-
DannyWorkOrderPr
Anyone know why Bromite defaults to Google search? Asking for a friend, lol
-
organella[m]
<jalb "You can only se 1 VPN service in"> Thanks!
-
nuttso[m]
U could use 2 if I use shelter or similar
-
organella[m]
<strcat "there is an issue filed in our t"> Will it still be helpful at this stage to have this done? I'd be interested to do it but only know some Java, a bit of C, and nothing about Android development so don't know if it's something I could even realistically do.
-
organella[m]
Another thing I'd be interested to do even more, is a 'sub-contacts' feature, where you can create a list of say just 10 contacts out of your full list and feed just that into a messenger app, so it doesn't have access to all your contacts
-
DannyWorkOrderPr
organella: If you try, you're capable, if you've worked with those languages. See GrapheneOS.org/build for info. We really need ya.
-
renlord
organella[m]: just use user profiles
-
renlord
profile A -- full contact list; profile B -- sub contact list
-
renlord
besides, you cant even control how apps will use your new custom contacts api to retrieve sub contacts
-
renlord
so at the end of the day, you still need to use user profiles
-
organella[m]
<DannyWorkOrderPr "organella: If you try, you're ca"> Had a look and should be able to set up the environment. Don't want to promise anything before I've seen how it all works, and I don't have much spare time at all, but would be happy to help if and with what I can.
-
organella[m]
<renlord "organella: just use user profile"> Isn't it a hassle to constantly switch profiles for messengers?
-
organella[m]
And do you get a notification when you receive a message but are not in the other profile?
-
renlord[m]
If your threat assessment says that it's dangerous for an app to view your full contact list, that's the only safe way around the problem.
-
renlord[m]
User profiles.
-
organella[m]
I know, that's why I was thinking that a sub-contacts feature can add a lot of convenience for such use cases
-
organella[m]
The idea for the API is to replace the current API that the apps see so they won't even know the difference
-
DannyWorkOrderPr
It's a very worthwhile cause that will benefit many users and other projects, and your success story will surely spur more to jump in, too. You've got a lot of cheerleaders here, and people to help you leapfrog into action!
-
organella[m]
They ask for access to Contacts and they get access to Contacts and are none the wiser that there are multiple lists in reality
-
organella[m]
Danny@WorkOrderPro I know, and I'm sad to see that Graphene is so short on contributors at the moment which makes me doubly as happy to help
-
renlord[m]
Why can't you toggle between profiles or just use different phones altogether.
-
organella[m]
I can but everything has a cost - carrying more than one phone isn't convenient (I often do have two...) - and switching profiles takes some time and mental cycles that add up so if they can be saved all the better
-
renlord[m]
The same mental cycle exists if you split contacts like this.
-
renlord[m]
People have to actively be aware that there are different contact groupings that's completely incompatible with the standard Android model
-
renlord[m]
Sure, with enough effort and dedication you can make it compatible and less intrusive, but we already have a simpler solution for this type of threat model (i.e. using user profiles)
-
renlord[m]
User profiles also have added benefit so you actually explicitly context switch to a different profile altogether.
-
organella[m]
The development work is a one off and it goes to 'voluntary work on a worthy project' so it's on a different time budget :) Then if you use profiles in comparison you still need to manage the lists, so let's say that would be the same amount of work and you'll only do it if you think it's worth the benefit. And the feature itself can require optional activation so Contacts work like in standard Android for the
-
organella[m]
regular user, and sub-lists are available only if you turned them on
-
renlord[m]
You're mistaken to think that it's one off
-
organella[m]
True, maintenance
-
renlord[m]
Unless you upstream your changes you are expected to maintain it until it at least gets upstreamed.
-
DannyWorkOrderPr
organella: for the record, I was not referring to the Contacts bit, but helping out Graphene in general =] Hoping you'll give it a go.
-
DannyWorkOrderPr
If you're 100% trying to get that specific change, I'd definitely see if you can PR it to upstream (AOSP).
-
organella[m]
Understood! But still best to start with something exciting to help go through the learning pains. And as I said I don't want to promise anything before I've seen how things work and time will certainly not be a great amount, but hopefully some bits here and there that are useful are possible!
-
DannyWorkOrderPr
Take a look at the issue tracker, and see if there's anything that piques your interest
-
organella[m]
The storage issue that was mentioned earlier sounded interesting too but there was no link, would you know which issue that would be? It was about doing some emulation for the apps that still target the old APIs with the storage permission
-
organella[m]
If it's still relevant of course given the expected v11 changes
-
organella[m]
Btw re PR to upstream, is there anything you'd normally do before you develop the feature, like ask if it would be accepted, or you just develop and offer it and see if they take it?
-
organella[m]
Like write out how it would work for example so they can say if any tweaks would be necessary before development
-
organella[m]
* Like write out how it would work for example so they can say if they'd require any tweaks to take it, before development
-
DannyWorkOrderPr
I'd definitely do a brief writeup and find whatever channel they use for chat, if any. Not a ton of experience with interacting with the AOSProject
-
DannyWorkOrderPr
organella: This is only storage related issue on the tracker right now:
GrapheneOS/os_issue_tracker #105
-
mxnorvak[m]
organella : personally using different profiles has had many different benefits for me ,one of it being that i can feed it the contacts i want,the others are that the app i want to restrict doesn't have access to my main user profile storage ( assuming its an app that needs storage permission to function properly ) and another important one is that i choose what other apps are in that profile and i can isolate it in
-
mxnorvak[m]
that regard as well
-
organella[m]
I love the profile segregation and use it! This is just for the extra convenience of not switching profiles to use my main messengers. But it's also a part of a larger point about permissions. I hate it when an app says I want everything or I won't even start. I want to be able to say - you want to manage calls and sms? Ok, here you go, a dummy api for call management that's not connected to the actual calls and
-
organella[m]
texts. You want location - Location manager, tell this app I'm at these coordinates in Paris. You want Contacts? Here, my only two contacts.
-
renlord[m]
These are complaints that should be directed to app developers
-
renlord[m]
Their apps should handle denied permissions gracefully.
-
TheJollyRoger
Aaaarrgh python2, why oh why is Google holding out on you...
-
organella[m]
<renlord[m] "These are complaints that should"> Somehow I don't see Tencent heeding my complaint that WeChat should work without drilling my phone for everything
-
strcat[m]
TheJollyRoger: replaced in master
-
» TheJollyRoger gasps.
-
organella[m]
And my Chinese client won't use anything else
-
strcat[m]
what are you doing that needs python2?
-
TheJollyRoger
I uh...
-
strcat[m]
don't need it to build GrapheneOS unless you build Vanadium
-
TheJollyRoger
I'm uh, trying to build Vanadium... on my G-- oh
-
» TheJollyRoger redfaces.
-
organella[m]
So control needs to be in the user's hands, not the app developer's
-
strcat[m]
ah yeah
-
strcat[m]
you need it for Vanadium lol
-
strcat[m]
for now
-
» TheJollyRoger cracks up.
-
TheJollyRoger
Got it!
-
strcat[m]
it takes so long to build
-
strcat[m]
I need a new computer
-
TheJollyRoger
Jeez.
-
strcat[m]
probably one of these
-
strcat[m]
but I heard there are issues with ECC memory on Linux
-
strcat[m]
and I don't think I want to get 128GB+ of memory without ECC
-
TheJollyRoger
I currently use ECC RAM on Linux...?
-
TheJollyRoger
But it's on POWER and not x86.
-
TheJollyRoger
I don't know what difference that would make, unfortunately.
-
strcat[m]
it's an issue with threadripper
-
strcat[m]
not ECC ram in general
-
TheJollyRoger
Oh!
-
TheJollyRoger
Oh yipes big difference then O_O.
-
TheJollyRoger
I wonder if they can fix it with a microcode update? Or is this just uh... not fixable/defect by design?
-
strcat[m]
TheJollyRoger: I think it's a Linux kernel bug
-
strcat[m]
for threadripper
-
TheJollyRoger
OH!
-
TheJollyRoger
Oh yipes >_<.
-
» TheJollyRoger buries his head in his hands.
-
BallMonokuma[m]
rip
-
joshman[m]
Someone had an issue with removing apps. How did you solve it? I run into the same problem. Uninstalled the app through Aurora. In permission settings I still can see this app has access to them
-
joshman[m]
* Someone had an issue with removing apps. How did you solve it? I ran into the same problem. Uninstalled the app through Aurora. In permission settings I still can see this app has access to them
-
joshman[m]
* Someone had an issue with removing apps. How did you solve it? I ran into the same problem. Uninstalled an app through Aurora. In permission settings I still can see this app has access to them
-
joshman[m]
* Someone had an issue with removing apps. How did you solve it? I ran into the same problem. Uninstalled an app through Aurora. I still see this app has access to certain permission settings
-
gervarouge[m]
<joshman[m] "Someone had an issue with removi"> Uninstall through system settings
-
renlord[m]
Strcat why not use something like distcc on aws or something
-
renlord[m]
Then spin it down when you're done.
-
strcat[m]
too inconvenient and slow
-
JTL
strcat[m]: I'm in similar need of a new workstation/system and I want something with ECC RAM. What exact issues are you referring to? I remember kernel EDAC reporting for Ryzen platforms didn't work for quite awhile but was allegedly fixed with the 5.4 LTS kernel
-
JTL
Let me know what you find
-
JTL
I was talking about this with cdesai recently and he was also uncertain about this
-
cdesai
One thing I saw recently was somebody building a workstation with a server epyc chip
-
JTL
Yeah me too
-
JTL
Lower clockspeed and more expensive, but I'm not counting it out
-
JTL
I've been tempted to try and get a Gigabyte X570 board, lower end Ryzen chip and ECC RAM and try and return it if it doesn't work, but that's a hassle in Canada.
-
JTL
:/
-
cdesai
It might be easier to just find somebody with a working config on the internet and just try cloning that
-
JTL
There haven't been many attempts with the X570 platform
-
JTL
and the ones I've found are ASUS and I'd like to avoid them for other reasons
-
JTL
*cough* garbage QC/RMA department outside of US
-
cdesai
Maybe try asking AMD? I dealt with them for a rma and they were super nice
-
JTL
About ECC platform support? Their official response is "not disabled or hindered by US, but since it's Ryzen they [motherboard vendors] might do things differently"
-
renlord[m]
I thought it's only a fresh compilation once a month
-
renlord[m]
Then it's always just incremental builds.
-
renlord[m]
Most of the time the bottleneck is the linker also.
-
JTL
renlord[m]: I think strcat still needs to do release builds more often than that
-
JTL
heheh
-
» JTL remembers OOM'ing during kernel LTO
-
cdesai
Though even on these chips lto takes so long
-
JTL
right
-
strcat[m]
JTL: linux kernel LTO might be peak memory usage now that chromium uses thinlto
-
TheJollyRoger
Hmm. For android-prepare-vendor, I need to use `qq2A.200501.001.b2` with `blueline` and it's case sensitive, right?
-
TheJollyRoger
Oh wait a minute...
-
strcat[m]
it's upper case
-
TheJollyRoger
Yep, Got it, so the command should be something like `./vendor/android-prepare-vendor/execute-all.sh -d BLUELINE -b QQ200501.001.B2 -o...` etc etc etc...?
-
aeonsolution[m]
yeah
-
TheJollyRoger
Okay! It's just having a tad bit of trouble finding the url, I'm wondering if I should just try or if it's possible to download the images using curl or something like that and running the script on that instead...?
-
aeonsolution[m]
let me get it for you
-
aeonsolution[m]
you need to run the commands there as is
-
aeonsolution[m]
if you get the URL not found error
-
TheJollyRoger
Got it. That's the part I'm stuck at. >_<
-
TheJollyRoger
Oh.
-
TheJollyRoger
Okay!
-
aeonsolution[m]
find -name download-nexus-image.sh
-
TheJollyRoger
Woah, okay, let's see...
-
TheJollyRoger
Woah, woah thanks! Okay! Just making the change now...
-
aeonsolution[m]
😁
-
TheJollyRoger
There we go, the fix did it!
-
aeonsolution[m]
woot, woot
-
TheJollyRoger
Now I just gotta wait for the download to finish, I'm imagining someone at Google writing the TCP packets onto parchment, putting the parchment into bottles, and tossing them into the sea.
-
TheJollyRoger
One TCP packet at a time :D
-
TheJollyRoger
You guys are free to imagine me hauling on a rope to winch the bits in faster while singing "~what shall we do with the drunken sai~lor ear~lay in the moo~~orning~~"
-
gervarouge[m]
I miss mobile games on my Phone
-
gervarouge[m]
Any safe way to run them?
-
DannyWorkOrderPr
gervarouge: Stuff on F-Droid is auditable.
-
DannyWorkOrderPr
Stuff you don't trust can be installed in other Android user profiles
-
DannyWorkOrderPr
<DannyWorkOrderPr "gervarouge: Stuff on F-Droid is "> Once in a while, I like the Tetris clone, and SuperTuxKart is a blast too - and cross platform/multiplayer! But you can disable the networking bits (they are by default)
-
gervarouge[m]
<DannyWorkOrderPr "Once in a while, I like the Tetr"> SuperTuxKart is on iOS too?? Wow that's awesome I prefer playing with friends so
-
gervarouge[m]
That's huge
-
gervarouge[m]
I'm stoked thanks man
-
DannyWorkOrderPr
Not iOS, but Mac/Windows/Linux
-
DannyWorkOrderPr
Sorry to disappoint
-
gervarouge[m]
iOS is in beta testflight
-
gervarouge[m]
They have a blog post
-
gervarouge[m]
Apparently it's going well
-
dazinism
> Is there any way to know the api version an app is using?
-
dazinism
renor
-
dazinism
I guess the reason Fdroid keep apps with lower target SDK is for all the folks in the world on ancient/low end android devices
-
dazinism
Neither the old apps or the old phones are good for security/privacy. But some people dont have the ability to choose
-
dazinism
Read some dev from Cuba chatting about how they and many others collected apps and ran their app stores hyper locally on Bluetooth / wifi
-
gervarouge[m]
I wonder if there will ever be decent security for old phones
-
gervarouge[m]
iPhones excluded of course (looks at the 5s)
-
dazinism
gervarouge: sadly quite a bit would have to change
-
gervarouge[m]
I know virtualization can negate some local hardware attacks, but Qubes has proven that's only partially effective. I doubt a fully hardened Xen based Qubes would keep an old device safe.. :(
-
dazinism
Yeah hardware often has unpatchable vulns discovered.
-
dazinism
Then theres nothing that can be done
-
gervarouge[m]
I mean you CAN, but it's not cost effective or even foolproof
-
dazinism
See intel
-
gervarouge[m]
MediaTek too. Google had to step in after 6 months and clean it up
-
gervarouge[m]
The open source community has shown they can't keep up with firmware security like a serious company can either (Qualcomm or Apple come to mind)
-
gervarouge[m]
So I guess the only hope is either a design safety push (I guess rust) which is only partially helpful. And probably open source officially
-
gervarouge[m]
Overall it's probably a lost cause and recycling is the answer
-
parazen616[m]
I flashed a grapheneOS yesterday on my new pixel 3. It was quite late.. I set a lock pattern and I forgot it 😅 is there anything I can do?
-
dazinism
parazen616: yeah can reset the phone
-
parazen616[m]
Thought so... Thx
-
dazinism
Get into recovery, the hold volume up and power
-
dazinism
*then hold
-
dazinism
gervarouge: guess something is possible. Although performance will likely be substantially below state of the art devices
-
dazinism
FPGAs give the ability to "change the hardware" if issues are found
-
dazinism
Although I imagine theres the possibility of vulns found in the basic architecture of a FPGA
-
gervarouge[m]
True, the xen4android prototype (essentially Qubes for Android) claimed 97% performance retained. On a high ram device that's not bad at all even if they are old
-
strcat
dazinism: higher targetSdkVersion doesn't impact compatibility
-
strcat
dazinism: it's not the minimum version, it's the target version for semantics
-
strcat
you have to support older versions with custom code as always
-
dazinism
Yeah, as you pointed out before, keeping support for old SDK versions takes dev time away from other stuff (eg. targeting newer SDK)
-
dazinism
strcat: talking of which, I've been snooping about trying to work out exactly what would be involved getting PDFViewer signed by you on FDroid.
-
dazinism
Theres a few apps that do it Briar, Oeffi, the Fdroid App
-
strcat[m]
the older v1 signing format is far less secure so I won't use that
-
dazinism
That was the question I was going to ask
-
dazinism
strcat: was wondering if somehow could get it done with v1 and v2 sigs - possible in AOSP not sure about Fdroid
-
dazinism
If it was possible on Fdroid, would you add a v1 sig ?
-
dazinism
Or make a release with v1 and v2 ?
-
strcat
dazinism: it doesn't have v1 because the oldest supported version has v2
-
strcat
I won't add v1, it's not secure
-
dazinism
Was thinking it'd be nice to get it on Fdroid. All kinds of people use it. They could benefit, may even get contributors to the app, plus get some extra visibility for GrapheneOS generally.
-
gervarouge[m]
Good call
-
gervarouge[m]
Not worth it
-
strcat
signature v2 was added in Android 7 and is a security update
-
strcat
August 2016 is when Android 7 was released
-
strcat
v2 was available before then since there was the SDK to support Android 7 and dev previews
-
dazinism
Yeah, I know. Guess we'll have to wait and see when they may move to supporting v2
-
strcat
I don't understand why they can't support v2 trivially
-
dazinism
I got confused looking at their repos
-
dazinism
Someone made a PR for v2 and v3 recently
-
strcat
and btw Android 7 support is over so I am dropping it from those apps
-
strcat
right now
-
dazinism
But somehow it wasnt for their build server, but for somewhere else
-
dazinism
..well doesnt add v2 support for their reproducible builds
-
strcat
btw that's a substantial security downgrade due to using F-Droid
-
strcat
i.e. all their signatures are v1
-
strcat
despite it being far less secure and replaced in August 2016
-
strcat
v2 is a whole file signature
-
strcat
wouldn't you expect that signature verification checks the whole file?
-
strcat
apparently on F-Droid, it does not, since they didn't ship v2 sigs in 2016
-
strcat
they shouldn't support using jarsigner at all
-
strcat
apps without v2 signature should be considered a security vuln
-
dazinism
Yeah, its not great is it
-
strcat
v1 signature is only included when supporting API < 24 and v2/v3 signature is always included
-
strcat
since v1 (JAR signing) had serious security flaws
-
dazinism
From that PR looks like they may get v2 soon
-
strcat
I just don't really consider it at all acceptable that they didn't add v2 ASAP in 2016
-
strcat
says a lot
-
strcat
if you get the apk from the devs it will have v2 sig
-
strcat
downgrading the security of apps from upstream, especially when they may make the assumption that the whole file is verified
-
strcat
is problematic
-
dazinism
Its a weird sprawling project, much/most done by volunteers.
-
strcat
an app with minSdkVersion 24+ that assumes the whole apk is verified is not wrong unless it's built improperly
-
strcat
it's a security vulnerability in F-Droid
-
strcat
it's not just a missing feature
-
strcat
this is a serious vulnerability
-
strcat
dazinism: try verifying Signal with v1 and look at output
-
strcat
verbose
-
strcat
hmm
-
strcat
like, doesn't this seem bad?
-
strcat
and the structure of the zip itself is not fully signed
-
dazinism
Not had a chance to do any sig verification on a PC, has been on my todo list for a while. But I'm rarely on a PC nowadays.
-
strcat
dazinism: there were vulnerabilities found and rather than just fixing them they made a more secure format
-
strcat
but I think v2 can be considered a security fix
-
strcat
v1 design (from Java land) was flawed
-
dazinism
When I was reading think I saw some stuff about v1 not being such a problem for apps via Fdroid, because of the way their repo and app works. But I cant remember why, or where I saw that.
-
strcat
I mean how much confidence do you have in their own security work when they don't apply a 2016 important security update to the signing format
-
strcat
dazinism: I'd guess they use similarly bad signing for their repo index
-
strcat
using v2 app signatures won't fix their repo index
-
strcat
anyways given up on them already
-
strcat
going to make our own thing
-
dazinism
Yeah, I know theres problems with Fdroid, but theres problems everywhere.
-
strcat
the main problem is with culture
-
dazinism
A GrapheneOS app store will be ace
-
strcat
you fix that by making a new project without those people
-
strcat
you cannot fix it with any amount of contributions or money
-
strcat
in fact, it will make the problem worse
-
cn3m[m]
Would CalyxOS ever work with you guys on this?
-
dazinism
cn3m: guess they'd be interested, as would others.
-
dazinism
Apparently wouldnt be too much work to get a minimal version up and running
-
cn3m[m]
would be cool
-
dazinism
Base it off GrapheneOS seamless updates
-
dazinism
renlord started looking at it a while ago, but I think hasnt had much time recently
-
dazinism
Would be good to have as then updates to vanadium could be pushed out without needing full OS build for every device. Would save a whole load of time
-
dazinism
If theres a critical vanadium update that needs pushing out in between monthly releases
-
renor[m]
<strcat "TheJollyRoger: well I just chang"> Nice!!!
-
cn3m[m]
has anyone tried exploiting old versions of Graphene and Vanadium to see how effective exploits are?
-
renlord
i stop teaching next month and should have more time
-
DannyWorkOrderPr
> in fact, it will make the problem worse
-
DannyWorkOrderPr
See: Mozilla
-
strcat
openssl
-
strcat
gpg
-
strcat
linux kernel
-
strcat
lots of projects where if you give them more resources they will largely just add more attack surface / complexity
-
strcat
culture problem
-
strcat
not fixed by more resources
-
dazinism
Guess the thing with Fdroid is that theres currently no good way for people to source apps.
-
dazinism
Every source has issues
-
strcat
yeah and F-Droid is an obstacle to creating one
-
strcat
because people lack interest in making something when a crappy solution already exists
-
cn3m[m]
Most people don't think it's crappy
-
dazinism
But between here and there people are still going to get their apps from somewhere..
-
cn3m[m]
you should see the downvotes I get
-
strcat
I'll add a warning when installing a v1 signature app
-
dazinism
lol
-
strcat
I just raised the targetSdkVersion it expects to 28, why not do that too
-
DannyWorkOrderPr
<cn3m[m] "you should see the downvotes I g"> It's because people see it as the best option in a sea of nothingness, and cling to it illogically.
-
cn3m[m]
in GrapheneOS?
-
cn3m[m]
nice
-
strcat
Play Store *requires* API 28 for any new app or app update btw
-
strcat
I could find where this warning is implemented and add one for v1 sigs
-
hypokeimenon[m]
<DannyWorkOrderPr "It's because people see it as th"> Making the best of bad options is not illogical
-
dazinism
Guess its a question which is best
-
DannyWorkOrderPr
hypokeimenon: Poor wording, no sleep. They *don't speak out about their concerns* or dig too deep into it, because it's the best they feel they have.
-
dazinism
All the nasty abusive apps on Play, or the less well implemented FDroid
-
DannyWorkOrderPr
cn3m: Important for the community to do this.
-
strcat
F-Droid also has legacy versions of apps, unmaintained forks, etc.
-
strcat
you aren't just getting the maintained software from the devs
-
hypokeimenon[m]
<DannyWorkOrderPr "hypokeimenon: Poor wording, no s"> Yeah I agree.
-
dazinism
Think all other app stores are trash (unless i miss something?)
-
strcat
you have F-Droid between you and the devs, building the code and maybe updating it
-
cn3m[m]
it's hard work. I have poured around an hour a day into it for 3 weeks
-
strcat
dazinism: at least with Google Play, a developer like myself can ship an app to end users through it
-
cn3m[m]
ptio Reddit is horrible
-
cn3m[m]
can't make some of this stuff up
-
strcat
dazinism: without people interfering in the security and making it worse
-
dazinism
strcat yeah theres that
-
DannyWorkOrderPr
cn3m: Thank you. We're all in this together. Every bit you combat = more dev interest, and less time out our devs' full schedule to write that stuff out.
-
renlord
i'll probably never teach again, people these days dont even care much about learning in depth
-
renlord
just learning to pass fkin exams
-
cn3m[m]
<DannyWorkOrderPr "cn3m: Thank you. We're all in th"> thanks amigo
-
renlord
it has been incredibly dissatisfying
-
dazinism
renlord: sorry to hear that
-
renlord
probably more satisfying doing stuff for grapheneos than getting paid to teach
-
renlord
ffs
-
cn3m[m]
one guy claimed I was a DanielMicay alt once. Never been so flattered
-
dazinism
We all know you are
-
renlord
lol
-
DannyWorkOrderPr
renlord the hungry techie kids are all here, in these rooms.
-
DannyWorkOrderPr
Thanks for everything you do.
-
strcat[m]
renlord: I mean that's what undergraduate degrees are about these days
-
dazinism
At least it looks like FDroid repo will get v2 soonish
-
strcat[m]
getting a piece of paper that gets you a better paying job through any means necessary
-
renlord
autodidacts are more keen learners than people who pay to go to university
-
dazinism
Theres also other repos that have the developers builds of apps
-
strcat[m]
and from the university perspective it's a way to get money to fund themselves
-
strcat[m]
I don't think a lot of the profs want to be there teaching lol
-
strcat[m]
it's just a sacrifice
-
strcat[m]
to do what they actually want to do
-
renlord
yes
-
renlord
at least in my institution, if you can get enough grant monies through the door, you probably can be exempted from teaching
-
renlord
and grant monies again, is soul-crushing
-
strcat[m]
yeah I have little interest in that kind of thing
-
renlord
the salary premium that comes with an undergraduate versus vocational education apprenticeship has been narrowing over the years
-
renlord
in my home state, skilled tradespersons probably start with better starting wages than graduates
-
dazinism
Yeah I've never done academia, but know many folks that have. Spending so much time chasing grants or sweet talking large corporates to partner on projects.
-
dazinism
Generally I think the increasing commercialization / marketization of the academy is a huge problem
-
cn3m[m]
Pixel Visual Core is a backdoor... I've heard it all
-
cn3m[m]
I literally want to delete my Reddit account
-
dazinism
Backdoor to your nude selfies
-
cn3m[m]
theanonymousejoker is a buttface
-
cn3m[m]
he is consistently attacking sanity
-
cn3m[m]
last night it was the guy who said I'm stupid since MITM can't see encrypted data and it's useless to audit with
-
cn3m[m]
he also said that adtech coding is only for the browser
-
cn3m[m]
I worked in adtech on apps hello
-
strcat
someone is emailing me and claiming they got hacked, typical daily emails
-
strcat
another one is asking me to hack someone for them (???)
-
strcat
usually their ex
-
strcat
you wouldn't believe the fucked up things people email to GrapheneOS and my email
-
dazinism
People are.....
-
renlord
despite the dkim/dmarc?
-
renlord
still getting shitz?
-
strcat
renlord: lol not spam
-
strcat
genuine stupid emails
-
cn3m[m]
shit
-
strcat
I don't really get spam to those addresses now that I am dropping the fake emails via DMARC
-
strcat
I'm sure they'll start getting spam considering I have no spam filtering
-
strcat
I am totally willing to make DMARC/SPF/DKIM and TLS mandatory
-
renlord
you should report them as spam
-
renlord
what if someone from LKML wants to contact you?
-
renlord
and refuses to setup email properly?
-
strcat
they clearly don't want to contact me if they won't setup email properly
-
strcat
I'm not interested in what they have to say if they won't use a sane email setup to send it to me
-
cn3m[m]
<strcat "they clearly don't want to conta"> this
-
strcat
hmm maybe I should BCC myself instead of putting the emails in the folder via mutt so I can see the headers postfix added
-
renlord
i've met people who swear by the fact that email cannot be saved
-
renlord
and will refuse to put in any effort to setup email properly
-
strcat
yeah so I don't need their email
-
strcat
I get enough email already
-
strcat
I would happily do something like randomly rejecting 50% of emails
-
strcat
and people who really want to contact me will keep trying
-
renlord
a good subset of these people are security folks though
-
strcat
as long as they get notified it's rejected, it's fine
-
strcat
not ones I want to hear from
-
strcat
also they could just talk to me here
-
strcat
instead of annoying me with emails
-
strcat
emails are stressful, I have important emails I actually have to deal with and I get 50 stupid emails a day
-
strcat
at least this grapheneos mail server is not getting any non-spoofed spam yet
-
strcat
renlord: also ppl mail random shit to the security@ address
-
strcat
and come up with some BS reason it's a security flaw
-
renlord
strcat: you probably need a full time PA
-
strcat
like send email asking for Pixel 4 support
-
strcat
I get 10 of those a day
-
cn3m[m]
yes that's true
-
strcat
and send to security@ saying it's a security flaw it's not supported, k
-
cn3m[m]
shit
-
cn3m[m]
the community sucks
-
cn3m[m]
you're too good for us strcat
-
strcat
I'd say I get ~20 emails asking for device support daily
-
renlord
should auto-reply: "Pixel 4 Support PRs welcome, till then, good luck and goodbye"
-
strcat
although 1/2 of those are part of existing email chains
-
strcat
renlord: yeah but then they email about that
-
strcat
repeatedly
-
strcat
ask all these questions
-
strcat
I mostly just link to the faq / site
-
BallMonokuma[m]
<strcat "I'd say I get ~20 emails asking "> That sucks man
-
cn3m[m]
I'm so sorry man
-
mxnorvak[m]
<dazinism "hub.libranet.de/wiki/gra"> Tnx for this, didn't know i could check which API the app targets, based on what you guys discussed up there the API level should be looked at more as a way of knowing how much the developer cares about implementing latest security and privacy standards right? And not that if an app's API is 24 or 25 it means that it shouldn't be used or its dangerous (i mean for normal
-
mxnorvak[m]
apps not the ones for secure communications or anything that has access to important data)
-
aeonsolution[m]
I finally got the development branch flashed on my phone!!!!!!!!!!!!!
-
aeonsolution[m]
Build number: aosp_sargo_userdebug 10 QQ2A.200501.001.B2 2020.05.13.21 test-keys
-
aeonsolution[m]
I would like to thank TheJollyRoger
-
aeonsolution[m]
and JTL for the help
-
aeonsolution[m]
I also want to thank strcat and renlord for telling me to stick with it and of course dan-v for the troubleshooting help.
-
BrokenCog
congrats!!
-
aeonsolution[m]
thanks!
-
rwarr627[m]
strcat: will use it as a reference for implementing `malloc_object_size` in `hardened_malloc`
-
neothechosenone[
Just came into the room, the past posts won't load up is that normal?
-
shad0wbit[m]
@neothechosenone:matrix.org: Yes, it is. But the room is logged, so you can view the logs.
-
neothechosenone[
Thanks
-
shad0wbit[m]
Just in case you didn't see it, in the room description there is the link to the logs
-
neothechosenone[
Thank you.
-
ProtoMan
probably already know the answer to this but is there a way to get the os on non-pixel phones?
-
aeonsolution[m]
no, the project follows strict guidelines to get support; at this time that is only the Pixel line
-
ProtoMan
awe well, i guess i'll switch when I get a new phone then
-
ProtoMan
thx for that
-
aeonsolution[m]
you're welcome, please check out the FAQ, it has really useful information on how the project is setup and why some decisions are made
-
aeonsolution[m]
hardened security is the focal point
-
ProtoMan
mhmm will do, i'm on resurrection remix rn and its time for a change
-
ProtoMan
got any recommendations since i cant get graphene?
-
aeonsolution[m]
the chat isn't really here for that, but you can look up on the logs if you'd like
-
ProtoMan
alrighty much appreciated
-
aeonsolution[m]
np
-
duke_h3
Good evening!
-
duke_h3
A friend of mine sent me a link to your project a few days back
-
duke_h3
and I have been reading up on it ever since, watching YouTube and so forth
-
duke_h3
I have a bunch of questions about a few things, and was hoping to be able to find somebody that could help me out
-
duke_h3
We are currently working with a handset manufacturer
-
duke_h3
That is considering how to improve the users security
-
duke_h3
And one option is to add support of grapheneos
-
duke_h3
Is there any good resource on what is required of the phone to be able to handle grapheneos?
-
hypokeimenon[m]
It's on the website.
-
TheJollyRoger
Ahoy duke_h3!
-
TheJollyRoger
Yep, let me get you the faq with respect to device support, give me a moment...
-
duke_h3
Yes I did read that part :)
-
duke_h3
I am sorry if I sound like a newbie here
-
TheJollyRoger
No problem. What could I help you with?
-
duke_h3
but some of the requirements do not sound clear to me
-
duke_h3
I magine that you have the full cooperation of the company producing the device
-
TheJollyRoger
Heh, well...
-
TheJollyRoger
Google actually is very forthcoming with this.
-
duke_h3
For the pixel phone
-
duke_h3
But now I am talking about another vendor
-
duke_h3
that is interested
-
TheJollyRoger
Ideally, we would want to get hardware tailored to the project's needs, in the far future.
-
duke_h3
But what would that be
-
hypokeimenon[m]
Can you name the vendor in question?
-
TheJollyRoger
But that's for the far future and is contingent upon getting enough regular contributors and being a stable, sustainable open source project.
-
duke_h3
not at the moment
-
hypokeimenon[m]
Or are you not at liberty to say?
-
hypokeimenon[m]
Alright, lol forget I asked.
-
duke_h3
They are well known, but not large
-
duke_h3
And are interested
-
duke_h3
My job is basically to get an assessment to the CEO what it would take in terms of resources to increase their security profile
-
TheJollyRoger
In theory, with enough money and manpower, a lot of things would be possible. But that's contingent upon the manpower and contributions received.
-
duke_h3
Yes, I have been in the business for 20 years ;)
-
duke_h3
But is it hard to boot G on a new device?
-
TheJollyRoger
Well, let me put it this way:
-
duke_h3
Assuming it runs android today
-
TheJollyRoger
If your objective is "just get the damn thing to boot once," then that's actually not that difficult in the grand scheme of things. However, it's a *completely* different ball game to produce stable, production-quality releases with security (and privacy) equivalent to or exceeding that of the reference implementation of Android provided by Google on its own handsets. This is a colossal
-
TheJollyRoger
undertaking, requiring dedicated maintainers for each device that can backport all of the device-specific exploit mitigations, patches to the kernel, firmware,
-
ss66
Hello everyone
-
TheJollyRoger
and testing to each device, for the lifetime of the device.
-
TheJollyRoger
Hello ss66
-
ss66
How is it going?
-
TheJollyRoger
This on its own is likely going to require full-time attention from someone, for the next three years.
-
TheJollyRoger
Yarr, it be well!
-
ss66
Nice!
-
duke_h3
Ok I guess it's a more stupid question
-
duke_h3
( I have yet to get my Pixel 3 ) so I have so far not tried things out
-
duke_h3
but GOS is basically a stripped down version of android
-
TheJollyRoger
Vendor support is /essential/ to this part, and isn't doable without the vendor at least being forthcoming with firmware updates and driver updates. Google so far has been very helpful here.
-
duke_h3
That are running a few patches
-
TheJollyRoger
duke_h3: no it is not.
-
duke_h3
The most important patch is the malloc?
-
TheJollyRoger
No. GrapheneOS is a large collection of subprojects that all work together in harmony to improve the security of AOSP: this includes the auditor and attestation server, hardened Bionic C library, Vanadium, hardened malloc, much of the specific work in the kernel,
-
TheJollyRoger
it's right across the entire stack.
-
duke_h3
Ok
-
Johnwake
Hey I was wondering if one of you guys could kindly help me flash the os?
-
duke_h3
Got it, you have more than just the kernel patches
-
TheJollyRoger
To call it "a few patches" is really selling the project short.
-
TheJollyRoger
Hi Johnwake, I will be with you in just a sec.
-
Johnwake
Thank you
-
TheJollyRoger
What problems are you having at the moment?
-
TheJollyRoger
(I may need to ask you a couple questions to do some sanity checking, since I will not be over your shoulder)
-
JTL
aeonsolution[m]: Cheers
-
TheJollyRoger
Ahoy JTL!
-
Johnwake
So I tried flashing the phone, however the os isn't installed
-
Johnwake
it just goes back to stock android
-
aeonsolution[m]
Hi Johnwake, could you be more specific. It's hard to diagnose the problem without any background.
-
» JTL waves at TheJollyRoger
-
TheJollyRoger
I think I have an idea of what happened, but what are you seeing right now, is the bootloader locked or unlocked?
-
Johnwake
hey
-
Johnwake
unlocked
-
TheJollyRoger
Also, what host and version of fastboot are you using?
-
Johnwake
minimal adb
-
TheJollyRoger
Could you tell me the output of `fastboot --version` and what host operating system is the computer running?
-
TheJollyRoger
You'll need to be specific, remember that I'm not sitting there next to you looking over your shoulder.
-
duke_h3
Are there any other kernel patches except for the malloc?
-
Johnwake
fastboot version eac51f2bb6a8-android
-
TheJollyRoger
duke_h3: Yes, look under kernel_google_[device codename]
-
TheJollyRoger
Johnwake: yep, probably an outdated or incorrectly versioned release of Fastboot.
-
TheJollyRoger
You're going to need to download the correct version of fastboot - incorrectly versioned or out of date versions of fastboot can brick your device.
-
TheJollyRoger
What operating system are you running?
-
Johnwake
windows atm
-
TheJollyRoger
Ok, great hang on a sec.
-
TheJollyRoger
duke_h3: I suggest you look at the GrapheneOS repository on github:
github.com/GrapheneOS
-
duke_h3
Wait, the hardened malloc is not a kernel patch?
-
TheJollyRoger
Johnwake:
developer.android.com/studio/releases/platform-tools You'll need to download the latest one from here for Windows.
-
TheJollyRoger
You will also need to remove /all other versions of fastboot/ from your computer.
-
TheJollyRoger
Remember, you can *softbrick your phone* with old and incorrectly versioned/numbered versions of fastboot. Your safest bet is to download platform tools directly from Google.
-
TheJollyRoger
It's likely that the version you used had broken autodetection.
-
Johnwake
How can I remove the old versions? TheJollyRoger
-
TheJollyRoger
duke_h3: it's not just a kernel patch, it's also integrated into the hardened Bionic C library which is unique to this project.
-
TheJollyRoger
Johnwake: you'll have to delete or uninstall them.
-
TheJollyRoger
When you type `fastboot --version` at the prompt, it should return something like `fastboot version 30.0.something`
-
TheJollyRoger
It must at /least/ be version 29.0.something in order to safely install GrapheneOS.
-
duke_h3
I am trying to assess the improvements you are doing to the security model of the device
-
duke_h3
One key issue is to be able to protect sensitive date
-
duke_h3
One key issue is to be able to protect sensitive data
-
duke_h3
like keys
-
hypokeimenon[m]
duke_h3 are you a developer?
-
duke_h3
yes
-
duke_h3
I write code
-
duke_h3
But nowadays I do mostly architecture
-
TheJollyRoger
You actually should be in a much better position to read it than I am, then. I'm just the greeter and the friendly face/installation help guy around this channel.
-
TheJollyRoger
I can understand some of these concepts at a very abstract level.
-
TheJollyRoger
The GrapheneOS threat model is to help mitigate and protect against exploits, such as memory corruption/slab corruption exploits on Linux.
-
TheJollyRoger
And Bionic C.
-
duke_h3
One thing that we are looking for is to protect the clients sensitive data like keys that could be very valuable
-
TheJollyRoger
It also uses strong encryption for the disk, which is always on, utilizes the full hardware security features of the phones, and implements remote attestation to ensure that you can prove the operating system you installed is the one you think you installed,
-
TheJollyRoger
while the operating system is online.
-
TheJollyRoger
duke_h3: in all honesty that's very very vague.
-
duke_h3
And one of the threats we are looking into is the potential for "bugs" like stagefright
-
duke_h3
I assume you are familiar with the concept?
-
TheJollyRoger
Stagefright's been mitigated on the factory operating system from Google, long ago. You can actually run a CTS test for it, and stagefright is one of the test cases.
-
TheJollyRoger
Under cts-tradefed, run "security-bulletin"
-
TheJollyRoger
This was a long time ago.
-
TheJollyRoger
Outside of that example, it's been one of GrapheneOS' core goals to try to mitigate exploits.
-
duke_h3
TheJollyRoger obviously, but it's safe to assume that similar threats are still out there
-
TheJollyRoger
Of course, that's why you keep your operating system up to date.
-
duke_h3
well I was hoping that GOS had a higher ambition
-
TheJollyRoger
I'm not quite sure what you're getting at, can you be more specific?
-
Johnwake
Hey TheJollyRoger I am having some trouble installing the new fastboot
-
duke_h3
to build in security walls so that a bug like SF could not be implemented
-
hypokeimenon[m]
<duke_h3 "well I was hoping that GOS had a"> What is that supposed to mean? lol
-
Johnwake
I'm not sure which program to run
-
TheJollyRoger
Because honestly what you're asking is not making much sense, it's very vague, and if I'll be bluntly honest, it feels like you're essentially trying to ask me to See The Future.
-
hypokeimenon[m]
Also, I am not affiliated with the Graphene OS project so ignore me.
-
TheJollyRoger
hypokeimenon[m]: heh, well, at least we're on the same wavelength.
-
duke_h3
Our assessment is that a lot of code in a big project like android is too large to audit in a safe way
-
TheJollyRoger
Johnwake, have you uninstalled all previous/old/obsolete versions from your computer, and downloaded the latest version of fastboot?
-
duke_h3
And much of the code is written in a way that allows bugs to be inserted
-
duke_h3
or mistakes are made
-
TheJollyRoger
duke_h3: right now GrapheneOS has expressed dissatisfaction with the state of the Linux kernel when it comes to security, or the lack of it. But right now we're working with the hand we've been dealt.
-
duke_h3
yes
-
TheJollyRoger
If you've got a Microkernel and Qualcomm reference SoC that's been fused to accept our own firmware, we welcome your contributions.
-
duke_h3
So we were looking into the concept of separating stuff so that unsafe android code could be run on the phone
-
Johnwake
I couldn't find a way of uninstalling it
-
duke_h3
and kept separate from the sensitive data
-
TheJollyRoger
Johnwake: you'll need to delete the old fastboot, then.
-
hypokeimenon[m]
"I thought the Graphene project had more ambition..."
-
hypokeimenon[m]
"Our assessment is that Android is too large to audit in a safe way..."
-
hypokeimenon[m]
This is a strange way to converse with a project trying its damnedest to be as secure as is feasible.
-
Johnwake
I'm just having trouble finding a way to delete it
-
Johnwake
I could use my linux pc if that makes things easier
-
duke_h3
I think you are doing an excellent job
-
duke_h3
And I really liked the concept you had on your webpage
-
TheJollyRoger
Johnwake: You'll need to do the same thing, do not install platform tools from your operating system's software repositories, download it from Google.
-
TheJollyRoger
If you already have, uninstall it.
-
Kurai
Johnwake if you are on windows you can just delete the folder
-
duke_h3
Talking about the Xen
-
TheJollyRoger
Well, again, as mentioned on the roadmap, adopting lofty goals like that is contingent upon the project being able to not just survive, but also thrive as a non-profit open-source project. If you've been at the development game for 20 years, we could use those skills.
-
duke_h3
Yes, that was the plan
-
duke_h3
I just need to understand where things are, and what resources I need to request
-
Johnwake
My current fastboot version on my linux pc is version 1:8.1.0+r23-5~18.04.
-
Johnwake
Is this the up to date version?
-
TheJollyRoger
Johnwake: you'll need to uninstall it, that version will create you a brick.
-
TheJollyRoger
No. If it doesn't say at least 29.0.[a number], you're going to get a softbrick.
-
Johnwake
How can I uninstall it?
-
TheJollyRoger
Please uninstall that version of fastboot and download platform tools from the link I sent you.
-
TheJollyRoger
What operating system are you running?
-
Johnwake
mint
-
TheJollyRoger
Oh man.
-
Johnwake
lol
-
TheJollyRoger
either su to root and run `apt remove fastboot` or run `sudo apt remove fastboot`
-
TheJollyRoger
If I recall correctly.
-
anupritaisno1[m]
strcat (@freenode_strcat:matrix.org): when does update engine verify during a streaming OTA?
-
TheJollyRoger
Johnwake: I have a script that should help prepare mint. Let me go and get it.
-
Johnwake
thanks
-
TheJollyRoger
Save that someplace, and `chmod u+x prepare-mint.sh`
-
joeri_poeri[m]
anyone else notice that switching an app using gesture control doesn't immediately disable scrolling in apps?
-
Johnwake
nice guide ty
-
TheJollyRoger
Johnwake: it's more than a guide! It's a shell script.
-
TheJollyRoger
You'll be able to download it and run it as if it were a program and it will do all that automatically for you.
-
TheJollyRoger
I strongly recommend you do it this way by running it as a script.
-
TheJollyRoger
Rather than run the commands manually.
-
Johnwake
I'll open it on my linux pc then
-
TheJollyRoger
Yes, this is for debian based Linux /only./
-
Johnwake
Ok
-
Johnwake
How would I run it as a script?
-
TheJollyRoger
Open a command terminal for me?
-
duke_h3
TheJollyRoger do you know if any of the architects are around?
-
Johnwake
Ok it is open
-
duke_h3
I understand that chat is prob the worst platform to try to ask my questions
-
TheJollyRoger
duke_h3: indeed, the lead developers do hang out in this channel. I would highly suggest though coming up with very specific, very focused questions to ask them though, /before/ you start asking them broad and vague ones.
-
TheJollyRoger
I can help you with that if you'd like, because I do not want to waste their time, and they would not like their time to be wasted either.
-
duke_h3
I work partly over at Bodhi Linux, so I know that drill
-
duke_h3
And I have to say guys like you do a very good job
-
duke_h3
and the projects would not survive without you
-
TheJollyRoger
Before you do anything more, I HIGHLY ENCOURAGE YOU TO open it in a text editor and make sure I haven't snuck in something like a "delete everything/nuke your computer" command in there.
-
duke_h3
HA HA HA
-
» TheJollyRoger cracks up
-
duke_h3
copy all the bitcoin keys to the internet
-
Johnwake
lol
-
dazinism
duke_h3: if you want highly protected data, you would do best copying the design brought in on Pixel 3
-
dazinism
Using strongbox
-
dazinism
Its a load of work to set everything up properly
-
TheJollyRoger
Hey, I tricked someone into running `curl -s [file] | bash` once :D Fortunately, all it did was print a skull-and-crossbones ascii art onto his terminal :P.
-
Johnwake
&& chmod u+x prepare-mint.sh
-
Johnwake
Do I put these last terms in the same line?
-
TheJollyRoger
Yep! && is Unix for "and if it went successfully, run this next command."
-
Johnwake
nice
-
TheJollyRoger
Once you're /completely/ confident that I haven't snuck in a "nuke your computer/install malware/steal your bitcoin keys" command into that script, the command to run it is,
-
TheJollyRoger
`./prepare-mint.sh`
-
dazinism
and the apps that would hold the precious data would need to be set up to make full use of strongbox
-
TheJollyRoger
What dazinism said! The strongbox keymaster API is pretty neat: keys check in, and can't leave.
-
TheJollyRoger
I don't quite fully understand how it works though.
-
TheJollyRoger
So the android documentation on it is a must-read.
-
TheJollyRoger
By the sound of it, it's a full API with all sorts of functionality that can be used for a lot of different things involving cryptographic operations that need to be kept separate from the host or while the host is locked.
-
Johnwake
ok it is running
-
TheJollyRoger
Great.
-
Johnwake
This must have taken you a while to produce
-
TheJollyRoger
Keep an eye out on what it prints to your screen, I tried to make it so that it walks you through what it's doing.
-
Johnwake
I think i'm downloading something from google
-
TheJollyRoger
Heh, well, a little bit, I just collected most of the stuff I was telling most users to do.
-
TheJollyRoger
Yep, it's downloading platform-tools-latest.
-
Johnwake
I am now ready to install graphene os
-
TheJollyRoger
Great!
-
Johnwake
I'll redownload the file then try to flash it once more
-
TheJollyRoger
Hopefully this got all the dependencies. Occasionally we've had some users come in with strange or unusual configurations for Mint that have produced errors, but this covers like ~90% of cases.
-
TheJollyRoger
Sure.
-
TheJollyRoger
From this point, you should be ready to follow the official instructions; that said, if you get a "<waiting for device>" when you type in fastboot flashing unlock or any operations involving fastboot, you will need to reboot the computer, because udev is not reloading its rules. This can be "fixed" by simply restarting.
-
TheJollyRoger
This should hopefully help. If it goes wrong, be sure to save the logs of what happened, because they contain valuable information that can help us figure out what went wrong.
-
TheJollyRoger
(If you're in the 10% with an unusual configuration or are missing dependencies that weren't installed)
-
Johnwake
Thank you
-
TheJollyRoger
You're welcome!
-
TheJollyRoger
Oh yeah.
-
TheJollyRoger
One more catch...
-
duke_h3
Well I will get a Pixel 3 in the coming days
-
TheJollyRoger
Use the USB A-to-USB-C cable that came with your phone, or if you didn't get one, make sure it has full tracing. Plug it directly into your motherboard, don't plug it into a front port.
-
duke_h3
Then we shall see
-
TheJollyRoger
Hey right on.
-
duke_h3
Btw, we are running a webTV channel
-
duke_h3
for the PirateParty here in Sweden
-
TheJollyRoger
The thing is that a lot of vendors are kinda lackadaisical about supporting all the traces with front USB ports, and fastboot uses all the traces
-
duke_h3
we could make an episode on the project
-
TheJollyRoger
Arr!
-
Johnwake
wait a moment
-
Johnwake
My fastboot version is still the same as before
-
TheJollyRoger
Ok, that's bizarre.
-
TheJollyRoger
can you search up `apt search fastboot` and see if apt is still reporting fastboot to be installed?
-
Johnwake
I don't think so
-
TheJollyRoger
if it isn't, apt is broken... and we've had this happen before.
-
TheJollyRoger
Can you search it up and see if it says installed?
-
Johnwake
I don't see that phrase
-
TheJollyRoger
can you type in `which fastboot` and paste the answer here?
-
TheJollyRoger
if it's in anywhere but /home/[username]/GrapheneOS, then your operating system is holding onto broken packages.
-
Johnwake
says /usr/bin/fastboot
-
TheJollyRoger
Yep, your operating system is holding onto broken packages.
-
TheJollyRoger
This happens a lot with Mint.
-
TheJollyRoger
Hang on a sec.
-
TheJollyRoger
can you run `sudo apt purge android-sdk-platform-tools-common -y && sudo apt autoremove -y` for me, then run `which fastboot` a second time?
-
TheJollyRoger
And tell me if it still says /usr/bin/fastboot ?
-
Johnwake
sure
-
TheJollyRoger
Don't worry... we've had bucketloads of problems with Mint before, this is nothing new.
-
Johnwake
Do I need to type " ` " when I type the command?
-
TheJollyRoger
Oh no no no, the backticks are just there to differentiate what I'm saying from the command syntax.
-
Johnwake
cool
-
Johnwake
Still the same fastboot
-
Johnwake
and location
-
TheJollyRoger
Ok. Last resort. `sudo mv /usr/bin/fastboot /usr/bin/fastboot.old && which fastboot`
-
TheJollyRoger
This is a pretty awful hackjob to temporarily rename it but Mint itself can't get much worse.
-
Johnwake
is the " && " spaced?
-
TheJollyRoger
Yes.
-
Johnwake
missing destination file operand after `/usr/bin/fastboot/usr/bin/fastboot.old`
-
TheJollyRoger
You need to properly space your commands -- you omitted a space.
-
TheJollyRoger
Please type those commands (minus the backticks) exactly as I type them.
-
Johnwake
Ok
-
Johnwake
ok
-
Johnwake
it says cannot stat `/usr/bin/fastboot
-
Johnwake
but my fastboot is in the graphene folder
-
TheJollyRoger
Please type in, exactly as I type it:
-
TheJollyRoger
sudo mv /usr/bin/fastboot /usr/bin/fastboot.old && which fastboot
-
TheJollyRoger
Copy that exact line.
-
TheJollyRoger
That whole line, please.
-
Johnwake
ok
-
TheJollyRoger
This /needs/ to be done exactly. Please do not try to take shortcuts; the computer won't like it.
-
Johnwake
I followed your instructions
-
TheJollyRoger
What do you see for `which fastboot`+
-
TheJollyRoger
*`which fastboot`?
-
Johnwake
I get /home/land/grapheneos/platform-tools//fastboot
-
Johnwake
however
-
Johnwake
When I copy and pasted your cmd I got `mv: cannot stat `/usr/bin/fastboot` : No such file or directory
-
TheJollyRoger
Ok.
-
TheJollyRoger
Can you check fastboot version with `which fastboot`?
-
TheJollyRoger
Er,
-
TheJollyRoger
Sorry,
-
TheJollyRoger
can you check fastboot version with `fastboot --version` ?
-
TheJollyRoger
Sorry, my mistake.
-
Johnwake
for fastboot --version I get bash: /usr/bin/fastboot: no such file or directory
-
TheJollyRoger
post output of `export path`
-
Johnwake
post output?
-
Johnwake
nothing happened
-
TheJollyRoger
er, sorry, can you close that terminal window, open another one, and try `echo path`? My mistake
-
TheJollyRoger
Sorry, my mistake there.
-
Johnwake
gave me "path"
-
TheJollyRoger
Sorry `echo $PATH` ahahaha sorry.
-
TheJollyRoger
Brainfart there.
-
TheJollyRoger
Sorry.
-
TheJollyRoger
Phone rang.
-
Johnwake
No worries
-
Johnwake
I'm glad you're helping me at all
-
Johnwake
I got /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/home/land/GrapheneOS/platform-tools/:/home/land/GrapheneOS/platform-tools/
-
TheJollyRoger
Hang on a sec, it's still giving you an incorrect fastboot version even with path set and the old fastboot moved to "fastboot.old"?
-
Johnwake
I'm not sure
-
Johnwake
wait
-
Johnwake
when I type fastboot --version
-
Johnwake
I got 30.0.01-6435776
-
TheJollyRoger
Ok, great, it's working.
-
TheJollyRoger
Proceed to install GrapheneOS.
-
Johnwake
installed as /home/land/grappheneos/platform-tools/fastboot
-
Johnwake
dude
-
Johnwake
Thank you so much!
-
TheJollyRoger
You're welcome :)!
-
TheJollyRoger
We're weathering the storm! Okay! The next step is going to be to flash... now if you're missing some dependencies, Mint may complain. There's a good chance you aren't, but keep an eye on the backbuffer.
-
Johnwake
got ya
-
Johnwake
One more question
-
Johnwake
what is the factory image?
-
TheJollyRoger
The factory image, in common parlance, is actually a zip file containing an installer script, the firmware for your phone's modems and radios, and also the system image, which is itself going to be in another .zip file.
-
TheJollyRoger
The system image is a pre-built operating system image, which is signed, and verified by the bootloader itself.
-
TheJollyRoger
Which device do you have?
-
Johnwake
pixel 3
-
TheJollyRoger
Got it. You'll want this one then, for the Pixel 3 (with the glass back, NOT the 3a).
releases.grapheneos.org/blueline-factory-2020.05.05.02.zip
-
TheJollyRoger
This will work on the 3 only. It will not work on the 3a.
-
Johnwake
Understood
-
TheJollyRoger
Once you download it, unzip that file to anywhere you like, and follow the instructions (you do not need to unzip it to platform tools, and in fact I recommend against this)
-
TheJollyRoger
Inside, you'll find another .zip file, and a file called "flash-all.sh". That "flash-all.sh" file is the installer file, which will take care of the rest.
-
TheJollyRoger
Make sure to lock your bootloader after installing; all GrapheneOS phones have the entire system image signed and validated and bitwise identical right down to the very last bit.
-
TheJollyRoger
This ensures that the operating system you run, is the same as the operating system I run on my Pixel 3, as well as every other Pixel 3 running GrapheneOS that has its bootloader locked, and is validated all the way back to the signing keys, and you can use attestation.app to prove it.
-
Johnwake
The program won't run
-
TheJollyRoger
Can you tell me the error message?
-
Johnwake
Should I run it through the cmd?
-
TheJollyRoger
(Remember, I'm not sitting next to you and I'm essentially flying blind)
-
Johnwake
Understood
-
TheJollyRoger
Yes, you will need to execute it using `./flash-all.sh`
-
Johnwake
cmd prompt it is
-
BrokenCog
Where does the BuildID come from in this step?
-
BrokenCog
./vendor/android-prepare-vendor/execute-all.sh -d bonito -b $BUILDID -o vendor/android-prepare-vendor
-
TheJollyRoger
You'll need to cd to where it's been downloaded and run it from there.
-
BrokenCog
I thought it was emitted by the choosecombo output?
-
TheJollyRoger
BrokenCog: it should be on... just a sec.
-
Johnwake
CD?
-
TheJollyRoger
BrokenCog:
developers.android.com/android/images - do you see something that looks like "QQ2A.200501.001.B2"? That's the build ID. You will need Dan V's patch to the script or it will fail with a "URL Not Found" error.
-
TheJollyRoger
Johnwake "cd" (remember that in Linux, commands are cAsE sEnSiTiVe!) means "change directory"
-
BrokenCog
ah, I had that patch and thought it was only for a previous graphene release ... guess I need it again.
-
BrokenCog
thanks
-
BrokenCog
also, that link to the android/images is 404, but was this what you were linking:
-
Johnwake
ok
-
Johnwake
I think it's finished
-
TheJollyRoger
BrokenCog: Whoops. Sorry, it should be
developers.google.com/android/images , sorry >_<.
-
BrokenCog
okay, so "QQ2A.200501.001.B2" not "QQ2A.200501.001.B2.2020.05.05.02" ?
-
TheJollyRoger
Johnwake: Awesome! It will reboot to "fastbootd" you're going to need to select the option "reboot to bootloader"
-
BrokenCog
or ... trial and error ? :)
-
TheJollyRoger
BrokenCog: I think the first one, QQ2A.200501.001.B2, give that one a try?
-
Johnwake
then lock the bootloader right?
-
TheJollyRoger
Johnwake: yep! Lock your bootloader!
-
BrokenCog
yes, that's the correct one. It IS also output by choosecombo/lunch.
-
Johnwake
ok it is locked
-
Johnwake
Do i START?
-
TheJollyRoger
Johnwake: okay! Start it!
-
Johnwake
caps
-
Johnwake
dude
-
Johnwake
yes
-
Johnwake
yes
-
Johnwake
Can I unplug my device?
-
TheJollyRoger
Splice the mainbrace! Welcome aboard the ship, matey! :)
-
TheJollyRoger
Yep! Unplug your device.
-
TheJollyRoger
You can optionally decide to turn "OEM unlocking" to off if you like.
-
Johnwake
I should
-
Johnwake
Thank you TheJollyRoger
-
Johnwake
You were such a big help
-
Johnwake
Thank you
-
TheJollyRoger
Anytime :).
-
TheJollyRoger
I hope GrapheneOS serves you well! If you like, you can get Signal from
signal.org/android/apk <- this is the only place you should be getting Signal from if you cannot compile it yourself.
-
Johnwake
I'm glad I made the investment
-
Johnwake
thanks again
-
TheJollyRoger
While F-Droid is far from ideal and contains a lot of old and outdated applications which are liable to stop working, if you, you can navigate to
f-droid.org and install it from there if you like.
-
TheJollyRoger
Anytime :)
-
Johnwake
it was either this or the librem 5
-
TheJollyRoger
There's a short usage guide at
grapheneos.org/usage
-
TheJollyRoger
Hehe, well, you certainly made the right choice here ^_^.
-
Johnwake
great ty
-
TheJollyRoger
If you're interested in knowing more about GrapheneOS and the security features on it I can show you around a little bit but most of the security features, such as verified boot, function transparently, and there are no knobs/tunables/tweaks, etc.
-
TheJollyRoger
However I can certainly show you around Auditor, which I highly recommend you use.
-
Johnwake
sounds good
-
TheJollyRoger
attestation.app/tutorial will tell you how to use the local or remote verification: One of the things that makes the Pixel 3 so secure is the presence of the Titan M HSM embedded in the phone.
-
TheJollyRoger
That Hardware Security Module has a private key in it, the certificate of which is validated by a batch key, which is then validated by a vendor key, which is then validated by Google's root certificate.
-
Johnwake
It's funny how Graphene os is only on the "Google" Pixel
-
TheJollyRoger
So the interesting thing is that remember the verified boot we talked about earlier? The Titan is in a very privileged position and while it can't control the phone (it can only run signed code), it can actually attest to the authenticity of the digital signature on the phone's system image.
-
Johnwake
dayum
-
Johnwake
Thats pretty cool
-
TheJollyRoger
It can even do this if the operating system tries to lie about its own authenticity!
-
Johnwake
=$
-
TheJollyRoger
So if for instance, let's say you somehow download malware, and somehow that malware escapes from the SELinux sandbox, breaks the Linux user model, and manages to modify your system partition...
-
TheJollyRoger
The next time your phone dials in to submit an attestation, the Titan will detect that tampering has occurred since the signature won't match.
-
TheJollyRoger
And it'll be able to warn you "Hold it! Something's not right!" and send that warning to another (hopefully not compromised) system.
-
TheJollyRoger
The attestation's under your control as a user as well, you can turn it on and pair it, or un-pair it anytime you like.
-
TheJollyRoger
Heh well... the irony many people have pointed out of wanting to get privacy from Google... and needing to buy Google handsets isn't lost on me... but there's a good reason for it:
-
TheJollyRoger
The funny thing is that Google actually is probably the best vendor for it: they're actually the most helpful when it comes to providing support for the handsets. They provide all their tools as open source and the entire system pretty much as open source, and they even make firmware available to us (although you have to ask for it)
-
TheJollyRoger
They also have gone out of their way to allow us to run our own system images on their phones with full hardware security features enabled: most other vendors will only allow you to run different operating systems on their phones if you cripple the bootloader security.
-
TheJollyRoger
Samsung, for instance, if you want to run your own system image on their phones, you must /permanently cripple/ bootloader security forever, and then the phone will never be the same again.
-
Johnwake
huh....
-
TheJollyRoger
Yeah. Google also is probably the best in terms of firmware security and diligence. They actually take their firmware security seriously, and even have gone so far as to implement Insider Access Protection which is the neatest thing since sliced bread.
-
Johnwake
One question
-
TheJollyRoger
Firmware absolutely, and should be updated, and treated like any other component of the software stack; it must be kept up to date to mitigate exploits.
-
TheJollyRoger
The Titan M won't allow the firmware to be updated /unless/ it receives the password.
-
TheJollyRoger
So this deters an attack where a very determined adversary confiscates your phone, takes it to Google or to Qualcomm, and then uses legal or extralegal pressure to get them to sign rogue firmware.
-
TheJollyRoger
Yeah what's up?
-
Johnwake
How do I sync my contacts from my sim card?
-
TheJollyRoger
Even if they were to find an exploit for the operating system, root your phone, and try to push an update to it, that IAP prevents the phone's firmware from being updated unless *you* do it.
-
TheJollyRoger
Ah, huh. I've actually never tried that on GrapheneOS before, heh.
-
TheJollyRoger
I didn't even know storing contacts directly on the SIM card was still possible, I thought the phone industry had started to move toward deprecating that function.
-
Johnwake
For sure
-
TheJollyRoger
Yeah, sorry. I don't know if there's an easy way to do it without simply copying the contacts off by hand :(.
-
Johnwake
No worries
-
fll[m]
I use an app called "dumb phone assistant" to copy from and to sim cards
-
TheJollyRoger
The contacts app can accept properly formatted .vcf files but--
-
TheJollyRoger
Oh splice the mainbrace!
-
TheJollyRoger
fll[m] to the rescue!
-
miniblue[m]
The security of GrapheneOS is crazy. It's a fucking dream, actually.
-
TheJollyRoger
Yeah!
-
TheJollyRoger
I like the hardware bound encryption the best and a long passphrase.
-
TheJollyRoger
I find it very difficult to memorize eight random digits or like a password generated by KeePass, but it's relatively easy for me to memorize four distinct dictionary words.
-
TheJollyRoger
Much easier for me to type too.
-
TheJollyRoger
(Even though a four digit pincode is enough, thanks to the Titan and the increasing lock timeout.)
-
TheJollyRoger
As well as the Android compartmentalization, that's a huge one.
-
TheJollyRoger
Johnwake: if you're familiar with or you've used Android before, you'll notice that there are two new permissions GrapheneOS has that are unique to it: Sensors, and Network. Turning off Network permissions will prevent the app from dialing out, and turning off Sensors will zero out sensor input.
-
Johnwake
Yea I saw
-
TheJollyRoger
Something you might consider getting if you use F-Droid, is OpenCamera. Turn on the "Camera2" API and watch the quality of your pictures *skyrocket*
-
miniblue[m]
I have a six digit pincode but will probably eventually shift to some sort of passphrase if it's better from a security perspective. But you know, Titan M and all.
-
TheJollyRoger
Yeah. The passphrase for me is sorta force of habit. It's just easier for me to memorize it.
-
Johnwake
it would be cool if you guys added a usb kill switch
-
gervarouge[m]
There is
-
gervarouge[m]
Kinda
-
miniblue[m]
Also use Bitwarden but should shift to KeePass as it's a lot better from a security perspective.
-
TheJollyRoger
Not required actually -- while the phone is locked, it won't allow new gadgets plugged into it unless those gadgets were plugged in *before* it was locked.
-
TheJollyRoger
When you plug in, it won't let the phone do anything but receive power.
-
TheJollyRoger
Unless you select to allow it.
-
gervarouge[m]
Bitwarden is pretty terrible
-
TheJollyRoger
(Although you can change this default behaviour in Developer options, I strongly recommend you leave it as the default, the defaults are set to be secure. That function is only done to save developer time for engineering and testing only! Please don't use it!)
-
miniblue[m]
Yeah I agree. I heard there was some weird blackbox tracker shit and their server hosting is insecure. Plus it's a cloud service and those are terrible for passwords.
-
gervarouge[m]
Cloud service is fine
-
gervarouge[m]
Forcing account management through website is sketchy
-
miniblue[m]
That's true
-
TheJollyRoger
Now there is one thing you should know about USB killing...
-
TheJollyRoger
Unlike the iPhone X, the Pixel 3 doesn't have USBKiller Protection.
-
TheJollyRoger
So if you plug a 10,000 volt USB Killer into an iPhone, it'll ground out and will probably be fine, but a Pixel 3 will be fried.
-
gervarouge[m]
Not really a security issue
-
gervarouge[m]
It's worth noting though
-
TheJollyRoger
So even if you're protected from JuiceJacker attacks, *please* don't plug it into devices that are designed to send 10,000 volts into your phone.
-
TheJollyRoger
Heh, yeah.
-
miniblue[m]
TL;DR don't plug shit in unless you know what it is.
-
TheJollyRoger
Yeah.
-
miniblue[m]
Which I mean goes along with "don't install apps that you don't trust" or "verify your sigs" or "don't click on random links" or "don't send 8 Bitcoins to the Nigerian Prince".
-
» TheJollyRoger cackles
-
TheJollyRoger
Yeah.
-
miniblue[m]
Because the most insecure part of any system (besides Ubuntu) is the user.
-
TheJollyRoger
I think there's a YouTube channel where someone actually "destructively tests" cellphones and I think one of them he destroyed a Pixel 3 by giving it a 10,000 volt surprise. Interestingly enough, the screen remained fine for a second, but the phone was *gone*.
-
TheJollyRoger
like, boom, instant death.
-
gervarouge[m]
I sent 6 I'm okay right?
-
TheJollyRoger
Ahahaha XD
-
miniblue[m]
Open Camera's UI man
-
Johnwake
bet
-
miniblue[m]
I mean look at it
-
TheJollyRoger
It's... it's a little bit clunky :(
-
TheJollyRoger
OK and that's an understatement X(
-
miniblue[m]
Still better than my Leafpic Revived icon
-
miniblue[m]
I would just use Simple Gallery but I hate the UI of those apps for some reason.
-
miniblue[m]
I actually find UI design pretty important tbh. I know that's probably not the best but I have chosen some apps over others simply because they look better.
-
miniblue[m]
(When there is no other major difference, that is)
-
Johnwake
I'll catch you guys later
-
Johnwake
Thanks again TheJollyRoger
-
TheJollyRoger
Anytime!
-
bseeinu[m]
<miniblue[m] "Also use Bitwarden but should sh"> Same. Though a couple things:
-
miniblue[m]
Well honestly the whole appeal of KeePass is the offline element. I think you can sync it with some stuff but not sure what.
-
bseeinu[m]
I mean, it's nice to have a synced database between Graphene, macOS, etc for all regular and mundane accounts
-
bseeinu[m]
Like, very nice
-
bseeinu[m]
If it was an encrypted database via WebDAV for KeePass
-
bseeinu[m]
It'd be great. But there's only one open source Mac client doing that, not any on Android that I could find
-
MadCamel
maaan.. can't wait until the bluetooth audio fix rolls out I'm dying here
-
MadCamel
I use syncthing to keep my files synced between devices, including keepass db. might be something you could explore
-
bseeinu[m]
Thanks! So wait, whenever I connect the bluetooth headphones in LDAC and no music plays but calls are okay
-
bseeinu[m]
That's a bug in graphene and not the app being stupid?
-
MadCamel
yeah that's a bug in graphene
-
MadCamel
if you are trying to use bluetooth audio and it plays from the phone speaker it's this:
GrapheneOS/os_issue_tracker #137
-
renlord
MadCamel: not a bug in graphene os
-
renlord
it's an upstream bug that got uncovered by Graphene OS
-
renlord
bseeinu[m]: it is patched now with an appropriate fix by valldrac. Wait for next release.
-
MadCamel
yeah I know. was leaving out the gory details.
-
renlord
MadCamel: it's not even gory detail, what you said was flat-out incorrect.
-
MadCamel
ok whatever you say boss
-
MadCamel
I'll refrain from helping people anymore since nobody likes my generalizations. Peace.
-
bseeinu[m]
Sweet, thanks for uncovering it!