Anyone know why Bromite defaults to Google search? Asking for a friend, lol

<jalb "You can only se 1 VPN service in"> Thanks!

U could use 2 if I use shelter or similar

<strcat "there is an issue filed in our t"> Will it still be helpful at this stage to have this done? I'd be interested to do it but only know some Java, a bit of C, and nothing about Android development so don't know if it's something I could even realistically do.

Another thing I'd be interested to do even more, is a 'sub-contacts' feature, where you can create a list of say just 10 contacts out of your full list and feed just that into a messenger app, so it doesn't have access to all your contacts

organella: If you try, you're capable, if you've worked with those languages. See GrapheneOS.org/build for info. We really need ya.

organella[m]: just use user profiles

profile A -- full contact list; profile B -- sub contact list

besides, you cant even control how apps will use your new custom contacts api to retrieve sub contacts

so at the end of the day, you still need to use user profiles

<DannyWorkOrderPr "organella: If you try, you're ca"> Had a look and should be able to set up the environment. Don't want to promise anything before I've seen how it all works, and I don't have much spare time at all, but would be happy to help if and with what I can.

<renlord "organella: just use user profile"> Isn't it a hassle to constantly switch profiles for messengers?

And do you get a notification when you receive a message but are not in the other profile?

If your threat assessment says that it's dangerous for an app to view your full contact list, that's the only safe way around the problem.

User profiles.

I know, that's why I was thinking that a sub-contacts feature can add a lot of convenience for such use cases

The idea for the API is to replace the current API that the apps see so they won't even know the difference

It's a very worthwhile cause that will benefit many users and other projects, and your success story will surely spur more to jump in, too. You've got a lot of cheerleaders here, and people to help you leapfrog into action!

They ask for access to Contacts and they get access to Contacts and are none the wiser that there are multiple lists in reality

Danny@WorkOrderPro I know, and I'm sad to see that Graphene is so short on contributors at the moment which makes be doubly as happy to help

Why can't you toggle between profiles or just use different phones altogether.

I can but everything has a cost - carrying more than one phone isn't convenient (I often do have two...) - and switching profiles takes some time and mental cycles that add up so if they can be saved all the better

The same mental cycle exist if you split contacts like this.

People have to actively be aware that there are different contact groupings that's completely incompatible with the standard Android model

Sure, with enough effort and dedication you can make it compatible and less intrusive, but we already have a simpler solution for this type of threat model (i.e. using user profiles)

User profiles also have added benefit so you actually explicitly context switch to a different profile altogether.

The development work is a one off and it goes to 'voluntary work on a worthy project' so it's on a different time budget :) Then if you use profiles in comparison you still need to manage the lists, so let's say that would be the same amount of work and you'll only do it if you think it's worth the benefit. And the feature itself can require optional activation so Contacts work like in standard Android for the

regular user, and sub-lists are available only if you turned them on

You're mistaken to think that it's one off

True, maintenance

Unless you upstream your changes you are expected to maintain it until it at least gets upstreamed.

organella: for the record, I was not referring to the Contacts bit, but helping out Graphene in general =] Hoping you'll give it a go.

If you're 100% trying to get that specific change, I'd definitely see if you can PR it to upstream (AOSP).

Understood! But still best to start with something exciting to help go through the learning pains. And as I said I don't want to promise anything before I've seen how things work and time will certainly not be a great amount, but hopefully some bits here and there that are useful are possible!

Take a look at the issue tracker, and see if there's anything that piques your interest

The storage issue that was mentioned earlier sounded interesting too but there was no link, would you know which issue that would be? It was about doing some emulation for the apps that still target the old APIs with the storage permission

If it's still relevant of course given the expected v11 changes

Btw re PR to upstream, is there anything you'd normally do before you develop the feature, like ask if it would be accepted, or you just develop and offer it and see if they take it?

Like write out how it would work for example so they can say if any tweaks would be necessary before development

* Like write out how it would work for example so they can say if they'd require any tweaks to take it, before development

I'd definitely do a brief writeup and find whatever channel they use for chat, if any. Not a ton of experience with interacting with the AOSProject

organella: This is only storage related issue on the tracker right now: GrapheneOS/os_issue_tracker #105

organella : personally using different profiles has had many different benefits for me ,one of it being that i can feed it the contacts i want,the others are that the app i want to restrict doesn't have access to my main user profile storage ( assuming its an app that needs storage permission to function properly ) and another important one is that i choose what other apps are in that profile and i can isolate it in

that regard as well

I love the profile segregation and use it! This is just for the extra convenience of not switching profiles to use my main messengers. But it's also a part of a larger point about permissions. I hate it when an app says I want everything or I won't even start. I want to be able to say - you want to manage calls and sms? Ok, here you go, a dummy api for call management that's not connected to the actual calls and

texts. You want location - Location manager, tell this app I'm at these coordinates in Paris. You want Contacts? Here, my only two contacts.

These are complaints that should be directed to app developers

Their apps should handle denied permissions gracefully.

Aaaarrgh python2, why oh why is Google holding out on you...

<renlord[m] "These are complaints that should"> Somehow I don't see Tencent heeding my complaint that WeChat should work without drilling my phone for everything

TheJollyRoger: replaced in master

And my Chinese client won't use anything else

what are you doing that needs python2?

I uh...

don't need it to build GrapheneOS unless you build Vanadium

I'm uh, trying to build Vanadium... on my G-- oh

So control needs to be in the user's hands, not the app developer's

ah yeah

you need it for Vanadium lol

for now

Got it!

it takes so long to build

I need a new computer

Jeez.

probably one of these

but I heard there are issues with ECC memory on Linux

and I don't think I want to get 128GB+ of memory without ECC

I currently use ECC RAM on Linux...?

But it's on POWER and not x86.

I don't know what difference that would make, unfortunately.

it's an issue with threadripper

not ECC ram in general

Oh!

Oh yipes big difference then O_O.

I wonder if they can fix it with a microcode update? Or is this just uh... not fixable/defect by design?

TheJollyRoger: I think it';s a Linux kernel bug

for threadripper

OH!

Oh yipes >_<.

rip

Someone had an issue with removing apps. How did you solve it? I run into the same problem. Uninstalled the app through Aurora. In permission settings I still can see this app has access to them

* Someone had an issue with removing apps. How did you solve it? I ran into the same problem. Uninstalled the app through Aurora. In permission settings I still can see this app has access to them

* Someone had an issue with removing apps. How did you solve it? I ran into the same problem. Uninstalled an app through Aurora. In permission settings I still can see this app has access to them

* Someone had an issue with removing apps. How did you solve it? I ran into the same problem. Uninstalled an app through Aurora. I still see this app has access to certain permission settings

<joshman[m] "Someone had an issue with removi"> Uninstall through system settings

Strcat why not use something like distcc on aws or something

Then spin it down when you're done.

too inconvenient and slow

strcat[m]: I'm in similar need of a new workstation/system and I want something with ECC RAM. What exact issues are you referring to? I remember kernel EDAC reporting for Ryzen platforms didn't work for quite awhile but was allegedly fixed with the 5.4 LTS kernel

Let me know what you find

I was talking about this with cdesai recently and he wa also uncertain about this

One thing I saw recently was somebody building a workstation with a server epyc chip

Yeah me too

Lower clockspeed and more expensive, but I'm not counting it out

I've been tempted to try and get a Gigabyte X570 board, lower end Ryzen chip and ECC RAM and try and return it if it doesn't work, but that's a hassle in Canada.

:/

It might be easier to just find somebody with a working config on the internet and just try cloning that

There haven't been many attempts with the X570 platform

and the ones I've found are ASUS and I'd liek to avoid them for other reasons

*cough* garbage QC/RMA department outside of US

Maybe try asking AMD? I dealt with them for a rma and they were super nice

About ECC platform support? Their official response is "not disabled or hindered by US, but since it's Ryzen they [motherboard vendors] might do things differently"

I thought it's only a fresh compilation once a month

Then it's always just incremental builds.

Most of the time the bottleneck is the linker also.

renlord[m]: I think strcat still needs to do release builds more often then that

heheh

Though even on these chips lto takes so long

right

JTL: linux kernel LTO might be peak memory usage now that chromium uses thinlto

Hmm. For android-prepare-vendor, I need to use `qq2A.200501.001.b2` with `blueline` and it's case sensitive, right?

Oh wait a minute...

it's upper case

Yep, Got it, so the command should be something like `./vendor/android-prepare-vendor/execute-all.sh -d BLUELINE -b QQ200501.001.B2 -o...` etc etc etc...?"

yeah

Okay! It's just having a tad bit of trouble finding the url, I'm wondering if I should just try or if it's possible to download the images using curl or something like that and running the script on that instead...?

let me get it for you

you need to run the commands there as is

if you get the URL not found error

Got it. That's the part I'm stuck at. >_<

Oh.

Okay!

make the change from RattlesnakeOS/android-prepare-vendor 32e6e21

find -name download-nexus-image.sh

Woah, okay, let's see...

Woah, woah thanks! Okay! Just making the change now...

😁

There we go, the fix did it!

woot, woot

Now I just gotta wait for the download to finish, I'm imagining someone at Google writing the TCP packets onto parchment, putting the parchment into bottles, and tossing them into the sea.

One TCP packet at a time :D

You guys are free to imagine me hauling on a rope to winch the bits in faster while singing "~what shall we do with the drunken sai~lor ear~lay in the moo~~orning~~"

I miss mobile games on my Phone

Any safe way to run them?

gervarouge: Stuff on F-Droid is auditable.

Stuff you don't trust can be installed in other Android user profiles

<DannyWorkOrderPr "gervarouge: Stuff on F-Droid is "> Once in a while, I like the Tetris clone, and SuperTuxKart is a blast too - and cross platform/multiplayer! But you can disable the networking bits (they are by default)

<DannyWorkOrderPr "Once in a while, I like the Tetr"> SuperTuxKart is on iOS too?? Wow that's awesome I prefer playing with friends so

That's huge

I'm stoked thanks man

Not iOS, but Mac/Windows/Linux

Sorry to disappoint

iOS is in beta testflight

They have a blog post

Apparently it's going well

> Is there any way to know the api version an app is using?

renor

I guess the reason Fdroid keep apps with lower target SDK is for all the folks in the world on ancient/low end android devices

Neither the old apps or the old phones are good for security/privacy. But some people dont have the ability to choose

Read some dev from Cuba chatting about how they and many others collected apps and ran their app stores hyper locally on Bluetooth / wifi

I wonder if there will ever be decent security for old phones

iPhones excluded of course (looks at the 5s)

gervarouge: sadly quite a bit would have to change

I know virtualization can negate some local hardware attacks, but Qubes has proven that's only partially effective. I doubt a fully hardened Xen based Qubes would keep an old device safe.. :(

Yeah hardware often has unpatchable vulns discovered.

Then theres nothing that can be done

I mean you CAN, but it's not cost effective or even foolproof

See intel

MediaTek too. Google had to step in after 6 months and clean it up

The open source community has shown they can't keep up with firmware security like a serious company can either (Qualcomm or Apple come to mind)

So I guess the only hope is either a design safety push (I guess rust) which is only partially helpful. And probably open source officially

Overall it's probably a lost cause and recycling is the answer

I flashed a grapheneOS yesterday on my new pixel 3. It was quite late.. I set a lock pattern and I forgot it 😅 is there anything I can do?

parazen616: yeah can reset the phone

Thought so... Thx

Get into recovery, the hold volume up and power

*then hold

gervarouge: guess something is possible. Although performance will likely be substantially below state of the art devices

FPGAs give the ability to "change the hardware" if issues are found

Although I imagine theres the possibility of vulns found in the basic architecture of a FPGA

True, the xen4android prototype (essentially Qubes for Android) claimed 97% performance retained. On a high ram device that's not bad at all even if they are old

dazinism: higher targetSdkVersion doesn't impact compatibility

dazinism: it's not the minimum version, it's the target version for semantics

you have to support older versions with custom code as always

Yeah, as you pointed out before, keeping support for old SDK versions takes dev time away from other stuff (eg. targeting newer SDK)

strcat: talking of which, I've been snooping about trying to work out exactly what would be involved getting PDFViewer signed by you on FDroid.

Theres a few apps that do it Briar, Oeffi, the Fdroid App

the older v1 signing format is far less secure so I won't use that

That was the question I was going to ask

strcat: was wondering if somehow could get it done with v1 and v2 sigs - possible in AOSP not sure about Fdroid

If it was possible on Fdroid, would you add a v1 sig ?

Or make a release with v1 and v2 ?

dazinism: it doesn't have v1 because the oldest supported version has v2

I won't add v1, it's not secure

Was thinking it'd be nice to get it on Fdroid. All kinds of people use it. They could benefit, may even get contributors to the app, plus get some extra visibility for GrapheneOS generally.

Good call

Not worth it

signature v2 was added in Android 7 and is a security update

August 2016 is when Android 7 was released

v2 was available before then since there was the SDK to support Android 7 and dev previews

Yeah, I know. Guess we'll have to wait and see when they may move to supporting v2

I don't understand why they can't support v2 trivially

I got confused looking at their repos

Someone made a PR for v2 and v3 recently

and btw Android 7 support is over so I am dropping it from those apps

right now

But somehow it wasnt for their build server, but for somewhere else

..well doesnt add v2 support for their reproducable builds

btw that's a substantial security downgrade due to using F-Droid

i.e. all their signatures are v1

despite it being far less secure and replaced in August 2016

v2 is a whole file signature

wouldn't you expect that signature verification checks the whole file?

apparently on F-Droid, it does not, since they didn't ship v2 sigs in 2016

they shouldn't support using jarsigner at all

apps without v2 signature should be considered a security vuln

Yeah, its not great is it

v1 signature is only included when supporting API < 24 and v2/v3 signature is always included

since v1 (JAR signing) had serious security flaws

From that PR looks like they may get v2 soon

I just don't really consider it at all acceptable that they didn't add v2 ASAP in 2016

says a lot

if you get the apk from the devs it will have v2 sig

downgrading the security of apps from upstream, especially when they may make the assumption that the whole file is verified

is problematic

Its a weird sprawling project, much/most done by volunteers.

an app with minSdkVersion 24+ that assumes the whole apk is verified is not wrong unless it's built improperly

it's a security vulnerability in F-Droid

it's not just a missing feature

this is a serious vulnerability

dazinism: try verifying Signal with v1 and look at output

verbose

dazinism: paste.xinu.at/6EJrGp

hmm

like, doesn't this seem bad?

and the structure of the zip itself is not fully signed

Not had a chance to do any sig verification on a PC, has been on my todo list for a while. But I'm rarely on a PC nowadays.

dazinism: there were vulnerabilities found and rather than just fixing them they made a more secure format

but I think v2 can be considered a security fix

v1 design (from Java land) was flawed

When I was reading think I saw some stuff about v1 not being such a problem for apps via Fdroid, because of the way their repo and app works. But I cant remember why, or where I saw that.

I mean how much confidence do you have in their own security work when they don't apply a 2016 important security update to the signing format

dazinism: I'd guess they use similarly bad signing for their repo index

using v2 app signatures won't fix their repo index

anyways given up on them already

going to make our own thing

Yeah, I know theres problems with Fdroid, but theres problems everywhere.

the main problem is with culture

A GrapheneOS app store will be ace

you fix that by making a new project without those people

you cannot fix it with any amount of contributions or money

in fact, it will make the problem worse

Would CalyxOS ever work with you guys on this?

cn3m: guess they'd be interested, as would others.

Apparently wouldnt be too much work to get a minimal version up and running

would be cool

Base it off GrapheneOS seamless updates

renlord started looking at it a while ago, but I think hasnt had much time recently

Would be good to have as then updates to vanadium could be pushed out without needing full OS build for every device. Would save a whole load lf time

If theres a critical vanadium update that needs pushing out in between monthly releases

<strcat "TheJollyRoger: well I just chang"> Nice!!!

has anyone tried exploiting old versions of Graphene and Vanadium to see how effective exploits are?

i stop teaching next month and should have more time

> in fact, it will make the problem worse

See: Mozilla

openssl

gpg

linux kernel

lots of projects where if you give them more resources they will largely just add more attack surface / complexity

culture problem

not fixed by more resources

Guess the thing with Fdroid is that theres currently no good way for people to source apps.

Every source has issues

yeah and F-Droid is an obstacle to creating one

because people lack interest in making something when a crappy solution already exists

Most people don't think it's crappy

But between here and there people are still going to get their apps from somewhere..

you should see the downvotes I get

I'll add a warning when installing a v1 signature app

lol

I just raised the targetSdkVersion it expects to 28, why not do that too

<cn3m[m] "you should see the downvotes I g"> It's because people see it as the best option in a sea of nothingness, and cling to it illogically.

in GrapheneOS?

nice

Play Store *requires* API 28 for any new app or app update btw

I could find where this warning is implemented and add one for v1 sigs

<DannyWorkOrderPr "It's because people see it as th"> Making the best of bad options is not illogical

Guess its a question which is best

hypokeimenon: Poor wording, no sleep. They *don't speak out about their concerns* or dig too deep into it, because it's the best they feel they have.

All the nasty abusive apps on Play, or the less well implemented FDroid

cn3m: Important for the community to do this.

F-Droid also has legacy versions of apps, unmaintained forks, etc.

you aren't just getting the maintained software from the devs

<DannyWorkOrderPr "hypokeimenon: Poor wording, no s"> Yeah I agree.

Think all other app stores are trash (unless i miss something?)

you have F-Droid between you and the devs, building the code and maybe updating it

it's hard work. I have poured around an hour a day into it for 3 weeks

dazinism: at least with Google Play, a developer like myself can ship an app to end users through it

ptio Reddit is horrible

can't make some of this stuff up

dazinism: without people interfering in the security and making it worse

strcat yeah theres that

cn3m: Thank you. We're all in this together. Every bit you combat = more dev interest, and less time out our devs' full schedule to write that stuff out.

i'll probably never teach again, people these days dont even care much about learning in depth

just learning to pass fkin exams

<DannyWorkOrderPr "cn3m: Thank you. We're all in th"> thanks amigo

it has been incredibly dissatisfying

renlord: sorry to hear that

probably more satisfying doing stuff for grapheneos than getting paid to teach

ffs

one guy claimed I was a DanielMicay alt once. Never been so flattered

We all know you are

lol

renlord the hungry techie kids are all here, in these rooms.

Thanks for everything you do.

renlord: I mean that's what undergraduate degrees are about these days

At least it looks like FDroid repo will get v2 soonish

getting a piece of paper that gets you a better paying job through any means necessary

autodidacts are more keen learners than people who pay to go to university

Theres also other repos that have the developers builds of apps

and from the university perspective it's a way to get money to fund themselves

I don't think a lot of the profs want to be there teaching lol

it's just a sacrifice

to do what they actually want to do

yes

at least in my institution, if you can get enough grant monies through the door, you probably can be exempted from teaching

and grant monies again, is soul-crushing

yeah I have little interest in that kind of thing

the salary premium that comes with an undergraduate versus vocational education apprenticeship has been narrowing over the years

in my home state, skilled tradespersons probably start with better starting wages than graduates

Yeah I've never done academia, but know many folks that have. Spending so much time chasing grants or sweet talking large corporates to partner on projects.

Generally I think the increasing commercialization / marketization of the academy is a huge problem

Pixel Visual Core is a backdoor... I've heard it all

I literally want to delete my Reddit account

Backdoor to your nude selfies

theanonymousejoker is a buttface

he is consistently attacking sanity

last night it was the guy who said I'm stupid since MITM can't see encrypted data and it's useless to audit with

he also said that adtech coding is only for the browser

I worked in adtech on apps hello

I worked in adtech on apps hello

someone is emailing me and claiming they got hacked, typical daily emails

another one is asking me to hack someone for them (???)

usually their ex

you wouldn't believe the fucked up things people email to GrapheneOS and my email

People are.....

despite the dkim/dmarc?

still getting shitz?

renlord: lol not spam

genuine stupid emails

shit

I don't really get spam to those addresses now that I am dropping the fake emails via DMARC

I'm sure they'll start getting spam considering I have no spam filtering

I am totally willing to make DMARC/SPF/DKIM and TLS mandatory

you should report them as spam

what if someone from LKML wants to contact you?

and refuses to setup email properly?

they clearly don't want to contact me if they won't setup email properly

I'm not interested in what they have to say if they won't use a sane email setup to send it to me

<strcat "they clearly don't want to conta"> this

hmm maybe I should BCC myself instead of putting the emails in the folder via mutt so I can see the headers postfix added

i've met people who swear by the fact that email cannot be saved

and will refuse to put in any effort to setup email properly

yeah so I don't need their email

I get enough email already

I would happily do something like randomly rejecting 50% of emails

and people who really want to contact me will keep trying

a good subset of these people are security folks though

as long as they get notified it's rejected, it's fine

not ones I want to hear from

also they could just talk to me here

instead of annoying me with emails

emails are stressful, I have important emails I actually have to deal with and I get 50 stupid emails a day

at least this grapheneos mail server is not getting any non-spoofed spam yet

renlord: also ppl mail random shit to the security@ address

and come up with some BS reason it's a security flaw

strcat: you probably need a full time PA

like send email asking for Pixel 4 support

I get 10 of those a day

yes that's true

and send to security@ saying it's a security flaw it's not supported, k

shit

the community sucks

you're too good for us strcat

I'd say I get ~20 emails asking for device support daily

should auto-reply: "Pixel 4 Support PRs welcome, till then, good luck and goodbye"

although 1/2 of those are part of existing email chains

renlord: yeah but then they email about that

repeatedly

ask all these questions

I mostly just link to the faq / site

<strcat "I'd say I get ~20 emails asking "> That sucks man

I'm so sorry man

<dazinism "hub.libranet.de/wiki/gra"> Tnx for this, didn't know i could check which API the app targets, based on what you guys discussed up there the API level should be looked at more as a way of knowing how much the developer cares about implementing latest security and privacy standards right? And not that if an app's API is 24 or 25 it means that it shouldn't be used or its dangerous (i mean for normal

apps not the ones for secure communications or anything that has access to important data)

I finally got the development branch flashed on my phone!!!!!!!!!!!!!

Build number: aosp_sargo_userdebug 10 QQ2A.200501.001.B2 2020.05.13.21 test-keys

I would like to thank TheJollyRoger

and JTL for the help

I also want to thank strcat and renlord for telling me to stick with it and of course dan-v for the troubleshooting help.

congrats!!

thanks!

strcat: found this code in the AndroidHardeningArchive: github.com/AndroidHardeningArchive/…e/libc/bionic/omalloc.c#L2130-L2225

strcat: will use it as a reference for implementing `malloc_object_size` in `hardened_malloc`

Just came into the room, the past posts won't load up is that normal?

@neothechosenone:matrix.org: Yes, it is. But the room is logged, so you can view the logs.

Thanks

Just in case you didn't see it, in the room description there is the link to the logs

Thank you.

probably already know the answer to this but is there a way to get the os on non-pixel phones?

no, the project follows strict guidelines to get support; at this time that is only the Pixel line

awe well, i guess i'll switch when I get a new phone then

thx for that

you're welcome, please check out the FAQ, it has really useful information on how the project is setup and why some decisions are made

hardened security is the focal point

mhmm will do, i'm on resurrection remix rn and its time for a change

got any recommendations since i cant get graphene?

the chat isn't really here for that, but you can look up on the logs if you'd like

alrighty much appreciated

np

Good evening!

A friend of mine send me a link to your project a few days back

and I have been reading up on it ever since, watching YouTube and so forth

I have a bunch of questions about a few things, and was hoping to be able to find somebody that could help me out

We are currently working with a handset manifacturer

That is considering how to improve the users security

And one option is to add support of grapheneos

Is there any good resource what is required of the phone to be able to handle graphenos?

It's on the website.

Ahoy duke_h3!

Yep, let me get you the faq with respect to device support, give me a moment...

Yes I did read that part :)

I am sorry if I sound like a newbie here

No problem. What could I help you with?

but some of the requirements do not sound clear to me

I magine that you have the full cooporation of the company producing the device

Heh, well...

Google actually is very forthcoming with this.

For the pixel phone

But now I am talking about another vendor

that is interested

Ideally, we would want to get hardware tailored to the project's needs, in the far future.

But what would that be

Can you name the vendor in question?

But that's for the far future and is contingent upon getting enough regular contributors and being a stable, sustainable open source project.

not at the moment

Or are you not at liberty to say?

Alright, lol forget I asked.

There are well known, but not large

And are interested

My job is basicly to get an assesment to the CEO what it would take in terms of resources to increase there security profile

In theory, with enough money and manpower, a lot of things would be possible. But that's contingent upon the manpower and contributions recieved.

Yes, I have been in the buisness for 20 years ;)

But is it hard to boot G on a new device?

Well, let me put it this way:

Assuming it runs android today

If your objective is "just get the damn thing to boot once," then that's actually not that difficult in the grand scheme of things. However, it's a *completely* different ball game to produce stable, production-quality releases with security (and privacy) equivalent to or exceeding that of the reference implementation of Android provided by Google on its own handsets. This is a collossal

undertaking, requiring dedicated maintainers for each device that can backport all of the device-specific exploit mitigations, patches to the kernel, firmware,

Hello everyone

and testing to each device, for the lifetime of the device.

Hello ss66

How is it going?

This on its own is likely going to require full-time attention from someone, for the next three years.

Yarr, it be well!

Nice!

Ok I guess its more stupiq quiestion

( I have yet to get my Pixel 3 ) so I have so far not tried things out

but GOS is basicly a striped down version of android

Vendor support is /essential/ to this part, and isn't doable without the vendor at least being forthcoming with firmware updates and driver updates. Google so far has been very helpful here.

That are running a few patches

duke_h3: no it is not.

The most important patch is the malloc?

No. GrapheneOS is a large collection of subprojects that all work together in harmony to improve the security of AOSP: this includes the auditor and attestation server, hardened Bionic C library, Vanadium, hardened malloc, much of the specific work in the kernel,

it's right across the entire stack.

Ok

Hey I was wondering if one of you guys could kindly help me flash the os?

Got it, you have more that just the kernel patches

To call it "a few patches" is really selling the project short.

Hi Johnwake, I will be with you in just a sec.

Thank you

What problems are you having at the moment?

(I may need to ask you a couple questions to do some sanity checking, since I will not be over your shoulder)

aeonsolution[m]: Cheers

Ahoy JTL!

So I tried flashing the phone, however the os isn't installed

it just goes back to stock android

Hi Johnwake, could you be more specific. It's hard to diagnose the problem without any background.

I think I have an idea of what happened, but what are you seeing right now, is the bootloader locked or unlocked?

hey

unlocked

Also, what host and version of fastboot are you using?

minimal adb

Could you tell me the output of `fastboot --version` and what host operating system is the computer running?

You'll need to be specific, remember that I'm not sitting there next to you looking over your shoulder.

Are there any other kernel patches except for the malloc?

fastboot version eac51f2bb6a8-android

duke_h3: Yes, look under kernel_google_[device codename]

Johnwake: yep, probably an outdated or incorrectly versioned release of Fastboot.

You're going to need to download the correct version of fastboot - incorrectly versioned or out of date versions of fastboot can brick your device.

What operating system are you running?

windows atm

Ok, great hang on a sec.

duke_h3: I suggest you look at the GrapheneOS repository on github: github.com/GrapheneOS

Wait, the hardend malloc is not a kernel patch?

Johnwake: developer.android.com/studio/releases/platform-tools You'll need to download the latest one from here for Windows.

You will also need to remove /all other versions of fastboot/ from your computer.

Remember, you can *softbrick your phone* with old and incorrectly versioned/numbered versions of fastboot. Your safest bet is to download platform tools directly from Google.

It's likely that the version you used had broken autodetection.

How can I remove the old versions? TheJollyRoger

duke_h3: it's not just a kernel patch, it's also integrated into the hardened Bionic C library which is unique to this project.

Johnwake: you'll have to delete or uninstall them.

When you type `fastboot --version` at the prompt, it should return something like `fastboot version 30.0.something`

It must at /least/ be version 29.0.something in order to safely install GrapheneOS.

I am trying to asses the improvements you are doing the security model of the device

One key issue is be able to protect sencitive date

One key issue is be able to protect sencitive data

like keys

duke_h3 are you a developer?

yes

I write code

But now adays I do mostly arcitecture

You actually should be in a much better position to read it than I am, then. I'm just the greeter and the friendly face/installation help guy around this channel.

I can understand some of these concepts at a very abstract level.

The GrapheneOS threat model is to help mitigate and protect against exploits, such as memory corruption/slab corruption exploits on Linux.

And Bionic C.

One thing that we are looking for is to protect the clients sensitive data like keys that could be very valuable

It also uses strong encryption for the disk, which is always on, utilizes the full hardware security features of the phones, and implements remote attestation to ensure that you can prove the operating system you installed is the one you think you installed,

while the operating system is online.

duke_h3: in all honesty that's very very vague.

And one of the threats we are looing into i the potental for "bugs" like stagefright

I assume you are familiar with the concept?

Stagefright's been mitigated on the factory operating system from Google, long ago. You can actually run a CTS test for it, and stagefright is one of the test cases.

Under cts-tradefed, run "security-bulletin"

This was a long time ago.

Outside of that example, it's been one of GrapheneOS' core goals to try to mitigate exploits.

TheJollyRoger obiosly, but its safe to assume that simelar threats are still out there

Of course, that's why you keep your operating system up to date.

well I was hoping that GOS had a higher abition

I'm not quite sure what you're getting at, can you be more specific?

Hey TheJollyRoger I am having some troubleinstalling the new fastboot

to build in security walls so that a big like SF could not be implemented

<duke_h3 "well I was hoping that GOS had a"> What is that supposed to mean? lol

I'm not sure which program to run

Because honestly what you're asking is not making much sense, it's very vague, and if I'll be bluntly honest, it feels like you're essentially trying to ask me to See The Future.

Also, I am not affiliated with the Graphene OS project so ignore me.

hypokeimenon[m]: heh, well, at least we're on the same wavelength.

Our assesment is that a lot code in a big project like android is too large to auidit in a safe way

Johnwake, have you uninstalled all previous/old/obsolete versions from your computer, and downloaded the latest version of fastboot?

And much of the code is written in a way that allows bugs to be inserted

or mistakes are made

duke_h3: right now GrapheneOS has expressed dissatisfaction with the state of the Linux kernel when it comes to security, or the lack of it. But right now we're working with the hand we've been dealt.

yes

If you've got a Microkernel and Qualcomm reference SoC that's been fused to accept our own firmware, we welcome your contributions.

So we where looking into the concept of separating stuff so that unsafe android code could be run on the phone

I couldn't find a way of uninstalling it

and keept separate from the sencetive data

Johnwake: you'll need to delete the old fastboot, then.

"I thought the Graphene project had more ambition..."

"Our assessment is that Android is too large to audit in a safe way..."

This is a strange way to converse with a project trying it's damndest to be as secure as is feasible.

I'm just having trouble finding a way to delete it

I could my linux pc if that makes things easier

I think you are doing a excelent job

And I really liked the concept you hade on your webpage

Johnwake: You'll need to do the same thing, do not install platform tools from your operating system's software repositories, download it from Google.

If you already have, uninstall it.

Johnwake if you are on windows you can just delete the folder

Talking about the Xen

Well, again, as mentioned on the roadmap, adopting lofty goals like that is contingent upon the project being able to not just survive, but also thrive as a non-profit open-source project. If you've been at the development game for 20 years, we could use those skills.

Yes, that was the plan

I just need to understand where things are, and what resources I need to request

My current fastboot version on my linux pc is version 1:8.1.0+r23-5~18.04.

Is this the up to date version?

Johnwake: you'll need to uninstall it, that version will create you a brick.

No. If it doesn't say at least 29.0.[a number], you're going to get a softbrick.

How can I uninstall it?

Please uninstall that version of fastboot and download platform tools from the link I sent you.

What operating system are you running?

mint

Oh man.

lol

either su to root and run `apt remove fastboot` or run `sudo apt remove fastboot`

If I recall correctly.

strcat (@freenode_strcat:matrix.org): when does update engine verify during a streaming OTA?

Johnwake: I have a script that should help prepare mint. Let me go and get it.

thanks

Save that someplace, and `chmod u+x prepare-mint.sh`

anyone else notice that switching an app using gesture control doesn't immediately disable scrolling in apps?

nice guide ty

Johnwake: it's more than a guide! It's a shell script.

You'll be able to download it and run it as if it were a program and it will do all that automatically for you.

I strongly recommend you do it this way by running it as a script.

Rather than run the commands manually.

I'll open oit on my linux pc then

Yes, this is for debian based Linux /only./

Ok

How would I run it as a script?

Open a command terminal for me?

TheJollyRoger do you know if any of the architects are around?

Ok it is open

I understand that chat is prob the worst plattform to try to ask my questions

duke_h3: indeed, the lead developers do hang out in this channel. I would highly suggest though coming up with very specific, very focused questions to ask them though, /before/ you start asking them broad and vague ones.

I can help you with that if you'd like, because I do not want to waste their time, and they would not like their time to be wasted either.

I work partly over at Bodhi Linux, so I know that drill

Johnwake: I would like you to run `wget raw.githubusercontent.com/Peter-Eas…sy-installer/master/prepare-mint.sh && chmod u+x prepare-mint.sh`

And I have to say guys like you do a very good job

and the projects would not survive without you

Before you do anything more, I HIGHLY ENCOURAGE YOU TO open it in a text editor and make sure I haven't snuck in something like a "delete everything/nuke your computer" command in there.

HA HA HA

copy all the bitcoin keys to the internet

lol

duke_h3: if you want highly protected data, you would do best copying the design brought in on Pixel 3

Using strongbox

Its a load of work to set everything up properly

Hey, I tricked someone into running `curl -s [file] | bash` once :D Fortunately, all it did was print a skull-and-crossbones ascii art onto his terminal :P.

&& chmod u+x prepare-mint.sh

Do I put these last terms in the same line?

Yep! && is Unix for "and if it went successfully, run this next command."

nice

Once you're /completely/ confident that I haven't snuck in a "nuke your computer/install malware/steal your bitcoin keys" command into that script, the command to run it is,

`./prepare-mint.sh`

and the apps that would hold the precious data would need to be set up to make full use of strongbox

What dazinism said! The strongbox keymaster API is pretty neat: keys check in, and can't leave.

I don't quite fully understand how it works though.

So the android documentation on it is a must-read.

By the sound of it, it's a full API with all sorts of functionality that can be used for a lot of different things involving cryptographic operations that need to be kept separate from the host or while the host is locked.

ok it is running

Great.

This must of taken you a while to produce

Keep an eye out on what it prints to your screen, I tried to make it so that it walks you through what it's doing.

I think i'm downloading something from google

Heh, well, a little bit, I just collected most of the stuff I was telling most users to do.

Yep, it's downloading platform-tools-latest.

I am now ready to install graphene os

Great!

I'll redownload the file then try to flash it once more

Hopefully this got all the dependencies. Occasionally we've had some users come in with strange or unusual configurations for Mint that have produced errors, but this covers like ~90% of cases.

Sure.

From this point, you should be ready to follow the official instructions; that said, if you get a "<waiting for device>" when you type in fastboot flashing unlock or any operations involving fastboot, you will need to reboot the computer, because udev is not reloading its rules. This can be "fixed" by simply restarting.

This should hopefully help. If it goes wrong, be sure to save the logs of what happened, because they contain valuable information that can help us figure out what went wrong.

(If you're in the 10% with an unusual configuration or are missing dependencies that weren't installed)

Thank you

You're welcome!

Oh yeah.

One more catch...

Well I will get a Pixel 3 in the coming days

Use the USB A-to-USB-C cable that came with your phone, or if you didn't get one, make sure it has full tracing. Plug it directly into your motherboard, don't plug it into a front port.

Then we shall see

Hey right on.

Btw, we are runing a webTV channel

for the PirateParty here in Sweden

The thing is that a lot of vendors are kinda lackadaisical about supporting all the traces with front USB ports, and fastboot uses all the traces

we could make an episode on the project

Arr!

wait a moment

My fastboot version is still the same as before

Ok, that's bizarre.

can you search up `apt search fastboot` and see if apt is still reporting fastboot to be installed?

I don't think so

if it isn't, apt is broken... and we've had this happen before.

Can you search it up and see if it says installed?

I don't see that phrase

can you type in `which fastboot` and paste the answer here?

if it's in anywhere but /home/[username]/GrapheneOS, then your operating system is holding onto broken packages.

says /usr/bin/fastboot

Yep, your operating system is holding onto broken packages.

This happens a lot with Mint.

Hang on a sec.

can you run `sudo apt purge android-sdk-platform-tools-common -y && sudo apt autoremove -y` for me, then run `which fastboot` a second time?

And tell me if it still says /usr/bin/fastboot ?

sure

Don't worry... we've had bucketloads of problems with Mint before, this is nothing new.

Do I need to type " ` " when I type the command?

Oh no no no, the backticks are just there to differentiate what I'm saying from the command syntax.

cool

Still the same fastboot

and location

Ok. Last resort. `sudo mv /usr/bin/fastboot /usr/bin/fastboot.old && which fastboot`

This is a pretty awful hackjob to temporarily rename it but Mint itself can't get much worse.

is the " && " spaced?

Yes.

missing destination file operand after `/usr/bin/fastboot/usr/bin/fastboot.old`

You need to properly space your commands -- you omitted a space.

Please type those commands (minus the backticks) exactly as I type them.

Ok

ok

it says cannot stat `/usr/bin/fastboot

but my fastboot is in the graphene folder

Please type in, exactly as I type it:

sudo mv /usr/bin/fastboot /usr/bin/fastboot.old && which fastboot

Copy that exact line.

That whole line, please.

ok

This /needs/ to be done exactly. Please do not try to take shortcuts; the computer won't like it.

I followed your intructions

What do you see for `which fastboot`+

*`which fastboot`?

I get /home/land/grapheneos/platform-tools//fastboot

however

When I copy and pasted your cmd I got `mv: cannot stat `/usr/bin/fastboot` : No such file or directory

Ok.

Can you check fastboot version with `which fastboot`?

Er,

Sorry,

can you check fastboot version with `fastboot --version` ?

Sorry, my mistake.

for fastboot --version I get bash: /usr/bin/fastboot: no such file or directory

post output of `export path`

post output?

nothing happened

er, sorry, can you close that terminal window, open another one, and try `echo path`? My mistake

Sorry, my mistake there.

gave me "path"

Sorry `echo $PATH` ahahaha sorry.

Brainfart there.

Sorry.

Phone rang.

No worrys

I'm glad your helping me at all

I got /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/home/land/GrapheneOS/platform-tools/:/home/land/GrapheneOS/platform-tools/

Hang on a sec, it's still giving you an incorrect fastboot version even with path set and the old fastboot moved to "fastboot.old"?

I'm not sure

wait

when I type fastboot --version

I got 30.0.01-6435776

Ok, great, it's working.

Proceed to install GrapheneOS.

installed as /home/land/grappheneos/platform-tools/fastboot

dude

Thank you so much!

You're welcome :)!

We're weathering the storm! Okay! The next step is going to be to flash... now if you're missing some dependencies, Mint may complain. There's a good chance you aren't, but keep an eye on the backbuffer.

got ya

One more question

what is the factory image?

The factory image, in common parlance, is actually a zip file containing an installer script, the firmware for your phone's modems and radios, and also the system image, which is itself going to be in another .zip file.

The system image is a pre-built operating system image, which is signed, and verified by the bootloader itself.

Which device do you have?

pixel 3

Got it. You'll want this one then, for the Pixel 3 (with the glass back, NOT the 3a). releases.grapheneos.org/blueline-factory-2020.05.05.02.zip

This will work on the 3 only. It will not work on the 3a.

Understood

Once you download it, unzip that file to anywhere you like, and follow the instructions (you do not need to unzip it to platform tools, and in fact I recommend against this)

Inside, you'll find another .zip file, and a file called "flash-all.sh". That "flash-all.sh" file is the installer file, which will take care of the rest.

Make sure to lock your bootloader after installing; all GrapheneOS phones have the entire system image signed and validated and bitwise identical right down to the very last bit.

This ensures that the operating system you run, is the same as the operating system I run on my Pixel 3, as well as every other Pixel 3 running GrapheneOS that has its bootloader locked, and is validated all the way back to the signing keys, and you can use attestation.app to prove it.

The program won't run

Can you tell me the error message?

Should I run it through the cmd?

(Remember, I'm not sitting next to you and I'm essentially flying blind)

Understood

Yes, you will need to execute it using `./flash-all.sh`

cmd prompt it is

Where does the BuildID come from in this step?

./vendor/android-prepare-vendor/execute-all.sh -d bonito -b $BUILDID -o vendor/android-prepare-vendor

You'll need to cd to where it's been downloaded and run it from there.

I thought it was emmited by the choosecombo output?

BrokenCog: it should be on... just a sec.

CD?

BrokenCog: developers.android.com/android/images - do you see something that looks like "QQ2A.200501.001.B2"? That's the build ID. You will need Dan V's patch to the script or it will fail with a "URL Not Found" error.

Johnwake "cd" (remember that in Linux, commands are cAsE sEnSiTiVe!) means "change directory"

ah, I had that patch and thought it was only for a previous graphene release ... guess I need it again.

RattlesnakeOS/android-prepare-vendor 32e6e21 This one.

thansk

also, that link to the android/images is 404, but was this what you were linking:

or this: grapheneos.org/releases#bonito-stable

ok

I think it's finished

BrokenCog: Whoops. Sorry, it should be developers.google.com/android/images , sorry >_<.

okay, so "QQ2A.200501.001.B2" not "QQ2A.200501.001.B2.2020.05.05.02" ?

Johnwake: Awesome! It will reboot to "fastbootd" you're going to need to select the option "reboot to bootloader"

or ... trial and error ? :)

BrokenCog: I think the first one, QQ2A.200501.001.B2, give that one a try?

then lock the bootloader right?

Johnwake: yep! Lock your bootloader!

yes, that's the correct one. It IS also output by choosecombo/lunch.

ok it is locked

Do i START?

Johnwake: okay! Start it!

caps

dude

yes

yes

Can I unplug my device?

Splice the mainbrace! Welcome aboard the ship, matey! :)

Yep! Unplug your device.

You can optionally decide to turn "OEM unlocking" to off if you like.

I should

Thank you TheJollyRoger

You were such a big help

Thank you

Anytime :).

I hope GrapheneOS serves you well! If you like, you can get Signal from signal.org/android/apk <- this is the only place you should be getting Signal from if you cannot compile it yourself.

I'm glad I made the investment

thanks again

While F-Droid is far from ideal and contains a lot of old and outdated applications which are liable to stop working, if you, you can navigate to f-droid.org and install it from there if you like.

Anytime :)

it was either this or the librem 5

There's a short usage guide at grapheneos.org/usage

Hehe, well, you certainly made the right choice here ^_^.

great ty

If you're interested in knowing more about GrapheneOS and the security features on it I can show you around a little bit but most of the security features, such as verified boot, function transparently, and there is no knobs/tunables/tweaks, etc.

However I can certainly show you around Auditor, which I highly recommend you use.

sounds good

attestation.app/tutorial will tell you how to use the local or remote verification: One of the things that makes the Pixel 3 so secure is the presence of the Titan M HSM embedded in the phone.

That Hardware Security Module has a private key in it, the certificate of which is validated by a batch key, which is then validated vendor key, which is then validated by Google's root certificate.

It's funny how Graphene os is only on the "Google" Pixel

So the interesting thing is that remember the verified boot we talked about earlier? The Titan is in a very privileged position and while it can't control the phone (it can only run signed code), it can actually attest to the authenticity of the digital signature on the phone's system image.

dayum

Thats pretty cool

It can even do this if the operating system tries to lie about its own authenticity!

=$

So if for instance, let's say you somehow download malware, and somehow that malware escapes from the SELinux sandbox, breaks the Linux user model, and manages to modify your system partition...

The next time your phone dials in to submit an attestation, the Titan will detect that tampering has occurred since the signature won't match.

And it'll be able to warn you "Hold it! Something's not right!" and send that warning to another (hopefully not compromised) system.

The attestation's under your control as a user as well, you can turn it on and pair it, or un-pair it anytime you like.

Heh well... the irony many people have pointed out of wanting to get privacy from Google... and needing to buy Google handsets isn't lost on me... but there's a good reason for it:

The funny thing is that Google actually is probably the best vendor for it: they're actually the most helpful when it comes to providing support for the handsets. They provide all their tools as open source and the entire system pretty much as open source, and they even make firmware available to us (although you have to ask for it)

They also have gone out of their way to allow us to run our own system images on their phones with full hardware security features enabled: most other vendors will only allow you to run different operating systems on their phones if you cripple the bootloader security.

Samsung, for instance, if you want to run your own system image on their phones, you must /permanently cripple/ bootloader security forever, and then the phone will never be the same again.

huh....

Yeah. Google also is probably the best in terms of firmware security and diligence. They actually take their firmware security seriously, and even have gone so far as to implement Insider Access Protection which is the neatest thing since sliced bread.

One question

Firmware absolutely, and should be updated, and treated like any other component of the software stack; it must be kept up to date to mitigate exploits.

The Titan M won't allow the firmware to be updated /unless/ it recieves the password.

So this deters an attack where a very determined adversary confiscates your phone, takes it to Google or to Qualcomm, and then uses legal or extralegal pressure to get them to sign rogue firmware.

Yeah what's up?

How do I sync my contacts from my sim card?

Even if they were to find an exploit for the operating system, root your phone, and try to push an update to it, that IAP prevents the phone's firmware from being updated unless *you* do it.

Ah, huh. I've actually never tried that on GrapheneOS before, heh.

I didn't even know storing contacts directly on the SIM card was still possible, I thought the phone industry had started to move toward depreciating that function.

For sure

Yeah, sorry. I don't know if there's an easy way to do it without simply copying the contacts off by hand :(.

No worrys

I use an app called "dumb phone assistant" to copy from and to sim cards

The contacts app can accept properly formatted .vcf files but--

Oh splice the mainbrace!

fll[m] to the rescue!

The security of GrapheneOS is crazy. It's a fucking dream, actually.

Yeah!

I like the hardware bound encryption the best and a long passphrase.

I find it very difficult to memorize eight random digits or like a password generated by KeePass, but it's relatively easy for me to memorize four distinct dictionary words.

Much easier for me to type too.

(Even though a four digit pincode is enough, thanks to the Titan and the increasing lock timeout.)

As well as the Android compartmentalization, that's a huge one.

Johnwake: if you're familiar with or you've used Android before, you'll notice that there are two new permissions GrapheneOS has that are unique to it: Sensors, and Network. Turning off Network permissions will prevent the app from dialing out, and turning off Sensors will zero out sensor input.

Yea I saw

Something you might consider getting if you use F-Droid, is OpenCamera. Turn on the "Camera2" API and watch the quality of your pictures *skyrocket*

I have a six digit pincode but will probably eventually shift to some some sort of passphrase if it's better from a security perspective. But you know, Titan M and all.

Yeah. The passphrase for me is sorta force of habit. It's just easier for me to memorize it.

it would be cool is you guys added a usb kill switch

There is

Kinda

Also use Bitwarden but should shift to Keepass as it's a lot better from a security perspective.

Not required actually -- while the phone is locked, it won't allow new gadgets plugged into it unless those gadgets were plugged in *before* it was locked.

When you plug in, it won't let the phone do anything but recieve power.

Unless you select to allow it.

Bitwarden is pretty terrible

(Although you can change this default behaviour in Developer options, I strongly recommend you leave it as the default, the defaults are set to be secure. That function is only done to save developer time for engineering and testing only! Please don't use it!)

Yeah I agree. I heard there was some weird blackbox tracker shit and their server hosting is insecure. Plus it's a cloud service and those are terrible for passwords.

Cloud service is fine

Forcing account management through website is sketchy

That's true

Now there is one thing you should know about USB killing...

Unlike the iPhone X, the Pixel 3 doesn't have USBKiller Protection.

So if you plug a 10,000 volt USB Killer into an iPhone, it'll ground out and will probably be fine, but a Pixel 3 will be fried.

Not really a security issue

It's worth noting though

So even if you're protected from JuiceJacker attacks, *please* don't plug it into devices that are designed to send 10,000 volts into your phone.

Heh, yeah.

TL;DR don't plug shit in unless you know what it is.

Yeah.

Which I mean goes along with "don't install apps that you don't trust" or "verify your sigs" or "don't click on random links" or "don't send 8 Bitcoins to the Nigerian Prince".

Yeah.

Because the most insecure part of any system (besides Ubuntu) is the user.

I think there's a YouTube channel where someone actually "destructively tests" cellphones and I think one of them he destroyed a Pixel 3 by giving it a 10,000 volt surprise. Interestingly enough, the screen remained fine for a second, but the phone was *gone*.

like, boom, instant death.

I sent 6 I'm okay right?

Ahahaha XD

Open Camera's UI man

bet

I mean look at it

It's... it's a little bit clunky :(

OK and that's an understatement X(

Still better than my Leafpic Revived icon

I would just use Simple Gallery but I hate the UI of those apps for some reason.

I actually find UI design pretty important tbh. I know that's probably not the best but I have chosen some apps over others simply because they look better.

(When there is no other major difference, that is)

I'll catch you guys later

Thanks again TheJollyRoger

Anytime!

<miniblue[m] "Also use Bitwarden but should sh"> Same. Though a couple things:

Well honestly the whole appeal of Keepass is the offline element. I think you can sync it with some stuff but not sure what.

I mean, it's nice to have a synced database between Grapheme, macos, etc for all regular and mundane accounts

Like, very nice

If it was an encrypted database via WebDAV for Keepass

It'd be great. But there's only one open source Mac client doing that, not any on Android that I could find

maaan.. can't wait until the bluetooth audio fix rolls out I'm dying here

I use syncthing to keep my files synced between devices, including keepass db. might be something you could explore

Thanks! So wait, whenever I connect the bluetooth headphones in LDAC and no music plays but calls are okay

That's a bug in graphene and not the app being stupid?

yeah that's a bug in graphene

if you are trying to use bluetooth audio and it plays from the phone speaker it's this: GrapheneOS/os_issue_tracker #137

MadCamel: not a bug in graphene os

its an upstream bug that got uncovered by Graphene OS

bseeinu[m]: it is patched now with an appropriate fix by valldrac. Wait for next release.

yeah I know. was leaving out the gory details.

MadCamel: its not even gory detail, what you said was flat-out incorrect.

ok whatever you say boss

I'll refrain from helping people anymore since nobody likes my generalizations. Peace.

Sweet, thanks for uncovering it!