
Librem 5 USA - kgwxd
https://puri.sm/posts/librem-5-usa/
======
icefog
I'm unsold on spending $2,000 or even $700 on a new phone, but I also care
deeply about privacy and security. Is there any strong reason to choose
"Librem" over a cheaper Android running LineageOS or GrapheneOS? They can be
purchased for a fraction of the cost and have been quite reliable for me.

~~~
fghtr
Why Librem 5 costs that much:
[https://puri.sm/posts/breaking-ground/](https://puri.sm/posts/breaking-ground/)

Upd: quote from the Purism forum:

"First hardware kill switches; first replaceable cellular modem and Wi-Fi/
Bluetooth (on M.2 cards); first smart card reader (for 2FF OpenPGP card);
first running 100% free software; only current phone to offer convergence as
PC without special hardware"

[https://forums.puri.sm/t/will-the-librem-5-be-a-white-elepha...](https://forums.puri.sm/t/will-the-librem-5-be-a-white-elephant-or-the-first-in-a-wave/6883)

~~~
computerex
It's probably also the only "phone" that can't place phone calls.

~~~
lostgame
Not sure why the downvotes, here - it’s incredibly valid that a phone of this
price should be able to place a normal phone call - it also should’ve been a
priority for the developers.

~~~
kop316
The down votes are because it can place and receive phone calls, there is just
a bug that doesn't allow audio on the call. EDIT: according to someone below,
that bug is fixed too.

In addition, the backers getting the phone now were explicitly told that the
software isn't polished yet, and that they are getting beta hardware. The
backers were offered also to be allowed to wait for a later batch if they
wanted to.

It definitely is not ready to be a daily driver, don't get me wrong. But folks
who wanted it early knew that.

~~~
unlinked_dll
That's absurdly pedantic. If it can't use audio during a phone call, then the
device is incapable of making phone calls.

That's like arguing you have a functioning heart because it's connected to
your veins but can't pump blood.

~~~
kop316
If you look at another reply, the bug was fixed already.

But to your original comment, I'd argue it's not. Saying it can't make phone
calls implies there's a much more severe issue than it apparently was.

~~~
computerex
It's _not_ fixed. What gives you the impression that it is? No update has been
rolled out with a fix.

~~~
kop316
Please read the other reply to the comment. You'll see where I got the
impression then.

Edit: it looks like the person also directly replied to another comment of
yours, so I'll add that here:

" > and of course this "bug" hasn't been fixed

You can hear call audio if you use CI images since a few days ago already.
Last rough edges are being sorted out right now before finally packaging it
all into PureOS."

~~~
computerex
The "fix" hasn't been distributed out via an update. You can't expect
consumers to go pull images off github. You can't call a problem "fixed" when
the alleged "fix" hasn't even been distributed or tested by the public en
masse.

------
computerex
A fair warning to anyone looking at placing an order for this.

[https://jaylittle.com/post/view/2019/10/the-sad-saga-of-puri...](https://jaylittle.com/post/view/2019/10/the-sad-saga-of-purism-and-the-librem-5-part-1)

[https://jaylittle.com/post/view/2019/10/the-sad-saga-of-puri...](https://jaylittle.com/post/view/2019/10/the-sad-saga-of-purism-and-the-librem-5-part-2)

[https://jaylittle.com/post/view/2019/10/the-sad-saga-of-puri...](https://jaylittle.com/post/view/2019/10/the-sad-saga-of-purism-and-the-librem-5-part-3)

The company practices a lot of shady business. Their "phone" that they are so
proudly claiming to be releasing to backers _cannot place phone calls_, the
camera doesn't work, and there is no power management.

> To turn on your Librem 5 disconnect it from a power source and hold down the
> power button until it turns on. Currently calling is established (e.g. both
> sides connect fine) but audio is not routed (no voice heard or sent), this
> will be a few days until the bug is fixed.

They shipped out a "phone" that can't place phone calls.

edit:

The reason why this is significant is because not being able to make phone
calls with a phone is not the type of "bug" that slips through the cracks. The
company released the phone despite it not being able to make phone calls, and
if this was simply a bug that could be fixed "in a few days", all logic and
reasoning suggests that they would have fixed the problem and _then_ shipped
the phones to preserve the integrity of their brand and prevent negative brand
perception.

The fact that they shipped out a phone that can't place phone calls is highly
suggestive that there is a bigger issue with the phone and that they are under
a time crunch to show the backers that they have accomplished something with
all the funding that they have received.

~~~
jolmg
Seems like it can be fixed with a software update, though. A few days of
waiting doesn't seem like that big of a deal. It's not like the phone is going
to be forever unusable.

~~~
computerex
If it was an issue that could be fixed "in a few days" why wouldn't they
simply fix the issue and then release the phone? Or are you suggesting that
_not being able to make phone calls on a phone_ is something that slipped
through their testing? It has been a "few days" since their announcement and
of course this "bug" hasn't been fixed. It seems less like a bug and more like
a major design flaw/hurdle.

~~~
jolmg
> why wouldn't they simply fix the issue and then release the phone?

Hadn't they pushed the release date many times already? I think making
progress more palpable was important. Isn't it better to ship something flawed
and continue improving while already in the hands of people than to ship
nothing at all and appear more and more like vaporware?

~~~
filmgirlcw
> Isn't it better to ship something flawed and continue improving while
> already in the hands of people than to ship nothing at all and appear more
> and more like vaporware?

If you position it purely as a hobbyist project and do not guarantee it for
day to day use, I think that’s fine. This is fine for a dev kit.

I think taking preorders and trying to sell it as a privacy-focused phone that
can be a real alternative to the mainstream options when you don’t have basic
things, like making audio calls, figured out, is problematic.

I get the company needs money from preorders to fund development and
production, but at the same time, as a consumer, their lack of funding for
development/business plan isn’t my problem.

I’m generally fine when things like this are kickstarted and the risk is
clear. I’m less comfortable when after the crowdfunding, the company does
direct to consumer sales/pre-orders, when the stuff just isn’t done and that
isn’t well articulated to anyone clicking that pre-order button.

~~~
seba_dos1
None of the pre-ordered (after the campaign) devices shipped yet, those are
early batches sent to early backers who were given a choice to either get them
now, or wait for mass produced version.

~~~
filmgirlcw
I understand that. You're still pre-ordering something that there isn't
concrete proof will be ready/as described.

------
katmannthree
Wow, this version is $1,999, and if you've pre-ordered you can upgrade to the
US-produced model for an extra $1,300.

Does this pricing accurately reflect the increased cost of producing
everything but the chassis in the US?

~~~
hwbehrens
There are probably several factors at play here.

First, not all of the parts are necessarily _produced_ in the USA - the PCBA
is produced there, and the parts are _assembled_ there, but the parts
themselves are likely procured elsewhere. Even still, this greatly complicates
the kind of supply chain attack this is meant to prevent, because you have to
compromise individual components that you hope will end up in the device
you're targeting.

Second, they already had these facilities in place in the US for prototyping
purposes. Thus, the up-front cost investment for setting up a facility in the
US is much lower than usual, so they can set a lower price than others might
be able to offer.

Third, there is probably a capacity constraint at that facility; the price
chosen was likely selected to suppress demand below that threshold, not purely
based on relative production cost.

Finally, although I have only limited experience (n=2) with cross-shopping
electronics manufacturing between the US and China, a 3x overhead is actually
substantially lower than I would expect; we were seeing ~6-10x increases for
manufacturing and assembly. This could be because their production facility
(which, again, already exists) would otherwise be sitting idle.

I can't speak to the health of their business (a sibling comment suggested
this was a "money grab"), but the numbers seem pretty reasonable for what
you're getting, overall. Note that this is not targeting the same crowd who
buys "Made in USA" t-shirts to support the local economy; the audience is more
likely to be security wonks who are already concerned about supply chain
attacks.

~~~
bluGill
I think the real target is - or should be - CIA, and NSA. People who have
security needs that China will never agree to. The hardware switches help play
into their needs: shut the chips off in situations where they are a concern.

Purism should have a standing offer: we will make your phone on a day
scheduled well in advance and allow your auditors in the factory to watch over
the process. At an extra cost of course, but I think this is something they
could offer easily enough and it would be very helpful to those most paranoid
about security.

Dealing with government contracts isn't easy though.

------
ir77
digression: christ, what font are they using? the undersized letter 't' in
that text hurts my head just looking at it, barely making the text readable. i
couldn't even finish a post and get the gist from the comments here.

comment: doesn't it reflect poorly on librem to even offer this option? for a
hw company whose sole market shtick is to offer hw/sw privacy they're now
implying that the majority of their hw can be compromised and if you really
want the uncompromising security you should get the 4x more expensive option
made in the USA?

either they should completely eliminate the made in china option or they
really should try to spin this a different way, because it reflects absolutely
horribly on them.

~~~
danShumway
It's Libre Baskerville:
[https://www.fontsquirrel.com/fonts/libre-baskerville](https://www.fontsquirrel.com/fonts/libre-baskerville)

I find Baskerville pretty readable. Is it the same font you're seeing on the
page? I wonder if something caused your browser to show a fallback instead.

I think it reflects that _all_ phones made in China have the potential to be
compromised by malicious actors. That risk shouldn't be in most people's
threat model, and if you're comparing the Librem to a standard Android phone
you're still getting a substantial privacy bump just from hardware kill
switches alone.

If you have a very specific threat model, Purism is now one of the few
companies that offers made-in-US phones, which (in theory) fills an
underserved niche. But most people who want a Librem 5 should get the normal
phone.

If you have control over the entire assembly process, that eliminates a class
of security risks that otherwise need to be addressed with tamper-evident
firmware or by checking for bugs and extra components after the phone is
assembled. But that drives costs up substantially, so nobody assembles phones
in the US -- not even companies like Apple.

Remember that security isn't binary. Different segments even within the
privacy community need different levels of security.

~~~
ir77
why shouldn't, in this case, security be binary? either there is a threat or
there isn't. if someone in china is adding additional monitoring malware to
librem's phones then isn't the whole privacy/security thing out the window?

either they believe in their chinese supply chain or they don't. and it's not
like their usa manufacturing is done in-house by librem so they still don't
have "control over the entire assembly process" because they depend on a 3rd
party to make their boards for them.

~~~
danShumway
They have a nonbinary degree of confidence in the Chinese supply chain, while
keeping in mind that the risk is slightly higher than it would be if it was
assembled closer to them within an imperfect, but at least less openly hostile
government that has less access to directly control business operations.

The likelihood of China compromising the Librem 5 is very low, and there are
safeguards in place to prevent that. But no safeguard is absolute. Even
manufacturing in the US isn't absolute security -- it's just a bit less
dangerous than China.

Whether that reduced risk is important enough to be worth $1300... I tend to
think it's not, but I assume there are a few people who will care enough to
pay that.

The same situation applies to companies like Apple, Samsung, etc... the only
difference is that those companies have judged that the potential market
benefits of catering to people who have extremely strict privacy requirements
is too low to justify starting up US operations.

The hardware switches are also a good example of what I'm talking about here.
There is a small risk of malicious firmware or a bug in software allowing a
camera to be turned on without your knowledge. Does this mean the iPhone is
insecure? There's not a yes or no answer. It means there is a specific subset
of users who would be served by a stricter (but still imperfect) extra
security control -- a physical kill switch.

An even safer policy would be to remove the camera entirely -- then you could
be certain that the physical hardware isn't defective and allowing the camera
to be flipped back on. But even that wouldn't be binary security. There is no
such thing as binary security.

~~~
isantop
You place a lot of faith on the ability of US-based companies to resist
control by the US Government.

------
bitL
What's the native development framework for Librem 5 apps? I see they support
web apps, but what do they use for native apps?

~~~
mattl
The phone runs GNOME, so GTK+

~~~
TingPing
It does not run GNOME, it uses some GNOME applications.

~~~
seba_dos1
It pretty much does run GNOME, just with its one component (GNOME Shell)
replaced by phoc and phosh.

------
shmerl
Is anyone working on the Linux Vulkan driver for Vivante GPU that's used in
Librem 5?

------
uncletaco
Imagine wanting a privacy-centric anything that was _Made in the USA_

~~~
oarsinsync
For those downvoting, I suspect the point is that we've had leaks
demonstrating that the US government is capable of compromising hardware
devices (e.g. networking equipment).

Which makes their concerns about Huawei all the more understandable. They know
the risks because they've performed the attacks themselves.

~~~
ISL
There are many countries where I would expect a conscientious citizen to make
the public aware of such a compromise. The United States is among them;
Lavabit's actions provide precedent.

