Is it OK to disable android webview network permissions till they get swapped to GoS parameters

Or disable it completely ?

Lckdyspl7[m]: what are you asking?

GoS grade of service?

Why is aurora telling me I need to update auditor and android system webview?

Both built in apps..

these questions have come up like 40 million times in the past few days, search and ye shall find your answers

<lev[m] "these questions have come up lik"> yeah, it would be nice if the transient newcomers would at least read the information on the website or search the logs. its really discouraging.

I can more understand a little more if they're coming from irc, since having a log to search is a bit less common

but yeah, it's right in the topic lol

i think its great that youve stuck around, thats really the only way you can learn from the community

the transient newcomers treat the channel like a helpdesk and that is just way off lol

oh yeah, I've definitely learned lots of stuff from the chatter here, it's a great community

thats a fairly common mindset, people want immediate answers and not to have to spend any of their own time to attempt to solve a problem

though I don't think it's always laziness, but possibly a lack of confidence in their own ability to solve the problem

and i think the lack of confidence is fine as long as they are willing to be open minded when they are getting help from the community

yeah for sure, gentle urging to read the documentation, or to search for their question, seems warranted

right. absent of that, they are not respecting people's time.

maybe would be good to have a helpdesk of sorts tho

there are also a lot of poeple who are used to a 'product' rather than a 'project'

where the onus is on the provider to make it work, and to help you understand, in all circumstances

the provider doesnt even give app support!

people are lucky if they get a ticket opened lol

GitHub has a discussions feature that lets people ask questions and mark them as answered. You can search, all posts have edit history, etc. And it's integrated with GitHub so you can reference code and issues. So, definitely check it out. Obviously proprietary but who the hell wants to edit and maintain a wiki when you can let users do it in a discussion / stack overflow format instead?

It's in beta

:: installls an UNsupported operating system, expects to be supported ::

is stackoverflow owned by someone?

sounds like github discussions is MS trying to compete in that space

stackoverflow is kind of unmatched there, now that I think about it

Eh I don't think it's competing. It's just bringing communities into one relevant place instead of forcing devs to scatter across various services like discord, slack, etc.

It's good to be decentralized but these newbie questions will NEVER stop unless there is a QA place for them to go to / search. And that doesn't exist. IRC + the logs is not a replacement for it.

yeah, it seems like a pretty reasonable idea, but that's for sure competition, I am not implying malice or anything, it's just better for business for people to stay on your site

Agreed

I was scared! Pixel 2xl recent beta update took 15 min to boot.

hey its beta afterall

Oh snap. Gitter is joining Matrix... hopefully that means more people coming here! :)

> I was scared! Pixel 2xl recent beta update took 15 min to boot.

Yeah it took a long ass time on CalyxOS too

helpdesk for open source project? LOL

I think he meant more of a QA not a help desk. Like stack overflow or GitHub discussions (beta).

why the hell not.

maybe even powered by ai

Howdy! Finally got my ass off reddit to join the real forum

Gotta say, I bought a Pixel 4 XL a few months ago and I could not be happier about this OS

<renlord "Lìckídysplï7: what are you askin"> Well the android webviewer keeps opening itself when I freeze all my apps it shows it opened.

Will it open every time I open vand now or something.?

Didn't notice it beforehand constantly running

I wanna know can I disable it without the phone imploding on me

Lìckídysplï7: the WebView is what provides the web renderer for apps

not sure why you want to disable a core OS component

they are going to crash because they aren't going to handle the exception from WebView being missing if you disable it

I never seen it pop up before, thought it was something new running rougue

lots of app embed web content

Lìckídysplï7: the app id is just temporarily different until we're doing Vanadium WebView builds against

org.grapheneos.vanadium.webview is what it will be called again

Okay that makes abit more sense

it's not used by Vanadium browser

it's a library used by other apps and runs a sandboxed browser rendering process for them

Yeah I am aware of that change 😊

Thanks for clearing that up

Ahh so when I click a link in an app and it brings up the web page in the app, its webview.

Right! 👍

Lìckídysplï7: well

it depends

Lìckídysplï7: if you click a link in an app that usually either opens the browser or a custom tab from the browser

you can tell it's that because it has the Vanadium menu

Lìckídysplï7: apps that use a web rendering widget themselves are using the WebView

a mail client rendering HTML email, lots of embedded forms for login to services, many others things

many apps use it

there are a lot of WebView-based web browsers but that isn't really what I'm talking about

update just dropped for my pixel 3 :D going to go read the patch notes!

Is there a new stable

My phones downloading an update on stable channel, is this a GoS release ? I've disabled seemless updates till I get an anwser

Nevermind just real release stuff

* Nevermind just read release stuff

Hi. I've had some issues with the latest 2 updates. When an audioplayer (not the pre-installed one) run by an added user is paused, the screen goes black and I have to unlock the phone again.

It also happens on play and rewind

howd u install that player

I've tried with AntennaPod, Voice and AudioAnchor

F-droid

It worked fine before the Android 11 update

theres been a lot of problems with fdroid apps on current android

they use old signatures with fake new API

Okay. Thanks.

you might want to try an apk straight from the developer or via aurora store, but app sig will be different, so the data store will be different

probably best to avoid fdroid in the future

Hi, has anybody experienced gcam stopped working with gcam service provider since Android 11 update? I'm wondering what could cause the issue... Thanks!

I should've looked at the issue tracker. It's there already

Is there a known issue with not being able to dismiss or snooze alarms when the screen is locked?When this happens I need to unlock my phone and dismiss it through notifications.

somerand0m: not tried, but think you can tap on the notification on the lock screen?

<louipc "they use old signatures with fak"> That's not related.

* That's not related to the issue.

i see

There was an update a few days ago, and on reboot, my f-droid flashlight app was uninstalled and vinyl music player 'keeps stopping' after its splash screen. Is this kind of thing known/ordinary?

oh yea that is definitely the fdroid thing. apps disappearing

seems like theres a problem with music players tho

cecemimi: yeah, the app disappearing is a problem with fdroid. Think the player acting weird is an issue with Android 11

So i reinstalled flashlight, ok, but vinyl cant work still

Oh ok

Maybe try a different player for a bit?

Sure, will do, recommendations welcome, but will search

It only happens when I run the apps by a separate (not main) user account

[cecemimi](matrix.to/#/@cecemimi:matrix.org): Maybe this is the bug of Vinyl: AdrienPoupa/VinylMusicPlayer #288

Thanks for pointing to that, good to know.

day known Odd. When I leave the device on a flat surface I have the options. But if I pickup the device I lose those options on the lock screen.

@renlord can I pm you?

Shuttle+ works.awesome.as a music player

I like Vinyl player.

Can I usw Ethernet with an usb-c otg Ethernet adapter ? I usw the pi

xel 2 thanks for any advice ...

somerand0m: you can turn off 'lift to check phone' in gesture settings.

syscall: some people have used ethernet via usb otg

I use "Music". Fork of Phonograph just like Vinyl is.

I don't remember the exact differences

<dazinism "somerand0m: you can turn off 'li"> Yep, it works when you turn it off. I guess I'll need to leave it at that for the time being or switch the Google one which works.

<somerand0m[m] "IMG_0454-1.jpg"> What vpn do you use?

I use mullvad.

oh

not a general question :P

I only saw a picture and the sent image part 😂

and not the sent image part*

i cant type /

:/

[makingaliasesisannoying](matrix.to/#/@makingaliasesisannoying:matrix.org): oh, tea

#grapheneos-offtopic:matrix.org

Sorry i was replying to the question above sorry

but thank you

<unknown01234[m] "What vpn do you use?"> Probably not the answer you're looking for but It's a VPN to my home. :)

nice

i think that is cool. I want to do something similar.

/exactly

wireguard as well?

It's only really worthwhile if you have resources at home you want to use or route all your traffic through.

yeah i have the resources

Nah IPSec for the time being but I will transition.

Cool

Anyone using Vinyl music player? Newest relase says android 11 compatible but works randomly or doesnt work

<Erraverunt "Anyone using Vinyl music player?"> I have it, not tested yet

I'll go check

Background player is not on the first drag down menu from top, but on second, and cant close the app from there

<Erraverunt "Anyone using Vinyl music player?"> Works so far for me. A11 on Pixel 4 XL

I use it daily.

Or has the drag down menu from top changed radically that I cant close apps from there any more?

<Erraverunt "Anyone using Vinyl music player?"> It crashes on me

It's literally unusable

Yeah same for me, which device are you on?

The newest aurora store version doesnt crash for me, but doesnt work like it should

froid version crashes instanly

Pixel 3a

I use aurora store

I'm on pixel 3a too

Odd, Aurora Store version crashes on me frequently.

<Erraverunt "froid version crashes instanly"> It's outdated, right?

I'll retry

Yeah I think it is

24.0.169

On Aurora Store

Anyways, I only gave it Storage permission on Media, nothing else.

If it crashes because no network permission, uninstalling it in a heartbeat

App developers need to be competent

Not do stupid crap like crashing when network permission is denied

make a better one :D

<Sheru[m] "Not do stupid crap like crashing"> You realize who is wrong here?

I only gave storage too, doesnt crash but I see that android 11 changed the notification "area" which is causing my problems. Also imo changed for worse

Yeah sure, forcing user to grant internet permission

It plays normally after granting it, then denying it again

Would have been better if apps were designed to run with or without such permission, even Microsoft does this thing

any way to close vinyl from notifications with swiping right, like it was possible before android 11?

Not really

<Erraverunt "any way to close vinyl from noti"> Pausing it in app/notif or force stopping are the only ways

Cant even close vinyl from swiping up from bottom to show running apps and closing it there

Both of these worked before

Yeah, consider checking their issue tracker?

* Would have been better if apps were designed to run with or without such permission, even Microsoft does this thing (as in forced network permission unnecessarily)

Yeah checked it, it only has 1 problem which I have listed (file names not displayed if they have no tags), propably gotta report these problems myself

yay 2-button navigation is back in settings!

lol

Yay

If only it has the same app switching option, but it's better than nothing yay

<Sheru[m] "Not do stupid crap like crashing"> That's not it.

Yeah

It was not the only issur

* Hello everyone. I have a question regarding the Android 11 port. I usually check GitHub to be updated with GrapheneOS development and I see that the "port SELinux policy hardening from Android 10 to Android 11" issue in the Android 11 port milestone is still open with only 2 closed PR's and another 8 still open.

I've been holding back updating my phone to Android because I fear it'll degrade the OS security, I'm a Hong Kong protestor and I'm sure you already know that the authorities are not really friendly around here.

Should I hold back updating until the team finishes the hardening porting or am I safe? I really don't want to take any chances with police around here.

* Hello everyone. I have a question regarding the Android 11 port. I usually check GitHub to be updated with GrapheneOS development and I see that the "port SELinux policy hardening from Android 10 to Android 11" issue in the Android 11 port milestone is still open with only 2 closed PR's and another 8 still open.

I've been holding back updating my phone to Android 11 because I fear it'll degrade the OS security, I'm a Hong Kong protestor and I'm sure you already know that the authorities are not really friendly around here.

Should I hold back updating until the team finishes the hardening porting or am I safe? I really don't want to take any chances with police around here.

[hkprotestor11](matrix.to/#/@hkprotestor11:matrix.org): I've already finished the selinux port

There's a PR with properly cleaned commits already open by me and tested

If you want to see the actual steps for the bringup you can see the whole commit history here github.com/GlassROM-devices/platform_system_sepolicy/commits/11

The entire thing was squashed on the pr branch and sent in

It's just that there's other issues that take more priority than selinux hardening right now

Well thanks a lot for the wonderful work to you and the whole team. So you've done all the work needed and tested but it's like, we can say, in the queue to be committed in the Graphene repos?

Yes

Although everything seems fine on the surface it will take a while to review this

In general, I always prefer that things take as much time as they need rather than do it the EA Games way, publish an unfinished product with first day updates

Given my situation, should I wait and stick to the stable Android 11 release for now or should I update to latest stable? I just don't want to take chances with HK government

Selinux hardening is only for the base system

What we are doing is we mark system apps

By their signature since we sign them ourselves

Then we just out them in a separate selinux context

Thanks for all that info and for being friendly. stay safe everyone

[hkprotestor11](matrix.to/#/@hkprotestor11:matrix.org): and then we remove a few permissions for the base system

Hey guys, is there going to be Pixel 5 support?

<graphene4tw3[m] "Hey guys, is there going to be P"> Maybe. Depends on whether or not someone volunteers to be a Pixel 5 device maintainer.

There is no guarantee this will happen.

hkprotestor11: you should certainly upgrade... otherwise you're missing the 2020-09-05 security update and the substantial privacy and security improvements in Android 11

hkprotestor11: you're hurting your privacy and security by not following along with the updates, we weren't going to hold back an important upgrade just because not all our downstream security enhancements were ported over, and the vast majority is ported over

Hi all, not sure if this is the right place to ask. But all of the sudden Hotspot is not working and I tried the factory reset. Two factor applications also stopped working a few days ago. Looked around and can not see anyone else reporting these issues. Is this to be expected and I need to do a re-install of GrapheneOS?

Auditor has stopped working since the latest update. If I try to manually start an attestation it fails too.

failing in what sense?

provide information including the error message

Failed to verify certificate

How do I create a screenshot with android 11

looks like there might be a date issue

with Titan M

It tells me something referring to a false date. Not before Jan 1 Not after May 23

what date does it show

in the error

Not Before and Not After dates

what are they?

Got it

which device is this

Pixel 3a XL

Running RP1A.200720.009.2020.09.29.20

Last successfull attestation was yesterday before the update

can you see what happens if you set your date to 2016

and then try verifying

on both devices

Sure. moment

all that changed in in the most recent release is that we fixed time sync

I can replicate this on Pixel 4 XL

try the date suggestion I gave above to debug

all we changed in the last release is fixing time sync

this seems like an Android 11 Titan M bug

Auditor is doing what it's supposed to be doing

I am running same build and get the same error. Pixel 3a

it's getting invalid information

from hardware

Now I got that. My date is October 1 2016

Under Settings > Date & time? Manually change the phone to a 2016 date?

alzxjm: try even earlier

2010

seems Titan M is not getting time synced to it properly

seems like a Titan M bug

OK. Brb

Not working with 2010 either

No change for me using 2010

but the date did change

Yes. Did change when I used 2016, too

Can confirm this bug happens

Changing the date to 2022-2023 makes the local verification work

well, Auditor is catching a real problem

I can release an update that stops checking for the problem

I am not sure what to do about that

Occured at latest beta update at sargo

Auditor is correct

Sheru: it's just because the latest update added back network time sync

the network time sync is working properly

ah i see

validity not before 2022

Yeah, apparently that is a problem too

Sheru: erase data for auditor

Alright

pair it again btw

old pairings won't work

Same issue

I'll be right back testing at 2021, 2022

<anupritaisno1[m4 "pair it again btw"> Doesn't really solve the core of the problem does it?

oh yeah i forgot

why would that work

mrxx_0 is typing a novel guys

Hey strcat it has been few months since I am using GrapheneOS and I want to help maintaining a device. I am on a 3a XL atm (this is my primary phone, can't do much on it). I just had my internship's pay and wanted to work on Pixel 5. But we will not get upstream AOSP before months so I prefer working on an older device. The 4a was in my choice, but what suits the best for you since you are working on 2/2XL (near from

the end but sill) 3/3XL and 3a/3aXL ? Maybe I can find a cheap 3a or xl and you prefer working on the 4a ? Tell me :)

just remember that matrix doesn't handle huge messages well and you may need to reset your client if it stops working

anupritaisno1: hahaha you were right

mrxx_0 you should tag me

i do all the new bringups for now

Oh my bad, I didn't know

Glad you were here when I send the message

buy whatever you want

then message me

it'll be quite a while before we support the 5 and later devices btw

we don't even have bendor support going for them yet

* we don't even have vendor support going for them yet

fucking shit keyboard always a typo everywhere

So 3a would be a good choice

4a

It does not

Only when changing the date to 2023 and beyond

Local attestaion will work

Got it anupritaisno1

Sheru reset

it must go

I have reset every single date change

we cannot allow such an invalid certificate to be used

and it is not just auditor

other apps will also be affected

Sheru i mean go to recovery and wipe data

Yeah, ask everyone to reset

Sheru: not necessary

anupritaisno1: you're giving bad advice

people shouldn't ever repair

* people shouldn't ever redo the pairing

anyone who upgraded will just have their proper cert

no

that's not the problem

you're giving bad advice

Huh, it still gives off green at later date (2023 and beyond)

Sheru: yes because as you can see from the output the certificate is being marked as having a Not Before date of 2022

by the secure element

and Auditor is correctly producing an error

it isn't 2022

if a certificate isn't valid until 2022, it isn't valid yet

strcat: sorry

people should NEVER delete pairings when they encounter an error with an existing pairing that was working

i deleted those messages

they should never delete pairings either for local verification or remote verification based on it not working anymore

then you lose the ability to perform a strong verification rather than starting over again with a new initial weak verification

if a strong verification fails that is not a reason to delete the pairing and start over with a weak verification

and if it DID address the problem, how do you know it's not because you threw away the ability to do a strong verification?

you can no longer confirm it's the same device as before or that the old device wasn't compromised

getting an error about an invalid date (look at what it says in the output) is a bad reason to wipe your ability to do strong verifications

Auditor is doing the right thing here - it's finding a problem

I don't know what the cause of the problem is, but it's a real problem being found, some kind of time sync issue

there is not much point of using Auditor if you're going to ignore the problems it finds and treat it as a bug in Auditor

according to the output, the attestation certificate has a Not Before date of 2022, making it invalid

we don't know why that's happening for some people yet

we do know that in the last release of GrapheneOS, we added back working network time updates by fixing our HTTPS network time update implementation

we haven't changed the code that syncs it from the OS to other components

but it seems there's either something wrong with that code, or with the code handling this on those components, including the secure element used by Auditor to generate keys (it doesn't use TrustZone if a secure element keystore is available)

Auditor is correct that it's invalid - it's not an Auditor or AttestationServer bug

it could be temporarily worked around in Auditor / AttestationServer

Shuttle+ works.awesome.as a music player

going to do a temporary workaround for Auditor and AttestationServer

it doesn't need to be validating the date on the first certificate, just the remaining ones in the chain, since the first one has the random challenge in it anyway

seems to work

doing a new release of the Auditor app with a workaround for this

try this

That worked.

if people run into issues with a Beta release we need to know so we can address the issues and push out a new release instead

this is an upstream issue that Auditor uncovers and it seems that when we added back time sync in the last release that triggers this time sync issue in the firmware

it only happens with the secure element keystore, not the TrustZone keystore

so if we were still using the TEE everywhere we wouldn't have run into it but we use the more secure SE (StrongBox) keystore when available

and apparently there are still growing pains with StrongBox

strcat: wait so we don't need to check validity date of the root cert?

we have one of the few apps using it

anupritaisno1: we don't need to check that but the code is still checking it

just the remaining certs in the chain?

anupritaisno1: read what the code is doing carefully

anupritaisno1: the certificates go attestation -> batch -> intermediate -> root

we are only disabling checking Not Before / Not After for our own attestation certificate

and we know that's safe because we are checking that it contains the random challenge

which the Auditor side provided to the Auditee side

so it can't be using a stale certificate anyway - and it would be insecure to actually rely on checking Not Before / Not After rather than the challenge

anupritaisno1: of course, we should be able to check them, but it doesn't downgrade security in any way to only check the batch, intermediate and root time validity

anupritaisno1: I had no reason to only check those when I could just check all of them, but since there is a time sync issue, we can't check the attestation certificate times right now

anupritaisno1: also, this is essentially a permanent issue now

since persistent certificates are going to have the wrong times

but what else can I do about it?

I don't really see what else we could do

we are limited by hardware capabilities

if the secure element doesn't know how to set proper times on the attestation certificate we just can't be enforcing checks on them

each device has unique problems

trying to support a ton of devices in Auditor has proved to be too hard

* trying to support a ton of devices in Auditor has proven to be too hard

without a dedicated maintainer for Auditor device support we can't be expanding device support further in it

<strcat[m] "without a dedicated maintainer f"> but i already said i will be doing it

I thought about it some more

and after this firmware issue is fixed I think we can remove the workaround

Hey all, random request:

I’m in school for software development (finally). I have an assignment that requires an “Informational Interview.” Essentially I am to interview someone currently working in the field that I am studying.

Okay

How does this work

Do you see this message?

yes

Hi, i am in the latest Beta (29.9 but the Bug was also in the Version before) and have a strange bug when using deezer in my Music user profile. When i hit play the screen turns black and then goes on again. Sometime i am getting a Notification while this occurs about the full screen mode enganging or something like that.

Using Pixel 3a

shdudbdjdj: can you get logs from either `adb logcat` or the bug report capture tool in the OS and show them to anupritaisno1

<strcat[m] "shdudbdjdj: can you get logs fro"> I will do so (:

we've heard people say they have issues with the camera on Android 11 and in certain cases with music apps seemingly tied to secondary profiles

but we need more information

I closed the issue currently opened about issues with the camera because it hasn't been productive, not getting answers to my questions or the requested information

I need someone to file an issue that's going to be able to provide the requested information and stick to the topic of the issue (file 1 issue per problem)

if we can't replicate an issue and the user won't help us debug it by trying our suggestions and getting the necessary info, it has to be closed

> <@shdudbdjdj:matrix.org> Hi, i am in the latest Beta (29.9 but the Bug was also in the Version before) and have a strange bug when using deezer in my Music user profile. When i hit play the screen turns black and then goes on again. Sometime i am getting a Notification while this occurs about the full screen mode enganging or something like that.

> Using Pixel 3a

anupritaisno1 Can you pm me? I have a bug report for you. No clue how to start a private chat in this app :D

<strcat[m] "if we can't replicate an issue a"> I try my best to help :D I am good in following instructions:P

GrapheneOS/os_issue_tracker #338 was the camera issue report

was initially filed on the AttestationServer repository twice and I transferred this one here + deleted the other

and I edited out + deleted comments talking about other stuff to keep it on this topic

but... if I'm not going to get info I need from it, might as well give up on it and wait for someone else to file one

I'll probably do another release primarily to push out the new Auditor v21 to everyone

but would be nice to include any other relevant fixes for the next release

<strcat[m] "github.com/GrapheneOS/os"> My camera works find on3a and latest update (:

*on the

I should have done this more aggressive workaround for the time issue originally in v19 of Auditor

> workaround for StrongBox issue discovered on Android 11 Pixels

I implemented the workaround I've switched to now earlier, but I decided to use a less aggressive workaround

since that was working then

since it's a time issue, it seems like time passing has made the problem worse

I suspect the issue is something like time being serialized and sent over to the secure element in a broken way

it's occurring on the stock OS too (that's where we originally detected and worked around it)

it got worse recently, past couple days

I don't think it was connected to our release after all

since people started reporting it on the stock OS

TEE keystore is very widely used and has all these kinds of weird little issues worked out

I was sanity checking absolutely everything so we were bound to find some problems

their key attestation sample doesn't check this

Bye bye!