
> The Librem 5 hardware was specifically chosen so that it contains no firmware blobs and all the firmware is free software and upstream in Linux. There is a caveat for the baseband, but that's because it's not legal in most countries to sell or use baseband hardware that is free software (unless the user is licensed and even then it's non-trivial).
This is completely untrue and absolutely a false claim. The SoC is entirely proprietary with proprietary hardware, firmware and microcode along with the other components like Wi-Fi, the baseband, etc. being the same. The cellular baseband is not an exception. It applies to all of the hardware components in general. Librem 5 is not open hardware and does not have open firmware or microcode. It's simply untrue, and you're falsely representing it. I can see why you would be under that misunderstanding based on their incredibly misleading marketing but they never actually claim what you are claiming.
Not providing firmware updates for these things is a security disaster. The firmware that's upstream in Linux is rarely open source. It's a subset of the necessary firmware for most devices and is still proprietary. Projects like linux-libre / PureOS do not ship these upstream Linux firmware updates. They strip all of this out of the kernel. They also don't provide all the additional firmware updates beyond what is upstream.
The hardware and firmware is just as proprietary. The boot chain has open source components near the end before the OS (coreboot), just as many mainstream devices do (https://source.codeaurora.org/quic/la/abl/tianocore/edk2).
There's a huge difference between choosing hardware that has built-in firmware and can work without the OS supplying it each boot and hardware with open firmware... what they are doing is shipping a device that can work without the OS providing firmware updates, since they don't do that to keep it 'pure' of proprietary code. The firmware is still present and running, except it's out-of-date and vulnerable to many patched security vulnerabilities. You're completely misrepresenting the reality and falsely portraying it as having open hardware and firmware when it absolutely does not.
What you claim about not being allowed to have open cellular baseband firmware is also nonsense. It's also not particularly different from how Wi-Fi works. Wi-Fi firmware is a comparable secondary OS, and the same applies to a lot of other components. These hardware and firmware components on the Librem 5 are not any more open. What you're doing is spreading misinformation and false claims to promote it as something that it's not.
Librem 5 isn't going to be particularly security-focused: no attestation, no trusted boot, most userspace programs are written in memory unsafe languages like C, with no extra effort memory corruption mitigations. Also, Flatpak offers a permission system that's very limited compared to Android.
While with each Android interaction, Google locks down the amount of C and C++ code that gets exposed to outside world.
As such I have a very hard time believing that Librem with be as secure as modern Android.
There is security, and then there is freedom. You can have the most secure system in the world -- but if there are state sponsored, or company back back doors it means nothing.
In FOSS initiatives spent ages building fee and and open software, combating proprietary systems and software that they had no control over.
All that would be loss just to give it up now that we have moved from PCs to phones....
I for one want control over all the software I run on hardware I own. I am not sure why we are so willing to give that control up simply because the platform changed.
> There is security, and then there is freedom. You can have the most secure system in the world -- but if there are state sponsored, or company back back doors it means nothing.
Okay, so you're saying: "If a backdoor is present than your security prioritization doesn't matter, the result is bad." I understand, but:
1. If there is a back door in open source code that goes unnoticed (and it certainly does) because of persistent but bad practices in the open source community (e.g., a stubborn refusal to stop using C-like memory management semantics and primitives when dealing with untrusted inputs), then why don't said accidentaly backdoors invalidate the open source work?
2. Does "control" actually matter in the context of AOSP? Strictly speaking, you have essentially everything you need up utill you hit the hardware drivers. You can easily rewrite that to your hearts content.
3. Given Librem's recently move into commodity-based social products (and the poop-from-great-height attitude they initially adopted), are you genuinely sure that they're actually trustworthy actors? If they're coerced, how will yu attest that they never injected a deeply subtle backdoor on millions of lines of code which you'd like to be unique and less scrutinized?
I can't really work out why you feel the way you do, so I ask these questions.
> persistent but bad practices in the open source community (e.g., a stubborn refusal to stop using C-like memory management semantics and primitives when dealing with untrusted inputs)
This applies to the entire industry. It's not something specific to the open source community. It's also extreme to call the use of C as "bad practice," as any language has its own strengths and weaknesses.
Not the entire industry, as many companies have thankfully moved on from plain old C, or at very least reduced its use quite considerably.
BSD/Linux derived FOSS is still the C stronghold.
The Morris worm was in 1988, since then C has collected enough CVEs due to memory corruption issues to consider its use bad practice.
Something that even Apple, Google and Microsoft security reports now advise against, and with Google actively engaging into taming C's usage in Linux kernel.
> BSD/Linux derived FOSS is still the C stronghold.
Oh that's ok then, it's not like that accounts for most of the world's server and embedded infrastructure, open or otherwise...
The operating system is only a tiny fraction of commercial code out there most of which is either written in (more) memory safe languages like Java, C# or C++. SAPs code base alone is 1 billion lines of mostly C++ and their own proprietary scripting language.
Wait, is C++ memory safe?
I know they've introduced a lot of ways that memory management becomes easier or automatic, but I'm not sure you can call it "memory safe" can you?
Not to the extent that it is tainted by C's copy-paste compatibility.
Still it does provide a stronger type system, proper string, vectors, reference paramenters and strong type enumerations, to prevent a large amount of C security exploits.
C++ teams that care about security do use such features and respective static analysers on their CI/CD to enforce them.
While it doesn't cover everything, it is much safer than plain C.
Ideally, we will reach a state where both C and C++ get nuked, or ISO C++ just drops its C copy-paste compatibility, which in the end means it is anyway easier to switch to something else.
However that process will take decades, and is hampered by relying on POSIX based systems.
How are they doing in the desktop and mobile OS worlds?
And regarding embedded space, AUTOSAR now requires C++14.
I think there are enough computers with wheels to deem it relevant.
Desktops are dwarfed by mobiles devices. AFAICT a linux kernel variant is present on most of the world's smartphones (with most of the rest being iOS devices, which I know little about), though you've addressed that by saying Google are pushing to reduce the impact of C underlying their system.
I don't want to make a song and dance about C being awesome or anything - we've certainly got massive issues with allowing that extreme amount of flexibility without ensuring that the developer really, really means what they've just told the machine to do - but it's hardly a small enclave that's holding out, it's still huge.
And there are still companies developing in it. I've seen a sort-of-microservices-in-C-implemented-as-a-sort-of-supersized-cgi-bin approach relatively recently.
And yes it was an abomination!
So you want to talk about mobiles?
An irrelevance given their complete lack of market presence.
The rest all have significant underlying C components you've identified. All I'm saying is that's a hardly a 'niche holdout' when it appears to be at the heart of the vast majority of shipping devices.
It is, given the amount of usage across the OS stack, which decreases with every OS release.
By the way on iOS, drivers are written in C++.
Why do you assume that OSS has more bugs than proprietary software? I would probably argue the opposite.
With OSS you get more people working on a project that actually care. A proprietary business project prioritizes making money over actually creating a good product everyone loves.
You're right that this is not a perfect solution. All software has bugs and all software may have malicious back doors. I just find it much easier to trust the development that happens in the open with community involvement than the development that happens in secret where I have absolutely no way see what's going on.
If you had an inkling that someone was trying to poison you, would you rather eat the food you watched be prepared or the food that was prepared in secret? Both dishes might be poisoned, but it's reasonable to prefer the one you were able to examine.
> Why do you assume that OSS has more bugs than proprietary software? I would probably argue the opposite
I don't. But nor do I assume it has less. My point, as restated elsewhere, is that from a user's point of view Openness of Source is more about protecting against negligence.
I feel google is really turning into Microsoft. These are the same anti open source talking points / FUD you’d see in the early 2000s.
Who exactly is talking about anti-openness here? We're talking about which open source piece of code to reuse. Someone gave a bad argument against one company's offering.
Microsoft of the 90s, which no one emulates these days and it's a wrongheaded comparison anyways, would have said that all the open options are bad to begin with.
If you meant to say "anti-free software" then maybe we could have a conversation, but that's hardly the problem Microsoft faced in the 90s and 2ks.
Seriously, what does your post mean? Could you maybe be specific? And while we're at it, what's your connection if any with the company that sells Purism phones.
“Open source is not safer because people won’t read the source”, “having control doesn’t matter”, and trying to raise doubts about the trustworthiness of the people involved... that’s old Microsoft textbook approach.
At least MS wasn’t built on open software, unlike Google.
> And while we're at it, what's your connection if any with the company that sells Purism phones.
None at all. I’ve just heard of this project a few days ago via a DDG search.
Believe it or not, not everyone is a corporate shill.
> Open source is not safer because people won’t read the source
That's not what I said. To sum it up: Open source is not really a security proposition. It eliminates problems related to negligence.
> having control doesn’t matter
In what concrete way does the Purism OS give you more control over your device than AOSP?
It really seems like you are confusing open source and free software for this entire conversation, as literally every line of code we are discussing is shared under a license that allows you to look at, modify and use as you see fit.
> None at all. I’ve just heard of this project a few days ago via a DDG search.
The depth of your consideration was already fairly easy to guess, but thanks for being honest.
> Believe it or not, not everyone is a corporate shill.
Physician, heal thyself.
Bad software is bad whether it's open or not. But historically, closed software has more lock-in. If a particular open lib or component is bad, it can often be fixed by somebody who didn't create it. Or, for those who don't want to touch the scary hairball, it can often be replaced by a completely new hairball written from scratch by a completely different party. Even if there's nothing broken with the original, open software is friendlier to alternatives. It might take a bit of work, but you can replace one open part with another just because it's shinier or smaller or faster or not Oracle or whatever.
I don't trust all open source software, but I trust it by default more than I trust closed software. And I know that if something really bad gets exposed the odds of a solid fix are better in open source. I get to see the warts of OSS. There's public criticism over small details on a lot of important projects. That doesn't happen for closed stuff. Sure, a vendor may have four of the brightest devs in that field and they might hash it all out behind closed doors. The open alternative usually has another four of the top 12 minds in that field along with four pretty competent others and they have a better process for hashing it out.
Then there's that other guy who's not in the top 12 who goes it alone and comes up with something spectacular. So three of the four from the other open project jump on board because they can. And since this new project tries very hard to be backwards compatible, it just snaps in as an overnight replacement. That's part of the awesomeness of OSS.
It's good then that both options I discussed were open source.
What freedom does PureOS offer that AOSP without Google services lacks?
I believe there is a general lack of awareness of what AOSP is without Google services and add-ons on top of it.
In some facets, AOSP is not a complete and working OS as is. In particular, I have personally had many issues with GPS location for the past fews years. Out-of-the-box, GPS simply does not work without additional non-free software to help it out. Additionally, many (that is, 95%) of all Android apps that you would find on the Google Play store do not function properly without Google services (which AOSP does not have). Applications that are built to run on stock AOSP are not the 'Snapchats' or 'Instagrams' of the world. They are typically FOSS projects that are built out of passion, but recieve little funding or corporate support.
These shortcomings often carry over to third-party ROMs, such as Lineage.
So in my experience, as someone who used to flash a new Android ROM every week, it is not about freedom - its about basic functionality. One could also argue that, since the world operates on all kinds of propietary platforms that aren't available on stock AOSP, so do we also lack the freedom to use AOSP as our daily driver - simply because it often does not interface properly with these propietary platforms.
Edits: grammer and clarifications
In general, until we have open source handset hardware to work with, all fine-tuned sensors and clock hardware support will be bad. This is a problem Linux had for a long time, and it took a ton of effort to partially solve the problem. It seems a bit unfair to blame AOSP for not having drivers for specific hardware, that's not it's function.
The big contribution of Purism phones is that more open hardware. After that, the real question we should ask is, "What software platform can offer us the greatest values in the multi-dimensional optimization problem we face?"
It's true though that you wouldn't just flash AOSP. But it's also true that dismissing Graphene BECAUSE it is based on AOSP is unfair.
I agree, hardware is a primary concern.
I am not meaning to paint those who work on AOSP or third-party ROMs in a bad light. The work they do is terrific and great for the community. I also do not mean to dismiss any of the fantastic work that Graphene brings to the Android community.
I am simply stating that the biggest difference between Librem and Android is that there are more hurdles to jump through to provide a completely usable and free AOSP phone to an end-user in 2019. Android has been made to host a Google ecosystem, where the Librem 5 is being created to host an open ecosystem.
It sounds like the Purism team identified this issue ahead of time and decided to provide that open hardeware platform for us.
Librem 5 is not open hardware. I also don't understand why you're comparing hardware to an operating system that's perfectly capable of running on top of it with the strengths and weaknesses of the hardware underneath it. You make it sound like AOSP or GrapheneOS wouldn't run on it. I don't think it would make a very good hardware target due to having so many security regressions from the status quo but it could certainly be one of the official targets. Whether or not it's an official hardware target, people will be able to use GrapheneOS on it.
strcat, many thanks for your interesting explanations.
Could you write more on the state of open hardware, and perhaps point me to open-hardware endeavours that have the slightest chance of success?
I understand that it is an very expensive undertaking to deliver a hardware mashine that is based on an open architecture from the CPU to the actual communication/data storage devices (logical design, actual layout, photolithography, assembly). Since patents on older circuitry must be all expired by now, it must be the lack of money that is the actual stopper for truly open systems.
PureOS seems to have these exact same problems except way worse.
Yes, a significant fraction of Android apps do not work on AOSP without Play Services. And 100% of Android apps do not work on PureOS. F-Droid alone has ~1800 apps. I do not see PureOS or PostmarketOS catching up to that level anytime soon.
FOSS projects that are built out of passion, but recieve little funding or corporate support? Exact same situation on PureOS.
Are the Snapchats and Instagrams of the world going to port their apps over to this entirely new platform when they can't even be bothered to make versions of their Android apps that work without Google's services?
> 100% of Android apps do not work on PureOS. F-Droid alone has ~1800 apps.
This is a fair point. It's not a huge argument for me because I'm only interested in maybe 20 categories of app and I've never been thrilled with the 30 contenders in each category. For instance, if it has only one browser and that one is Firefox, that will be ok with me to begin with. It won't bother me if there are five other choices in F-Droid. But in general, more choice is good, so I grant that this is an important consideration.
> Are the Snapchats and Instagrams of the world going to port their apps over to this entirely new platform when they can't even be bothered to make versions of their Android apps that work without Google's services?
Android without Google's services is a tiny fraction of Android and a smaller fraction of the whole market. PureOS or anything else with even smaller share can expect to be similarly ignored. But Android sans G seems even less likely to go viral than something else.
For one thing, it's too fractured. There is no AOSP brand. There's a bunch of little no-names that happen to offer AOSP under some name that isn't "AOSP" and has no recognition at all. If two or three lower-tier makers offer "Brand C" phones, it could spark. Maybe not in your neighborhood. But if it catches on in India or Malaysia or Brazil, it might be enough to attract Instagram or Twitter. Remember that those companies don't want to depend on Google. They very much want Google out of the picture.
So a handful of apps can legitimize a new platform that is attracting a million or ten users anyway. Then it becomes perilous not to be on that platform. WhatsApp can't afford to let some up and comer get a foothold just because WhatsApp wasn't available on the viral new platform.
Ahhhhhh. Ok I'm going to quit dreaming for now and get back to work. I'm not holding my breath, but I do think it can happen. It just takes the right lucky timing. There have been so many helps lately that I think if there was something ready to take advantage of these incidents, the timing is right.
> I believe there is a general lack of awareness of what AOSP is without Google services and add-ons on top of it.
That lack of awareness seems to be your own.
> In particular, I have personally had many issues with GPS location for the past fews years. Out-of-the-box, GPS simply does not work without additional non-free software to help it out.
GPS doesn't require Play Services, etc. Play Services provides supplementary network-based location services for providing a coarse, inaccurate location estimate without waiting for a while for a GPS lock. The infrastructure for this is open source and part of AOSP. It has generic, provider-agnostic support for services like supplementary location providers, text-to-speech, speech-to-text, geocoding, etc. Play Services is what provides these on phones with Google Play, but there are alternative implementations used by Amazon and in China.
> Applications that are built to run on stock AOSP are not the 'Snapchats' or 'Instagrams' of the world.
Yet apps like WhatsApp, Facebook's apps, Microsoft's apps, etc. do work without Play Services... despite what you claim. A lot of these mainstream apps do work fine, and there's a large ecosystem of open source apps that are mostly designed to run without Play Services. Providing the Play Services APIs with an alternate implementation and is also certainly possible, although I would prefer a different approach than microG.
How is any of this resolved by moving to a completely different OS with far less privacy and security, none of these mainstream applications you talk about and barely any open source application ecosystem by comparison? I don't get it.
You seem to be off on the state of Google Play Services from a real-world standpoint. Case in point: Microsoft's core apps like Outlook and Skype don't work without Google Play Services enabled, even if you find the APKs somewhere other than the Play Store to sideload them.
Microsoft's apps are specifically an example I've given of how closed Android truly is: Even Google's competitors, which have all of the same service capabilities, are essentially forced to use Google Play Services. Especially when you consider the other top HN item today about how Google now essentially requires all apps use a closed source Firebase library for push notifications.
And while yes, Google Location Services is a location provider that slots into Android, you are missing that Google has convinced app developers to call it directly, rather than using the Android location provider. This means that no alternate location provider will do: Google Location Services is hard coded into almost every location-based Android app today.
If you're willing to make your location known in order to take advantage of location services why wouldn't you want the very best possible service? There are complicated workarounds that can be used in place of Google's location services but none of them are anywhere near as easy to implement for the app developer or as easy to use or as accurate for the end user.
GPS doesn't make your location known at all, it's receiving only. It sends information about your location to nobody, it triangulates your position from publicly broadcast signals.
And, I would much rather "make my location known" to about fifty other companies before I would want Google to have it.
I did not know that and even looked it up to confirm. Thanks for mentioning it
Yeah, GPS is actually insanely cool technology, and the US making it available to everyone was a real public service. Now of course, other nations are, partially for defense purposes of course, deploying similar networks as well.
And it's just out there. Usable with no subscription, no account, nothing. It's just free data.
Notice I didn't specifically mention GPS, although I agree that it is pretty cool. That said, GPS alone isn't capable of providing the UX that end users expect from a modern app. Fused Location is required for more accurate location information and it isn't passive like GPS.
I used CopperheadOS (without GApps) on a Nexus 6P as my daily driver for almost 2 years. Very few "mainstream" apps worked; they would loudly complain about the lack of Google Play Services, and at best would lose functionality (e.g. Slack, which apparently relies on Play Services for notifications) or at worst would crash either immediately or within a few minutes after launch (multiple reasonably-popular online dating apps had this problem).
In short, of the apps I tried that weren't distributed via F-Droid, most of them suffered from varying degrees of brokenness without Google Play Services (and these same apps work fine on my HTC One M8 and my current-daily-driver OnePlus 5T, both of which run LineageOS w/ GApps).
You're right, though, that "some Android apps work fine" is a better situation than "no Android apps work at all". Hopefully GrapheneOS can leverage that advantage well. It'd just be useful to acknowledge that it ain't all sunshine and rainbows just because it's AOSP-based; whether it's microG or something that ain't a security landmine waiting to blow off someone's leg, addressing that issue with an alternative service provider would be a game-changer, and would readily address the one issue I ever had with CopperheadOS (and - it seems - likely would still have with GrapheneOS).
Have you tried a pure AOSP + F-Droid on Nexus/Pixel or Xperia? It's quite good. The only major drawback are closed drivers. But the userland is nice, open and polished.
My worry with Librem and all those initiatives is that rebuilding an ecosystem like F-Droid takes a lot of effort and time.
I primarily used a OnePlus 3 (non-3T) and a Nexus 4. The OnePlus 3 seemed to have a very active ROM community.
I tried many of the well-known ROMs: Lineage, Paranoid, Ressurection.
I also tried many of the OnePlus-specific ROMs, that were typically maintained by only one or two devs each.
Most of the features worked perfectly fine on both phones. But the deal-breakers were often the simple things: GPS (w/o downloading extra geolocation database services) and Bluetooth were the kickers for me. These services were consistently spotty across every ROM I tried.
My experience is as of a couple years ago. I have since moved away from the ROM scene, simply because I do not have the time to deal with this sort of stuff anymore.
A Pixel running stock AOSP with F-droid and Chromium is the bleeding edge of what's possible with open source. There's no better UI/UX in existence and the tragedy of it all is that outside of Android developers and software engineers most people never get to experience it at all.
The reality is that Librem is unnecessary because we have F-droid. There's nothing wrong with F-droid and as time goes on more mainstream apps will continue being brought over.
Too bad the Pixel doesn't have a headphone jack, otherwise I would have bought one. I've also heard it was pagued with hardware issues. Stuck on Nexus 5 + LineageOS for the time being.
GrapheneOS is sadly only available on Pixel devices.
Pixel 3a has a jack. Not supported yet by GrapheneOS, but it might be in the future. You can always self-compile your own plain AOSP.
I am stuck on nexus 5 + lineage. Sadly lineage is stuck on version 14 because of some Bluetooth bug.
How does microg help with that?
I tried microg's Lineage image on the OnePlus 3. It was probably the most painless ROM I had ever flashed.
The microg project has been fantastic in providing an open mechanism to interface with Google's services. When I first tried it, I believe they did not yet have a working implementation of all the Google services. Some apps complained about Google services, some did not. You still needed to sign into Google though, which might turn some people away.
For those who want to interface with Google on an open-source ROM, microg's image is probably the way for you.
I for one cannot attest how many backdoors this Ubuntu installation might have, and I doubt everyone has the knowledge to validate their complete FOSS stack.
> As such I have a very hard time believing that Librem with be as secure as modern Android.
Android isn't secure, it's limited, that's the whole problem here. Any security you can't control isn't a security feature but just a limitation. It's "secure" because you can't do anything interesting with it.
Using Android with reluntance, since my favourite OSes were Symbian and Windows Phone, additionally I dislike Android J++ and the NDK is relatively constrained.
Still, I can do plenty of interesting things with my Android gadgets.
I guess that's because they know that Chain-of-trust only gets you so far.
Eventually you're running something big with bug after bug found every month and and an attack surface that includes the local filesystem and the network. At that point the buzzwords make no difference.
Chain of trust won't reduce the attack surface, but adopting memory corruption mitigations and replacing C code with something with stronger memory-protection guarantees would -- and while some kinds of memory protection can be bolted on later with minimal disruption, minimizing C is best done from the start.
That sounds reasonable, but here we are with Android's endless security disaster and all their apps written in not-Java from the beginning.
The most cancerous aspects of Android are by design, that you cannot control network exfiltration from apps, you cannot update or modify the OS pieces at will, and the apps are monetizing everything you do and everything they can find against you. Librem will answer these.
> that you cannot control network exfiltration from apps
GrapheneOS has a Network permission toggle, which is one of the features already restored from the past work on the project. There are many other privacy and security features that still need to be ported to the latest release, although a lot of them have become standard features especially in Android Q. https://gist.github.com/thestinger/e4bb344dcc545d2ee00dcc22f... is an overview of the Android Q privacy improvements(not security improvements, just privacy) in the context of GrapheneOS. To conserve development resources, the past features that are becoming standard aren't going to be ported over rather than just waiting for the standard implementations being released around August. Some of them will need to be adjusted to make them a bit more aggressive when it comes to apps targeting the legacy API level, but that's a lot less work than maintaining downstream implementations of all of this.
> you cannot update or modify the OS pieces at will
Having a well-defined base OS with verified boot and proper atomic updates with automatic rollback on failure is a strength, not a weakness. It's the same update system (update_engine) as ChromeOS. The update system is not the problem with the broader Android ecosystem with lack of updates to vendor forks. The migration towards everything being apk components that can be separated updated rather than moving more towards the ChromeOS design is a negative thing in terms of GrapheneOS and it's one of the things that has to be changed downstream to improve verified boot.
> Librem will answer these.
That's nonsense. First of all, that's hardware, and also moving to a far less secure software stack with non-existent privacy and security, an inferior update system and no verified boot is not a solution to these problems. The solution to privacy and security problems is not completely throwing away privacy and security...
>The migration towards everything being apk components that can be separated updated rather than moving more towards the ChromeOS design is a negative thing in terms of GrapheneOS
Doesn't stuff like fs-verity help with stuff like this instead of just a block based RO partition that can be verified ? Overall, for the android ecosystem, it seems like a net gain if google moves more and more stuff out of band away from OEMs as OEMs are not incentivized to do anything other than sell devices. That is, as long as everything is still pushed to AOSP.
> not security improvements, just privacy
Privacy is security!
Large majority of Android security exploits are in C and C++ written drivers, hence why with each release the amount of freedom with native code gets further locked down.
Android Q has another round of such measures.
Those may be security exploits, but the real malware is what gets installed through Google Play.
Hence a Play Store free alternative like GrapheneOS.
Nothing can be done to prevent stupid users to install everything that shines.
Even HNers do curl | sh without thinking twice about it.
Chain of trust does protect you from evil maid attacks. And yes, there can be bugs in application layer, but at least half of all CVEs are memory corruption bugs.
These practices do offer a massive reduction in attack surface. You seem to argue it doesn't matter since it doesn't eliminate attack surface completely.
No, chain-of-trust only has one trick... it can check that what you're about to run is unaltered from what was signed to some degree of probability.
If that is the - shipped and validly signed - bugridden nightmare-fuel like the propreitary Qualcomm 802.11 stack or proprietary multimedia bits that are a rich and continuous source of vulnerabilities (take a look through the last months here https://source.android.com/security/bulletin/2019-06-01 ) all the buzzwords did was ensure the vulnerable version is running so it can be exploited. The evil maid can get in that way.
Librem's security model is that of a Linux box, signed update packages... it's not a panacea against hacks but nor are the buzzwords you mentioned. At least they're trying to eliminate the really dangerous proprietary pieces that constantly provide new vulns.
You mean the one that had 68% of CVE exploits reported in 2018 due to memory corruption errors?
Source, the Kernel Self Preservation Google's talk at the Linux Kernel Summit 2018.
Upstream Linux kernel security is hopeless at this point. You can't expect it to secure anything.
> No, chain-of-trust only has one trick... it can check that what you're about to run is unaltered from what was signed to some degree of probability.
This is only one of many privacy and security regressions from moving to a far less secure software stack without anything close to the same level of hardening or work on privacy / security.
> If that is the - shipped and validly signed - bugridden nightmare-fuel like the propreitary Qualcomm 802.11 stack or proprietary multimedia bits that are a rich and continuous source of vulnerabilities (take a look through the last months here https://source.android.com/security/bulletin/2019-06-01 ) all the buzzwords did was ensure the vulnerable version is running so it can be exploited. The evil maid can get in that way.
Counting CVEs is not a way to judge security. Qualcomm's SoC hardware, firmware and driver security is the leader among the available options. The huge amount of both internal and external public security research targeting it is a strength rather than a weakness. The lack of attention given to other assorted drivers is not a strength of those drivers but rather reflects their obscurity and lack of hardening / auditing.
It's also not the norm in the Linux world to assign a CVE for a security vulnerability when it's fixed. The norm is to fix them silently without trying to obtain a CVE. It's completely bogus to judge security based on counting CVEs for many reasons. Not having public lists of the fixed vulnerabilities with CVEs assigned doesn't mean there aren't a bunch of vulnerabilities being fixed, and it's even worse if the vulnerabilities aren't being found and fixed.
Every x86 and ARM device is proprietary and has a massive amount of complex proprietary hardware, firmware and microcode. There is no escaping that for these architectures. The Librem 5 is not an open hardware device and has a proprietary SoC, proprietary Wi-Fi, etc. all with their own proprietary firmware and in some cases entire operating systems (Wi-Fi / Bluetooth, cellular, etc.). The distinction of an OS like PureOS is that they don't ship updates to this firmware but rather leave it vulnerable to all the fixed security issues, because they won't redistribute the proprietary firmware updates. The firmware is still present, but the OS is 'free'. Either way, that firmware is running, and with a bunch of known vulnerabilities if you don't update it.
Proprietary hardware and software is also not inherently less private or secure than open source software. These are differences in development model, not privacy or security. You're very mistaken if you think open source software eliminates backdoors / vulnerabilities or even reduces them. It's not how things work out in reality. Open source reduces the barrier to entry for security research, whether it's for good or evil, but it's certainly still possible without it being open source. Either way, the comparison you're making is between proprietary hardware + proprietary firmware + open source OS to proprietary hardware + proprietary firmware (but without updates shipped by the OS) + open source OS.
> Librem's security model is that of a Linux box, signed update packages
Again, you're mixing hardware and software. The Librem hardware isn't only for PureOS and will be able to run Android.
Signed update packages alone are inferior to not only having signed update packages but also verified boot and attestation. GPG also has far too much complexity and attack surface for this, and having online build / signing servers, etc. is a joke.
Android is Linux, and the Linux kernel is not a strength but rather the most prominent weakness in Android. A massive monolithic kernel written entirely in a memory unsafe language and entirely responsible for enforcing the low-level privacy/security model is not a strength. That's a major problem which needs to be resolved, not a hole to dig deeper. It's fundamentally not fixable and while a bunch of work on mitigations can help, it's very limited in what can be achieved. Moving to the desktop Linux software stacks also gives up the vast majority of these mitigations and the security model that has been rapidly improved over the years. It gives up having such strict SELinux policies developed as an integral part of the base system, as just one of many things that are lost. This level of security cannot be obtained on a traditional Linux distribution without a well-defined base system that's developed together with lots of holistic systems level privacy and security work. Addressing it in a bunch of separate fragmented projects doesn't work out, and prevents having the same kind of security model and security policies. The way that SELinux is used on Android compared to a distribution like RHEL / Fedora is day and night. It's drastically different and not even comparable at all. The same goes for the deployment of other privacy and security features / models.
> Android is Linux....
Kind of, Google can release Android running on top of any OS that implements the NDK stable APIs, plus their POSIX subset, and besides OEMs no one would notice the change.
Other than that I fully agree with your statement regarding being a security weakness.
Yes, that's true. I mean the Android Open Source Project, rather than Android as an OS family. For Android as a platform defined by the Compatibility Definition Document / Compatibility Test Suite, it doesn't have a specific kernel, and Windows could have become certified as Android if they had actually gone ahead with pursuing that.
> isn't going to be particularly security-focused: no attestation, no trusted boot
This is only true initially, presumably due to time and funding constraints. From the FAQ (https://puri.sm/faq/):
> What are your plans for tamper-proofing the Librem 5?
> We hope to have a version of PureBoot available for the Librem 5 for users who want to verify it with a Librem Key. We cannot commit to it being available at launch but it’s a goal.
A PureBoot description can be found at (https://puri.sm/posts/pureboot-the-high-security-boot-proces...).
I imagine it would be possible to get Genode running on the Librem 5, which would be even more secure than Android. Only you'd be limited in what applications you can run.
Still, even on Linux, you can set up SELinux or Apparmor to harden your system as much as possible, run untrusted applications as a different user, compile your own hardened kernel, and so on. It's going to be a less secure system for casual users, but it'll allow power-users to more easily (you can do that on Android as well, but it's more difficult) secure their system as much as they want.
> It's going to be a less secure system for casual users, but it'll allow power-users to more easily (you can do that on Android as well, but it's more difficult) secure their system as much as they want.
No, it really won't. Doing substantial privacy and security hardening requires a years of work by a team focused on it and the OS needs to be developed with it in mind. Sure, you can enable SELinux elsewhere, but you won't have anything remotely comparable to the complete, full system SELinux policies developed as part of the Android Open Source Project and deeply integrated into it. You're talking about users doing all this from scratch somehow when there is hardly any interest in it for that ecosystem. There's barely any application sandbox or permission model to speak of and projects like Flatpak are not approaching it in a meaningful way that avoids trusting apps.
You're suggesting throwing out having an application security model and all this privacy / security work to reinvent it all from scratch for a new ecosystem without existing applications. It's hard to understand how that makes anything easier.
Having the well-defined base OS with verified boot and clear separation between the OS and applications which are sandboxed and offered capabilities via a permission model is crucial. It's not an advantage for security to completely do away with that. It's important to implement each feature / capability in a way that fits into the overall security model. Developers love taking shortcuts and doing this in a lazy / negligent way, and you can see exactly that with how people implement features via the shortest path of depending on app-accessible root instead of doing it properly, even when that's a niche thing.
Attestation of what? Software security is inferior in Android (hello leaky API), hardware is untrusted in Librem sinde Day 0. Show me a TPM chip with open firmware or it's a security disaster on my board. Seccomp is a thing. Also, Flatpak is the last thing I would concider to use.
Indeed. I'm tired of each new attempt to fix Android and make it usable and safe. Apps written for Android are written to work with Google's expectations and assume the presence of Google's servers and proprietary APIs, and that's getting worse, not better.
Librem is going the right way, and there are a handful of other companies working along the same path. Necunos is another I heard of as well: https://necunos.com/community/
Also https://postmarketos.org/blog/2017/05/26/intro/ - "Aiming for a 10 year life-cycle for smartphones" using mainline Linux kernels.
Yeah, and pmOS adds an interesting angle that they're adding legacy Android hardware to these companies' work on their own hardware, all running real Linux.
Note that Necunos' phone could actually be bought with pmOS preloaded as well, so you can really start to see how a few of these different projects are starting to work together and build on each other.
Hopefully we can have a truly FOSS mobile ecosystem in the next couple of years.
pmOS should support the Librem 5 when it comes out, as well. We have several contributors working on them.
> Currently my Samsung Android device is at Dec 2018 patchlevel and nothing I can do about it.
Have you checked whether there's a LineageOS build for your device? https://wiki.lineageos.org/devices/#samsung (Darker links indicate a build is maintained and available.)
Unfortunately, based on how the devices are supported by volunteer work, supported hardware has large gaps.
My Samsung galaxy S6 (march 2018 patch level) wasn't supported the last few times I checked, but older galaxy models were.
Lineage are quite aggressive in dropping older hardware since they pivoted towards 'experience'. My 2013 Galaxy S4 is no longer supported.
I hope Librem remains viable. As someone who needs some specific apps for work, I won't be able to switch for practical considerations unless those services work well enough on the device. For example, Slack.
I could carry a second device for personal use, but am unlikely to.
Exactly. How much I like the idea of a truly open phone platform there are some obstacles:
- Decent hardware available at competitive price
-- While I could make do with some degraded performance for a truly open phone concept, most people would not, especially if price point is similar to, or higher, than established closed platform brands
- Must have apps available - needed for wide acceptance
-- My personal examples of must have apps:
-- BankID (Swedish e-id, needed for banks, taxes, government sites, payments)
-- Swish - Swedish app for personal micro transactions
-- Public transportation apps (tickets/timetable)
-- Bank application
Without these apps, a open platform phone would be next to useless to me. And I am a big proponent of open platforms.
And looking at how reluctant BankID were to even support older version android phones, I am not optimistic to them adding a completely new platform to support.
I know people who were forced to upgrade from "old" phones because BankID no longer supported their Android version, and phones would not get newer Android version.
Specific app needs have killed dozens of potential third party mobile OSes. I suspect that PWAs may finally help with that.
What's wrong with AOSP? It's fully open source, supported by a huge amount of phones and has a snappy UI. The only other open source UI that has managed that so far is Sailfish OS.
Just dump all the proprietary Google add-ons and enjoy the F-Droid app store. You will have amazing battery life, less detractions, less ads and a lot more security and privacy.
I enjoyed this with CopperheadOS (the GrapheneOS predecessor) on a Nexus 5X until the project folded. Google stopped supporting the Nexus 5X with updates a few months later.
I'm really excited for it. I also have my eyes on the Pine phone project.
I don’t fully understand why it was not easier to build a fork of aosp, but it is exciting at least
The big problem is the price which too high.
R&D and a small batch size are the only reasons.
I am not blaming them for that, I understand that but I understand also customer who does not pay twice as more as for other phone.
A very condensed version of the messy CopperheadOS implosion is: https://en.wikipedia.org/wiki/CopperheadOS#History
It's good that the tech person is moving on, but Android doesn't seem a great starting point if privacy&security are the top priorities (as opposed to remaining captive in the Android camp, with some belief that you're a bit more secure than default).
The Android Open Source Project is the only viable starting point. I don't know what else you would suggest. It has solid privacy and security as a baseline already, unlike other mobile or desktop Linux-based operating systems. There's also a huge amount of public security research targeting it for both offensive and defensive work. Moving to the desktop Linux stack would drastically set back both privacy and security. It would take a decade of work by dozens of programmers just to catch up, and the goal of the project is advancing the status quo rather than trying to play catch up to it for years. The goal is not creating a new ecosystem for applications and convincing developers to target it, especially if it would be for no particular reason. It needs an existing application ecosystem, so Android app compatibility is of utmost importance.
Having a massive monolithic kernel at the core of the operating system written entirely in a memory unsafe language is obviously a huge problem, and will need to be addressed over the long term. It's an increasingly blatant weakness, and the enormous amount of ongoing work that has gone into userspace doesn't translate well to the kernel. Developing increasingly more sophisticated mitigations helps a bit, but it can't solve the fundamental issues with the choice of language, architecture or development process. Linux ultimately isn't a viable choice for creating a system with decent security. However, Linux compatibility is part of Android compatibility and is essential. That means the Linux kernel either has to be kept around in virtual machines or replaced with a compatibility layer on top of a microkernel. https://github.com/google/gvisor is an existing project which could be ported to arm64, expanded as needed and adjusted to run on top of another kernel but it doesn't need to be the starting point. It's usually a good idea to start from an existing base like this and try to land everything needed upstream though, rather than burning far more resources starting from scratch and losing out on the shared benefits from collaboration with a larger community.
Using virtualization is a nearer term goal, with a compatibility layer as a much longer term aspiration. There's not much written about the roadmap on the linked page, but this stuff is actually mentioned, and I'd recommend checking it out before wrongly assuming that the goal is simply having a hardened fork of AOSP. There has already been substantial work on experimenting with integrating virtualization for app containment, although containing user profiles would be another approach and potentially more useful.
That's what OK Labs did before GD bought them:
CompSci folks have been doing it, too. Here's a paper describing the design style:
Genode OS Framework is only one I know building something like this in FOSS. The rest, esp used in phones, were commercial. One might port Android to something like it or seL4 with dynamic, resource management. Rewrite drivers or anything that's moved to kernel mode for performance in safe language or lots of verification tooling thrown at it.
> Linux ultimately isn't a viable choice for creating a system with decent security.
Stop spreading FUD. In this conversation we are talking about phones filled with bloatware that spies on the user in every instant and you nitpick about memory safety in the kernel.
I'm not spreading FUD, and the conversation isn't about what you claim. Talking about the lack of basic security on existing operating systems based on monolithic kernels written in memory unsafe languages is hardly nitpicking. It's the kind of stuff that GrapheneOS is all about... which is what this entire is about.
I always wondered what the backstory was there, but the internet is one of those places where if I heard to the real story I don't know if I'd know enough to belive it.
Edit: Voluntarily replaced with...
I had summarized public information and questions from as the implosion was happening, trying to be impartial and not voice my guesses as to what actually went on, and concluded that everyone should be given the benefit of the doubt, given all the unknowns.
But that impartiality could be upsetting to one of the parties (by bringing up things that, say, a good guy maybe can't talk about), and maybe this isn't the time, as people are recovering and moving forward.
At the same time, HN people might need to know some lessons from this noteworthy incident in development and privacy&security, since it should inform how we think about how other projects and startups can fail.
For example: a prominent security product can suddenly be compromised (e.g., in the sense of trusted security update mechanism broken, or a change in who controls updates), or a business partner can force out you and your intentions/stewardship of the product that you think depends on you being in the loop to not be evil, or a different business partner can delete very important keys, or (vaguely) this is another way it can be difficult to reconcile privacy&security goals with business ones.
These failures might be things we briefly consider as hypotheticals when planning or evaluating, but they do happen, in real life, on prominent efforts.
The open source project was started before Copperhead existed and long before it was incorporated. The project was never directly owned or controlled by the company, as that was an explicit condition of the collaboration with the company. GrapheneOS is the continuation of that original project, but a lot has been learned and it will never become associated with another company or organization to the same extent. The purpose and values behind the project were eroded by the association with a company focused on a business model. It was a problematic relationship long before you heard about it and eventually Copperhead betrayed the project. You can see for yourself that they made a bunch of ultimatums and threats trying to take over the project and end the independence from the company. They failed at doing that, but they succeeded at hijacking all of the infrastructure and preventing it from ever pushing out another update to the existing installs. The OS was never compromised, but it lost all of the infrastructure and resources supporting it so it has taken a long time to even get some basics back up and running. Most of the initial focus after the disaster was on standalone projects like https://github.com/GrapheneOS/hardened_malloc and https://github.com/GrapheneOS/Auditor. It took a long time to get things back up and running, and it has definitely been massively set back both not only in terms of the development work but also in many other ways. It has still managed to continue onwards and while the OS itself hasn't been fully restored, there's a bunch of useful standalone work that's far better than anything the project offered in the past.
You're substantially misrepresenting the events that occurred based on a very incomplete account of the events that you've seen. People seeing your comment are going to end up with an incorrect understanding, just as you did. You're stating your assumptions and misconceptions about what happened as if they're facts. It's a very incorrect account of a very small part of the story. This game of broken telephone where people misinform themselves and then propagate variations of that to many other people is a poor way of spreading knowledge.
I don't think he's representing or misrepresenting much at all. Most of his comment (like mine) talks about what we don't know and asks questions, and like mine admits it would be hard to know anything even if we were told what "really" happened.
>It was a problematic relationship long before you heard about it
Probably day 1 as it sounds like there was a fundamental conflict with the business and non business entities, I don't get what anyone thought such an arrangement would really do that would be positive. Hopefully everyone learned from their experience, can do some good work now, and can avoid such things in the future.
The business wasn't supposed to be entirely based around my open source project. It was a security consulting company.
Agreed. It is so strange how it just sort of "happened" generally I don't think such things usually just happen out of nowhere, so half the story I think would how everyone came together to work together and then end up in a situation that was as apocalyptic as far as how it played out for the project.
Well their long term goal is evidently moving to a microkernel based based OS rather than Linux. This seems like a lofty goal if they aren't for instance planning on switching to Fuschia (which may replace Android all together). Also its not like there are a lot of open mobile stacks that don't involve basically creating a ecosystem from scratch, aside from the Librem phone by Purism which is trying to integrate with the existing Debian/GNU Linux ecosystem.
Doing away with the Linux kernel is a much longer term aspiration. The intention is to use virtualization as a way of reinforcing the app sandbox and/or user profile isolation in the meantime. There has been successful experimentation with this already, but fully integrating it and maintaining it will need to wait until the project has gotten further underway and has more developers that are up to speed on it. It's one thing to simply integrate Xen or KVM for toy examples and quite another to more meaningfully integrate it in an invisible way that preserves the existing functionality rather than being useful only as a proof of concept for research or presentations.
That is how ChromeOS runs the new Linux sandbox, implemented in Rust.
Check the Google IO 2019 talk about Linux support on ChromeOS.
Creator of CopperheadOS  and now GrapheneOS, Daniel Micay, was a prolific contributor to rustlang-core  but did rub off the rustlang community the wrong way? If I'm not mistaken he has a history of contributing to Arch Linux, as well.
What happened with CopperheadOS was unfortunate . I hope Daniel  is able to work on GrapheneOS on his own terms . The work that was done had garnered a lot of following and there's hope, given his exploits in the past, that he'd be able to steer this non-profit to heights where industry leaders building SilentCircle  and CyanogenMod failed.
Sure will be following the project from afar and routing for its success.
Good luck Daniel.
This project and its predecessor are so cool. I've been glad to see their continued progress.
It's probably not wise to post this, since I never talk about it publicly, he might not like it, and this thread should be about GrapheneOS, not Rust or myself. But with the mention of his Rust involvement and the history of CopperheadOS, I feel compelled at the moment to add some context and give him props.
He is an exceptionally skilled developer.
Some of his contributions to Rust were crucial. Of particular note, he re-designed Rust iterators to their current form. But he added to Rust so much more, both with his ideas and code.
And from what I recall he was in high school at the time. Amazing.
I happened to be the Rust team lead during much of his time contributing to the project, and a good deal of the blame for his departure belongs to me. It was a difficult learning experience for everyone.
It is totally fair to say that Rust would not be what it is today, both technically and socially, without him.
I was happy to see him rebound with CopperheadOS, and again here with GrapheneOS.
Good luck, Daniel.
(edited to remove some Rust cheerleading)
I remember him as a very Torvalds-like person, for better or worse.
I wanted him to stay a little more around the Rust 1.0 era because I thought as many warts as possible should have been fixed before the backward compatibility guarantee was made, but he left too early.
Didn't know about the CopperheadOS incident, too bad such a situation happened to him. Good to see it's kinda resolved now.
We're all grateful for Daniel's contributions to the Rust project and to the state of open source security in general. I certainly don't bear him or anyone else involved at the time any ill will.
He's also the author of Termite. Pretty impressive how many projects he's been involved with.
Termite has been officially maintained by https://github.com/jelly for quite a while now though.
The CoppetheadOS subreddit and Daniel's reddit account has a lot of his perspective on what happened with that project as well if people are interested.
It seemed like he got royally screwed just given the amount of time and effort he put into the project, easily shown just from his activity and responses during its life cycle.
> but did rub off the rustlang community the wrong way?
I find it interesting that people bring up my time contributing to Rust as a negative thing, largely due to my former business partner misrepresenting it and falsely claiming I was kicked out of the project. To be clear, I don't think you're doing it maliciously, but it's quite weird that contributing so much of my time to an open source project and then having that used against me as if working on a set of open source projects nearly full time for a year as a volunteer was a terrible thing to do. It's a large part of why I now avoid doing work without compensation. If people are going to value my work so little, then I'm at least going to get paid for it.
I left Rust on my own accord because I wasn't enjoying it anymore and I'd determined that it was extremely unlikely that it would turn into a career which is part of why I'd persisted long past the point that I was enjoying it. It became harder and harder to accomplish anything of substantial value as it moved towards stability. I had strong opinions on many of the topics and to get anything done as an outsider I had to make strong arguments and be incredibly persistent, which rubbed some people the wrong way. It was also very rough at that time being an outsider and trying to have a significant influence on it, especially when I disagreed in many areas with the core developers. The way things were done drastically changed later on for the better. I left the project for the same reason a few people didn't like my involvement in it. I was getting burned out dealing with them and they were getting burned out dealing with me. It certainly went both ways and the vast majority of the people involved in the project didn't have issues with me. Out of thousands of people, there were only a couple that I truly didn't get along with and literally only one person where that persists today (and believe me, I'm not the only person who doesn't click with them).
I've certainly evolved how I communicate with people online since then. I still take serious issue with people bending the truth and being dishonest / misleading, which can make arguments very heated if people aren't trying to debate based on the facts. There's a tiny minority of people that I absolutely don't get along with because they'll keep bending the truth and I'll keep pointing out that they're doing it, which they can interpret as an insult. In the context of a debate over the design of a project where the stakes are high, I'll choose not to be very diplomatic when the alternative is letting someone walk all over me with false claims. It's too tiring refuting things over and over and having facts treated as subjective things rather than being able to agree upon a set of facts and argue things based on their merits. I think the world would be a better place if people didn't tolerate this so much. I was no good at playing politics and choosing my battles carefully which played a big part in it too.
The objective truth is that I decided to leave the Rust project and community, and I removed myself as a contributor from the repository. If I recall correctly, I think someone misinterpreted what happened and posted a thread on /r/rust incredibly angry because they thought I was kicked out of the project. The people who saw the thread but weren't aware of the details assumed that it actually happened and then had a massive fight with each other about whether something that didn't happen was justified or not. The reality is that it didn't happen in the first place.
I also seriously doubt that I would be kicked out of any project for occasionally being a bit abrasive in arguments. It would be a bit ridiculous for a project to ban people from contributing for having that kind of personality or not being neurotypical. It's possible that they would have asked me to start being less abrasive in debates, sure, but they hadn't. I definitely don't think I was always fun to work with, particularly once things had soured with Mozilla, but I don't think it's entirely fair to put all the blame on me for that. I was upset about what had happened overall and that definitely influenced how I participated.
My experiences with Rust and other projects are what led to me making sure that I'd own and control the projects that I'd be heavily working on in the future so I wouldn't need to spend so much of my time debating and playing politics. When I co-founded Copperhead, I made sure that it was explicitly agreed that my open source work would remain under my control despite the company sponsoring it. It was explicit that I would own and control the OS development project. It's worth noting that there were 3 co-founders, and 2 of us believed in open source and the company building value around it rather than by selling it. Unfortunately, the 3rd co-founder left early on before shares were even divided up, and I ended up owning the company 50/50 with a narcissistic sociopath who ended up totally screwing me over. Internally, there was conflict and dysfunction long before it became public. I wanted to be free of that company for a long time, but I couldn't leave because I couldn't just abandon the people using the project and it had become too tied to the company. Eventually, my business partner decided to throw away all the agreements and just try to take over the project with threats / ultimatums. I don't think it was at all rational for him to do that. It wasn't at all in his best interest even from an entirely selfish point of view. There's absolutely no way I was going to turn over ownership / control of my project to someone that by then I considered highly untrustworthy and downright dangerous. Unfortunately, they had set up everything to be able to completely screw with over by tricking me at various points and being very strategic about how the domain, infrastructure, etc. was set up. It ended up not mattering at all that I owned 50% of the shares because they just ignored my rights as a shareholder and banked on me not wanting to spend a huge amount of money fighting them in court.
GrapheneOS is the direct continuation of my work on this, which began before Copperhead became involved in it. It had existed before it was CopperheadOS. I've learned a lot of lessons from the experience there. One of the biggest mistakes was being tricked into not being a director early on, but that was also before the stakes had become so high. It also really shouldn't have mattered to the extent that it did if the Copperhead lawyer had been at all competent and truly looked after the interest of the company instead of acting solely on behalf of my business partner. Anyway, I'd rather not be directly involved in businesses at all. I've had almost nothing but bad experiences with governments, businesses, etc. including things far worse than the stuff with Copperhead.
Just wanted to say: Thanks for all your work on these projects
Also, https://postmarketos.org/ is a good project too.
PostmarketOS seems the most promising effort for a truly open and affordable handheld OS with mainline kernel and other good practices.
And there's also a useful incremental path for evolution, that starts with a familiar GNU/Linux and moves gradually towards handheld tweaks (UI, power, devices, apps).
It's important to be upfront that PostmarketOS is not yet viable as a daily driver, or people will feel they wasted their time looking at it. What it really needs is programmers, like the earlier Linux ones, who will power through the pain of getting things working well, and stick with it for months, as a labor of love.
PostmarketOS reminds me a lot about the approach Openmoko (https://en.wikipedia.org/wiki/Openmoko) took way back over a decade ago, except that they did have to build the hardware as well.
There've been several such prominent open source handheld projects in the last 20 years. PostmarketOS seems the most viable, IMHO, because it emphasizes the old Linux (and GNU) principles of getting working on lots of available hardware, with true open source, mainlined. (Separately, it also potentially builds on a wealth of GNU/Linux stuff that there's no good reason shouldn't have a lot of commonality between desktop and handheld.)
PostmarketOS in tandem with the Pinephone should be a great choice in the future.
https://grapheneos.org/#roadmap is pretty interesting:
> Details on the roadmap of the project will be posted on the site in the near future. In the long term, it aims to move beyond a hardened fork of the Android Open Source Project. Achieving the goals requires moving away from relying the Linux kernel as the core of the OS and foundation of the security model. It needs to move towards a microkernel-based model with a Linux compatibility layer, with many stepping stones leading towards that goal including adopting virtualization-based isolation.
Strengthening the security with virtualization is something that's in the early stage of experimentation and research and will be a long-term project. Over the long term though, the goal is moving away from having the Linux kernel completely other than as the native API / ABI for apps. Projects like https://github.com/google/gvisor are very promising in that regard even if they end up playing no part in how this eventually happens for GrapheneOS. A clearer and much more detailed roadmap will be posted soon. The site is still very newly created and barely has any information about the project.
Essentially, the goal for the project is for it to be an OS compatible with Android apps, using the Android Open Source Project software stack to run them, but the underlying base can become whatever is most suited to the task. For now, the most practical approach is using virtualization to reinforce the app sandbox and user profiles. Eventually, the virtual machines can drop having their own Linux kernels (see gVisor as an example of this). In the very long term, the Linux kernel at the core of the OS could eventually go away too.
I'd recommend checking out the standalone projects like https://github.com/GrapheneOS/hardened_malloc and https://github.com/GrapheneOS/Auditor for an idea of what the project is focused on doing. The hardened_malloc implementation supports other operating systems, as does Auditor, which supports verifying the stock OS on many mobile devices (they need to be added one-by-one to the internal database based on users submitting attestation samples with the app) and CalyxOS in addition to GrapheneOS.
The OS project itself is still in the early stage of reviving it, porting over past work and getting the basics done. It's very focused on the infrastructure and low-level work right now. Working on the higher level features that are more user facing and bundling various apps, etc. is not a priority right now. It doesn't even bundle F-Droid right now, because it's not quite at the point where bundling any third party apps makes sense. It also needs to be determined how to best approach that. A lot of these things will also be done in collaboration with other projects like CalyxOS, with GrapheneOS focusing more on low-level security hardening. CalyxOS is primarily working on areas like the backup service implementation and various other higher-level services, and a lot of this will be used by GrapheneOS too.
I think if you dont have a strong opinion about it, this is exactly what they are trying to achive with Zircon/Fuchsia kernel.
A micro-kernel, with a linux virtualization layer, being abble to run Linux executables as if they were native.
My hunch is that in the long term, Google will probably use Zircon as the 'first-level' kernel, and run the android apps using some emulation layer.
Maybe it could be the answer for what you are trying to accomplish, without having to create a whole micro-kernel OS from scratch, while at the same time benefiting from whats already there.
I bet that with such a thing in place, the Linux kernel could totally go away, with only a emulation layer in place if you want to.
Google has already kind of achieved that with ChromeOS, each Linux executable runs in a sandbox, specially tailored for it.
It can only see hardware, files and processes that the user allows to as well.
It was written in Rust.
Check the ChromeOS support for Linux talk at Google IO.
I have checked this earlier. Its pretty cool stuff, but its more in the direction of userspace emulation like what GVisor do.
The OP expressed he wanted to use (or create idk) a micro-kernel based OS, and that in the end he would like to scrap the Linux kernel.
Of course the solution you are pointing out will deliver in one of those axis, but the solution im pointing out would deliver in both, Linux emulation/sandboxing and a micro-kernel based OS controlling all of this.
I just think that the direction Fuchsia is going, has a little bit more to do, to what he is trying to achieve.
But he can totally mix the 'syscall proxy' solution of ChromeOS and a micro-kernel, even if this would still be Zinc or something else. And depending on the goal, maybe having this in userspace level would make more sense. He just need a good and flexible IPC communication (like the one in Chrome, or something on the kernel level).
It supports the Google Pixel range of phones only so far.
So in order to get that is more secure and more independent from Google I have to buy a Google phone?
There are not that many phone manufacturers that even allow you to change the trust anchor (which makes any of this even remotely possible). For example, Samsung uses e-fuses to burn in their signing key, rewriting recovery will permanently trip their attestation (Knox); other manufacturers use similar practices. Pixels are one of the only currently available phones with user-controlled trusted boot in mind.
Yea. It's bullshit. You can't install something like Magick and then relock the bootloader with a new signature.
A PC with UEFI (except for a few of those which Microsoft locked down) lets you turnoff secure boot, and install your own keys, and turn it back on. So you actively delete the stock keys that boot stock Microsoft/Ubuntu/Redhat, and then custom sign your Grub bootloader or UEFI-Stub Kernel, add that cert to SecureBoot and turn it back on.
You can argue device security all day long, but if manufactures can't update Android security patch sets as they come out, then you have gaps in your device security anyway.
Google controls ASOP. They could literally force manufactures to be compliant, have UEFI or devicetree as a standard, demand every device allow a stock reinstall just like Windows and even create shims to fix the broken Linux driver ABI. But there is more money in planned obsolescence. Gotta throw out that phone after two years and just buy a new one.
I'm currently using Galaxy S9 and it is the first phone I decided not to root. I've always rooted my phones since I was introduced to Android, but this time Samsung tied its crucial functionalities with Knox. And Samsung Pay was just too important to me. Too bad more manufacturers are doing this.
There are more devices supporting this than there used to be though. https://grapheneos.org/#device-support explains that it's going to support other devices. It doesn't support the Pixel 3a and Pixel 3a XL yet either. Supporting each device is a lot of work, and other devices will need to be carefully chosen. It would be harmful to make bad choices about device support and encourage people to buy insecure devices with too many issues that can't be fixed with another OS.
Has Project Treble helped in this area?
Oneplus phones too.
>So in order to get that is more secure and more independent from Google I have to buy a Google phone?
Yes, people find it ironic, but that's how it is. Google's hardware is always better than competition for security: not just in phones, but also look at chromebooks. However, not running proprietary google software is left as an exercise for the reader.
> It supports the Google Pixel range of phones only so far.
See https://grapheneos.org/#early-stage-of-development and https://grapheneos.org/#device-support. There's barely any content on the site, since it's so new, but this is covered pretty well. It does support other devices already. There's a difference between that and deciding to do all the work to provide official releases with seamless over-the-air updates covering all firmware, etc. along with porting all device-specific hardening work.
> So in order to get that is more secure and more independent from Google I have to buy a Google phone?
The goal is primarily implementing privacy and security improvements. It doesn't include Google services for privacy reasons, but that's not the purpose of the project. A project aiming to project AOSP with the baseline privacy/security intact and work to fill in gaps left by not having Play Services would be useful, but that's a tiny subset of what GrapheneOS is about. It's primarily about the privacy/security research and development work.
You can see that the GrapheneOS Auditor project supports a large range of devices already:
That's because it's quite easy to add support for each device one-by-one once users submit attestation samples with the app. The main list is for devices with the stock OS. It also supports CalyxOS and GrapheneOS on all their supported devices and will happily include other operating systems with verified boot and the security model intact. There are now a bunch of devices supporting verified boot with alternate operating systems.
How good is the Dual-SIM support ? Seeing the P20 Pro on that list is very promising.
Exactly my question. I have seen a bunch of these OSs, all useless because there is no build for my phone and no described path for making one. I would love to get the T-Mobile spyware off my phone. What do i do?
See https://grapheneos.org/#device-support. The goal of the project is not to bring security to people's existing devices. It will have official releases with all the device-specific hardening for non-Pixel phones, but they'll be devices with solid security. They probably won't be quite on the same level as Pixels, but they'll still be ones with proper security support, verified boot support for alternate operating systems, etc.
If you have a phone with T-Mobile spyware then it almost certainly also has a locked bootloader with no official unlock method. What are you expecting people developing alternate OSes to do about that?
The obvious way to get a phone not running T-Mobile spyware is to not buy a phone from T-Mobile.
Not trying to be snarky here, I have one of these phones too. Though if you happen to have a T-Mobile Oneplus phone like I do it is possible to flash the international ROM and replace the T-Mobile spyware with Chinese spyware.
To clarify, some of the phones you can buy directly from T-Mobile can also be bought "unlocked" in the open market.
In general, if you want any hope of unlocking your phone (either for use on other carriers or unlocking the bootloader) then you should NOT buy from the carriers' online or brick & mortar stores.
Unfortunately all you can really do is pick up a different phone. Luckily finding an old unlocked Nexus 5 or OnePlus One on ebay is pretty easy and relatively cheap.
Stop buying telco subsidized phones.
For anyone interested in doing their own customizable builds of AOSP for Pixel devices check out: https://github.com/dan-v/rattlesnakeos-stack. This doesn't have any of the security hardening features of GrapheneOS, but does have some of the same security properties like verified boot, OTA software updates that included updated firmware/drivers, support for remote attestation, etc.
Stock-ish Android that gets updates is good enough for me. I'm looking forward to wider support of U2F over NFC in general though, I don't keep data on the phone itself.
You can buy a contactless smartcard for $15 each and install this on it https://github.com/tsenger/CCU2F
What does it matter if you are still running proprietary software with direct memory and CPU access on your network, camera, ...
Android can give you privacy and enough security for most people. This can't add much more as long as its running on the same devices.
This is a great effort and I support it, but let's not imagine this will make our phones that much more secure.
For reference, this concern has been addressed here: https://news.ycombinator.com/item?id=20149112
Open source is a development model and doesn't have magical privacy and security properties. An iPhone is going to remain the best overall option for privacy and security for the near future, especially for users that aren't very technical. That's not really in spite of it being almost entirely proprietary but rather that's something quite orthogonal to it. GrapheneOS aims to provide a much more private and secure option down the road, but it's trying to do that based on merit rather than by claiming that being open source makes it better. Either way, the any ARM SoC is going to be a massively complex set of proprietary hardware / firmware / microcode. An open hardware SoC wouldn't provide inherently better privacy or security, and unlike software you wouldn't even be able to reproduce the build and verify that it matches what it's supposed to be. In reality, that provides very little for software, because sources are full of vulnerabilities and it being open source doesn't magically fix them. A maliciously inserted backdoor designed to be stealthy would be indistinguishable from those, and it's nearly impossible to know how many of the vulnerabilities being fixed in software were intentionally inserted backdoors, if any. A sophisticated attacker in a position to insert a backdoor into hardware or software could just use the existing vulnerabilities, and if they did insert a backdoor how would you distinguish it from one of those?
Components with DMA can be contained by IOMMU, and that's the industry standard today. However, you seem to be implying that backdoors are being inserted into non-CPU SoC components, and it's very hard to understand the threat model you're applying to this. Why would there even be a backdoor inserted into an SoC component like the image processor, which is contained by the IOMMU, rather than the CPU? These SoC components aren't third party components. They're on the same die as the CPU and come with it. That doesn't mean they can freely access all memory... but it does mean that supply chain attacks targeting them would generally be able to target the CPU instead.
If a hardware component is compromised, an attacker would target the driver and gain code execution in the Linux kernel via an exploit. The Linux kernel is a weak target (monolithic - no internal security boundaries, fully written in a memory unsafe language) and drivers are rarely well hardened against attacks from hardware since developers have a tendency to trust it and to not apply an adversarial model towards it as they do with userspace. They don't need unrestricted DMA access, and proper IOMMU setup keeps them from having that. Having DMA does not mean having full control over all memory. Not having DMA doesn't mean that the component is well isolated. Whether or not the component is on the same die is totally orthogonal to whether it has DMA access. These are common misconceptions, and are being abused by dishonest marketing to trick people.
> Android can give you privacy and enough security for most people.
Some of that is due to the improvements landed upstream based on the work in this project.
> This can't add much more as long as its running on the same devices.
I don't agree with that at all. It can't improve the security of firmware directly, but it can certainly improve the isolation of it by auditing and improving IOMMU configuration along with hardening the drivers. It also won't be supporting devices without decent IOMMU support and firmware security updates. The project has also reported various firmware security issues to the relevant companies over the years of the project, so that's an indirect way of improving them.
A large portion of the project will also be on app layer projects like https://github.com/GrapheneOS/Auditor usable on the stock OS and other operating systems. Auditor / AttestationServer support the stock OS on a bunch of devices, along with CalyxOS and GrapheneOS. Other apps will generally be more portable, but in this case it has to have a database of the verified boot key fingerprints and other device properties. The verified boot key is the only information included in the signed hardware attestation data that it can use to distinguish between devices which it needs to do in order to show the device model and apply different checks based on the device. That's why devices need to be added to Auditor one-by-one based on users submitting sample attestations with the app.
"They're on the same die as the CPU and come with it. That doesn't mean they can freely access all memory... but it does mean that supply chain attacks targeting them would generally be able to target the CPU instead."
I don't disagree with your overall post. I do want to add that there's a good reason to not put the backdoor in the CPU: it's main place they'll look with plenty of people capable of spotting it. The guy that taught me about hardware subversion years ago preferred hiding stuff in analog parts of mixed-signal ASIC's. He said digital people neither saw it nor understood it. He and others taught me about how the two can interact in invisible ways where analog or RF portions might pick up leaks. So, deniability is maximum if it's some kind of analog or RF part of a chip. He claimed to have never found backdoors but that he and others used this for I.P. obfuscation a lot.
I do like the IOMMU and firmware work. There's a lot of custom I.P. to build before being competitive with one of high-end SOC's. One thing I considered about trying to make an open phone is whether a company with money could just pay for Snapdragon to be integrated with the RISC-V cores. Modify RISC-V core to use microcode for security updates and product enhancements. Put security barriers in key places so Snapdragon I.P. is a little less dangerous or can even be powered off component by component. Then, if the agreement gets more data on hardware, use that with secure, development practices to make robust drivers. Include method for secure boot and update that still allows user to put their own stuff on the phone if they choose.
What you think?
EDIT: In case it wasn't clear, I know there's stuff like IOMMU's in Snapdragon. I'd just prefer an independent, security-focused company to be making those components. Sort of a check against incompetence or malice on Snapdragon's end.
> Open source is a development model and doesn't have magical privacy and security properties.
This is misleading.
> A maliciously inserted backdoor designed to be stealthy would be indistinguishable from those
This is a false equivalence. In most closed source systems the vendor does not need to put efforts into designing a stealthy backdoor.
It just adds tons of code that spy on the user and call it features. The amount of homecalling done by android, ios and windows is staggering.
Not to mention the ability to push an update that can contain a backdoor on a specific, targeted device without the users being aware of it.
Would this be something Huawei might get into?
Huawei could probably do something similar, however they still can't access the Google Play Store and such, therefore leaving them in a problematic area. For instance, though somewhat substantial, the Amazon store is quite pitiful in comparison to Google Play. Huawei could attempt to make a store but it won't have the world of apps that already exist on the Play Store.
This would work in China though, since they don't have the Play Store in the first place.
"Android compatibility" implies that it's something entirely new. It appears to be an Android fork that simply hasn't done away with compatibility. There are neat ideas and all, but the title implies that it's something that it isn't.
Lastly, I wonder how this will do over time considering Fuschia.
It's not implied that it's something completely new, although a dozen of the sub-projects are new projects rather than forks of existing ones. The overall project is not simply a fork of the Android Open Source Project with hardening. That's a subset of the work, and a big part of it. I also added a paragraph to the placeholder index page clarifying the longer-term plans with virtualization: https://grapheneos.org/#roadmap.
GrapheneOS includes sub-projects including standalone projects like https://github.com/GrapheneOS/Auditor and https://github.com/GrapheneOS/hardened_malloc that are portable to other operating systems. This also applies to a lot of work that's under active development and not yet published as part of the stable releases.
It intentionally doesn't stick to the Compatibility Definition Document / Compatibility Test Suite requirements required to be Android, so it can't be referred to as Android, but rather it's an OS with Android app compatibility. It preserves what's actually needed for compatibility in practice, while not being strictly bound by those requirements. The intentional deviations from these are documented, and there are a bunch of them.
> Lastly, I wonder how this will do over time considering Fuschia.
If it ends up shipping as a replacement for the core OS, with Android running in a virtual machine or on top of a compatibility layer like gVisor, that would just mean that there's a better base to build on than before. All of the work done by the project would still be relevant in a future like that. I'm not so sure that's truly going to happen though.
I get that, and the site doesn't imply that it's something new, but I simply found the title of the post to be such.
Fair enough though.
>If it ends up shipping as a replacement for the core OS, with Android running in a virtual machine or on top of a compatibility layer like gVisor, that would just mean that there's a better base to build on than before. All of the work done by the project would still be relevant in a future like that. I'm not so sure that's truly going to happen though.
I can see what the focus is, but I couldn't find a page that clearly spelled out differences with AOSP. I realize that's a missing target, but as a potential user it's interesting to know how it's going to be different than stock Android (beyond what the "focus" is).
I shouldnt be commenting. But os with new kernel like chrome os would be ideal for security, privacy and performance. Only thing left is open hardware not sure how to go about it.
I need to try this, I also need to get a Librem 5, and build my project for it. Anyone know of any good projects for replacing google services with FOSS services that do the same basic things?
Is that like the real thing (graphene) and can do anything but go out of the lab ?
how does this compare with something like microG?
It doesn't compare because microG isn't an Android "ROM" - you can't compare the two.
You most certainly can!
Microg is a (very welcome!) band-aid for the fact that the android ecosystem is critically dependent on a proprietary piece of software called play services.
PMO is a different, libre, OS and ecosystem that doesn't have that problem to begin with since it is truly a Linux (as opposed to AOSP) and truly free (as opposed to android's "can read most code but Google holds all the cards")
There's a far larger app ecosystem for Android without Play Services than any other mobile OS. It's very odd to try to claim that it doesn't have that problem. Android is truly a Linux distribution too, and is truly free software. You can promote your preferred mobile OS without making misleading claims.
How does graphene compare to linage os?
Why use utility token? Coin Circle a state of utility token, get a chance to win $500 USD daily contest at https://coincircle.com/l/1RQBJ6CRKU
you edited your comment 3 times to downplay Daniels difficulty to work with? following this link http://slash-r-slash-rust.github.io/archived/2u1dme.html do you have a comment
Please don't use HN to promote personal attacks. It damages the community, regardless of how badly someone might have behaved in another context.
We detached this comment from https://news.ycombinator.com/item?id=20149702 and marked it off-topic.
Security focused and Android in the same sentence? All I can say is good luck with various firmware, custom services and drivers.
From the link- "In the current early stage of the project, GrapheneOS provides production releases for the Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3 and Pixel 3 XL. It will support other devices in the future, but devices are carefully chosen based on their merits rather than the project aiming to have broad device support. Broad device support is counter to the aims of the project, and the project will eventually be engaging in hardware and firmware level improvements rather than only offering suggestions and bug reports upstream for those areas."
Don’t even those phones feature a cellular modem that shares memory with the CPU? In that case, they remain insecure.
A component being on the same die as the CPU doesn't mean that it isn't isolated. The SoC components in Snapdragon chips have IOMMU isolation. In modern computers, including smartphones, there are many components inside and outside SoC with memory access. A component being on the SoC is orthogonal to whether it has direct memory access. Direct memory access is supposed to be contained properly by an IOMMU, and that's the case for most of the components in the devices targeted by GrapheneOS. It's one of many kinds of hardware / firmware security properties that's going to play a substantial role in researching and choosing devices as targets.
Research is currently ongoing into choosing at least one decent low-end device with the least security compromises. There's no way to avoid losing some of the fancier hardware security features like the HSM because they aren't offered. The expectation is still that all the basic hardware / firmware security features are intact, which includes a decent IOMMU implementation, verified boot / attestation, at least a TEE-based hardware keystore (if they don't have a nicer HSM implementation like the high-end targets), etc. Many of the baseline security properties are tied to the SoC, including the IOMMU implementation for SoC components. Device vendors and the peripheral hardware vendors (like Broadcom for Wi-Fi) end up responsible for properly setting up IOMMU containment for peripherals, and that's often where the ball is completely dropped. There are often problems tied to where there are boundaries between organizations because there's often a lack of responsibility taken for these things. SoC security is unavoidably something that the SoC companies are responsible for handling, but issues like properly containing the Wi-Fi SoC can end up relegated to being treated as someone else's problem by every company involved.
May have been an issue in the past. Daniel claims that modern Pixel devices (among others) use IOMMU to control which memory segments the baseband device can access, and if implemented correctly it should only allow what is necessary for device->driver communication.
I do think more research is needed.
I was pretty amazed when I bought an MR200 lte-capable router that the LTE module actually runs its own personal Android discrete from the router cpu.
Of course that has never and will never receive any security updates. So although iommu isolation is good, it may not help much if there's a whole other OS hacked that can initiate its own network connections and futz with any traffic, eg, deny main OS updates until it can attack it via an unpatched vuln. TLS is good but it'd only take one hhtp connection through unpatched webview.
The cellular, Wi-Fi / Bluetooth and NFC radios do receive firmware security updates. GrapheneOS isn't going to support devices without proper security support, which includes ongoing maintenance and security engineering / research for the firmware and drivers.
Focusing on the cellular baseband is missing the bigger picture. There are dozens of computers in modern personal computers running their own operating systems. Cellular basebands are very directly comparable to the Wi-Fi SoC. It's a mistake to think that the same things don't apply to Wi-Fi, especially when on so many devices it's much less contained than the cellular baseband. I'd recommend checking out https://googleprojectzero.blogspot.com/2017/04/over-air-expl... which is about exploiting the Wi-Fi SoC older generation device, which then provides full direct memory access since it wasn't meaningfully contained by the IOMMU. It was a configuration and driver coding issue, as the hardware was entirely capable of containing it but was unfortunately not set up to do it.
> Security focused and Android in the same sentence?
The whole point behind it is working on a new mobile OS, while providing Android app compatibility by using the Android Open Source Project. As the page states, the long-term goal is to turn AOSP into an application layer while moving away from entirely depending on Linux for low-level security since it's a huge liability / weakness. It already isn't 'Android' since it makes changes deviating from what's required to be Android (the Compatibility Definition Document and Compatibility Test Suite). The goal is practical compatibility with Android applications rather than conforming to what's requiring to be Android.
> All I can say is good luck with various firmware, custom services and drivers.
Hardware, firmware and drivers aren't an OS specific issue beyond drivers being tied to Linux. There's barely any content on the site yet, but it does cover how important it's going to be to make careful choices about which hardware to support in the device support section. It talks about how much of the privacy and security is tied to hardware capabilities and security support.
Found the Apple zealot!
Seriously though, I hear Apple is super great on privacy now as long as you take their word for it and not their track record of being a member of PRISM https://en.wikipedia.org/wiki/PRISM_%28surveillance_program%... , etc
Every US company has to comply with lawful US government orders if they're going to continue operating. I highly recommend reading carefully through the details on the page you linked. It doesn't only apply to a few companies. It's very difficult to fight the government even in cases where it's arguably unconstitutional, etc. You have to assume that all US companies are going to comply with US warrants to obtain information, including when those warrants come from a secret court with a gag order.
There were consequences to the US passing draconian surveillance laws like the Patriot Act and the updates to it. Companies / organizations and individuals based in the US are subject to those laws. Many other countries have similar or even more oppressive laws when it comes to these things.
A company being based in for example France doesn't mean that the same kind of things don't apply.
If you don't want data to be subject to warrants requesting the information from companies, you need to either avoid having your data there or make sure it's encrypted with a key that the company doesn't have. End-to-end encryption is important. The companies could also have the data exposed by a malicious insider or a data breach. Many countries will happily demand the key from you and then treat you as a criminal for not turning it over but that doesn't work for mass surveillance.
maybe take a look at /e/ https://e.foundation/
/e/ is not as "un-googled" as they claim to be: