GrapheneOS and AOSP are Linux-based and there are no closed source kernel modules. They aren't somehow not actual Linux due to not using systemd, glibc, binutils, GCC, pulseaudio/pipewire, polkit, NetworkManager, GNOME, etc. If that's what you mean, you should say so, because those userspace components are not Linux and not using those doesn't make it any less of a Linux distribution. Is Alpine not a real Linux distribution? Is it only a real Linux distribution if it looks like what you're familiar with? More developers are familiar with Android than the desktop Linux software stack. More work goes into it. Far more apps are written for it, and that includes a very active open source app ecosystem.
Sticking to an LTS kernel branch for the lifetime of the device isn't due to anything closed source. GrapheneOS only supports devices with proper security support for all the firmware, drivers, etc. and again there are no closed source kernel drivers. We can support pretty much any mobile device with alternate OS support since any serious one will have AOSP support. Most devices have lackluster security and don't meet our requirements. We're working with a hardware vendor to get a non-Pixel phone actually meeting reasonable security requirements.
Librem 5 has a bunch of components where they are not shipping updates. You have things very much backwards on that front. The Librem 5 does not come close to meeting the security requirements to run GrapheneOS. It has a bunch of poorly secured and insecurely configured legacy hardware often without proper updates available, components that are not properly isolated via IOMMU, no secure element or all the stuff that comes along with that (HSM keystore with a nice API used by apps, Weaver to make disk encryption work for users without a high entropy passphrase like 7 diceware words, insider attack resistance, working attestation not depending on hard-wiring hashes and a lot more) and many other things. The OS they use has a near total lack of any systemic overall privacy/security work or privacy/security model and only falls further and further behind. The most exciting feature for securing devices right now is hardware memory tagging support in ARMv9, but there are years and years of tons of important privacy/security work done in a systemic way across hardware/firmware/software which are missing there before worrying about stuff like that.
Marketing something as private/secure and spreading tons of misinformation and outright lies about the mainstream options doesn't make it secure or more secure than those. It's actually pretty funny that they mislead people about the isolation of hardware components like the cellular baseband in other devices when the vast majority of mainstream phones (iPhone, Pixel, Qualcomm SoC devices, Exynos SoC devices) have it done quite well when they don't. Strange that they get away with these games of misrepresenting things, hiding the fact that they still have entirely proprietary hardware and near entirely proprietary firmware for the SoC and other hardware components, etc. Hiding proprietary stuff doesn't make it go away. Not updating it doesn't make it go away and simply ensures a highly insecure device.
> GrapheneOS and AOSP are Linux-based and there are no closed source kernel modules.
I ran AOSP builds for years and that's a half-truth at best. Sure for the kernel proper, you have the source. However, there are a fair number of closed source drivers for the GPU, modem, wifi etc. From the GrapheneOS Wikipedia page[1] it sure looks like they're following this model.
If I am mistaken and there is a miraculous state-of-the-art SoC with completely open source drivers being used by a major handset maker, do tell. You'll be a hero in the open source world for pointing out something everyone else has overlooked.
> Sticking to an LTS kernel branch for the lifetime of the device isn't due to anything closed source.
It has everything to do with things being closed source. Try doing a Linux kernel major version upgrade with binary-only drivers for key components sometime. It sounds like the only reason GrapheneOS works is because they're 'drafting' off of the kernel and driver work done by Google, not that they've cracked that particular nut themselves. Nothing wrong with that, but it does limit the useful life of a device to the first major security issue they can't fix due to a lack of source code.
Regarding the rest of your response, you're assuming that I was speaking to the Librem 5 specifically, I was not. Notice that I was only speaking about the goal of a 'pure' Linux phone since that was what seemed to be being asked about. Personally, I have a PinePhone[2] and wasn't interested in rehashing the various issues with the Librem 5.
> It has everything to do with things being closed source. Try doing a Linux kernel major version upgrade with binary-only drivers for key components sometime. It sounds like the only reason GrapheneOS works is because they're 'drafting' off of the kernel and driver work done by Google, not that they've cracked that particular nut themselves. Nothing wrong with that, but it does limit the useful life of a device to the first major security issue they can't fix due to a lack of source code.
As stated earlier, there are no closed source kernel drivers for AOSP, GrapheneOS or even most mainstream Android devices running the stock OS.
The reason for using an LTS kernel branch with 6 years of support from kernel.org is stability. Porting forward the drivers to each new kernel release is entirely possible and isn't a lot of work when it's done incrementally. Not that many changes are even required. The issue is that there are substantial regressions in each Linux kernel release and it takes at least 4 months or more to get a production quality kernel for a specific hardware target with nothing break, the massive CTS/ITS/VTS passing, etc. Pixel 6 uses the Linux 5.10 kernel branch which was the latest at the time, and those LTS branches have 6 years of support from kernel.org and expanded support with more bug fixes / security enhancements / other improvements via the AOSP common/generic kernel. It's entirely possible to move to a newer LTS branch. There are no closed source kernel drivers. Is it worth the time, when newer LTS branches have substantially more attack surface and tons of regressions that are going to need to be detected/fixed? Bear in mind it would not expand the lifetime of devices at the moment, time several hardware components won't receive more than 6 years of firmware support.
There are already people who have gotten the mainline 5.15 kernel working with the Pixel 6, but from 5.10 to 5.15 there are a lot of regressions, and there's a lot of new attack surface. There's a reason that ONLY the Pixel 6 among the Pixel family has been vulnerable to several serious core Linux kernel vulnerabilities disclosed in the past few months including the branded dirty pipe vulnerability. There are both advantages and disadvantages to using a newer LTS branch. Unfortunately, one of the disadvantages is that there are more bugs overall, including more vulnerabilities overall. Many software projects mature over time and the rate of finding vulnerabilities goes down. That's not the case for the Linux kernel. It's having vulnerabilities introduced at a faster pace than they're fixed. It isn't better from a security perspective to use the 5.15 LTS rather than the 5.10 LTS, especially with the additional changes backported by AOSP including security enhancements like mitigations, not just bug fixes. It may be a good idea to move to the new LTS branch once it has matured for 1-2 years, but definitely not months after release.
strcat is right here. Purism designs and markets their devices, effectively, to cater to a crowd that believes that devices with actual security are inherently evil, because they do not understand it. You can have better security with user control, but for that you need to look at the details. They don't care about the details; their story is all fluff under the guise of freedom and privacy.
Purism's marketing material is outright deceptive, e.g. they insist that in competing phones the baseband blob has access to system memory, which is a lie. The reality is that the baseband blob in the Librem 5 (which is every bit a giant blob as that in the competition) has access to the USB port of the AP and there is no filtering implemented yet, so the attack surface it is exposed to is every USB driver in the Linux kernel, which is much worse than systems with embedded basebands and proper memory firewalling where the baseband has no more inherent access, but is exposed to a smaller attack surface. That means that you are more vulnerable to giant blobs doing evil things with a Librem 5 than with, say, an Android phone running a free OS build.
Then there's the whole hilarious situation with the RAM initialization blob where Purism went and hid it behind two layers of CPUs (not execution, just handling it), because somehow doing that - which provides absolutely no benefit to the user, it's just a waste of engineering time - made it possible to certify the phone under the FSF's utterly broken and nonsensical "Respects your Freedom" program, even though precisely zero freedom was gained by doing this, since it still running the same blob on the same final CPU with the same access. All the while while reducing security, since the blob is then made no longer part of the normal OS image and is not validated with it, so it could be backdoored as part of a supply chain attack and you would be none the wiser.
The whole thing just stinks the more you look into it, and it is completely evident that the folks behind Purism are a mix of deliberately deceiving people and just clueless about security and modern embedded platforms.
> the attack surface it is exposed to is every USB driver in the Linux kernel, which is much worse than systems with embedded basebands and proper memory firewalling where the baseband has no more inherent access, but is exposed to a smaller attack surface.
You're saying that as if the firewall handled the communication with the modem. There's a Linux driver behind the firewall to do the actual communication, except that's probably not a USB driver.
The attack area is probably comparable, except a misconfigured USB driver doesn't automatically give full memory access, while a misconfigured IOMMU (the firewall) does.
There's a linux driver behind typical basebands. One driver, since there is no device discovery for platform devices.
The Librem 5 doesn't have one driver exposed to the baseband. It has every single USB driver in the kernel exposed to it, because the baseband can present any descriptors it feels like and engage whatever driver it wants, or a combination thereof by presenting itself as a composite USB device, since USB is plug&play. That is a massively larger attack surface. All you have to do is find one exploitable bug in any USB driver in Linux, and you're in.
This can be mitigated with USB descriptor filtering, but the Librem 5 guys haven't implemented that yet, because they don't actually care about security. So while their marketing department is lying about DMA access for the competition (heck, as far as I know no iPhone gas ever given the baseband unchecked DMA access to the system, but Purism claims they all do!), their engineering department can't even bother to lock down the attack surface of the baseband to something smaller than "every single USB driver in the kernel".
Also, for what it's worth, the Librem 5 doesn't even have an IOMMU at all. They can't even use the PCIe ports in their SoC because that would give whatever you plug into them full DMA to the system. This also means that driver bugs that result in bad DMA descriptors for embedded SoC devices will directly escalate to full memory access; there is no safeguard by having to engage the IOMMU subsystem first to map them.
It's immensely frustrating for us (GrapheneOS) because we desperately want more devices to support but the devices supposedly focused on privacy/security are really massive setbacks for it. We want to convince vendors with the resources available to produce devices on the same security level as Pixels with a couple additional features. It would also be neat to be considered an official OS without the verified boot notice from loading a key from the secure element instead of a hard-wired key in the firmware, but that's not important. We've found one vendor interested in listening us and acting on it. It remains to be seen how that goes.
Our perspective is that this has been made immensely harder by the dozens of 'secure' phone companies providing something far worse than iPhones and Pixels. Most of those aren't presented as being 'open hardware' that's not at all open hardware, but they do share a lot in common. A few of them were so bad that they were actually law enforcement stings from the beginning (https://en.wikipedia.org/wiki/ANOM) or turned into them (https://en.wikipedia.org/wiki/EncroChat) which is amusing.
We'd happily target iPhones but Pixels are the only smartphones providing proper alternate OS support. On Pixels we get to have full verified boot covering all the OS images with downgrade protection, very nicely designed hardware attestation, all the hardware keystore capabilities, the disk encryption key derivation throttling feature with insider attack resistance, A/B updates for the firmware/OS, etc. This is the stuff we expect other vendors to provide us with in order to support their phones. Vendors using a flagship Qualcomm SoC, including the alternate OS verified boot / attestation support and doing a good job with security work themselves come close, but we need more than that. There's a fair bit missing without vendors caring enough to go above and beyond with security and alternate OS support.
When we look at the Librem 5, what we see is rolling back privacy/security massively on the hardware, firmware and software levels with no possible way we could support it. We were actually in contact with them at one point but it became clear that they had zero interest in anything more than an empty partnership where out name would be used for marketing without us being able to use the device at all. That was back before lots of the security improvements in the Android smartphone world where Pixels caught up and even surpassed iPhone security in most areas.
Our expectations used to be far lower, and they get higher as devices like iPhones/Pixels get better. For example, Weaver showed up with the Pixel 2, as did the related secure element insider attack resistance where the main owner user has to authenticate for firmware updates to be applied. Before then, the SEP was way ahead in this area, and continued to be ahead in a lot of others until the Titan M. Weaver provides always enabled aggressive throttling for disk encryption key derivation attempts, with full support for the separate per-user encryption keys. It quickly throttles up to 1 day per attempt after 140 failed attempts. We take it for granted that we get all this stuff including the hardware keystore with physical confirmation support, etc. We expect these features from other vendors. It's not a lot to ask that they implement a feature like Weaver which was introduced with the Pixel 2 via open source AOSP code for the OS integration and open source secure element applets for an off-the-shelf Java smartcard secure element. That got obsoleted by the Titan M, which is actually well on the way to becoming open source with OpenTitan and the Pixel 6 shipping a RISC-V implementation of it based on that. It would be great for that to be fully open sourced and usable by other vendors. That's the kind of thing which is exciting in this area. Pixel 6 using Trusty OS for TrustZone isn't that compelling since TrustZone is terrible and largely obsolete beyond being the component responsible for talking to the actual secure element via authenticated encryption. They're also on the path to getting rid of it now that there's proper virtualization support, which is where the nonsense like Widevine is moving to be properly unprivileged/isolated unlike the mess of TrustZone.
It would be great if other vendors actually cared more and tried to actually compete with iPhone and Pixel security. We found a vendor that's willing to put in the effort, and we're optimistic about that. We're more than happy to work with others. The main thing we need to do is point them at what they need to implemented and the existing open source AOSP code for the OS side of it, etc. We have a lot of experience with this including reporting a bunch of firmware vulnerabilities / bugs in Pixels. There are so many things which could be done better but it starts with any other vendor catching up to where iPhones / Pixels where years ago.
Why can't you port Graphene OS to Librem 5 and use its security features there? Librem 5 is actually based on FLOSS drivers unlike any Android phone, so it should be doable. It's also the only phone with a FLOSS OpenPGP card .
Please read https://news.ycombinator.com/item?id=30761693 and the other comments again. Librem 5 has incredibly poor hardware/firmware security and it isn't possible for us to work around that at a software level. It's missing the basic hardware and firmware security features that are required. It's also missing functionality beyond that required to run the full OS.
> It's also the only phone with a FLOSS OpenPGP card .
It has no such thing (there is no open source secure element available aside from OpenTitan, although Trezor is working on one too) and it isn't an alternative to a proper secure element used by apps via the standard AOSP hardware keystore API (StrongBox keystore) and integrated into the rest of the hardware/firmware/OS for verified boot, attestation, throttling disk encryption key derivation attempts, insider attack resistance (only allowing signed firmware updates after owner account authentication) and the other features that are provided.
And what little "security" features the Librem 5 has, they aren't even using. One of their engineers came at me with "we have RPMB!" (a poor excuse for anti-replay memory that is semi-standard these days, and vastly inferior to dedicated chips like Pixels and iPhones have). I asked what they use it for, and got crickets.
> Marketing something as private/secure and spreading tons of misinformation and outright lies about the mainstream options doesn't make it secure or more secure than those.
That's true and relevant to Purism.
Now, how about something true and relevant to your post wrt FOSS:
> GrapheneOS only supports devices with proper security support for all the firmware, drivers, etc. and again there are no closed source kernel drivers.
Tell me about the license for the source of "all the firmware." And keep in mind you found it important enough to reiterate the point about "no closed source" for the kernel drivers.
> Tell me about the license for the source of "all the firmware." And keep in mind you found it important enough to reiterate the point about "no closed source" for the kernel drivers.
There isn't anything remotely misleading about the correction that kernel drivers are not in the same situation as most firmware in that they're entirely open source. Every ARM SoC is a proprietary SoC with proprietary CPU cores, memory controller, GPU, image processor, radios and all the other massive complexity included in them. There's a ton of firmware involved in that proprietary hardware. It exists whether or not it's updated. Not updating the radio, GPU, etc. firmware doesn't mean it doesn't exist. Whether or not it's open or closed source has little relevance to the need for it to be hardened, properly isolated and updated. Open or closed source does not directly provide any privacy or security properties. Other components outside the SoC are almost always closed source too. We don't think the fact that the Pixel 6 has a TEE OS based on the open source Trusty TEE or a RISC-V secure element based on OpenTitan makes it inherently more secure than Qualcomm's offerings. Pixel 6 having a Samsung cellular radio and Broadcom Wi-Fi/Bluetooth radio as 2 separate chips from the SoC instead of being part of the SoC has not made those more isolated or more open, and if anything we consider moving away from the Qualcomm radios to be a security regression with how well Qualcomm hardens them, although the overall improvements make up for it. If we made a device, it would have a Qualcomm Snapdragon 8 Gen 1, and we'd be quite happy with having the most secure radios, hardware memory tagging support and Qualcomm's great security work elsewhere. Would it be nice if we could have more control and insight? Sure. If a theoretical currently non-existent open source RISC-V smartphone SoC existed and it had comparable privacy/security (which would be very difficult), we'd be very interested. It would take massive work beyond simply having a viable SoC in the performance class with the necessary functionality to make anything remotely competitive on a security level.
GrapheneOS is a non-profit open source project and doesn't produce or sell hardware products. We don't do consulting, exclusive deals with companies or anything like that. There is no intention to ever sell any products, but rather we research hardware, report issues upstream and choose the best available hardware as the officially supported targets. We also intend to work with hardware partners on equal footing with nothing exclusive to help them produce better devices, which will benefit them and will benefit us through having more and better devices to support. We could potentially get more reliable donation revenue through devices with GrapheneOS installed, but that's in no way any kind of requirement for us to work with vendors. We have little to no interest in ever selling devices ourselves. We're fine with the fact that over a dozen companies sell devices with GrapheneOS installed mostly without giving anything back to us. Only a couple give us any form of donations/support. This is not a business.
The claim that there are closed source kernel drivers is untrue for most mainstream Android devices and is a misunderstanding of why devices stick to a specific LTS kernel branch. Those branches receive 6 years of support now because of the model that's used for mainstream embedded / mobile devices. They don't want to port their drivers to newer versions and spend a year getting it working robustly again. It would be entirely possible to do it and it's possible it will happen for Tensor but it can be an overall bad thing for security instead of a good one due to all the added attack surface. A great example is how a bunch of recent vulnerabilities such as 'Dirty Pipe' only impacted the Pixel 6 due to it using the 5.10 LTS branch which was the newest at the time. A Qualcomm device wouldn't have been impacted due to having an older kernel branch.
> If a theoretical currently non-existent open source RISC-V smartphone SoC existed and it had comparable privacy/security (which would be very difficult), we'd be very interested.
It has a better security. It's open hardware, verifiable, with no proprietary chips whatsoever unlike any Google-targeted phone. Even the physical construction can be verified manually:
> 200 ppi black and white LCD (336 x 536 resolution), 100% inspectable with standard optical microscope
Can you do it with your so much advertised phones? Oh, you "trust" large manufacturers. Good luck with that.
Where is the secure element? Where is the pointer authentication? Where is the secure boot?
>no proprietary chips
The device uses a Xilinx XC7S50 which is proprietary.
>Oh, you "trust" large manufacturers.
Yes, I do trust large manufacturers. The probability that someone makse you a custom phone to compromise you is practically 0%. The chance they do it via a visible hardware change as opposed to a software change is 0%. If you are that paranoid why not worry about trusting Xilinix in producing a custom bitstream when it sees you trying to synthesize this chip. Fortunately reality is more boring and these companies aren't out to get you.
Just so I'm crystal clear-- when you mentioned firmware with "proper security support" on these devices, you are talking about firmware that has a proprietary license, correct?
> More developers are familiar with Android than the desktop Linux software stack. More work goes into it. Far more apps are written for it, and that includes a very active open source app ecosystem.
The problem is that the Android app ecosystem has a very large number of apps which are based on collecting users' personal information and violating people's privacy, and it is hard for a normal user to avoid all the spyware and malware in Android. In my experience using CyanogenMod/LineageOS and the F-Droid repo since 2015, I inevitably fall back to installing some proprietary apps when using AOSP-derivatives, whereas my PinePhone and Librem 5 USA only have FOSS apps and drivers installed on them. If the goal is to use FOSS as much as possible, you are better off buying a Linux phone in my opinion.
By the way, one of the apps that I helped develop is on F-Droid (https://f-droid.org/en/packages/com.ketanolab.nusimi/ ) and I have given workshops on how to install LineageOS on phones, so I speak as someone who tries to promote the use of FOSS on Android phones, but the phone industry does put up a lot of barriers to make it difficult to install AOSP-derivatives.
> GrapheneOS only supports devices with proper security support for all the firmware, drivers, etc. and again there are no closed source kernel drivers. We can support pretty much any mobile device with alternate OS support since any serious one will have AOSP support. Most devices have lackluster security and don't meet our requirements.
The problem is that Google only sells Pixels in a very limited number of countries. Whereas Purism offers free worldwide shipping for the Librem 5, the Pixel 6 is only being sold in 8 countries (Australia, Canada, France, Germany, Japan, Taiwan, UK, USA), so your security requirements exclude over 90% of the world's population from being able to use GrapheneOS. Plus, many people don't want to financially support a company like Google which is based on Surveillance Capitalism.
> We're working with a hardware vendor to get a non-Pixel phone actually meeting reasonable security requirements.
Good to hear. I look forward to seeing it.
> Librem 5 has a bunch of components where they are not shipping updates.
Not true. Purism has promised to provide updates to the proprietary firmware on the Librem 5, and already provides instructions for how to update the firmware on the WiFi/BT and USB controller. See: https://source.puri.sm/Librem5/community-wiki/-/wikis/Freque...
> It has a bunch of poorly secured and insecurely configured legacy hardware often without proper updates available
What are you talking about? Purism purposely designed the Librem 5 to avoid planned obsolescence, so it looked for component suppliers who support their hardware for a long time. For example, NXP guarantees that that it will provide updates for the i.MX 8M Quad for 15 years (Jan. 2018 - Jan. 2033). See: https://source.puri.sm/Librem5/community-wiki/-/wikis/Freque...
In contrast, Google only promises to provide 3 years of OS updates and security updates for the Pixel 3/4/5, and 3 years of OS updates and 5 years of security updates for the Pixel 6. Qualcomm announced in Dec. 2020 that it will support its Snapdragon processors (which are used in Pixel devices) for 3 years of Android updates and 4 years of security updates.
Linux phones like the Librem 5 and PinePhone use separate components which are supported for many years by the manufacturers, whereas most Android phones (like the Pixels) use integrated mobile system-on-chips which are only manufactured for 1-2 years and only supported for 3-4 years by the manufacturer. Because Linux phones use components with long-term support by the component suppliers, the Librem 5 is the first phone to be sold with the guarantee of lifetime software updates, and PINE64 promised to manufacture the PinePhone for 5 years, which is longer than any other smartphone ever sold.
> components that are not properly isolated via IOMMU,
The Librem 5 doesn't need an IOMMU, because it uses separated components, and it uses serial buses (USB 2.0/3.0, SDIO, I2C and I2S) that don't allow direct memory access, so there is absolute no chance of the WiFi/BT, cellular modem, GNSS and USB controller being able to access the RAM or the SoC's cache. Unlike the Snapdragon processors in Pixels whose hardware is essentially a black box, we can independently verify by looking at the open source schematics that direct memory access is not possible in the Librem 5.
> but there are years and years of tons of important privacy/security work done in a systemic way across hardware/firmware/software which are missing there before worrying about stuff like that.
If you are talking about kernel hardening and running each app in its own sandbox with its own UID, then I would agree that Android/AOSP has more security features than Debian/PureOS, but the problem with your argument is that you are ignoring the fact that a mountain of spyware and malware has been created for the Android platform and users have to be very vigilant to not install any of it. According to AV-TEST, 3.38M pieces of malware and 3.18M potentially unwanted apps (mostly spyware) were created for the Android platform in 2021, whereas it is unlikely that any of that garbage will get into the Debian->PureOS repos to ever effect users of the Librem 5. Linux users rarely install anything from outside their distro's repo, whereas I often find myself installing apps whose code I can't verify when I use AOSP-derivatives because I can't find all the apps that I need in F-Droid.
Yes, Android/AOSP does have a lot more security built into its design than Debian->PureOS, but it is based on a model of letting all sorts of unverifiable and dangerous code run inside it. For more on the Librem 5's security, see: https://source.puri.sm/Librem5/community-wiki/-/wikis/Freque...
> Marketing something as private/secure and spreading tons of misinformation and outright lies about the mainstream options
Care to provide any evidence to prove that Purism or its employees are "spreading tons of misinformation and outright lies about the mainstream options"?
I don't see what you're doing as engaging in good faith, and I don't see any use in further discussion. Seeing the same inaccurate talking points over and over attacking GrapheneOS only makes us see Purism and their community as increasingly hostile and malicious. Please keep in mind that I'm only replying here because your community started attacking GrapheneOS. You aren't going to achieve your goal of promoting their products by having me write up a bunch of responses to debunk misinformation. Due to the importance of reusing work, the inevitable result will be that I'll collect it all into an article to post as part of https://grapheneos.org/articles/. We'll will simply link to that as our response going forward. Our community will likely spread the article as they do with our other documentation like our FAQ sections and usage guide. The article(s) will be repeatedly expanded to add sections debunking attempts to misrepresent it or to mislead people about the topics.
At the moment, I'm not currently interested in investing the necessary time into writing such as an article. If you're going to post another lengthy problematic reply, that's the medium I'm going to use for my response rather than writing another comment on this platform which few people are going to see, which is not a good use of my time.
> Due to the importance of reusing work, the inevitable result will be that I'll collect it all into an article to post as part of https://grapheneos.org/articles/. We'll will simply link to that as our response going forward. Our community will likely spread the article as they do with our other documentation like our FAQ sections and usage guide. The article(s) will be repeatedly expanded to add sections debunking attempts to misrepresent it or to mislead people about the topics.
Not OP but I did enjoy reading your well-written replies, so I hope they don't get lost with time as only HN comments, and that you're able to carry them forward more effectively to be shared with others.
> If you are talking about kernel hardening and running each app in its own sandbox with its own UID, then I would agree that Android/AOSP has more security features than Debian/PureOS, but the problem with your argument is that you are ignoring the fact that a mountain of spyware and malware has been created for the Android platform and users have to be very vigilant to not install any of it. According to AV-TEST, 3.38M pieces of malware and 3.18M potentially unwanted apps (mostly spyware) were created for the Android platform in 2021, whereas it is unlikely that any of that garbage will get into the Debian->PureOS repos to ever effect users of the Librem 5. Linux users rarely install anything from outside their distro's repo, whereas I often find myself installing apps whose code I can't verify when I use AOSP-derivatives because I can't find all the apps that I need in F-Droid.
Many other people promoting these platforms often talk about the (limited) support for running Android apps. You can choose to use those apps there, just as you can on GrapheneOS, and it does not make sense to claim that availability of apps is a bad thing. GrapheneOS supports nearly every Android app which would run on the stock OS thanks to the sandboxed Google Play compatibility layer feature. Many of our users including make no use of that feature, and it didn't exist before 2021 so our entire userbase before then was happily using it without Play services. There are more users now, but there were still many before, and many are happy using only the open source Android app ecosystem which goes far beyond F-Droid which doesn't even have apps like Signal, Chromium, Brave, Bromite, etc.
You're trying to make this about AOSP vs. a completely insecure software stack but the post is about a phone which is capable of running AOSP and other phones are more than capable of running the desktop Linux stack. It's a red herring, and you're being thoroughly dishonest and manipulative in how you're presenting the app ecosystem considering that there is a far larger open source app ecosystem for AOSP than there is for desktop Linux on mobile... F-Droid has very incomplete coverage of the overall open source app ecosystem and they don't always do a particularly good job maintaining it. F-Droid itself still targets Android 7.1 (API 25).
I'm talking about the fact that this hardware, firmware and software is a decade behind on security and has almost zero systemic privacy/security work across it. You have the privacy and security situation completely backwards. The fact that Purism blatantly lies about many aspects of their hardware, firmware and software also demonstrates that they're a highly untrustworthy vendor. I would trust a company like HTC far more because at least they aren't blatantly lying about the security patch level, openness of the hardware and they aren't covering up security vulnerabilities, weaknesses and the fact that the firmware/hardware is proprietary.
> Yes, Android/AOSP does have a lot more security built into its design than Debian->PureOS, but it is based on a model of letting all sorts of unverifiable and dangerous code run inside it.
I'm not sure why someone would want to place complete trust in thousands of different fragmented projects which have no real isolation and no systemic privacy/security work on the overall OS or across those projects. Many of those projects are unmaintained, and some of them have even shipping malicious changes either unintentionally or intentionally before. You're also trusting the huge amount of packagers for the OS who set up the builds and patches for these projects. There are still closed source apps availability, but open source is not the magical panacea that you present it as and does not infer any inherent privacy/security properties on the software. It doesn't make the developers inherently more trustworthy or ethical either. It's a development approach, which we can both agree is a great approach and enables people to make changes to the software, fork it or attempt to contribute to it upstream.
> Care to provide any evidence to prove that Purism or its employees are "spreading tons of misinformation and outright lies about the mainstream options"?
You've done a great job of doing that yourself by cycling through a whole bunch of inaccurate talking points promoting their products and attacking other projects like GrapheneOS. Most of it comes directly from Purism, and your comment is an extension of their highly underhanded, dishonest and malicious attacks on projects like GrapheneOS to make sure they keep getting their substantial salaries and profit.
> Care to provide any evidence to prove that Purism or its employees are "spreading tons of misinformation and outright lies about the mainstream options"?
Since you're doing that yourself, I don't think engaging with you on the topic is productive. I responded here due to the inaccurate attacks on GrapheneOS from people promoting Purism products. Doubling down on spreading their inaccurate marketing / talking points isn't going to deter us from responding and we're more than happy to post a more detailed response on our site and across platforms. I already gave detailed responses and don't intend to repeat much of what I've already said.
> The problem is that the Android app ecosystem has a very large number of apps which are based on collecting users' personal information and violating people's privacy, and it is hard for a normal user to avoid all the spyware and malware in Android. In my experience using CyanogenMod/LineageOS and the F-Droid repo since 2015, I inevitably fall back to installing some proprietary apps when using AOSP-derivatives, whereas my PinePhone and Librem 5 USA only have FOSS apps and drivers installed on them. If the goal is to use FOSS as much as possible, you are better off buying a Linux phone in my opinion.
There's a far larger and better ecosystem of open source apps for Android than there is for the products that you're marketing, and they can be used on secure devices rather than blatantly insecure ones not even meeting basic standards as I've already detailed in my responses.
> The problem is that Google only sells Pixels in a very limited number of countries. Whereas Purism offers free worldwide shipping for the Librem 5, the Pixel 6 is only being sold in 8 countries (Australia, Canada, France, Germany, Japan, Taiwan, UK, USA), so your security requirements exclude over 90% of the world's population from being able to use GrapheneOS. Plus, many people don't want to financially support a company like Google which is based on Surveillance Capitalism.
Pixels can be purchased internationally. They don't need to be bought from Google. Purism is a company based around spreading misinformation and marketing their products dishonestly which I know people in our community don't want to support. We're not going to support thoroughly insecure devices from a company which is unwilling to even admit to the limitations/weaknesses let alone fixing them and producing something we could ever consider supporting. The experience we had with them is that they only want to use the name of projects like ours to promote themselves as partners without doing anything on their part. They engaged in libel/harassment/bullying targeting our developers in response to us not supporting their phone as a target and explaining why within our community. I see what you're doing here as an extension of their dishonest marketing and inaccurate attacks on other platforms/projects/products. If this is going to be something that's happening regularly, we'll add detailed documentation / articles to our site about the topic to reference so we don't need to keep writing up the same things.
> Not true. Purism has promised to provide updates to the proprietary firmware on the Librem 5, and already provides instructions for how to update the firmware on the WiFi/BT and USB controller.
There aren't full firmware security updates for the Librem 5 and what I said is completely accurate. What's even worse is that they do not ship the incomplete updates that could be available and they did things in a way that makes it impossible to even ship all of those as part of an OS. Please don't claim that my completely accurate description of the situation is not true based on something that's not in any way debunking what I said.
> What are you talking about? Purism purposely designed the Librem 5 to avoid planned obsolescence, so it looked for component suppliers who support their hardware for a long time. For example, NXP guarantees that that it will provide updates for the i.MX 8M Quad for 15 years (Jan. 2018 - Jan. 2033).
They're unable to provide full security updates from day one and the device is already end-of-life in terms of what that means for GrapheneOS. It would have to be marked as end-of-life from day one if we added support for it. We would be unable to declare any Android security patch level for the device due to it not meeting the basic security requirements and not having full firmware security updates available. What I've said is true, and you're just claiming otherwise based on their deliberately very incomplete and misleading marketing.
> In contrast, Google only promises to provide 3 years of OS updates and security updates for the Pixel 3/4/5, and 3 years of OS updates and 5 years of security updates for the Pixel 6. Qualcomm announced in Dec. 2020 that it will support its Snapdragon processors (which are used in Pixel devices) for 3 years of Android updates and 4 years of security updates.
Those are minimum guarantees of full security updates, not end-of-life dates and the number of days you get those for the Librem 5 is ZERO. The only recommended devices for GrapheneOS are the Pixel 6 and Pixel 6 Pro, which means that there is at least 5 years of full security updates for the devices we support. You can see from our site that we continue providing extended support releases which we mark as insecure past the end-of-life of devices. A device is end-of-life as soon as any important component no longer provides the proper monthly security updates. How can we support the Librem 5 even aside from all the missing security features which have already been explained elsewhere, when we would be unable to provide anything close to the March 2022 security update, and would be unable to ship all the updates that are available through the OS?
> Linux phones like the Librem 5 and PinePhone use separate components which are supported for many years by the manufacturers, whereas most Android phones (like the Pixels) use integrated mobile system-on-chips which are only manufactured for 1-2 years and only supported for 3-4 years by the manufacturer. Because Linux phones use components with long-term support by the component suppliers, the Librem 5 is the first phone to be sold with the guarantee of lifetime software updates, and PINE64 promised to manufacture the PinePhone for 5 years, which is longer than any other smartphone ever sold.
This is completely inaccurate. They still use an SoC and the components they've chosen do not provide a longer period of support in the sense that Android expects in order to declare the latest security patch level. Several of their component choices including the radios rule that out, as does the way they are integrated. Your claim of lifetime security updates is completely bogus and demonstrates the extreme lengths Purism goes to in order to mislead people and profit from it. They still need firmware support and all the drivers, etc. still need to be maintained. There's really no point of engaging with people lying through their teeth and pushing all their inaccurate talking points so I'm not going to keep engaging with you much further.
Linux doesn't mean systemd, polkit, glibc, GCC, binutils, GNOME, pulseaudio/pipewire, Wayland/X11, etc. It makes no sense to claim these are Linux phones when the vast majority of smartphones run Linux. It's marketing spin. If you want to call it a GNU/Linux phone, go ahead, but what you're doing is a deliberate attempt at misleading people on their part.
> The Librem 5 doesn't need an IOMMU, because it uses separated components, and it uses serial buses (USB 2.0/3.0, SDIO, I2C and I2S) that don't allow direct memory access, so there is absolute no chance of the WiFi/BT, cellular modem, GNSS and USB controller being able to access the RAM or the SoC's cache. Unlike the Snapdragon processors in Pixels whose hardware is essentially a black box, we can independently verify by looking at the open source schematics that direct memory access is not possible in the Librem 5.
This is not accurate. It still has an SoC with a ton of components aside from the SoC despite your inaccurate claim that it doesn't, and those components still need to be isolated with an IOMMU. The other components which you're talking about using USB are dramatically less isolated than the Qualcomm or Samsung baseband on mainstream devices. You're trying to present something dramatically worse as being better in this regard. Are you trying to claim that the Librem 5 doesn't have components like a GPU and other SoC components? The Librem 5 hardware is also just as much of a black box. It's 100% as proprietary. It does not have firmware or hardware that's any more open and this is a blatant lie. Them marketing the hardware as being more open is thoroughly unethically and dishonest. They've done the same with their laptops and other products, which has done immense harm to projects like Talos actually trying to produce open hardware in any actual sense of the word.
> The Librem 5 hardware is also just as much of a black box. It's 100% as proprietary. It does not have firmware or hardware that's any more open and this is a blatant lie. Them marketing the hardware as being more open is thoroughly unethically and dishonest. They've done the same with their laptops and other products, which has done immense harm to projects like Talos actually trying to produce open hardware in any actual sense of the word.
There is a major difference between the openness of the Librem 5 (L5) vs Android phones. The L5 is the first phone with free/open source schematics (GPL 3.0) for its circuit boards since the Golden Delicious GTA04A4 which was released in Jan 2012. Purism has only released the STL files for the L5's case and the board schematics in PDF, so it would take some work to recreate the original CAD files, but anybody can legally reproduce the hardware in the L5. To find a phone which released its CAD files, you have to go back to the OpenMoko Neo FreeRunner released in June 2008.
Purism has also released the board view images to show where components are placed on the L5's boards. You may be able to find the board view for a few models (such as iPhones), because they get leaked, but as far as I know, no Android phone manufacturer publicly releases the board views of their circuit boards.
If your argument is that the circuit boards don't matter, because most of the functionality is locked up in proprietary chips, then let's look at the chips that Purism selected and see if there's a difference. Qualcomm, MediaTek, UNISOC and Samsung don't release the documentation for their mobile application processors without an NDA, and Apple and Huawei don't release their documentation on their chips to any outside companies as far as I know. In contrast, NXP released 7000 pages of documentation plus their Android and Linux software for the i.MX 8M Quad to anyone who registers on their website. They restrict the security manual to only certain approved people, but everything else can be obtained and NXP has a public forum where anyone can ask questions about their i.MX processors. Likewise, Thales releases the documentation on the PLS8 cellular modem and provides a public forum.
Android phones commonly have a locked bootloader which prevents the user from changing the OS. All Huawei and Apple phones have the bootloader locked. Most Samsung phone require using an unauthorized crack. Motorola and Xiaomi require applying for an unlock code code and waiting up to two weeks for it and using it voids the hardware's warranty. Sony makes it easy but voids the warranty. Google also makes it easy, but won't honor the warranty unless the Pixel is reflashed to the original OS and relocked. In contrast, the Librem 5 has such restrictions.
Another issue is the drivers and kernels. Qualcomm has the best track record of the major mobile SoC manufacturers since it provides public access and the commit record to its kernel source code at Code Aurora, but the community has to take that code and adapt it to work in mainline Linux and it often takes 3 or 4 years to fully support Snapdragons. Samsung has done better in recent years, but MediaTek, UNISOC, Huawei and Apple are horrible. However, NXP is far better than all these since it commits directly to mainline Linux and is willing to work with the community to support its chips.
Purism develops its code in public and encourages its developers to interact with the community. All the firmware in the L5 is proprietary, but it is worth mentioning that Purism is planning on using FOSS firmware in its secondary Cortex processor to control the smartcard reader. Also the OpenPGP specification is open, so anyone can study it.
I would argue that all of these things add up to make the Librem 5 the most open phone that can be bought today (with the PinePhone a close second). I have a problem with some of Purism's marketing, like the "100% made in the USA electronics" slogan for the Librem 5 USA, but you have to look at this in the context of the actual mobile industry and what is possible in the real world. Sure it would be great to have a phone with open hardware chips, but you are talking about hundreds of millions of dollars to develop those chips and paying hundreds of millions more to license the necessary IP, which is totally unrealistic.
> Linux doesn't mean systemd, polkit, glibc, GCC, binutils, GNOME, pulseaudio/pipewire, Wayland/X11, etc. It makes no sense to claim these are Linux phones when the vast majority of smartphones run Linux. It's marketing spin. If you want to call it a GNU/Linux phone, go ahead, but what you're doing is a deliberate attempt at misleading people on their part.
I was simply following the standard convention of saying "Linux" to mean the entire OS that is found in popular distros like Debian, Arch and Fedora, whereas people generally say "Linux kernel" to refer to just the kernel. Saying "GNU/Linux" is problematic because most distros contain software which isn't part of GNU and isn't approved by the FSF, but I will use that term for lack of a better one.
By the way, it is just as problematic to say that GrapheneOS is "Linux" because GrapheneOS is using a kernel which has been substantially modified by Google, and Qualcomm's drivers for the Snapdragon which GrapheneOS uses are only designed to support an Android kernel, not a mainline Linux kernel. GrapheneOS doesn't use mainline Linux kernels and it usually takes 3-4 years for the mainline kernel to fully support new Snapdragons after they are released, so I don't know why you are even bothering to make this argument.
> There's a far larger and better ecosystem of open source apps for Android than there is for the products that you're marketing...
Just to be clear, I'm simply a customer of Purism and PINE64 who owns the Librem 5 USA and PinePhone, so I don't represent these companies and I'm not marketing their products.
I'm not sure whether there is a larger ecosystem of open source apps for Android rather than the GNU/Linux distros that run on the Librem 5 and PinePhone. If we are talking about apps which are designed to run on mobile phones, then you have a point, since it will take a while to adapt all the desktop software to be mobile-friendly, but Kirigami or libhandy/libadwaita is getting added to a lot GNU/Linux desktop software to make it adaptive. Google purposely does not label software with FOSS licenses in the Play Store, so it is hard to count the number of FOSS apps for Android. I count 4472 apps in F-Droid (https://f-droid.org/repo/index-v1.jar), whereas Debian 11 "bullseye" (which is what PureOS and Mobian are based on) has 59,551 packages. I know that not all FOSS apps make it into the F-Droid repo and the Debian repo includges the entire operating system and many of its applications use multiple packages, so we are comparing apples and oranges, but I don't see much evidence that the Android FOSS ecosystem is "larger and better" than the GNU/Linux ecosystem.
I often find that I need to install proprietary apps when using LineageOS because I can't find what I need in F-Droid, whereas I generally don't install proprietary apps in my GNU/Linux systems, so from that point of view, GNU/LInux is "better". Also a sizeable number of the FOSS apps that I encounter in F-Droid contain some code which was originally written for GNU/Linux, whereas I rarely find code in GNU/Linux which was originally written for Android.
> This is not accurate. It still has an SoC with a ton of components aside from the SoC despite your inaccurate claim that it doesn't, and those components still need to be isolated with an IOMMU.
I stated that "the Librem 5 doesn't need an IOMMU" to isolate the WiFi/BT, cellular modem, GNSS and USB controller, but in case you are worried, the i.MX 8M Quad SoC in the Librem 5 does have a Resource Domain Controller (RDC), Arm TrustZone and On-chip RAM (OCRAM) secure region protection, which does isolate the CPU, GPU and VPU. See section "3.2.2.4 Resource Domain Control and Security Considerations" in the "i.MX 8M Dual/8M QuadLite/8M Quad Applications Processors Reference Manual". (NXP requires registration to download the manual.)
> Those are minimum guarantees of full security updates, not end-of-life dates and the number of days you get those for the Librem 5 is ZERO. The only recommended devices for GrapheneOS are the Pixel 6 and Pixel 6 Pro, which means that there is at least 5 years of full security updates for the devices we support.
The GrapheneOS FAQ lists the Pixel 3a released in May 2019 as a "supported" device, but the Pixel 3 released in October 2018 is listed as "end-of-life" because it no longer gets full security updates, so that tells me that most people are using GrapheneOS on devices that have a 3 year lifespan.
I downloaded the Pixel 3a's "bonito" kernel (https://github.com/GrapheneOS/device_google_bonito-kernel) and I see that it is using kernel version 4.9.292. Mainline Linux 4.9.292 was released on 2021-12-08 and 4.9.0 was released on 2016-12-11. Call me crazy but I prefer to use an up-to-date mainline kernel rather than one that is over 5 years old and takes 3 months to get the latest security patches from kernel.org. (To be fair, I should mention that the Librem 5 issn't yet fully supported in mainline Linux, so you can't run the latest mainline kernel on day one of its release, but the Purism devs say that mainline support is coming.)
> Your claim of lifetime security updates is completely bogus and demonstrates the extreme lengths Purism goes to in order to mislead people and profit from it.
Purism says that it went way over-budget trying to develop the Librem 5 and its software, which is why it has been raising its prices. Considering the roughly 20 companies that lost their shirts in the past when trying to develop mobile Linux, it is unrealistic to think that Purism is doing this for profit. (See: https://amosbbatto.wordpress.com/2020/07/17/mobile-linux-tra...)
Granted that NXP will stop providing firmware updates for the i.MX 8M Quad in 2033, and I expect that the firmware updates will end much sooner than that for the RS9116 WiFi/BT, BM818 cellular modem, Tesio-Liv3 GNSS, etc, but there is no reason to not expect lifetime software updates, because the Librem 5 should soon have mainline Linux support. Purism has worked hard to upstream its code changes to parent projects (Linux, wlroots, geoclue, ModemManager, GTK, GNOME libraries, GNOME applications, etc.), so that future releases of these projects should run on the Librem 5 with minimal work. Phosh was designed as a thin overlay on top of standard GNOME libraries and applications (which have substantial support from IBM/Red Hat, SUSE, Canonical and Google) and roughly 176k of the roughly 250k lines of code that Purism has created for the Librem 5 are now incorporated as official GNOME projects. (see: https://amosbbatto.wordpress.com/2021/12/15/amount-code-libr... ) What this means is that it shouldn't cost Purism much to keep providing future software updates. In addition, postmarketOS and Mobian developers are now participating in the development of Phosh which has become the most popular interface among PinePhone users, so even if Purism dies as a company, it is likely that the community will maintain the interface. For more info, see: https://source.puri.sm/Librem5/community-wiki/-/wikis/Freque...
> Purism says that it went way over-budget trying to develop the Librem 5 and its software, which is why it has been raising its prices. Considering the roughly 20 companies that lost their shirts in the past when trying to develop mobile Linux, it is unrealistic to think that Purism is doing this for profit.
The Librem 5 is incredibly low-end hardware with many corners cut being sold for now 1299 USD. You go across platforms marketing their products with thoroughly dishonest claims and spin. It's highly likely that you have a financial stake in the company's products because nothing else would explain your devotion to so thoroughly misleading people and marketing their products across many platforms.
> Granted that NXP will stop providing firmware updates for the i.MX 8M Quad in 2033, and I expect that the firmware updates will end much sooner than that for the RS9116 WiFi/BT, BM818 cellular modem, Tesio-Liv3 GNSS, etc, but there is no reason to not expect lifetime software updates
It's a completely false and outrageous claim that it will receive 'lifetime' updates but I see now that you're narrowing it down to simply receiving INCOMPLETE support/updates for the software indefinitely which applies to anything where you can install another OS and you're simply admitting to your explicit attempt to mislead people.
Not receiving firmware updates for every component, which is already the case today, means it's end-of-life. The Librem 5 is already end-of-life by the definition implemented by GrapheneOS. It cannot reach the current Android security patch level. There is no Android security patch that it could reach, since even the earliest ones required avoiding security weaknesses which are unavoidable on that hardware. It's a highly insecure device and no amount of your / Purism (likely one and the same) dishonest marketing is going to change that.
Linux kernel updates in no way guarantee security support for all the drivers, etc. which are being used, and there is no such guarantee for any of the device support code in userspace or any of the userspace projects. Security updates are not provided for many Debian packages. Only a subset of the security fixes get backported in the first place to those that are supported. Using Debian in no way implies getting indefinite or even current security support.
Any further contact with the GrapheneOS project or project members on your part or any further attempts to spread misinformation about it will be considered harassment as I already said earlier. We aren't interested in communication with you. If you don't stop contacting us, spreading libel about our project members and misinformation about our project, we'll begin contacting organizations/projects where you're involved about the harassment and malicious behavior across platforms towards an open source project.
Anyone can look at https://news.ycombinator.com/threads?id=amosbatto and see that you're heavily involved in marketing and providing customer support for Purism, which unfortunately involves spreading a lot of misinformation about both Purism's products, the company and about other open source projects which you aim to steer people away from and towards buying their products. We've already requested that Purism avoids contacting us and trying to harm our product. That extends to you too. You need to stop. This is your final warning.
As I already stated earlier, if you continued to spread misinformation, an article will be posted on our site with all the information that I posted here and more. That's going to be happening now. If you continue, then there will be a response directed towards you personally too, because you have made it person with the libel that you and other Purism employees/associates have regularly spread about us across platforms.
> It's highly likely that you have a financial stake in the company's products because nothing else would explain your devotion to so thoroughly misleading people and marketing their products across many platforms.
Let me state for the record that I have no financial stake in Purism, and I do not represent the company. I am simply a customer of the company who tries to correct the misinformation that I see being posted about the Librem 5 on public forums like this one, because I think that Purism is doing important development work for mobile Linux. I am using my real name "Amos Batto", and anyone who does a simple internet search can find my personal blog, my github page, my facebook page, etc. and verify who I am.
> If you don't stop contacting us, spreading libel about our project members and misinformation about our project, we'll begin contacting organizations/projects where you're involved about the harassment and malicious behavior across platforms towards an open source project.
This is ludicrous. You posted information which I consider to be incorrect about the Librem 5 on this forum and at r/Purism. When I responded to correct the record, you accused me of engaging in "harassment and malicious behavior across platforms towards an open source project".
Everyone can see your behavior and it fits a consistent pattern. You go out of your way to criticize other open source projects on public forums. Then, when people try to respond on the technical points, you accuse people of harassing you and trying to harm your project, which is simply not true. Responding to the technical points that you raised on a public forum is not an attempt to "contact" you or members of your project and it certainly is not "harassment" as you term it.
> I was simply following the standard convention of saying "Linux" to mean the entire OS that is found in popular distros like Debian, Arch and Fedora, whereas people generally say "Linux kernel" to refer to just the kernel. Saying "GNU/Linux" is problematic because most distros contain software which isn't part of GNU and isn't approved by the FSF, but I will use that term for lack of a better one.
So then Alpine Linux isn't Linux either? That's not a standard convention at all. It's a way of misleading people, and you're doubling down on it.
> By the way, it is just as problematic to say that GrapheneOS is "Linux" because GrapheneOS is using a kernel which has been substantially modified by Google, and Qualcomm's drivers for the Snapdragon which GrapheneOS uses are only designed to support an Android kernel, not a mainline Linux kernel. GrapheneOS doesn't use mainline Linux kernels and it usually takes 3-4 years for the mainline kernel to fully support new Snapdragons after they are released, so I don't know why you are even bothering to make this argument.
Why are you specifically talking about Snapdragon when the current generation and only recommended devices use the Exynos-based Tensor SoC? Current generation devices are using Generic Kernel Images and DO NOT have substantial modifications to the kernel. It's entirely possible to use the kernel.org LTS releases.
GKIs have a stable ABI for kernel modules, and all of the kernel modules for all the generations of devices were already open source despite inaccurate claims to the contrary here.
> Just to be clear, I'm simply a customer of Purism and PINE64 who owns the Librem 5 USA and PinePhone, so I don't represent these companies and I'm not marketing their products.
You're marketing their products and are heavily involved in spreading misinformation about AOSP and GrapheneOS. We consider you to be malicious and you're now involved in spreading libel about our developers. There will be a response to that if you continue down that path. It's likely that you're financially tied to them.
Please stop contacting our project members and refrain from involvement in our community going forward. It will be considered harassment and will be responded to as such.
> I'm not sure whether there is a larger ecosystem of open source apps for Android rather than the GNU/Linux distros that run on the Librem 5 and PinePhone. If we are talking about apps which are designed to run on mobile phones, then you have a point, since it will take a while to adapt all the desktop software to be mobile-friendly, but Kirigami or libhandy/libadwaita is getting added to a lot GNU/Linux desktop software to make it adaptive. Google purposely does not label software with FOSS licenses in the Play Store, so it is hard to count the number of FOSS apps for Android. I count 4472 apps in F-Droid (https://f-droid.org/repo/index-v1.jar), whereas Debian 11 "bullseye" (which is what PureOS and Mobian are based on) has 59,551 packages. I know that not all FOSS apps make it into the F-Droid repo and the Debian repo includges the entire operating system and many of its applications use multiple packages, so we are comparing apples and oranges, but I don't see much evidence that the Android FOSS ecosystem is "larger and better" than the GNU/Linux ecosystem.
This is another demonstration of how unserious you are about remotely sticking to the truth where you venture off into claims that aren't even remotely plausible. F-Droid is a tiny subset of the overall open source Android app ecosystem. Again, it doesn't even have Signal, Firefox, any Chromium-based browser or MANY other widely used open source apps, let alone non-widely-used ones. I have no clue why you're referring to the total number of packages in Debian as anything to do with the number of mobile applications. It's another completely, thoroughly dishonest misrepresentation of the truth.
> I stated that "the Librem 5 doesn't need an IOMMU" to isolate the WiFi/BT, cellular modem, GNSS and USB controller, but in case you are worried, the i.MX 8M Quad SoC in the Librem 5 does have a Resource Domain Controller (RDC), Arm TrustZone and On-chip RAM (OCRAM) secure region protection, which does isolate the CPU, GPU and VPU. See section "3.2.2.4 Resource Domain Control and Security Considerations" in the "i.MX 8M Dual/8M QuadLite/8M Quad Applications Processors Reference Manual". (NXP requires registration to download the manual.)
It does not isolate either the on-SoC or off-SoC components in a remotely comparable way to Snapdragon, Exynos or Tensor. It's also not configured for production use and security properties which could have been provided are far from all being provided.
> The GrapheneOS FAQ lists the Pixel 3a released in May 2019 as a "supported" device, but the Pixel 3 released in October 2018 is listed as "end-of-life" because it no longer gets full security updates, so that tells me that most people are using GrapheneOS on devices that have a 3 year lifespan.
The current generation devices have a minimum of 5 years of support, as has already been stated. The Pixel 3 still receives GrapheneOS updates. It's considered a legacy device as the Librem 5 would have to be considered a legacy device already due to inability to reach the current Android security patch level for many reasons. This was already stated multiple times, and you're once again doubling down on inaccurate claims.
> I downloaded the Pixel 3a's "bonito" kernel (https://github.com/GrapheneOS/device_google_bonito-kernel) and I see that it is using kernel version 4.9.292. Mainline Linux 4.9.292 was released on 2021-12-08 and 4.9.0 was released on 2016-12-11. Call me crazy but I prefer to use an up-to-date mainline kernel rather than one that is over 5 years old and takes 3 months to get the latest security patches from kernel.org. (To be fair, I should mention that the Librem 5 issn't yet fully supported in mainline Linux, so you can't run the latest mainline kernel on day one of its release, but the Purism devs say that mainline support is coming.)
The Pixel 3a / Pixel 3a XL are on the March 2022 Android security update including for the kernel and have additional patches backported to them. Their kernel is based on the Android Common Kernel, which is only indirectly based on the kernel.org releases. Ubuntu doesn't use the kernel.org releases in general at all and that does not mean their kernels are less secure, just because they do not update to newer kernel.org releases because there are none for their kernel branch, which they maintain themselves. This is how Linux works across distributions. Can you name one distribution directly shipping kernel.org releases without patches? Even Arch Linux doesn't do that.
A subset of the kernel.org changes is shipped by AOSP on a monthly basis with additional backports by GrapheneOS. The kernel.org releases are shipped by AOSP as part of the quarterly updates, they get shipped approximately every 3 months. GrapheneOS is fully capable of shipping the latest kernel.org releases but we found that there are too many regressions including security regressions and we stopped shipping them faster than AOSP for most devices. The current generation devices, which for some reason you feel like ignoring in favor of 3 year old ones use Generic Kernel Images and can be trivially updated to the latest kernel.org LTS without any changes since there are ZERO device-specific changes to the kernel. Maybe you should stop trying to make dishonest and misleading comparisons by comparing the latest generation of one device to 3 generations ago for another device, while adding in your own inaccurate claims to that.
For your information, the Pixel 3a has not been vulnerable to many of the most recent serious recent kernel vulnerabilities unlike the Pixel 6 because it's on the 4.9 branch instead of the 5.10 branch. The 5.10 branch has massively more complexity, attack surface and does not offer substantially improved security. The new mitigations in the Android 5.10 common kernel.
Sticking to an LTS kernel branch for the lifetime of the device isn't due to anything closed source. GrapheneOS only supports devices with proper security support for all the firmware, drivers, etc. and again there are no closed source kernel drivers. We can support pretty much any mobile device with alternate OS support since any serious one will have AOSP support. Most devices have lackluster security and don't meet our requirements. We're working with a hardware vendor to get a non-Pixel phone actually meeting reasonable security requirements.
Librem 5 has a bunch of components where they are not shipping updates. You have things very much backwards on that front. The Librem 5 does not come close to meeting the security requirements to run GrapheneOS. It has a bunch of poorly secured and insecurely configured legacy hardware often without proper updates available, components that are not properly isolated via IOMMU, no secure element or all the stuff that comes along with that (HSM keystore with a nice API used by apps, Weaver to make disk encryption work for users without a high entropy passphrase like 7 diceware words, insider attack resistance, working attestation not depending on hard-wiring hashes and a lot more) and many other things. The OS they use has a near total lack of any systemic overall privacy/security work or privacy/security model and only falls further and further behind. The most exciting feature for securing devices right now is hardware memory tagging support in ARMv9, but there are years and years of tons of important privacy/security work done in a systemic way across hardware/firmware/software which are missing there before worrying about stuff like that.
Marketing something as private/secure and spreading tons of misinformation and outright lies about the mainstream options doesn't make it secure or more secure than those. It's actually pretty funny that they mislead people about the isolation of hardware components like the cellular baseband in other devices when the vast majority of mainstream phones (iPhone, Pixel, Qualcomm SoC devices, Exynos SoC devices) have it done quite well when they don't. Strange that they get away with these games of misrepresenting things, hiding the fact that they still have entirely proprietary hardware and near entirely proprietary firmware for the SoC and other hardware components, etc. Hiding proprietary stuff doesn't make it go away. Not updating it doesn't make it go away and simply ensures a highly insecure device.