-
strcat[m]
please read the FAQ sections on this, it's more than one section
-
strcat[m]
and again, if people want more devices to be supported, they're welcome to work on it
-
strcat[m]
they're not welcome to complain about it here
-
strcat[m]
it will result in a ban, it's a tired topic
-
CaptainBlackton
Yes, I was starting to read the other sections too, but I wanted to thank you in the meantime. And the reason I would doubt Google hardware is because Google's whole business model is based on spying. But I'm just saying "guilty by association" without any hard evidence to believe the hardware has loopholes in it. That's why I was asking, because I figured someone here might actually know what the hardware is
-
CaptainBlackton
like, unlike me.
-
strcat[m]
so, yes, you don't know what you're talking about, and you have weird ideas about Google, so you're here spreading FUD
-
strcat[m]
please read the FAQ and don't do that in the future
-
CaptainBlackton
OK
-
strcat[m]
if you want further device support, work on it
-
strcat[m]
you'll have less security with other currently available devices though and at best they will offer comparable privacy that's more prone to being bypassed
-
strcat[m]
there are not better devices available right now
-
strcat[m]
we welcome contributions, but complaining about something like lack of broader device support here isn't productive
-
strcat[m]
as it states on that page the goal of the project is not broad device support and devices need to meet a basic set of requirements, which most don't
-
strcat[m]
I think the FAQ sections cover the high level details well already
-
strcat[m]
other devices that are reasonably secure and meet the basic requirements tend not to support using a different OS, and if they do, they usually don't support installing it securely with the standard hardware-based security features
-
strcat[m]
there are not many devices that could be supported and in fact no one has identified another one meeting even basic, limited requirements at this point - but that's largely because people have not worked on doing that
-
whatisthematrix[
I have a pinephone? Anyone else want to try and get grapheneOS on it?
-
Golli[m]
Please don't think that will be secure.
-
ompe[m]
The OS is custom made for the types and specs that are listed on the web page. You could try to flash an unsupported phone, but don't expect it to get you a good result.
-
JTL
At most I see pinephone being a device for testing shit :P
-
Golli[m]
The Pinephone and Librem 5 aren't ready to support a good security model.
-
Golli[m]
The only things they can currently offer is hardware switches (useless btw) and easy to replace parts.
-
JTL
pmuch
-
JTL
and outside of "prototype/devkit" units, barely anyone has a librem 5 lol
-
JTL
Mehhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
-
louipc
userman23[m]: maybe just dns problem?
-
Dylanger[m]
> <@golli:matrix.kiwifarms.net> The Pinephone and Librem 5 aren't ready to support a good security model.
-
Dylanger[m]
> The only things they can currently offer is hardware switches (useless btw) and easy to replace parts.
-
Dylanger[m]
Yeah I heard someone flipped it one day
-
Dylanger[m]
And it didn't do anything
-
louipc
wat
-
louipc
it would be cool to see grapheneos on android one phones
-
TheJH
Golli[m]: what makes the hardware switches useless?
-
louipc
i'd think that would be the next step after pixel
-
Dylanger[m]
<louipc "i'd think that would be the next"> Next step I believe is getting a relationship with an ODM, I don't know tho
-
louipc
after web flash tool, after app store, after... stuff
-
Golli[m]
I'm not on about them not working, they work and they do their job, but having the switches as physical things instead of a toggle in the software is utterly unneeded.
-
louipc
yea maybe
-
louipc
Dylanger[m]: what just to remove the 'alternative OS' boot warning? :p
-
Golli[m]
And if you think the Librem 5's lockdown mode is useful, why would you not use a notepad and pencil or even one of the eink devices?
-
Golli[m]
Plus
-
Golli[m]
> The hardware itself lacks many modern security features too such as proper verified boot, a hardware-backed keystore (some PGP smartcard is not equivalent) and more.
-
Golli[m]
I think someone posted this before.
-
obi[m]
<Golli[m] "I'm not on about them not workin"> it's utterly the intended point
-
TheJH
Golli[m]: that article looks a bit... unhinged to me. e.g. AFAICS the accelerometer paper it points to talks about placing an accelerometer on the chest, and only for detecting *whether* speech occurred, not what was spoken
-
whatisthematrix[
<Dylanger[m] "Next step I believe is getting a"> ODM? == phone maker?
-
TheJH
Golli[m]: which is miles away from being able to record actual audio of a conversation
-
whatisthematrix[
<louipc "Dylanger: what just to remove th"> Yeah that irks me. Only irk I have.
-
strcat[m]
whatisthematrix: that's going to be there on anything other than a device built to run the official GrapheneOS releases
-
hypokeimenon[m]
Keep linux phone discussion in the #grapheneos-offtopic:matrix.org room please
-
strcat[m]
whatisthematrix: Pinephone does not meet the most basic privacy and security requirements for GrapheneOS, you could only make an incomplete unofficial port
-
strcat[m]
Android is Linux-based, those aren't "Linux phones" as opposed to regular ones
-
a7-j7b5g5[m]
Android is possibly getting mainline Linux so they'll just be userland differences soon
-
strcat[m]
Golli: the issue with hardware kill switches is that they're generally not properly designed, and they only defend against an attacker that has already compromised the device, obtained the data and can exfiltrate data whenever a network or another approach is available
-
strcat[m]
a7-j7b5g5: I think you're confused if you think traditional Linux distributions use mainline Linux
-
strcat[m]
a7-j7b5g5: Android works fine with a mainline kernel, but you wouldn't use that in production
-
strcat[m]
mainline means the x.0 releases from Linus without any patches applied
-
whatisthematrix[
What are most android devices -- patched kernels then?
-
strcat[m]
only the x.0 releases are mainline, other releases come from forks
-
strcat[m]
whatisthematrix: Linux distributions, including Android, don't use mainline Linux kernels for the most part
-
TheJH
whatisthematrix[: FYI there are official "stable" Linux kernel releases with names like 5.4.3; those are not "mainline", but they are official upstream kernels that you can download from kernel.org
-
a7-j7b5g5[m]
I know not kernel.org mainline but google is working for a shared kernel shared between phones
-
strcat[m]
there's a kernel.org repository forked from the mainline kernel repository providing stable / longterm branches downstream from it, and those are what nearly everyone forks for their actual kernels
-
TheJH
whatisthematrix[: and then android has more stuff piled on top of that
-
strcat[m]
the stable / longterm kernels backport a subset of bug fixes including a lot of security fixes
-
strcat[m]
Android works fine with mainline or the kernel.org stable / longterm branches, it doesn't need modifications
-
strcat[m]
the Android common kernel has branches based on each stable/longterm branch backporting a bunch of extra bug fixes along with backporting features and performance improvements
-
strcat[m]
and it adds a few optional downstream features
-
a7-j7b5g5[m]
Project mainline was announced a while ago. So you can use a kernel.org kernel on all new android phones if google sees its worth it
-
strcat[m]
a7-j7b5g5: you're making misleading statements that aren't accurate
-
strcat[m]
that's not what project mainline is, it doesn't refer to mainline Linux kernels
-
strcat[m]
and Android already works with a mainline or stable / longterm kernel
-
strcat[m]
the Android common kernel doesn't have mandatory changes from them anymore, only optional ones
-
strcat[m]
device support is a separate thing orthogonal to Android support
-
strcat[m]
and Android does not require kernel changes since some time ago
-
strcat[m]
there are only optional changes via the Android common kernels: many additional bug fixes, backported features, backported performance improvements and various frills like VMA naming
-
a7-j7b5g5[m]
I know that. I'm just saying I saw an article about mainline, how google is exploring one kernel for all devices
-
strcat[m]
it's not what project mainline refers to
-
strcat[m]
it's a different meaning of mainline not to do with Linux
-
strcat[m]
and it's not the same topic as Android support - all mandatory features are fully upstream already
-
strcat[m]
Android works fine with a mainline or stable / longterm kernel
-
strcat[m]
sure, you have to have support for the hardware - as with any other Linux-based OS
-
strcat[m]
* sure, you have to have support for the hardware implemented - as with any other OS - and there is a lot of hardware not supported or only partially supported upstream
-
strcat[m]
it takes years for hardware support to make it upstream, and it's rarely completed there
-
strcat[m]
and if you're using a longterm kernel branch suited for production usage, that isn't receiving any newer hardware support, only bug fixes
-
strcat[m]
the stable and longterm kernels in the linux-stable repository forked from the main repository only get bug fixes
-
strcat[m]
the newest longterm branch is 5.4, that's the newest choice you could make if you were putting together a product right now
-
strcat[m]
perhaps it takes you a year to make the product and develop all the drivers, etc. and you work on starting the process of landing stuff upstream once it's ready
-
strcat[m]
the product launches
-
strcat[m]
a year later, a lot of support for it has landed upstream
-
strcat[m]
5.4 is never getting that, and it's 2 years old
-
strcat[m]
and right now, support for devices is rarely ever completed upstream and only even starts to resemble usable support 3+ years after hardware becomes available
-
strcat[m]
so you could perhaps build a device with an obsolete SoC without proper support from 3 years ago using Linux 5.4
-
strcat[m]
anyway that doesn't have to do with Android specifically
-
strcat[m]
Android itself works fine with a mainline or stable / longterm kernel
-
strcat[m]
a sane production product is going to use a longterm kernel, and the Android common kernel longterm branches are highly advisable to have more bug fixes and backports of important security features, performance improvements, etc.
-
» Lia[m] is curious how would GKI affect the device support time by Android 12
-
strcat[m]
a7-j7b5g5: the generic kernel project you're talking about is about defining a stable ABI for a longterm kernel branch so that all drivers for hardware support that aren't already available in it can be separately updated - it does NOT get rid of the need for those drivers
-
strcat[m]
they are STILL tied to a specific longterm kernel version, you STILL need them for hardware support, and you STILL need updates to them
-
strcat[m]
sure, it lets you update the base kernel separately from out-of-tree drivers
-
strcat[m]
doesn't change that the drivers need to be supported and doesn't change that the drivers are tied to a specific longterm kernel branch
-
strcat[m]
in theory, if all the drivers were landed upstream, you could pick a newer longterm kernel branch, spend a long time fixing all the regressions including making the drivers all work properly again
-
strcat[m]
and then ship an update to that newer longterm kernel branch
-
strcat[m]
which, due to the high rate of Linux kernel regressions, will likely have serious regressions that slip through to users and need to continue to be fixed
-
strcat[m]
and also, code being upstream does not imply it is maintained, and it does not imply it will continue working
-
strcat[m]
there is tons of churn, and those drivers are not being regularly tested, people have to notice the regressions on specific hardware and then deal with getting it fixed
-
strcat[m]
it doesn't remain in a working state, you have to pick a new longterm branch and fix everything, even if you got all your drivers upstream
-
strcat[m]
you can't just update to each new longterm branch even if all your drivers are upstream because half of them are going to be in a broken state with varying degrees of serious bugs for any given kernel version
-
strcat[m]
you have to invest in updating to it, and that's after upstreaming all drivers
-
strcat[m]
and your drivers might not be accepted, you may have to heavily change / rewrite them in order to get them accepted
-
strcat[m]
you may get conflicting demands from different people
-
strcat[m]
it requires a huge effort to get it all landed there, and it's not going to magically keep working through all the churn, you need to invest in testing the hardware with mainline and continue to keep your stuff working through continued maintenance (it's going to keep breaking and needing to be fixed, and mainline releases are not delayed for reasons like that)
-
strcat[m]
if it works for Linus on his hardware, he's going to release it
-
strcat[m]
that's the standard
-
strcat[m]
there are mainline releases where an entire architecture is broken
-
strcat[m]
I think if you've used a mainline kernel with a rolling release Linux distribution on a laptop, even a very common laptop used by a lot of kernel developers with common hardware used by a lot of them
-
strcat[m]
you'll be aware that hardware support regresses, over and over in different ways
-
strcat[m]
you get an update and suspend doesn't work anymore - maybe one day it is fixed and works again, maybe not
-
strcat[m]
maybe sound breaks, maybe Wi-Fi, maybe some aspect of USB (USB is perpetually broken in different ways)
-
strcat[m]
you can't actually ship mainline kernels for anything serious, you use longterm branches, and you probably need bug fixes beyond what's there
-
strcat[m]
and even stable / longterm kernels have this issue despite ONLY fixing bugs because they are not broadly tested / reviewed either
-
strcat[m]
you can't just safely ship those bug fix only LTS updates without careful testing
-
strcat[m]
so for example, right now, Qualcomm is developing future SoC generations and their driver support, they're probably developing drivers for the Linux 5.4 LTS branch right now, for unannounced hardware
-
strcat[m]
so they'll launch the hardware, and start upstreaming support for it (which they do)
-
strcat[m]
phones will launch with it shortly after (since they had access before it was public)
-
strcat[m]
that's how hardware launches work in general
-
strcat[m]
so N years later maybe there is near full support in mainline
-
strcat[m]
up to a year after that a new LTS branch is created which now has the full hardware support
-
strcat[m]
and it can then be fixed there to work fully
-
strcat[m]
so basically, in an ideal scenario right now, where the company heavily invests in upstreaming support post-launch, maybe you can use the upstream longterm kernel without anything out-of-tree ~2-3 years post launch
-
strcat[m]
so, in theory, if the company wanted to, they could do all that and then migrate to that newer LTS
-
strcat[m]
and then invest in migrating to future LTS versions
-
strcat[m]
so yeah ideally that would happen
-
strcat[m]
they have to keep maintaining all the userspace code and firmware too
-
strcat[m]
the lifetime of LTS kernel branches is not really the bound on device lifetime yet
-
strcat[m]
they'd need to be supported 4+ years for that to start being the case
-
strcat[m]
even then.... hardly any resources are actually invested in the kernel.org longterm branches
-
strcat[m]
it's a few people doing most of the work part time
-
strcat[m]
they have other stuff they work on too
-
strcat[m]
a company that assigned 5 full time employees to maintaining a Linux kernel LTS branch would be putting in more resources than the total sum of the resources put into it by EVERYONE ELSE in total
-
strcat[m]
the kernel.org longterm releases are mostly gregkh allocating a fair bit of his time to backporting things, mostly changes marked in the commit message as being sensible to backport to stable kernels, and a few other people dedicating some time of their own
-
strcat[m]
occasional contributions from others
-
strcat[m]
hardly any systemic testing, hardly any review, etc. just like the rest of Linux development
-
strcat[m]
people have this idea that because a huge amount of resources goes into adding code and making it increasingly more complex to add features, make it scale better, etc. that there are similar resources put into stability, testing, review, security, etc. but it's not the case at all
-
strcat[m]
and also having most drivers in-tree as part of the same git repository due to lack of a stable ABI for drivers means there's a ton of churn for that
-
TheJH
strcat[m]: there are stable ABIs for some driver things. they're called VFIO and FUSE and so on :P
-
strcat[m]
TheJH: ideally all drivers would be in userspace via versioned ABIs
-
TheJH
strcat[m]: why even versioned
-
strcat[m]
TheJH: so you can fix privacy, security, stability, performance issues in the ABI
-
strcat[m]
and then if you don't need older drivers you can turn off the legacy support
-
strcat[m]
but yeah no changes that aren't actually important
-
TheJH
strcat[m]: and for many of these things the kernel-side APIs are already in place
-
strcat[m]
what google is doing for generic kernels is not as impressive or useful as it sounds
-
strcat[m]
they are just freezing a subset of the ABI within an LTS branch
-
strcat[m]
it has no benefit to us
-
TheJH
strcat[m]: one of my favorite examples is how bluetooth keyboards/mice work
-
strcat[m]
just like APEX has no direct benefit for us
-
TheJH
strcat[m]: where actually a userspace daemon is injecting input events
-
strcat[m]
the only benefit of APEX is that now something can be made an APEX to make it have out-of-band updates
-
strcat[m]
so therefore
-
strcat[m]
they are not going to be inclined to just remove it from AOSP to do that
-
strcat[m]
* they are not going to be inclined to just not implement things in AOSP to avoid that issue
-
strcat[m]
so for example, they did U2F/FIDO2 support in Play services so that they could bring it to existing devices and update it out-of-band
-
strcat[m]
now, it could be done as an APEX instead, and could be added via an existing APEX
-
Dylanger[m]
<strcat[m] "the only benefit of APEX is that"> I'm worried Google will 🔪 AOSP via slowly claiming AOSP components, building them and providing them as blobs
-
Dylanger[m]
* I'm worried Google will 🔪 AOSP via slowly claiming AOSP components, building them and providing them as blobs/apex update-able
-
strcat[m]
they haven't shown any sign of doing that and the APEXes are built and tagged in AOSP
-
strcat[m]
if they aren't open source they wouldn't be part of AOSP anymore
-
strcat[m]
so then it's not an APEX
-
Dylanger[m]
Fair point
-
strcat[m]
it's some app you install
-
strcat[m]
* so then it's not an APEX for the base OS, it's something else
-
strcat[m]
Dylanger: they've already been able to put whatever they want in Play services and yet
-
strcat[m]
actually take a look at what they've put there
-
strcat[m]
Play services is 99% clients for Google services
-
strcat[m]
sure, there is 1% of it that is not actually directly tied to Google services and really should be in AOSP but it's only a few things
-
strcat[m]
and I don't think that it would have happened if the OS had already been split into APEX components
-
strcat[m]
Dylanger: so for example, engineers at Google wanted to ship U2F / FIDO2 support - if they added it to AOSP, it would show up on Nexus devices in the next major release... and most users wouldn't get it for a long time since they don't use devices closely following the updates
-
strcat[m]
Dylanger: and, before APEX, shipping updates to that functionality would require the device maker to update it
-
strcat[m]
Dylanger: so, they had a major incentive to shove it in Play services despite it not belonging there - because it does things a regular app cannot do, so it can't just be a regular app
-
Dylanger[m]
Huh, I see
-
strcat[m]
Dylanger: it's different now, due to APEX and them mandating that vendors shipping Play services agree to shipping Google builds of many APEX components (which are open source and tagged on AOSP repos)
-
strcat[m]
Dylanger: APEX is part of AOSP and the releases for 'Mainline' are tagged
-
strcat[m]
Dylanger: it has no use to us
-
strcat[m]
November update for AOSP was released, we updated the OS to it
-
strcat[m]
we have no use for building the November APEX release and shipping it separately via an app repo
-
strcat[m]
we updated the OS anyway, it has the updates
-
strcat[m]
Dylanger: same goes for their generic kernels, we don't have a use for it
-
strcat[m]
and we want minimal attack surface and complexity so we'll still be building specialized kernels
-
strcat[m]
it would be a regression from how we do things now if we actually switched to that
-
strcat[m]
Dylanger: in fact, they're going to make our life harder with that
-
strcat[m]
because they're going to build most of the drivers as dynamic kernel modules and then they won't be testing not having them as dynamic kernel modules
-
strcat[m]
so, great, a whole bunch more initialization race conditions where drivers try to initialize themselves before the firmware for the hardware can be loaded from vendor
-
strcat[m]
and in general, the developers of the drivers no longer testing / supporting not building it as a dynamic kernel module
-
strcat[m]
it will become more difficult for us to build minimal kernels specialized to devices
-
strcat[m]
I am not looking forward to it
-
strcat[m]
it has no value to offer us
-
Dylanger[m]
Oof
-
strcat[m]
just pain
-
strcat[m]
it does not mean the drivers will be supported longer
-
strcat[m]
I guess the value it will offer is that they'll start shipping LTS updates ASAP themselves
-
strcat[m]
and it'll be easier to ship the LTS updates
-
whatisthematrix[
Oooof
-
strcat[m]
but the drivers still need their own maintenance / updates
-
strcat[m]
and it's going to be harder for us to build them the way we want with maximum CFI granularity, etc
-
renlord
speaking of cfi granularity, was anyone able to figure out the media bug with vanadium some releases ago
-
renlord
the actual root cause?
-
Lia[m]
<renlord "speaking of cfi granularity, was"> Which media bug?
-
scm5168[m]
Hello! I've been unable to receive (but can send) MMS messages on my pixel 2 since updating to android 11. Using Verizon MVNO Page Plus. I've tried resetting network settings, toggling airplane mode, and using signal. Reading through issue 153 on Github, adding the relevant APNs to an XML file fixed a similar problem for Visible. Would I need to do the same for Page Plus?
-
Lia[m]
<scm5168[m] "Hello! I've been unable to recei">
GrapheneOS/os_issue_tracker #153
-
Lia[m]
Maybe was related, but was for mobile data, sorry
-
fvbdxj
Thanks for making GrapheneOS, I've been liberated
-
renlord
that is a particularly odd sensation to derive from an OS
-
Lia[m]
<renlord "that is a particularly odd sensa"> I get what you mean
-
Lia[m]
Freed from Google's privacy invasion? Yes
-
Lia[m]
Freed from practicing opsec? Nah
-
Lia[m]
GrapheneOS + good security practice is a great combination
-
renlord
i dont necessarily agree that google is out and about invading people's privacy, more often than not, they do offer you a choice to opt out if you really mind.
-
scm5168[m]
<Lia[m] "Maybe was related, but was for m"> I tried adding the APNs using activity launcher; no change. I tried resetting the wifi, networking, and bluetooth again, also no change. I guess I'll do a factory reset next. Thanks
-
Lia[m]
<renlord "i dont necessarily agree that go"> It's okay, but the mere fact that gms exist is a pain to deal with and has consequence with the app ecosystem as a whole
-
Lia[m]
<renlord "i dont necessarily agree that go"> Like the nonfunctional opt out of ad ID that still sends it to FB SDK?
-
Lia[m]
<renlord "i dont necessarily agree that go"> The default and nagging methodology to opt to privacy invasion is a pain to deal with. And it's not only Google who has problem with stock OS, the carrier vendors too
-
renlord
perhaps to poweruser, it is perceived as a nagging, but to the laymen, it could be their first-time being informed of a particular convenient feature
-
Lia[m]
<renlord "perhaps to poweruser, it is perc"> That's fair
-
renlord
that being said, most laymen do not particularly care about erosion of their privacy and would elect to enable features that compromise privacy while providing increased convenience and user experience.
-
Lia[m]
<renlord "that being said, most laymen do "> Yeah, sadly.
-
Lia[m]
Socially engineered to prioritize convenience over anything else.
-
renlord
RE: Android ad ID, iiuc, Apple IDFA has the same problem also?
-
Lia[m]
<renlord "RE: Android ad ID, iiuc, Apple I"> I cannot vouch this for myself as I never used for iOS, but there are reports that apps has to respect the opt out or will not be accepted to App Store
-
a7-j7b5g5[m]
Most users don't care because ignorance is bliss
-
Lia[m]
<renlord "
techcrunch.com/2020/11/1"> Ngl, it's getting a little OT, but not too surprised about this news.
-
cn3m
Apple IDFA had been fully opt out for a long time
-
cn3m
It is now auto opt out
-
cn3m
And it’s a real opt out unlike the Android version which is a soft opt out and requires the app dev to play nice
-
cn3m
iOS setup is equivalent to the AOSP setup. Just avoid the Play Services option as it still lets apps get the ID and they are sent in
-
Lia[m]
<cn3m "And it’s a real opt out unlike t"> Is it (borderline) useless unless you disable gms?
-
niky
Hello everyone, hope you all are doing well .. I have just received my pixel 4a and I'm very excited to flash gos on it . Is there anything i should know before installing it ?
-
Lia[m]
<niky "Hello everyone, hope you all are"> Is the bootloader unlockable
-
Lia[m]
And did you not buy it from Verizon (any Verizon Pixel is impossible to unlock bootloader)
-
niky
yes the bootloader is unlockable & its not a verizon pixel
-
niky
before i flash gos , do i have to save the original company firmware if in case i have to go back to it from gos?
-
Lia[m]
<niky "before i flash gos , do i have t"> There is already a image file on Google website just in case you want to flash stock again
-
niky
okay got it
-
Lia[m]
<niky "before i flash gos , do i have t"> No need, just update then follow the instructions at grapheneos.org/install
-
niky
I need to run whatsapp on my gos pixel 4a for my university. What would be the best way to do so ?
-
niky
add a different user and install it there?
-
Lia[m]
<niky "add a different user and install"> Yes
-
malicoye[m]
I personally don't like multi user experience. It slows down my device
-
Lia[m]
<malicoye[m] "I personally don't like multi us"> It's okay. Not for everyone, but it's a small price to pay for better isolation
-
malicoye[m]
What are the downsides of having whatsapp in the Main profile?
-
Lia[m]
<malicoye[m] "What are the downsides of having"> IPC risks
-
niky
what does IPC stand for?
-
Lia[m]
<niky "what does IPC stand for?"> Interprocess communication, like intents from one app to another
-
niky
does it mean the apps sharing data and talking to each other?
-
Lia[m]
<niky "does it mean the apps sharing da"> Yes
-
malicoye[m]
Is it actually proven at all?
-
Lia[m]
<malicoye[m] "What are the downsides of having"> It won't slow down if you only use like two to three
-
malicoye[m]
What data other apps do give to WhatsApp?
-
Lia[m]
GET links, from WhatsApp to Vanadium
-
Lia[m]
<malicoye[m] "What data other apps do give to "> Using share button, one of the apps it fetches is whatsapp
-
niky
and also i saw a reddit post sharing a way to install a service that fakes g services so gos can run gcam can that be installed in the main user or i should install in another user with whatsapp ? or another user altogether ?
-
malicoye[m]
So WhatsApp can sniff links from vanadium? All or some certain? What happens next?
-
malicoye[m]
niky I have that service running in my main profile. Gcam works 9 out of 10
-
Lia[m]
<malicoye[m] "So WhatsApp can sniff links from"> Data exflitration risks, which does not respect INTERNET permission (though it might be granted most of the time iff there is waited notifications), or downloading undesirable files
-
Lia[m]
On the other side, it will not be sneaky or cloaked at all
-
Lia[m]
As it requires Vanadium to be focused to do that intent (IntentDispatcher)
-
Lia[m]
(Opening urls, that is)
-
Lia[m]
If you want to use it in main user, just don't give it permission besides Network, and if there is no notifications to wait, disable Network access/permission.
-
Lia[m]
Never give it storage access
-
Lia[m]
Downside of putting it in a secondary user is you need to be there to access notifications, if WhatsApp has notifications on a no Play services OS
-
malicoye[m]
That's what I do. Though I have to give it storage access for a second in order to download an attachment sent to me. In all other scenarios only Network permish is given by me
-
Lia[m]
<malicoye[m] "That's what I do. Though I have "> I'd delete all the files, or send it to Signal self message before giving it access to all files due to danger of it tagging and identifying profile.
-
Lia[m]
Any app that needs All Files access for me is isolated in secondary user, as it can do anything with that permission (by its definition)
-
snowfur[m]
<Lia[m] "Never give it storage access"> The Problem then is WhatsApp won't make BackUPs of your messages anymore (and WhatsApp annoys you a bit as well?)
-
Lia[m]
Then isolate it.
-
Lia[m]
On secondary user
-
Lia[m]
Question, does WhatsApp have notifications in GrapheneOS
-
malicoye[m]
Notifications work perfectly
-
snowfur[m]
<Lia[m] "On secondary user"> But then you would need to switch the User to get new messages wouldn't you?
-
Lia[m]
Yes
-
Lia[m]
It depends on your usecase
-
Lia[m]
What you are willing to sacrifice
-
malicoye[m]
I can't send an attachment from WhatsApp to Signal without giving whatsapp File access permish
-
niky
liam so if i want gcam on gos using that fake g services is it okay for it to be in main user ?
-
Lia[m]
<niky "liam so if i want gcam on gos us"> Do at your own risk
-
niky
is there any way to isolate an app in the main user space?
-
niky
some alternative to 2nd user way
-
Lia[m]
<niky "is there any way to isolate an a"> There is no way without giving up ownership to that user.
-
snowfur[m]
<niky "is there any way to isolate an a"> Profiles and Work profiles
-
Lia[m]
(By definition of device admin permission on work profiles)
-
Lia[m]
And it is not recommended.
-
Lia[m]
Use at your own risk, if Shelter is hacked, that whole user/profile is at risk
-
Lia[m]
I'd do it on a secondary user. Like, use the primary user for light stuff, and the university stuff on a secondary user.
-
Lia[m]
I don't like mixing up my digital footprints
-
niky
so is it okay if i install gcam n whatsapp both in the secondary user ? or should i make a 3rd one ?
-
Lia[m]
<niky "so is it okay if i install gcam "> It's okay
-
niky
any list of apps recommended for gos which i can check out after flashing ?
-
Lia[m]
At the moment, gcam is better as it utilizes the scoped storage.
-
niky
scoped as in sandboxed right?
-
Lia[m]
<niky "scoped as in sandboxed right?"> Not really. All apps are sandboxed in one profile but can talk to each other.
-
Lia[m]
<Lia[m] "
hub.libranet.de/wiki/and"> There is no exact recommendation as it depends on your use case, but there are criteria on what apps to use, and this depends on your use-case.
-
Lia[m]
Do it at your own pace
-
Lia[m]
Alternative to gcam is Open Camera and it is updated with Android 11 scoped storage in mind.
-
niky
is open cam good with low light photos ?
-
niky
if so then i wont go through the trouble of installing gcam
-
» Lia[m] > <@freenode_niky:matrix.org> is open cam good with low light photos ?
-
» Lia[m] doesn't use camera as much as night so can't tell (or uses flash frequently)
-
niky
oh ok
-
niky
thank you liam for all the instant replies and helpful advice
-
niky
Is there anyway i can join this irc channel on my gos pixel using an app or so?
-
niky
And lastly is there anyway i can help the gos development and community?
-
Lia[m]
<niky "Is there anyway i can join this "> I've heard of revolution/weechat, but unsure if that's user friendly,
-
niky
what do you use for joining irc channel? @lia
-
niky
Btw any suggestions for a windows pc user for priv n security?
-
niky
should i dual boot a specific version of linux?
-
Birdie[m]
<niky "Is there anyway i can join this "> I use element (riot.im) on my gos devices.
-
anupritaisno1[m]
<niky "Btw any suggestions for a window"> grapheneos-offtopic and
madaidans-insecurities.github.io/security-privacy-advice.html
-
niky
thank you Birdie[m] & anupritaisno1[m]
-
anupritaisno1[m]
This is important. We need help. There is a lot of misinformation being spread about grapheneos by several people. We need people who can help us clear this up. Please pm me if you want to help
-
ChristopherPrime
<niky "Btw any suggestions for a window"> Im using schildichat for matrix
-
darbubu[m]
Hello. I don't have Internet connection with WLAN after OS update today in pixel 3a. Maybe any ideas, how it can be fixed? Connection over 4G is fine...
-
Lia[m]
<darbubu[m] "Hello. I don't have Internet con"> Could be hardware defect, WLAN works fine in 3a in latest update here
-
Lia[m]
Try rebooting, forgetting and reconnecting to network/WiFi
-
darbubu[m]
OK. Befor update it worked fine :( i will try with reboot
-
darbubu[m]
<Lia[m] "Try rebooting, forgetting and re"> OK. After second reboot works fine :)
-
fakhx[m]
hi everyone i hope you're al having a good day :)
-
nscnt
fakhx[m]: Hello. Thank you, I hope you do too c:
-
Dylanger[m]
iirc FDE got sunsetted back in Android 10, could have even been Android 9, TL;DR you're not supposed to use at all anymore
-
r0tt0r[m]
<r0tt0r[m] "> <@fakhx:matrix.org> planning t"> well i have p4a, sry cant tell for p4/xl
-
falkensmaze[m]
Any plans of fixing this?
-
fakhx[m]
<Dylanger[m] "iirc FDE got sunsetted back in A"> yes in android 10 , both FBE and FDE have their own advantages thats why i prefer to use both and was wondering if in GOS we have that possibility
-
falkensmaze[m]
When making a screenshot, the resolution of image to edit is pretty... bad
-
falkensmaze[m]
Think this is because the editor attempts to show image for editing in this small resolution that appears in bottom left corner
-
fakhx[m]
<r0tt0r[m] "well i have p4a, sry cant tell f"> unfortunately not working with pixel 4 / xl , source :
androidcentral.com/open-camera-app-…brings-4k60-video-recording-pixel-4
-
nscnt
falkensmaze[m]: That's dependent on what app you use to crop your screenshot. Gallery (the app) isn't maintained. Use another app if you care.
-
falkensmaze[m]
* Any plans on fixing this?
-
rny
how do you use both FBE and FDE
-
rny
fakhx[m]:
-
mntr0jannyforjes
Fbe?
-
rny
file-based encryption
-
mntr0jannyforjes
File based encryption
-
rny
so bad this acronym
-
mntr0jannyforjes
Leave it to sales people to create an unnecessary acronym
-
nscnt
falkensmaze[m]: If you have plans to fix it, there might be plans. But as I said it's unmaintained.
-
rny
just rewrite it with android jetpack
-
rny
dont even bother trying to fix it
-
rny
the codebase is obsolete at this point
-
fakhx[m]
rny: i meant i use them both on computer , on my phone i prefer FDE over FBE and since android 10 it's mandatory FBE i was wondering if i can get FDE as well
-
rny
fakhx[m]: no, you cant on android. Its gone for good.
-
mntr0jannyforjes
Heh
-
mntr0jannyforjes
Shouldn't it be fbe over fde?
-
rny
how do you even do fbe over fde?
-
rny
if the disk itself is fully encrypted, what even is the point of decrypting the files, just to get a bunch of cipher text?
-
Golli[m]
It's essentially 2 layers of encryption instead of just 1.
-
darbubu[m]
<Lia[m] "Try rebooting, forgetting and re"> I have WIFI connection to my Router, but no connection to Internet. All other devices work fine :(
-
Lia[m]
<darbubu[m] "IMG_20201129_142528.jpg"> I can't reproduce your issue here
-
Lia[m]
It depends also on the internet speed, probably
-
darbubu[m]
<Lia[m] "It depends also on the internet "> 100Mbit and another 4 stock androids haven't any problems :(
-
dmctrl[m]
Hi, I have a couple of questions:
-
dmctrl[m]
1. What do people use as a Google Maps alternative? I tried osmand+, but it doesn't seem great for the UK where I live at least
-
dmctrl[m]
2. What's the latest on the GrapheneOS vs iOS privacy/security? I read a detailed answer from Daniel, which was great, but it was around a year old, so it would be good to get an up to date view on it
-
Lia[m]
Reduced privacy, but it may have been causing a problem.
-
darbubu[m]
<darbubu[m] "100Mbit and another 4 stock andr"> Also my pixel 3a has this Problem only after update today
-
» Lia[m] > <@darbubu:matrix.org> > <@darbubu:matrix.org> 100Mbit and another 4 stock androids haven't any problems :(
-
» Lia[m] > Also my pixel 3a has this Problem only after update today
-
» Lia[m] still wonders how could that be as nothing else breaks here, and there were no reports of broken captive portal.
-
darbubu[m]
<Lia[m] "> <@leeya:the-apothecary.club> s"> After reboot looks so, first wifi connection works, but only external connections. All local connections like 192.xxx.xxx.xxx does not work :(
-
darbubu[m]
If i switch wifi off and then switch it on again, then it doesn't work
-
besamim5781[m]
<cn3m "yeah personally I use macOS, but"> Is there some privacy guide for macOS?
-
niky
Hello again everyone
-
niky
so im trying to get a copy of my pixel4a gcam apk using adb
-
niky
which comm do i have to use
-
Lia[m]
<niky "which comm do i have to use"> A duckduckgo search will answer your question
-
Lia[m]
(The stackoverflow one)
-
Lia[m]
<niky "which comm do i have to use"> adb pull, is the one that pulls apk, but you gotta get the path of the apk
-
niky
got it thanks
-
niky
gcam apk is saved on my pc
-
niky
im following techlores guide to install gos but "fastboot flash unlocking" is stuck on waiting for any devices
-
Lia[m]
<niky "im following techlores guide to "> Ah, yeah, shouldn't have followed that.
-
niky
adb devices show the device and i authorized it
-
Lia[m]
Only the grapheneos.org/install is the official installation device
-
niky
okay
-
Lia[m]
Adb and fastboot are different, and the latter is more picky with devices
-
niky
ohh
-
Lia[m]
Rather, usb cables
-
niky
so is techlores video wrong in any way?
-
niky
im physical connected using the cable
-
Lia[m]
<niky "so is techlores video wrong in a"> Yeah. The installation script works as is and should not be modified.
-
niky
ohh
-
strcat[m]
please use the official instructions
-
niky
one of you guys should reach out to him
-
Lia[m]
<niky "im following techlores guide to "> That video, on release, was known to cause failures on flashing the OS
-
niky
oops
-
refinedanarchy[m
i installed graphene 2 days ago but i did not pulled gcam apk, are there any ways i can safely obtain a copy?
-
Lia[m]
<refinedanarchy[m "i installed graphene 2 days ago ">
hub.libranet.de/wiki/and-priv-sec/wiki/apps
-
Lia[m]
One can verify apps by apps_packages in fdroid
-
Lia[m]
> <@leeya:the-apothecary.club> One can verify apps by apps_packages in fdroid
-
Lia[m]
Install that app to see the hashes of apk
-
Lia[m]
Correction, the certifications
-
Lia[m]
certification part*
-
niky
I didnt understand this part
-
niky
Next, add the tools to your PATH in the current shell so they can be used without referencing them by file path, enabling usage by the flashing script.
On Linux and macOS:
export PATH="$PWD/platform-tools:$PATH"
On Windows:
$env:Path = "$pwd\platform-tools;$env:Path"
Sample output from fastboot --version afterwards:
fastboot version
-
niky
30.0.5-6877874
Installed as /home/username/downloads/platform-tools/fastboot
This is a temporary change to PATH for the current shell and will need to be done again if you open a new terminal. Make sure that the fastboot command works in the current shell before trying to run the flashing script.
-
niky
this is after installing adb on win10 via cmd for fastboot
-
r0tt0r[m]
<refinedanarchy[m "i installed graphene 2 days ago "> it is security related not recommended though you can use cstarks modded pixelcam
celsoazevedo.com/files/android/google-camera
-
niky
Windows:$env:Path = "$pwd\platform-tools;$env:Path" what would this command be for me ?
-
r0tt0r[m]
<refinedanarchy[m "i installed graphene 2 days ago "> but be advised this is not recommended from grapheneOS perspective
-
refinedanarchy[m
<r0tt0r[m] "but be advised this is not recom"> I mean it is sandboxed right?
-
refinedanarchy[m
I use firejail and apparmor on desktop to sandbox non free javascript stuff
-
yzrhjocizuwkjlqo
strcat: Does the Fairphone have the same hardware security standards as Google Pixels and maybe the possibility to run GrapheneOS on it someday?
-
yzrhjocizuwkjlqo
I remember something about you once said, it might get GrapheneOS officially one day
-
jpds
yzrhjocizuwkjlqo: No, it doesn't - they do not have a hardware security chip
-
strcat[m]
yzrhjocizuwkjlqocf: no, I never said that
-
strcat[m]
and it definitely doesn't
-
strcat[m]
what I probably said is that maybe they make an adequately secure device in the future
-
strcat[m]
not up to us
-
strcat[m]
contact them
-
yzrhjocizuwkjlqo
<strcat[m] "what I probably said is that may"> May I ask, is the software security the same, even without the chip? Or phrased another way.
-
strcat[m]
yes, the software security is worse
-
strcat[m]
verified boot and attestation are just two of many examples of what GrapheneOS would not have on those devices
-
strcat[m]
device support is covered well in the FAQ at a high level
-
yzrhjocizuwkjlqo
<strcat[m] "verified boot and attestation ar"> So I guess their stock devices don't have verified boot either?
-
strcat[m]
and also, if you think those 2 features are primarily about physical access security, you misunderstand them substantially
-
strcat[m]
yzrhjocizuwkjlqocf: not any meaningful / working implementation
-
strcat[m]
and again, those are 2 of many things not available there
-
yzrhjocizuwkjlqo
So all in all, Fairphone is not recommended as a phone I guess, if you care about security at all
-
habbihabbiya3[m]
I was thinking about purchasing a used pixel but the reseller records all serial and imei numbers. Is this a big issue or should I just purchase a new device ?
-
jpds
Even Google records the IMEI
-
habbihabbiya3[m]
i see, can someone do anything malicious with that information ? Someone who is not a state level player/
-
jpds
Not really
-
dontaskme[m]
<niky "im following techlores guide to "> I had exactly the same issue but I was following the official install instructions. Was resolved by installing Google USB driver
-
strcat[m]
oxygenxc: follow the official instructions at
grapheneos.org/install
-
strcat[m]
oxygenxc: Pixel 4a 5G and Pixel 5 are not supported and don't yet have maintainers working on them
-
strcat[m]
it has information on supported and recommended devices
-
oxygenxc[m]
<strcat[m] "grapheneos.org/faq#devic"> thank you so much! i already went through it but to be honest haha didn't understand a thing just that they are most pixel phones but not the 5 yet.. and i have read it has some new boot img stuff and i just wondering if its not gonna be supported for while!
-
whatisthematrix[
<strcat[m] "oxygenxc: Pixel 4a 5G and Pixel "> Okay fair enough. I know quite a few people have asked this and did not get an answer so I will tell them from now on. Thanks
-
jayell[m]
argh, TheJollyRoger: can someone point me to a comprehensive guide to android 11 or AOSP 11? like to see at least cursory coverage of ALL the settings. i have scoured googles support site and their android dev site to no avail
-
TheJollyRoger
jayell[m]: sorry, I'm not sure what you mean.
developer.android.com/about/versions/11 has quite a bit of information on behaviour changes, new privacy features, and the new APIs on Android 11.
-
cmattern_
Greetings, any suggestions on how to bridge the security gap created when using FairEmail to access gmail which, absent Google services, requires us to use a 16 lower alpha app password instead of 2FA?
-
jayell[m]
what i was hoping to find was a users guide of sorts, where for all settings (esp ones that have no "i" circle with basic explanatory text) some explanation was given along with possible best practices for configuring said setting. this is to aid a friend who is not tech challenged but is considering switching from ios to gos. for example : under 'Security' there is 'Device admin apps' and also 'Trust agents'. he is
-
jayell[m]
looking for simple (or more in depth) info on what these are for. is there a reference that correlates directly to the settings menu?
-
TheJollyRoger
jayell[m]: ah, that makes more sense. let me do some digging and I'll try to get back to you.
-
TheJollyRoger
That said - the defaults on GrapheneOS are set very deliberately, you won't gain (and indeed, can definitely lose) any security by futzing with them.
-
jayell[m]
thanks matey. that's what i thought. however, it'd be nice to see "why" a given setting is configured the way it is, and why that choice was made if the default has deviated from stock android.
-
TheJollyRoger
jayell[m]: Completely understandable! I'll keep looking. I'm actually unsure about many of these things, but if I recall right, Device Administrators were historically used for applications that were granted special privileges and this *used to be* intended for companies to implement management apps into the phone.
-
TheJollyRoger
These apps could do things like remote-wipe, install other apps, execute a shell, since they were supposed to be for your company to manage the handset.
-
TheJollyRoger
However, these are in the process of being deprecated since the attack surface presented there is huge.
-
yzrhjocizuwkjlqo
My understanding with the Titan chip, is that it encrypts the phone with "lots of bits" and only release the decryption key, if the correct password is given.
-
yzrhjocizuwkjlqo
For phones without a secure chip, does that mean it just encrypts with the password instead? Like 6 numerical characters would be just 9.7 bits?
-
TheJollyRoger
yzrhjocizuwkjlqo: you're close. If I recall right there are other secret parts of information that the Titan uses (I'm not sure of all of them) for key derivation but you're correct that the Titan is capable of bolstering the strength of a short pin. With respect to phones without a security chip, it tends to vary depending on the phone's CPU and the OEM's attentiveness to security.
-
TheJollyRoger
I think around 2013 or so, Apple would actually combine the four or six digit pincode with a unique identifier contained in the phone's CPU, but that was seven years ago and phones have moved on considerably since.
-
yzrhjocizuwkjlqo
<TheJollyRoger "yzrhjocizuwkjlqocf: you're close"> Titan M is close to Apple's Secure Enclave, right? How can Cellebrite then brute force an iPhone's standard 6 pin in a couple of hours/days if the secure chip should stop that? I'm talking about Apple's security chip here, as that's the only info we got about adversaries with lots of money trying to get into phones.
-
TheJollyRoger
The Titan M is very different than Apple's Secure Enclave Processor; if I recall right what they were doing to brute force the SEP was they were spoofing the time. The Titan M contains its own timer, for this reason.
-
TheJollyRoger
And its timer doesn't answer to the host clock.
-
jayell[m]
on a similar note, why do i have 127 out of 127 apps being granted 'sensors' permission on fresh gos install? many are clearly not user facing apps. do all these system apps require the permission? also, clicking 'show system' or 'hide system' does not seem to hide the many system apps like it did in my pixel 2 running an earlier "hardened-android-that-shall-not-be-named".
-
TheJollyRoger
jayell[m]: The reason GrapheneOS has chosen to give Sensors by default is that the Sensors and Network permissions aren't a part of the Android specification. Apps have no way to specifically request them in their manifest.
-
TheJollyRoger
So rather than break all your apps by default, GrapheneOS chose to grant them but allow you to make the call; remember that apps you install as a user are installed in a "Stopped" state, and cannot initiate until you launch them manually.
-
TheJollyRoger
So you can choose to disallow them from the beginning, however with respect to system apps, help is wanted there.
-
TheJollyRoger
This would likely require adding Sensors and Network to the manifest, one by one, to every single app.
-
TheJollyRoger
And then rebasing them each time.
-
TheJollyRoger
*each time those system apps change.
-
TheJollyRoger
So it's not that they require sensors, it's that they have no way to ask "pretty please, can I have sensors" whether or not they actually do.
-
TheJollyRoger
And GrapheneOS keeps this around for compatibility in that event.
-
vsinghsanwal[m]
Hi! Can anybody confirm whether Bluetooth headsets like the Samsung Galaxy Buds+ (plus) work well with GOS? How about the app? Thank you!
-
yzrhjocizuwkjlqo
<vsinghsanwal[m] "Hi! Can anybody confirm whether "> Not sure about the app. But the headset works just fine
-
TheJH
TheJollyRoger: you could kinda turn them into runtime permissions though, right? let systemui synchronously pop up a dialog when an app tries to access a sensor for the first time?
-
TheJH
TheJollyRoger: or are there a lot of apps that just access sensors for no good reason?
-
vsinghsanwal[m]
<yzrhjocizuwkjlqo "Not sure about the app. But the "> Thank you!
-
TheJollyRoger
Hi TheJH! I'm actually not sure, unfortunately, I'm not a developer :(
-
TheJollyRoger
Sorry I don't have much more information than that.
-
jayell[m]
<TheJollyRoger "So you can choose to disallow th"> ok jolly roger, regarding these apps,what is meant by 'help is wanted there."? surely someone else has done what i am about to try and denied most of them. whats the worst that could happen?
-
TheJollyRoger
jayell[m]: When I say "help wanted there" I mean help is wanted to add the permissions to the manifest the proper way so you don't see those permissions show up for those apps.
-
jayell[m]
ok. understood. any ideas what system apps need any of these? obviously the "Imprint" is needed by system unlocking app, and i know proximity sensor is used by phone app to turn off screen during a call.
-
TheJollyRoger
I don't, sorry.
-
yzrhjocizuwkjlqo
<vsinghsanwal[m] "Thank you!"> I didn't see you wrote Galaxy Buds plus.
-
AppAraat[m]
PSA: Be wary of updating Element Android from F-Droid on a P2: It might stop working.
-
cyborgninjaneer[
Fucking kick bot
-
cyborgninjaneer[
Is grapheneOS compatible with browser VR? Doesn't seem like it works
-
louipc
cyborgninjaneer[: you know if it even works on chromium?
-
cyborgninjaneer[
I don't know whether it's google dependent or not
-
cyborgninjaneer[
I tried Vanadium and nothing seems to support it.
-
cyborgninjaneer[
I was just curious
-
louipc
just found an article from 3 yrs ago that uses some special build of chromium.
-
louipc
probably need chrome or some other browser that supports it
-
cyborgninjaneer[
I know stock pixels will do VR on Google Chrome.
-
cyborgninjaneer[
It's probably all Google software then.
-
Coffee[m]1
Anyone use Signal on GOS? Does Signal use its own push notification system and does it work well?
-
louipc
cyborgninjaneer[: but thats not the only browser. i dont believe grapheneos is the limiting factor really
-
louipc
try other browsers
-
louipc
Coffee[m]1: yea it works
-
Coffee[m]1
louipc thank you
-
cyborgninjaneer[
Use the website build of Signal for GOS.
-
Coffee[m]1
Got it! Thank you
-
Coffee[m]1
I heard there was talk of GOS supporting microG in the near future? Is this true?
-
louipc
something like that. without spoofing tho
-
louipc
only as an app not tied to the system
-
louipc
its not currently possible