zrtjjtaher: what you're saying simply isn't how it behaves

and closing app activities is not required for permission changes to take effect

that's not accurate

they take effect immediately and if a permission is actually designed in a way that it requires an app restart the OS does that itself

zrtjjtaher[m]: you should reinstall

Network doesn't require that

<strcat[m] "did you remove permissions from "> I think I do not have enough knowledge of Android/GOS to be able to do that!! :-))

Network also isn't really something we created, we just made a toggle for it

along with proper handling for it being toggled dynamically

rather than just being a low-level non-user-facing install time permission

disabling Network disallows low-level socket access and indirect use of network via INTERNET perm

<strcat[m] "and closing app activities is no"> A user suggested to try to close the app and start it again. I had nothing to lose and tried. As you said, the test was irrelevant.

no app restart required (for any toggles)

I suggest by starting by using Auditor and making sure you do not have device managers or accessibility services

if you have a device policy manager or device manager then that's probably your issue

don't use those

<strcat[m] "I suggest by starting by using A"> what are "device managers" or "accessibility services"?

start by using Auditor to verify the device is running GrapheneOS without either of those kinds of things enabled

I just cracked open the box of a brand new Pixel 5 and am getting ready to, "GrapheneOS-ize" it! :P

device managers can break how the lockscreen works and permissions if you granted them those abilities

<zrtjjtaher[m] "what are "device managers" or "a"> I don't think I installed special things: A 2FA app, VLC, Linphone, Signal, etc... Quite classic, I guess!

<nux "I just cracked open the box of a"> noice

<strcat[m] "start by using Auditor to verify"> Can I use Auditor if I have not used it so far? Since I got GOS from the official site and verified it before install, I did not think I needed to use Auditor (but I am perhaps mistaken!!)

sjsndnjdejd: Yeah, pretty excited about it! I probably didn't need to upgrade from the 4a but the scarcity of ICs and general supply chain issues forced my hand! Who knows if/when it will be too difficult or expensive to upgrade in the near future?!!!

strcat[m]: the internet perm is named network in the permission toggle

zrtjjtaher: you can use it at any time

rny: aware, and it applies to network, not internet

including localhost

should we make a internet-specific one?

do android apps even open sockets for localhost connections?

@_@

@nux  Have fun!  I just installed GOS on a couple of 4as today.  Pretty easy if you use the Web installer.

i dont think i've used one that requires localhost sockets, should apps even do IPC via localhost sockets?

The 5 is out of my price range, though.

<strcat[m] "zrtjjtaher: you can use it at an"> OK, if you tell me that Auditor may help solve my problem, I will look at it and come back if I still have the problem.

Thank you very much for your support, Daniel!!

no it won't help your problem

rosie: I've done a few 4a devices via CLI but never the Web installer. I'm more comfortable with the CLI anyway. I like to see stuff at the CLI as it progresses.

but it will help you determine if you are actually running GrapheneOS and whether you have enabled an accessibility service or device manager

@nux  I don't know whether things have changed since you last installed GOS, but the Web installer is very much the recommended method now.

<strcat[m] "but it will help you determine i"> Not sure how I could not run GOS or how a device manager or accessibility service (not sure what both of these are by the way) could have arrived in my phone but I am happy to try and learn more about the Auditor!

rosie: As long as the cli method is complete and functional, I'll go that route.

zrtjjtaher: if you installed + enabled it in Settings

rosie: I have the evironment already set up on my Arch box so unless things changed drastically, it should be fine.

<strcat[m] "zrtjjtaher: if you installed + e"> Not sure what you mean

zrtjjtaher: have you disabled usage stats special access in Settings?

have you enabled a device manager or accessibility service?

you'll need to provide answers to those questions

as I recommended earlier, start with Auditor

<strcat[m] "have you enabled a device manage"> I don't remember having seen those terms so I guess the answer is simply "no".

did you use the Settings app to disable system apps and disable permissions for them?

it's entirely possible at the moment to break important stuff by toggling off usage stats perm for system apps, etc.

we have added a few things as disallowed that are inherently broken to do but it would be too much for us to go through and disallow doing anything broken

<strcat[m] "did you use the Settings app to "> That's easy! Answer is clearly NO!

<zrtjjtaher[m] "That's easy! Answer is clearly N"> easy to answer, i mean

@nux I fought with Arch for two days before I gave up and went with Debian.  And then I ended up using my Samsung 8 to actually install GOS because I don'

I don't have a computer with a USB-C port.

installing from macOS and Windows works fine too

Arch is the easiest traditional Linux distribution to use (ChromeOS and Android via web install are easier) since it has proper packages available

I don't have macOS, and my only access to Win10 is from a VM inside of Linux (which is not recommended for GOS install).  And I would still have the issue with the USB-C.

i wish arch had an option to not use gnu binutils

In the end, using the Samsung 8 was fine (except the Samsung shut down twice because it was overheating).  After I got GOS on the first Pixel, I used that to install GOS on the 2nd one.

I just couldn't make Arch work for me.

It's very configurable, but it's NOT user-friendly.  And I couldn't find enough documentation that I could make sense of.

<rny "zrtjjtaher: your claim about sig"> And by the way, @rny, thank you for your welcoming words! Much appreciated!!

are you trolling?

I get a strange impression from the replies and the initial story, waiting for more information such as Auditor results

best way to start resolving it is doing a local verification with Auditor

@rny you're right 100% if network permission is denied, the app won't even open. I had no idea that would occur

entry1: it disallows apps from creating network sockets rather than simply making connections fail, some apps don't do proper error handling

it has to do work this way because it prevents leaks

it prevents app listening for connections even via localhost

and prevents them using indirect networking too

the typical approach doesn't work and I don't do things that way

you can get `adb logcat` output and report it to app developers

they can change their code to catch the exceptions

they should be doing that if they write robust code

strcat very cool, my comment wasn't a complaint by any stretch. Thanks for the explanation!

zrtjjtaher: are you checking with Auditor?

<entry1 "@rny you're right 100% if networ"> Yup, never had an issue with that, whenever I'd disable network for signal, it wouldn't not work.

well, I found that discussion odd

so, to go into why it's so odd: they just joined the room a while before they started on this

so, they're a new user to the room

they report having a strange problem that seemingly no one else has ever encountered, which is always odd when we know people have the same small set of hardware and high assurance they have unaltered firmware + entire OS, same as everyone else

the use of exclamation points and the fact they knew who I was based on username is a bit strange

so, new user, just joined the channel, but knows who this is and calls me by my first name, which is just weird for someone who doesn't know me to do in a context where I'm not using my real name

now, unfortunately, this channel is being consistently raided by people aiming to concern troll by pretending to be GrapheneOS users, often with the goal of pretending something is wrong or causing drama/conflict

sometimes it is really hard to tell

but this gives me pretty bad vibes

someone pinged me in PM about it because it gave them bad vibes and that was before certain things like calling me by my irl first name

as a new user to the channel who as far as I know hasn't ever interacted with me and has little reason to call me that

<strcat[m] "the use of exclamation points an"> Yeah exactly, I was in this room like a dipshit for 2 months not knowing who you were. Very low chance of a true new user. I'm glad you give everyone the benefit of the doubt initially.

I needed two/three weeks to find out who strcat[m] is. :')

and I wanted them to use Auditor because it would check if they are really using GrapheneOS + if there is a device manager / accessibility service

didn't seem to go anywhere? no questions about how to use it etc.

it was step 1 to do

Is your IRL  identity supposed to be a secret?  I figured it out pretty quickly the first time I logged in here.  Maybe I'm just more intuitive than most?  I dunno.

and replies to my attempts to figure out what might be wrong were just strange and then they disappeared

could have read the logs

rosie: no, but someone who just joins the channel and is calling me by my irl first name is strange

calling someone by their real name which you have gotten somewhere else when you don't know them is just weird, no?

and I don't get pinged from someone saying that

unless someone knows me why would they me calling me that? you don't find that weird? cause I do

and it's just one of multiple weird, off things about it

Fair point.  Even though I knew your identity right away, I've never addressed you that way, just because I was "brought up" that that's bad 'netiquette.

yeah I mean it is weird to call someone by their real name when you don't know them and they are using a username

strcat[m]: i'll start calling you by your first name after we meet for a coffee :P

I am certainly not meant to be at all anonymous

☕

strcat is a great name, there's only so many unsafe C functions from the C standard library.

I also tend to be a reader/researcher, so I've read a fair amount of the GOS history, as well.  But that also was what set my mind more at ease that I was making the right choice to go with GOS.

in my experience meeting people I've known online for a long time irl we still think of each other via online nicks and only awkwardly use real name to avoid confusing other people

not really at all weird, it's just the nickname you know them by

Its odd no doubt, I'm in the same boat. It would be different if they approached the situation in a different manner too. It isn't like they called you by the first name in a normal way to how they were exposed to the project/room prior, and they didn't sound like they wanted to do your suggestion with any urgency.

I generally try to avoid meeting people IRL that I met online.  Creeps me out a bit.

<strcat[m] "in my experience meeting people "> All good until someone else joins the conversation and gets confused

entry1: yeah I mean look back at it

entry1: from the start, it is weird

entry1: maybe it is really someone with a real problem

they were at least making it seem that way but they do not seem to want to get it resolved

look at the response to asking about accessibility service / device manager

totally possible it is a real issue

not leaning that way

feel like it's an attempt to claim something is wrong and then get reactions to use to attack the project as has happened repeatedly these past months

unfortunate that it happens multiple times a day so if someone does actually have something wrong they are viewed with suspicion

I also get contacted a lot by email by people supposedly compromised that is largely / entirely trolling or people with delusions

waste time looking into it, pretty much always clear they are making stuff up

they'll claim something in the UI is odd and that it means they are compromised and vans are following them around hacking their phone or whatever

it's a daily thing

<strcat[m] "they'll claim something in the U"> Dayum

waste so much time

Do they not have lives

a lot is trolling

Yep, but you/we are giving them the benefit of the doubt still. You have a good approach and attitude because there can be anomalies and it is a mature mindset. It is a shame because you being very helpful and giving detailed explanations to people can cause a headache when there are trolls.

strcat[m]: Their goal is to waste your time. Unfortunate reality...

sometimes it is people who genuinely believe they are being hacked and have some really weird ideas

if someone had something truly interesting to support they'd have to deal with the fact that all these people have wasted my time and made me uninterested in looking at those kinds of emails seriously

btw our servers are under DDoS attacks again today

it doesn't really impact anything

Imagine trying to DDoS a datacenter

it doesn't even slow things down significantly

How stupid are these people

well OVH just diverts / mitigates most of it

and our web services are hardened against it, although need to adjust them into a DDoS fighting mode if necessary

strcat[m]: put them behind cloudflare

:P

the values aren't super strict by default to avoid causing problems for people on very slow connections or CGNAT

Plus this project can get a lot of attention because it comes up as the most secure phone and people with schizophrenia can flock to it. Schizophrenia is a really big thing and I feel so bad for people who have it because they aren't trolling and they have no one to turn to. Good stuff being able to deter the DDoSing assholes

rny: don't need it and won't help if they know the IPs anyway

I might have to put nginx in front of the mail server since they're attacking the mail server now

well another upside is that our users benefit from cloudflare's edge to origin routing

<strcat[m] "calling someone by their real na"> Yes, very weird.

better latencies and potentially throughput on better internet paths

ovh peers are not great

rny: I'd rather set up multiple VPS for grapheneos.org around world and use geodns ourselves

Hi

and still control it

Hi guys. I have a problem

rny: Not sure cloudflare is a good idea for a project which tries to improve privacy

rny: we use round-robin DNS for releases.grapheneos.org now, can add more servers as needed

just using their network and nothing private is being communicated

In my second profile I can't install apps I they downloading fdroid but when I go to install it says "app not installed"

private99: because you can't install an older version there

private99: it's an issue with F-Droid's site: they link an out-of-date version of the app as the main download, recommend reporting the issue to them

Ahh OK

private99: go to the F-Droid page on their site and ignore the main F-Droid download link, instead download the most recent stable release

Thank you

Will try that now

f-droid.org/en/packages/org.fdroid.fdroid see there, the "download f-droid" button is a generic link on every page

and gives you an out-of-date version

it's very strange that they are resistant to fixing this and I think more people need to report the issues it causes

A secondary question. There is an app called "locker" on fdroid which after a certain amount of failing password entry's from the google lock screen it will wipe device

Is that good to use?

Or won't work eight grapheme

Grapheme*

don't know what you mean by google lock screen

private99: I wouldn't recommend using a device manager

The lock screen when entering phone

I recommend reading grapheneos.org/faq#encryption

OK thanks

a software enforced limit doesn't add much

Gonna check that out

even with a fully random 6 digit PIN you are secure against a brute force even if the attacker compromises the OS completely with exploits

they would have to compromise the hardened secure element

to brute force

<strcat[m] "they would have to compromise th"> Ahh interesting

setting a software limit on attempts does very little

That my main threat model which is someone phsically trying to enter the phone

yeah so, a software limit could be bypassed if they have exploited the OS

the hardware-based throttling is far more useful and already quickly throttles to 1 day per attempt

In that scenario I would be better off using a secondary user profile for most things correct ?

the reason it's useful to use a secondary user is primarily because the Owner profile has to be unlocked after booting

in order to use the phone

That hardware based throttling is based on the titan chip ?

private99: that part of it is, yes

grapheneos.org/faq#encryption explains it all

Question about settings:  in Permitted Networks (for system updates), which selection do I need to force GOS to update only over wifi?  It's not clear to me from the Usage Guide.

the SoC encryption support provides hardware-bound, hardware accelerated key derivation

Thanks appreciate it the info and help

that adds a short delay to each key derivation from a passphrase, etc.

This is very good work and really appreciate the community and devs putting in their efforts into this .

it accomplishes little for a weak credential like a PIN

the Titan M provides a Weaver implementation which offers hardware enforced throttling growing with failed attempts up to 1 day per attempt delays

the OS takes your credential, derives key with scrypt

then it has ~10 or so uses of that derived key, for each one it trivially derives a new key with personalization string using sha512

Interesting

one of the uses of the key is sending a derived key to Titan M as part of Weaver, and Titan M gives back a token that was randomly generated earlier

that token is an extra required input to derive the disk encryption keys

So in that case would it be makes sense to put for the owner profile a alphanumeric password

if you don't provide correct credential-derived key to Titan M, it won't give back the token

While secondary profile a 8 digit pin

and it throttles via a secure tamper resistant internal timer

private99: all depends on how you want to use it

private99: encryption is per-profile

owner profile also encrypts certain device-wide data

Ahh

encryption is per-profile based on the profile's lock method

Okok I was gonna do it so they would have to break into owner first and then try again to break into the secondary profile

if you have super sensitive data you rarely need to access, put it in a dedicated user profile with a strong passphrase and rarely unlock the profile

and use the 'end session' button when finished with it

OK that's perfect

which clears away encryption keys from memory/hardware

Thanks for the help and info

for most people, using Owner profile as main profile is fine, and if you have super sensitive data put it in a secondary profile

if you want to take maximum advantage of how things work you can use a secondary profile as your main one

Yah I think IMA prefer that method

so then, you can boot up the device, unlock Owner profile, and create/delete new users, or use it for basic usage

Secondary profile

and your main profile is still at rest

so, as an example, say you want to delete your main profile

if it's a secondary profile

you can delete it without unlocking it

from Owner

the only way to completely wipe Owner is via factory reset, although you could do via recovery wipe data

Hmm

grapheneos.org/faq#encryption has a lot of info

Where is the "end session" button?  Is that only for multiple profiles?

there is no best option or specific recommendation

rosie: it's only for secondary profiles

rosie: end session for Owner is reboot

So in an emergency situation its possibpy to quickly delete the second pro

Suppose you are using the owner profile, you put it into Lockdown mode, somebody gets physical possession of your phone. What do they need to do to bypass the lockscreen, & what does GrapheneOS do to make that job harder?

rosie: since Owner has data needed for other profiles to work, etc.

So there's no way to close all running apps at once other than a reboot?

rhclayto: recommend reading grapheneos.org/faq#encryption

rosie: not clear what you mean by closing all running apps or why you want to do that

doesn't seem related to stuff above

by all apps do you mean all system components? seems to imply rebooting

rhclayto: lockdown simply disables secondary unlock methods, does not do what you seem to think, and 'bypass lockscreen' is not 'break encryption'

rhclayto: you'll need to read grapheneos.org/faq#encryption and ask a clearer question

is it recommended to install it on some older device from 2015 I wanted to first test run it on such

?

rhclayto: lockdown != end session

different options

vanderPoel: no, recommended cheapest device is a Pixel 4a

Hi strcat. I read that FAQ, & it was very informative, but my grasp of the encryption & security mechanisms of GrapheneOS are not I think good enough to map that information onto certain hypothetical scenarios.

rhclayto: well, going to be difficult to answer then, beyond the information that's already there

rhclayto: grapheneos.org/features and grapheneos.org/faq#encryption is really all the info that can be provided

and there is any unofficial list of confirmed phone models ?

vanderPoel: grapheneos.org/faq#device-support

So in the scenario where the session is not ended, what is the procedure someone would use to bypass the lock? Those kinds of scenarios, what protection is offered (or lack thereof) in various states of locked/unlocked, session active/session inactive, would help general users grasp what is going on.

you mentioned an end session button, and that brought up a question I had been wondering about.  With both my Samsung and Pixel 4a, there's a button that will bring up all running apps and let me switch among them.  With the Samsung, there is also a button to close all of the running apps at once.  I'm not finding a similar button on the Pixel

4a.  The end session button you referred to sounded similar, but apparently it's not.

grapheneos.org/faq#encryption covers it

rosie: that button doesn't close all running apps

the recent apps page are user-facing activities not 'running apps'

clearing them away doesn't mean stuff isn't running

Ok, is there a way to close all of those user-facing activities at once?

and 'end session' is simply 'logout' rather than 'lock screen'

and since encryption is per-profile, it was designed to purge the encryption keys in RAM/registers

to put the profile fully back at rest

rhclayto: you're just not going to get better info than we have on the site

rhclayto: this isn't a medium where I can provide more detailed info than we do there, the info on the site is the best you are going to get

unclear what you want to be covered there that's not covered already

and I am aware it is quite detailed but that is necessary

Well, I think it would be great if the GrapheneOS project gets to the point where it can afford to hire professional copywriters, because that FAQ might explain a lot to people who are already well-versed in security & encryption, but it leaves much to be desired for a more general audience.

rhclayto: I don't expect a general audience to end up with a technical understanding of how things work

the FAQ is answering how encryption is implemented

it is a technical answer

it is not giving advice on using the OS, that wasn't the question it is supposed to answer

<strcat[m] "rosie: that button doesn't close"> “end session” doesn’t closes all but closes apps inside the session right?

if you want advice on how to use the OS, that's much different than a technical question

Right, that is what that FAQ gives, a technical underartanding. What it doesn't give is an understanding of what the technical details mean for practical usage in various scenarios.

if you ask a technical question, you get an technical answer

* if you ask a technical question, you get a technical answer

ok one question,  I read it so if I don't have a google phone then graphene os is not for me ? Samsung galaxy 20

rhclayto: so, here's the problem: you're asking how it protects against something and what guarantees it provides, etc.

technical question -> technical answer

rhclayto: you're asking how it would be attacked, etc.

<strcat[m] "technical question -> technical "> Mind-blowing

you aren't asking for usage advice

I asked for a non-technical explanation, actually. The FAQ gives a somewhat technical explanation.

Wow! GrapheneOS install on Pixel 5 was smooth as buttah! :P

rhclayto: you can't really get a non-technical explanation for a highly technical question

you'll need to ask a question that's not so technical then

don't ask how things work on a technical level?

if you ask a very broad, technical question

that is what you are going to get in response

if you ask a much more specific question that's not about the implementation details and how things work that's a different thing

<strcat[m] "rhclayto: you can't really get a"> are you part of the graphene team?

why?

you seem to know alot

.. why? lol

He's just a user

no.. yes. ?

the FAQ answers "How is disk encryption implemented?"

<tor3nduser[m] "no.. yes. ?"> yes, lead dev

vanderPoel, Yes, that's correct.  The only phones supported are in that list.  If you believe that GraphenOS is the right OS for your phone, you have to get one that is supported, rather than try to make GraphenOS fit the phone you have/want.

I asked what an entity who gains possession of your device in locked but session-active mode would have to do to get into your data. I guess you could call that 'technical', it's a matter of semantics, but in nay case it's not clearly answered in the FAQ you referenced.

it is clearly answered there

it's not the question it is answering but it does provide all that info

<sjsndnjdejd "yes, lead dev"> shut up lol

and in the last paragraph it mentions apps being able to use the keystore to keep data at rest

<tor3nduser[m] "shut up lol "> No he actually is

when logged in by locked

If it is a question it answers by indirect inference, then it's not clearly answered to a non-expert audience.

* when logged in but locked

rhclayto: it answers the question

<grapheneos_user_ "No he actually is"> daniel micay?..

lol no.

Here we go again?

This debate could not come at a better time

Or at least a more coincidental time

strcat is daniel micay ?..

rhclayto: do you understand what it means by data being at rest?

<tor3nduser[m] "strcat is daniel micay ?.."> Yes

You guys need a PR department. I mean, insisting that everything is already explained well-enough, in the face of users who say it's not, is just really bad communication.

No, I actually don't understand that or the implications of it.

rhclayto: #grapheneos is not a business

I consider it pretty rude to suggest it is badly written rather than it being a technical answer to a technical question

<rhclayto "You guys need a PR department. I"> That's your opinion. This is a nonprofit

I know it's not a business, but I assume it has a desire to spread its goodness to a wide audience? or just a small insider's group?

if you think that I cannot write documentation and explanations that are non-technical you couldn't be more wrong

akc3n[m]: not even, its just an open source project with loosely coordinated developers

:P

<d​eadlypayload> looking for someone to help me make GrapheneOS rom changes. BTC Reward available.

with a lead developer taht goes above and beyond to write excellent technical documentation

I find it pretty rude implying that the docs there are badly written

only to have users ignore what is being written

😢

the question it is answering is how encryption is implemented

i didnt see a problem with any of the documents.

rhclayto: and the docs are very well written. I used to have a hard time with them at first, but like anything else in life, applying yourself and learning about what everything means...

not "what end users should know about encryption"

that's a different question

pretty straight forward to me.

type of answer varies based on the question

you ask how stuff is implemented and how it would be attacked? that's going to inherently be a pretty technical and nuanced answer to a very broad question like that focused on technical details

I'm not going to give an inaccurate answer or oversimplication so ask a simpler / more specific question if you want a simpler answer

do you understand what it means for data to be at rest?

* rhclayto: and the docs are very well written. I used to have a hard time with some technical wording at first, but like anything else in life, applying yourself and learning about what everything means...

My goodness, you guys take this stuff personal, don't you? I actually asked a specific question, you referred me to a FAQ that does not answer that specific question, you say the answer to it can be inferrred from what is written there, I say I don't feel competent to make that inference, you say 'well, there's nothing that can be done, the documentation is as good as you're going to get', & that it's rude to question the quality of the

documentation. It may be great documentation, for a certain audeince, but completely unhelpful to another. That is what professional copywriters do, write for their audience. it's not an insult to hope for you guys that you can hire the right people to do that job. Grow up.

rosie: So I'm interested to try the Web interface installer at some point, based on your comments. I think it's also interesting that you flashed a phone with a phone! :)

<nux "rosie: So I'm interested to try "> Flashed a Pixel 3 XL a couple hours ago via the web installer. It literally couldn't be simplier

So nevermind.

<nux "rosie: So I'm interested to try "> Well, a smartphone is a computer after all...

th0mcat: Yeah, they've got it dialed in pretty well.

grapheneos_user_: Really? ;)

<rhclayto "documentation. It may be great d"> Chill

<rhclayto "So nevermind."> i agree

rhclayto: doesn't really seem you want a question answered

th0mcat: I haven't tried the Web installer yet but I think I will try it on my next load.

you know if you are really the lead dev on graphene. more power to ya really. you guys do a great job. but my god being nicer would be cool

No, you just can't answer it. And so . . . much . . ego.

th0mcat: I just used the CLI method on a brand new Pixel5 and it was very easy.

@nux  the documentation does state that you can use one phone's browser to flash another phone using the Web installer, but I had initially interpreted that to mean a phone that already had GOS installed.  I would never have thought of it if one of the mods here hadn't suggested it, and by golly, it worked!

rhclayto: if you want a basic high level explanation

rosie: That's pretty cool!

th0mcat: rosie: Now I just need to wait for my Pixel 4a to backup to my Nextcloud instance so that I can import everything over to the Pixel 5.

<rhclayto "So nevermind."> I think you went about this the wrong way and telling the lead developer to grow up isn't very kind. A more suitable question would be "Is there a difference with GrapheneOS data at rest (before unlock) and after first unlock, and are there any known vulnerabilities for companies like Cellebrite (who work with law enforcement) to unlock a GrapheneOS device.

<entry1 "I think you went about this the "> He's banned

Nvm, sorry you're getting attacked today

<grapheneos_user_ "He's banned"> Yep lol

think those are the same person and not acting in good faith

<entry1 "Yep lol"> Hehe

:P

Yeah that was super concern-trolly

again, some very weird stuff going on there

similar to earlier

hope people can see that

How is strcat supposed to write non technical documentation for a technical answer

Makes no sense whatsoever

I wrote nearly all the docs on the site and there are plenty of non-technical docs there

* How is strcat supposed to write non technical answers for a technical question

don't appreciate someone claiming that I'm not capable of writing good documentation and teaching people things in a way they can understand

He was in here yesterday and name dropped JollyRoger, but that could have been a way to seem innocent. For anyone reading the logs or who hasn't seen what was deleted, he insulted the lead developer who was trying to assist him kindly and insulted him again. Another user joined in together.

you can see I asked several times if they knew what at rest meant and was fully willing to explain it in detail

Wow

they wouldn't respond

entry1: who was?

yesterday I mean

<strcat[m] "they wouldn't respond"> "that answer can't stop me because I can't read!"

What it seems like

Yes, you did strcat. Completely justified. strcat rhclayto

can explain what exactly happened yesterday?

there have been raids on the channel in the past few days, as expected

He was in here and said he was referred by PeterEaston to the room. It seemed innocent enough and he could have been lying 100%

entry1: doesn't really seem problematic?

We pointed him to the OT room as well.

Trying to think exactly what he asked. No, he seemed innocent enough but today he acted very hostile towards you.

<strcat[m] "you can see I asked several time"> > rhclayto

tf is going on

<strcat[m] "hope people can see that"> Ya I've been catching on to patterns lately, and thanks for laying out how they operate.

sphinx: and I was going to explain it in detail to them and they kept insulting my writing instead and implying I need to hire someone to write for me

which is actually pretty insulting

and by the way I got involved in open source initially by writing documentation

would installing stock android aosp on a second device provide any type of security or is it pretty open?

linuxwolf: there are no official AOSP releases as a whole OS

unclear what you mean by 'stock android aosp'

stock is used to refer to what comes on the device from retail / factory

AOSP is the open source OS forked by vendors and others to make stock OSes and alternate OSes for the devices

AOSP doesn't have releases itself

* AOSP doesn't have releases with builds itself

it has source code releases

i guess i meant if you download and build aosp fro. source

from*

<strcat[m] "stock is used to refer to what c"> yea true lol. i just meant nothing done to it

AOSP requires device support code to be added

ah i see

so, you'll need to clarify more what you're trying to do

<strcat[m] "and by the way I got involved in"> archwiki administrator 0 0

you can't simply build AOSP for a device, you need to add the device support code for it

yeah I got involved in editing the Arch Linux wiki and was an administrator there

and I wrote a lot of the content on it

im not trying to do anything. i just wanted to know if any security is implemented in it for my old pix 3a

including a lot of the install guide, etc.

and I've written a lot of other docs

ah ok. i may check that out

some highly technical, some fairly technical, some not very technical at all

FAQ answers vary in how they address it based on the question

<strcat[m] "and I wrote a lot of the content"> That's pretty sweet... Never knew that, thanks! I'm on their lots.

yea really. arch wiki is awesome 😆

the one about how encryption is implemented is meant to be a technical answer, avoiding saying things requiring being a developer to understand, but assuming background in understanding encryption

it's not meant to explain how disk encryption or key derivation work as concepts

it's meant to be an answer for people who want the technical details and understand those topics

if you don't want technical details, that isn't a question/answer for you

if you want advice on how to use the OS, that's not meant for that

what documentation are you referring to?

I'm referring to the fact that I don't appreciate someone trying to imply that I'm bad at writing and need to hire 'professional copywriters' because they don't like the answer I gave to their question

<akc3n[m] "That's pretty sweet... Never kne"> Always learn something new everyday in here. Dude is a walking book of knowledge and releases everything to the world for free and open source. Needs a book written on him, but an autobiography would be the best tbh because another author would mess it up 😂

that section is supposed to be technical and requires knowing encryption terms

Is there a GrapheneOS forum where one may post devices installed with GOS for sale? I'd list my Pixel 4a on Gazelle or Swappa but I suspect it wouldn't appeal to the average security-unconcious person with GrapheneOS running on it.

that's the point of it

it's actually quite frustrating putting so much effort into writing that stuff and then having that response to it

and once I put substantial effort into making content there I want to use it as an answer, that was the point of writing it

grapheneos.org/faq#notifications here's an example of a section that's meant to get across a lot of non-technical info while providing technical details as a bonus

but that encryption section is literally "how is encryption implemented?"

which from my interpretation what was basically what they were asking here: how is it implemented and how would it be attacked

Probably best just to re-flash it back to Google's OS and sell it that way but figured I'd ask.

<strcat[m] "it's actually quite frustrating "> You're not falling on 100% deaf ears, I can assure you that. Can't imagine your pain when you're the epitome of a "good" person trying to better the world

<strcat[m] "it's actually quite frustrating "> idk i think you guys did a good job. i understand the documentation on the website..

I could make another encryption section about more specific things

I wanted to make one about the keystore

I do not really want to make one with 'advice'

because there is no one size fits all advice

what I can do is explain how things work, like that section

or provide a section on advantages/disadvantages to different approaches

people ultimately have to choose what's best for their needs

there can be more info on encryption there

<strcat[m] "I could make *another* encryptio"> Do you think you would do that then? I would love to learn from it.

As I'm sure others will too

maybe but not as a response to this

I understand. And agree.

stuff like this discourages me from writing it

No. Please. Your writing is amazing. And extremely beneficial to everyone and anyone who wants to learn. Please don't be discouraged by idiot trolls.

anyway if you read that section I think you can see I did try to make a technical answer as understandable as possible but defining terms, etc. isn't in scope

akc3n[m]: +1

<nux "Is there a GrapheneOS forum wher"> Off topic, will answer in that channel

grapheneos_user_: Oh yeah, I forgot about that channel. Thanks!

> All data, file names and other metadata is always stored encrypted.

it says that pretty early

anyway point of the section is not to define terms or how disk encryption works in general

it's specifically meant to say how it is implemented in AOSP with a modern device fully providing the hardware features for it and what GrapheneOS changes

it is not "what is disk encryption?" "how does disk encryption work?" etc

and it's not "what are the security properties of the approach to disk encryption?" either

that's just meant to be implied, for people who understand what it's talking about

The advantages and disadvantages for comparisons in opsec would be huge to read, but again you have a lot on your plate already. You could write a book(s) about the operating system and underlying security features and enhancements and I'd want to read every page. You always remain as impartial as possible, but most laypeople want "absolutes" and ultimately your opinion (even though you always specify their isn't a one

size fits all approach and that it can get too technical). The website is an amazing tool and when people have questions, I always try to link it directly since it answers them better and can answer a ton of other questions that will arise.

yes people want overly simple answers to a very broad a nuanced question

if you ask a question about the security properties and how it could be attacked you really need to start by understanding that section

and go from there

otherwise I could make an overly simplified take on it

and I can't read minds, I can't know if someone really just wants some simple reassurance or basic explanation

if they ask how it works I take that as what it means

> GrapheneOS enables support for ending secondary user profile sessions after logging into them. It adds an end session button to the lockscreen and in the global action menu accessed by holding the power button. This fully purges the encryption keys and puts the profiles back at rest. This can't be done for the owner profile without rebooting due to it encrypting the sensitive system-wide operating system data.

> Using a secondary profile for regular usage allows you to make use of the device without decrypting the data in your regular usage profile. It also allows putting it at rest without rebooting the device. Even if you use the same passphrase for multiple profiles, each of those profiles still ends up with a unique key encryption key and a compromise of the OS while one of them is active won't leak the passphrase. The

advantage to using separate passphrases is in case an attacker records you entering it.

I think this is a really good explanation

I don't understand what is wrong with it

question. what is meant by "user facing" firewall.

linuxwolf: toggles, knobs, frills for end users to change

ah. thanks

Exactly, and you can open a can of worms because you are so often quoted. If there is misinterpretation of the person's question and an oversimplified answer given, it could lead to other people being confused and even more questions.

a lot of care went into writing stuff in a way that it doesn't get misinterpreted and I edit it if that's happening

it has to be nuanced and detailed sometimes

someone having your device while a profile is logged in doesn't mean they inherently get data from it

they would have to exploit the OS

and as it explains in the final paragraph apps can keep data at rest when locked

using keystore

imo those 2 paragraphs are a good answer and a lot of information beyond what they explicitly state is implied by them

there could be a separate question about that kind of thing but it's not going to be what people want since it's all going to have to be nuanced and detailed in the same way

profile logged in means the OS has access to most of that profile's data

not all, particularly when locked, but most, and it's up to apps to use keystore

any plans to implement the ability to utilize the pixel 5s adaptive charging feature?

so, sorry for not putting misleading or dishonest marketing BS / claims on the site like nearly anyone else...

linuxwolf: all the normal charging stuff works fine

linuxwolf: no plans to implement machine learning of your habits to adjust things like brightness, charging, etc.

i was referring to the feature where if an alarm is set then the phone will charge slower throughout that time period to reach 100% just prior to the alarm going off

i think they call it adaptive charging

why'd this be something controlled by the clock app?

its the battery controllers job to decide how many amps to pull from the charger

Thank you for being a good person. I seriously hope you don't get too overburdened with the constant trolling/attacks to just stop what you're doing overall and become probably one of the best blackhat hackers there could possibly be. You deserve more resources and help than you get.

linuxwolf: which uses machine learning type stuff

linuxwolf: and also what happens if you need to get up early and your phone is half charged

we have all the standard charging throttling stuff based on heat, capacity, etc.

🙃

charges slower near max capacity, avoids making it too hot, etc.

standard USB-PD stuff integrated into SoC + battery

very sophisticated already

ML coerces people into 16/8 day-night cycles

:P

<strcat[m] "we have all the standard chargin"> thats good to know. i just noticed yesterday that my phone said it was rapid charging.

which led me to look for a way to turn off rapid charge

Hi, recently I've been noticing from a certain update some apps are not adjusted to System Language. I have Japanese language set on my phone, it used to be that the software downloaded would correctly show Japanese but now they all revert to English for some reason. Noticable apps are Google Maps, Google Photos, Deezer, Shazam and many more. I would appreciate if anyone knew what went wrong. Thanks a lot

entry1: ah, crap, looks like I got back a little late. He appeared on my github asking me some questions. Some I answered, but a few I didn't exactly feel qualified to answer so I just linked the FAQ and the IRC channel. Nevermind that though, if he's been disrespectful, that has noplace here.

Ah well. In the future, I might take my old drafts down because they're only up there for historical preservation, they're not curated.

For the record, the existing documentation's much better than what I could do, with my understanding of the operating system at this point in time. I'm not sure I could break it down much further without it starting to sound condescending...

<d3nm6ugnffwftn2j "Hi, recently I've been noticing "> If you use aurora Store that could can be where the issue is from

<dhsjwbbsjxndbs "If you use aurora Store that cou"> I see. Is it because their recent 4.0 update that doesn't do language spoof very well?

It pretty widely reported after v4 release

a lot of new shared accounts are UK Google accounts

you can use a Japanese account download, apps that are more localized to Japan

Oh that's the reason why. I'll go and try that. Thanks a lot for the help!😄

<TheJollyRoger "entry1: ah, crap, looks like I g"> Oh no worries! Thanks for all your help in the room to and to pointing him here! It was a shame it came to that and I only mentioned your name since I remember him joining yesterday and mentioned how you helped him out. Wasn't calling you out whatsoever my man

entry1: Oh, hehe, no callout taken mate! Thanks for the heads-up, all is well.

Sorry if that was a bit gruff.

Wasn't my intention!

You're not referring to me right? (Not to make things about myself lol)

entry1: oh no no no, not referring to you, ahaha.

You're good P.-)

Spam ^

I'm running into an issue and before I submit a bug report I thought I'd ask here if anyone else has encountered this:

I installed Signal (through Aurora Store) and went through the setup and registration, including restoring messages from a backup, but within a few seconds after that the app closed suddenly. Now when I try to open it it will open to a white screen (for about a quarter of a second) and then close. In my notifications bar it tells me that Signal has

a background connection enabled. I've tried force stopping it and rebooting the phone to no success.

This is my third time trying to set up the app. I did the same thing yesterday with the same problem. I then uninstalled Signal and reinstalled it but did not restore from a backup. But because I want my old messages I then tried setting it up again today and once again restoring from a backup. Anyone have any thoughts? Or should I just submit a

bug report? Thank you.

Hello hopethisisuniq, I'm running the latest of Signal, haven't seen what you're seeing. If you have access to the developer options, you can capture and send a tombstone.

OK I'll do that

Hmmm this is happening on a secondary user account so maybe I can't activate developer options?

Hmm, haven't had any problems with Signal on a secondary user account either.

I more meant that I can't seem to activate developer options from within a secondary account. I'll try to replicate this in the phone's owner account

Great!

Hmmm... reinstalled and registered signal on my owner account and now it isn't crashing. I'll try to figure out how to replicate the problem but if I guess I'll try reinstalling it on the secondary account where I was running into the issues.

*if I can't replicate the crashes

OK now it's crashing again and I tried to capture a bug report but I'm not sure if I'm doing it right:

I went to Developer options and clicked on Bug report. I then opened signal to replicate the issue and then clicked on Details under the bug report notification. I gave it a title and summary and clicked Save and then chose to share it. And then it went to a blank screen. Am I doing this right?

Hello All!

<ihopethisisuniq "Hmmm... reinstalled and register"> I think for GrapheneOS you still have to install an actual Signal .apk and not the Aurora store/Google Play version? I think that might be your problem.

i have graphene installed on my Pixel 4a. anybody know why, when enabe DND, that DND doesn't work unless I enable DND and have to cut my Volume all the way down, also, to get DND to work?

<Delta[m]1 "I think for GrapheneOS you still"> The aurora store gets the same apk from playstore

Should not matter

<helloworldkk87[m "The aurora store gets the same a"> I meant this signal.org/android/apk

That version just has the bult in updater

And notifications

Notifications work on both

They never used to

Right

You used to have to specifically install this version for GrapheneOS, which was completely independent of Google services

i.e the notifications

Right

Also lets take this to off topic

<Delta[m]1 "You used to have to specifically"> Which one

#grapheneos-offtopic:matrix.org

<kskdj[m] "Which one"> The .apk offered on their site

wth just happened?

wth just happened? anybody know?

Hey guys what is the "sensors" permission?

That explains it well

That explained it very clearly. Thanks for sharing that resource

!PrivacyGoods has joined the Telegram Group!

Hi, I am preparing to flash my Pixel 4a 5g with GrapheneOS. In the official Web installation guide, it says to turn on oem locking, but it says nothing about enabling USB debugging. Is it correct to leave USB debugging off? I was under the impression this was needed.

Sorry for this question, I am doing this for the first time and just like to double check so as to avoid bricking my phone

*oem unlocking* of course

lkjlpojnk: yes, don't deviate from the guide

Ok, so I leave USB debugging toggled off, correct?

correct

Thanks!

Hot Limited Item!!! ebay.com/itm/333952068836

Hot Limited Item!!! ebay.com/itm/333952068836

Tf is this xd

Some random spamming

Hi, I am in the process of flashing GOS via WEB Installer and ran into an error

the Web Installer says "Error: Unable to claim Interface", and the device shows fastbootd with the options to reboot system now, enter recovery, reboot to bootloader or power off

<lkjlpojnk "the Web Installer says "Error: U"> reboot again to bootloader, flash it using different usb port or usb cable

<DHFuchsiaOSwhen "reboot again to bootloader, flas"> Try doing this btw (assuming the cable that came with the phone is not used)

I am using the original cable and no adapter. Should I use a different port?

Hello, this is off topic, but everyone here seems to be intelligent on the subject of privacy and security.

What messaging app, would you guys suggest ? Signal ? or FOSS-Molly ?

<lkjlpojnk "I am using the original cable an"> Yeah

I rebooted into bootloader, plugged the cable into a different port and pressed the Flash Release button, but it says "Error: An operation that changes interface state is in progress."

#grapheneos-offtopic:matrix.org

<lkjlpojnk "I rebooted into bootloader, plug"> Refreshing may help

<OffTopic "What messaging app, would you gu"> A shorthand answer, FOSS-Molly for having separate passphrase and having encryption at rest, Signal for lesser parties to trust

<OffTopic "What messaging app, would you gu"> (Also, the offopic room is at #grapheneos-offtopic)

Thanks, refreshing worked.Its flashing now

Ok, thank you !!

Thank you so much DHFuchsiaOSwhen , the installation worked perfectly with the other port

Hi, how do I verify apk files on GrapheneOS?

<lkjlpojnk "Hi, how do I verify apk files on"> If you are trying to on your phone I believe f-droid.org/app/com.oF2pks.classyshark3xodus will show the sha256 of apks

Anyone have an issue with occasions of GrapheneOS on a Pixel 3XL freezing up? I'm trying to figure out if its just if I have to many apps running in the background or something.

<Stephen[m] "Anyone have an issue with occasi"> I have the same problem

But I'm on a 4xl

I usually check RAM usage, but mine typically stays at 3.4gb/3.8gb

Maybe related btw: GrapheneOS/os_issue_tracker #531#issuecomment-812075727

I'll check it out

Ah, yes. Sounds like it is related. I usually notice it on my phone if I'm watching newpipe, vinyl music player, or bromite. But it is really random. I need to see if I can log what happens before it freezes

Does anyone know how I could go about logging data when the phone freezes up?

<Stephen[m] "Does anyone know how I could go "> Bug report toggled on in developer options

or adb logcat with adb debugging on

Good stuff. I'll try it out

<DHFuchsiaOSwhen "Bug report toggled on in develop"> So I would probably just run the bug report right after a SystemUI freeze correct?

Hello guys

Sup

I'm interested in GrapheneOS for my personal device. But, I'm wondering if there's an easy way to figure out which of my apps do NOT use the Play Services library.  Are there any ways to determine this without first trying to install & use the app?

Also, since Project Treble is using play services to distribute OS updates, as far as I understand it, how does that work for OS updates for GrapheneOS?

And as an Android app dev, would I need to skip using a lot of the AndroidX libraries and such in order for apps to work on GrapheneOS?  Or is it strictly things like maps, gms, and other play-* maven artifacts that won't work in GrapheneOS?

Is there an easy way to install GrapheneOS on the standard emulator bundled with Android Studio, so I can test it out?

who here uses signal with grapheme?

no matter what I do I can't get it to vibrate or ring when someone texts or calls. its permanently stuck on silent. how do I get it off silent?

I haven't tried it, but have you gone to the Settings app to the Signal settings, and adjusted the notification channel settings there?

<cacheline "I haven't tried it, but have you"> Yes, I would check this

its under settings accounts then signal?

Long press on the Signal icon and choose the app info option (may look like an "i" in a circle)... then click Notifications

Will look approximately like this: i.stack.imgur.com/zpwUb.jpg

The UI tends to change slightly across Android releases, so it may look somewhat different.

<p8tuahpirua5ra[m "its under settings accounts then"> Settings>apps and notifications> notifications

it's turned on

but still stuck on silent

Are you getting a notification for background connection enabled on signal?

Well, it's more than just turned on.  In Android 8, they added "notification channels", so apps could have different settings for various types of notifications (vibrate, sound, blinking led, etc).  You need to adjust all the settings for the notification channel in question

yea I am

<cacheline "Is there an easy way to install "> Have you checked the build page on Grapheneos.org?

it's there but its not showing right now

how do you turn it on?

Mine just shows up when the signal background service is running

You could try force stopping, then open the app, see if that does anything

akc3n[m] not as of yet.  So, I'll need to build for an emulator target?

I restarted my phone now it shows up

<cacheline "akc3n not as of yet.  So, I'll n"> Please read grapheneos.org/build it has all the information

Another thought occurs to me: since GrapheneOS doesn't have the Play Store, how can I obtain an app if it's not on F-Droid?  Do I have to hope the devs published an APK somewhere that I can sideload?

I use apkpure

Also the Aurora Store is a good opt

<p8tuahpirua5ra[m "I use apkpure"> Might want to double check those apks b4 u install

Interesting.  Seems to have a few apps I use just from a basic perusal.  I even see my company's app there.  So, super curious, how do they do it?  Do they just manage to scrape the Play Store? (Not upset about it, genuinely curious)

<p8tuahpirua5ra[m "I use apkpure"> apkmirror publishes hash and cert fingerprint

signal still won't allow me to get notifications

the message shows up butnit won't vibrate or ring. its stuck on silent

<cacheline "Interesting.  Seems to have a fe"> I believe it uses fake gmail accounts generated and they use those to allow you to download apps

Anyway to send a link to screenshots of the Signal notifications settings you used?

They call it their tokenizer or something

So, it proxies the download?  Or it uses the accounts to get the APK and mirror on their server?

<cacheline "Interesting.  Seems to have a fe"> Aurora - App Store

<cacheline "So, it proxies the download?  Or"> Not sure, but lots of info on their telegram server and gitlab I think

aurora-store.en.softonic.com/android <-- this?

<t​hemikep> java.io.FileNotFoundException: open failed: ENOENT (No such file or directory) at android.os.ParcelFileDescriptor.openInternal(ParcelFileDescriptor.java:344) at android.os.ParcelFileDescriptor.open(ParcelFileDescriptor.java:231) at androidx.core.content.FileProvider.openFile(:2) at android.content.ContentProvider.openAssetFile(ContentProvider.java:2004) at android.content.ContentProvider.openTypedAssetFile(ContentProvider.

Yes, but I feel like softonic is sketch, its on fdroid f-droid.org/en/packages/com.aurora.store

<t​hemikep> I get thsis error when I try to update some Apps via Aurora

<p8tuahpirua5ra[m "no matter what I do I can't get "> Via Home screen bubble then click on the settings icon

Stephen[m] well, I was wondering more about if there's a web interface for Aurora, just so I could see what they have while on my laptop :-)

thanks, for all the info btw

Ah gotcha. Its an exact mirror of the play store, so it should have all the same apps

*I think

Sweet...  I love Android, but am increasingly leery of Big Tech's hooks into everything.  Just trying to figure out the pieces to do a switch & what apps, if any, would break for me in switching over

Switched from Android to GrapheneOS some months ago...with F-droid and Aurorastore for Banking Apps absolut great decision in my opinion! Thx to the Dev(s)! And also great having to possibility to support via Monero!

Z​1fX4DYhtGBmPVPUcHFh shared a photo on Telegram with caption: ''

<Stephen[m] "Might want to double check those"> You mean chexk the apk from aurora store?

<mrx777[m] "You mean chexk the apk from auro"> I was just thinking it is probably a good idea to check hash of the apk if its downloaded from the internet

What is the fastest way to install apps on Graphene?

Fdroid, then Aurora if you need apps from the play store

If you install apps from Aurora store they are verified. No need to check hash

<Stephen[m] "I was just thinking it is probab"> Maybe downloading the apk via the official website and install it via adb

<helloworldkk87[m "If you install apps from Aurora "> You sure??

Well 99% sure :D

If you check auroras website they probably go into some detail about it

Also there is off topic channel where we usually talk about this kinda stuff

You can join here -> #grapheneos-offtopic:matrix.org

With Graphene you can create a image and deploy it on other devices?

I need help. why is my entire phone silent?

texts from anything don't make a sound or vibrate

Go to..

<p8tuahpirua5ra[m "texts from anything don't make a"> Try Settings > Display > Advanced > Lock Screen > Notifications on lock screen

Settings > Apps &Notifications > make sure the settings is right.

notifications on lock screen what should I put it as?

Depends

I use show notifications when decice unlocked

that didn't do anything

all it did was show apps running on my lock screen. still no sound

Ohhh it has nothing to do with that

Settings - Sounds - ring & notification volume ???

don't mean to be dense but just making sure you've checked the system settings

P (@p​pp1234ppp) has joined the Telegram Group!

Hi! I have a pixel 5 and a Pixel 4a with GrapheneOS, on both i experience some problems with SMS, but only in alternative profiles not the owner profile. Sometimes I get a notification about SMS but i cant find the SMS, i know there should be one as I have tried texting myself. This happens almost everyday and it works again when i restart the phone, at all times the notifications only vibrates no sound even if

the settings say it should make sound and the volume is max

Owner profile no problems

With the default messaging app I always receive SMS but it vibrates only in user profile. The only time I received no notification was with 3rd party SMS apps.

I have the default one

The built in app is pretty ancient. Maybe it doesn't fully support user profiles or there is a setting I haven't figured out.

I want to use signal as SMS app but it seems it cant be signed in on multiple profiles

<bikeman1234[m] "I want to use signal as SMS app "> you could use something like Molly for this, which is basically hardened Signal

But it might be better to ask this on the off topic channel: #grapheneos:matrix.org

ok

#grapheneos-offtopic:matrix.org

oops

* But it might be better to ask this on the off topic channel: #grapheneos-offtopic:matrix.org

For the license of a paid app I need to have a certain email address registered in my OS

How do I accomplish this without a native email app?

"The Pro version will only work on Android devices where this email is registered as an Android account." it says on the paypal payment page

<odinos[m] "For the license of a paid app I "> There isn't an email exactly registered in an OS. You can just have access to the email?

Unlike a Google account signed in or an iOS email

I dont understand

odinos[m]: don't quote me on this, but if I recall correctly, paid apps are handled via Play Services. Some aspects of play services are privacy invasive and need to be deeply integrated into the operating system in order to function, so GrapheneOS does not bundle them.

In other words, the device needs to be linked to a Google account.

No this licensing method was specifically made for people without play services

Alright, you'll have to take it up with upstream directly, then.

Yep, you'll have to take it up with them, then.

I can't help you with that, unfortunately.

Well their dev is saying to contact the rom dev

I just need to register an email as android account

youre saying this is not possible? regardless of the licensing thing

Well, under settings that's handled by the app.

When I press add account in OS settings there is no option to enter an email

Yeah. That should be handled by the app.

what app

The app you're trying to use.

Apps like Signal, Linphone, OpenKeyChain that use account sync should populate that automatically.

On other roms adding an email account is handled by a default mail app

I'm only asking how I can achieve this in GOS

Yeah. I think I'm out of ideas for you, someone else is going to have to step in here.

Sorry mate.

okay no problem

(I'm not a developer, I'm just the channel greeter)

(So ahoy!)

greetings. would there be a reason that my PIN is no longer working?

Ahoy!

Your unlock pin?

ya. my unlock PIN isn't working. I literally unlocked it, 2 seconds later attempted to turn off Location from top pulldown menu, and it requested a PIN. I entered the same PIN to unlock the device in the first place, and it's not working

Might've mistyped it?

I'm on my  13th attempt... have meticulously entered to ensure no extra numbers, right order, etc etc

That's all I can think of. A few people here have ended up forgetting their lock pins and having to start over again by resetting from recovery.

Dunno, there's not much of a reason this would happen.

I have no problem doing that... it's just really weird... I'll attempt to reset & see if I can replicate the problem...

Sure. If you need to reset via recovery I'll walk you through the process.

In the absence of an online guide, that would be incredible

Sure. Alright, so... first thing first, this is the only warning you will get when doing this: if we reset your phone via recovery, there is no way back, because the security chip will shred its access tokens and generate new ones. So even if you do find the password at a later date, even if the SSD is intact, the contents can't be recovered.

So try to exhaust all other options before we try this, if there's anything you value on that phone.

There is no "oops" switch.

Understood. Luckily only installed last week, so losing valuable info is a non-issue

Great! Ok, so the first step is, we're going to reboot to the bootloader, I want you to power off your phone via the power menu.

Once it's powered off, I want you to press and hold down the VOLUME DOWN key, then press and hold the POWER key until you see the black "Fastboot Mode" screen.

Once you get there, use VOLUME UP or VOLUME DOWN to scroll through the options until you get to "Recovery mode" Select it by tapping and releasing POWER once.

You'll see the yellowscreen "different operating system" warning (you can skip it by double tapping POWER) followed by the OEM logo, and then it'll drop you at a black screen with the Green Robot lying on its back with a "!" and "No Command."

Once you see that, I want you to do this part very quickly:

You need to quickly press and hold POWER, then tap and release VOLUME UP then let go of VOLUME UP and then let go of POWER.

You should arrive at a menu labelled: "GrapheneOS Recovery" which should have several options, "Wipe Data/Factory Reset" should be near the middle of the menu.

This should get you back to a fresh start of GrapheneOS.

Ahoy! Thanks TheJollyRoger

Arr, hope this helps!

I couldn't replicate the issue, but I believe last boot I didn't allow apps access to location at all. This boot I allowed location upon permission

Hi, does anyone know how I can sync my Pixel 4a 5g with my laptop running Ubuntu 20.04? If I connect it via USB-C cable, it can be mounted, however the file browser shows the phone as empty and I cannot modify anything

<osm2lis "Hi, does anyone know how I can s"> Did you enable data transfer on the device itself when you have it unlocked?

I don't think so. How do I do that?

Got it, thanks for the pointer!

No problem! Sorry, missed that message earlier. Glad you got it, very common question

Hello

Is it possible to install GrapheneOS on a nexus 6P

chile09[m]: No, the supported devices are on the website

So it's just the Google Pixel models?

chile09[m]: Yep

Is there something which prevents GrapheneOS from being ported to a different device?

<chile09[m] "Is there something which prevent"> rtfm

chile09: the security/privacy goals of GrapheneOS only can be accomplished on Pixel devices at this point in time. You could port it but it wouldn’t be the same.

*

tony_l: you can point people to documentation without being a dick

Lol

So the pixel has certain firmware features unavailable in other devices

It has IOMMU support

This also shines alot of light on topic:

Hello everyone, my graphene device keeps autocorrecting my words to english words, i already switched off settings -> system -> language and input -> spellchecker , but I can't find autocorrect?

Cliff You have to go into the keyboard settings, I believe.

Lynn 🏳️‍🌈: could you point me in the right direction

Settings -> System -> Language and Input -> Virtual keyboard -> Select your keyboard

Hi, does anybody had a problem with ReactNative apps and update 2021.03.19.14 on Pixel4a devices? I'm getting a SIGSEGV on startup. On 2021.03.06.00 the crash wasn't happening, same App version. Thank you

*on app startup

Lynn 🏳️‍🌈: finally found it thank you!

This is the SoC -> qualcomm.com/products/snapdragon-730g-mobile-platform

jcenny[m]: Do you have an example for a reactnative app?

yes, the app that's crashing is com.sella.BancaSella ( libc : Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x430979814030 in tid 19921 (mqt_js), pid 19866 (ella.BancaSella)

banking app

Cloud (@S​pektrum_light) has joined the Telegram Group!

<S​pektrum_light> Hello all; I'm really intrested in degoogling my phone, but I saw that grapheneOS is exclusive to pixels; tho in the build section of the website there are generic target: my question is: is it worth it build a rom for a generic target (because apparently you lose like 70% of graphene features) =

Is it possible to get gesture typing working with the graphene os keyboard?

jcenny[m]: I just istalled and started "etesync" github says its also react native and it works on my pixel 4a.

<GrapheneOS-Teleg "<Spektrum_light> Hello all; I'm "> Not in my opinion. And if you think GrapheneOS is just de-googled phone you are missing 95% of the point. GrapheneOS is to protect you from memory corruption vulnerabilities and software exploits, and contain apps you've installed on your device and prevent them from exploiting your operating system. And alot the security is tied to the hardware and only Pixels

have it right now

Just my opinion tho

failbetter[m]: It may be possible, but there need to be someone who puts time and effort in it to make it reality

snoopy: yes, not all apps are behaving like the com.sella.bancasella. I'm trying to understand why that app is crashing.

jcenny[m]: Maybe the app got an update?

nope, same version

And crashes if it doesn't find a stock android with google? :x

working before grapheneos upgrade

it was complaining about google services missing, but it was working fine

The crash log is always the same

this: facebook/react-native #25060 is a very similar error

I assume the app isn't open source?

Yes, that's not opensource

I don't see much changes in the update, not sure what could've happened here

could a full crash log help in finding the problem?

jcenny[m]: More information is more helpful, I guess

Should I have to file a bug on github?

Got a question. I run graphene with mullvad VPN always on and DNS is the mullvad adblock server.

I want to install one of those VoIP apps like textme or textfree from the aurora store . however I noticed it has a lot of trackers on it. If I download it is the app sandboxed or will it be able to report and track what I do across graphene os and websites I visit

What information about the phone will it have other than phone model? Will it have android I'd ?

Hello. Is there any open source / trusted MDM for pixels with graphenos on them?

Hello private99[m], apps are always sandboxed, and with respect to "trackers" on Aurora store,

arcibald[m]: There aren't. We recommend against third party device administrators, they present a lot of attack surface

private99[m]: with respect to trackers on Aurora Store, something you ought to know is that just because an app includes a library such as firebase, that's not actually a sign of it being invasive or not. It's actually at the discretion of the app developers to use the librariesand what for.

Consequently, them merely being included is not a "smoking gun" of the app being invasive, nor is the lack of them an indication that the app is trustworthy.

Because it's up to the app developers to determine how they are used and what they do.

private99[m]: apps on GrapheneOS are always sandboxed, all the time, and this cannot be turned off nor disabled by you. Apps are only able to see what data you permit them to see, and they can only enumerate other apps within their own respective profile.

Sandboxing cannot be disabled by you, nor can apps "opt out" of it. Similarly, interprocess communication (which is limited to apps in the same profile) is a two-way street: even if an app was written by the NSA that whitelisted every other app in the world for interprocess communication, that wouldn't count for anything unless all the other app authors that they wanted to communicate with

became complicit.

Does anyone know how to verify that secure boot works properly?

Or just point me in the right direction

<ahmouse "Does anyone know how to verify t"> First you must check the device boots correctly after locking the bootloader, then you verify the authenticity of the OS with Auditor.

> <@freenode_ahmouse:matrix.org> Does anyone know how to verify that secure boot works properly?

* First you must check the device boots correctly after locking the bootloader, then you verify the security of the OS with Auditor.

@room Copperhead stopped most of their attacks on the project a couple weeks ago. It's likely that will be coming to an end in the near future. Unfortunately, there are others doing far worse things than Copperhead has ever done. CalyxOS and their community are engaging in incredibly underhanded attacks on the project involving harassment, bullying and spreading misinformation about the project. Itworse than anything

Copperhead has ever done. They attempt to portray us as the perpetrators for correcting their false claims and defending ourselves from them. It's not the case.

* @room Copperhead stopped most of their attacks on the project a couple weeks ago. It's likely that will be coming to an end in the near future. Unfortunately, there are others doing far worse things than Copperhead has ever done. CalyxOS and their community are engaging in incredibly underhanded attacks on the project involving harassment, bullying and spreading misinformation about the project. It's worse than

anything Copperhead has ever done. They attempt to portray us as the perpetrators for correcting their false claims and defending ourselves from them. It's not the case. They've already done immense damage and we're working on putting together a plan to start addressing it.

any further raids on the channel, concern trolling, harassment, etc. is unlikely to be connected to Copperhead but rather most of it is now perpetrated by CalyxOS and their core community including people they support and collaborate with

* grapheneos.org/faq#device-support

What’s going on with calyx?

im not very familiar what is happening with the Copperhead thing?

that is it about exactly?

(i just know that it was the predecessor of grapheene os)

* grapheneos.org/history

I know copperhead was trying to sue the dev from here

I'm also quite confused. What exactly is happening? I'm really out of the loop

But I didn’t know anything about there being something funky with calyx

Yeah, what's going on with Calyx?

vata0: Copperhead spent multiple years waging an all out war against us attempting to wipe out the project to benefit themselves

I'm out of the loop as well.

Felix: pretty sure there’s a post on this sub Reddit about the copperhead shit

because they see it as a competitor which harms their profits since GrapheneOS is much better, is the original project, and is free open source software

i see

btw why the hardened malloc?

what is the issue with the original one

* i see

btw why the hardened malloc?

what is the issue with the original one?

<vata0[m] "Felix: pretty sure there’s a pos"> Sure thing.

backup acc; moved to @java:furry.lol: github.com/GrapheneOS/hardened_malloc/README.md

is LineageOS any good?

I thought y’all was friendly with calyx

<chile09[m] "is LineageOS any good?"> i like it a lot

I’ve never heard them say anything bad and I’m in there a lot

<vata0[m] "Felix: pretty sure there’s a pos"> Alright, I'll check it out

<backupaccmovedto "i like it a lot"> The security isn't as good as graphene obviously

true

it has more user freedom

you can root it

and microg is available

<chile09[m] "is LineageOS any good?"> It may be FLOSS, but it is a really big downgrade on security due to it depending on an always-unlocked bootloader.

<chile09[m] "is LineageOS any good?"> Really good privacy but not as secure

Depends on what you want to do with your Android ROM.

Hi guys, Lineage isn't topical to GrapheneOS, but I'll entertain this one.

<jj1013[m] "It may be FLOSS, but it is a rea"> it can work with locked bl

<backupaccmovedto "you can root it"> microG is not even near deGoogled.

<jj1013[m] "microG is not even near deGoogle"> im aware

Also, root is also a security downgrade.

but its useful

i

* but its useful

LineageOS trades user freedom for security.

So, with respect to the old security and privacy debate, I'll put it this way: Privacy is a byproduct of security, and security is a prerequisite for privacy.

Just depends on what you want.

i dont think it should be in there by default

but the posibility to install it

<backupaccmovedto "but its useful"> Not really

That's our philosophy; GrapheneOS and LineageOS are very different projects, and are intended for two very very different audiences.

If you want to play System Administrator or Power User with your phone, be my guest on Lineage, but be aware that LineageOS sees much of the security mitigations and policies as being antithetical to their approach to cater to power users who desire to do what they want, and don't want security to get in the way.

<Felix[m]4 "Really good privacy but not as s"> could you explain further please; it is topical because both are Android ROMs and comparing them shows how they are different and potentially better/worse

Ultimately, I chose GrapheneOS because I learned the hard way numerous times that sometimes being a power user isn't necessarily a compliment.

<exifran[m] "Not really"> it depends on what you want

vata0: the leader of their organization has directly participated in bullying/harassment against me and supports / promotes a content creator who is literally obsessed with me and essentially stalks me across platforms while organizing raids on the channel + harassment

i wouldnt say, that it caters to different audiences. i would like to see a bigger overlap, with lineageos qol features and grapheneos security

vata0: it's unacceptable, and it's at the point where I'm willing to ban people simply for supporting a project engaging in that

the fact that they spent months putting together a bunch of lies/misrepresentations and doctored 'evidence' to misrepresent me defending myself like this against their attacks is ridiculous

Dam

they have caused immense harm

going forward there is zero tolerance policy

<chile09[m] "could you explain further please"> Well for starters, it doesn't include Google service stuff out of the box which is good for privacy. It requires an unlocked bootloader though which is trash for security

if you support a project engaging in that, you aren't welcome here