00:02:23 Thank you
00:11:15 Noticed when using the Vanadium that there is no longer a back button on the lower left so when viewing a webpage can't get out of it without closing the browser?
00:19:37 creighton: not something that changed in Vanadium
00:19:44 creighton: https://grapheneos.org/usage#system-navigation
00:20:07 you go back by swiping from left or right edge of the screen (anywhere other than the navigation bar)
00:23:11 is there any way to hide the advanced boot screen for GrapheneOS (the one where it shows you can pause booting with the power button until it goes to the Google logo then GrapheneOS logo)?
00:23:35 i made sure to disable OEM unlocking
00:28:07 double tap power
00:28:23 there's no way to hide it, that would violate the requirements of the verified boot implementation
00:28:36 it must show that screen when using a custom key flashed to the secure element
00:28:48 if there was a way to bypass it, that would be a vulnerability
00:29:08 (a minor one, if it didn't actually allow bypassing verification beyond that, but a vulnerability nonetheless)
00:29:11 ah i see
00:29:27 if you double tap power to pause+resume it skips the screen
00:29:31 if you really care about those 5-10 seconds
00:46:24 Good tip in a pinch for time
01:21:40 is there any way to disable 5G in GrapheneOS if I have a Pixel 4a 5G for Pixel 5?
01:23:19 use either 4G or 4G only mode
01:23:47 is there any way to disable 5G in GrapheneOS if I have a Pixel 4a 5G for Pixel 5? I figured it's at the service level but didn't know if there were specific setting in the OS I could toggle.
01:24:35 > <@joe:joe.vg> Hello people. I am new to GrapheneOS (I bought a Pixel 4a 5G especially for that).
01:24:36 >
01:24:37 > First, thanks for giving us a privacy-friendly and secure alternative to Android!
01:24:39 >
01:24:40 > I have searched a lot but didn't find answers to those quick questions regarding customization (I guess the answer is no to all of them, but I am trying 😉 )
01:24:41 > - Is there a way to select which side you want the clock?
01:24:42 > - Is there a way to hide the battery icon (keeping just the percentage)?
01:24:44 > - Is there a way to hide the VPN icon (I use the AlwaysOnVPN + network killswitch, so no I don't need to keep an eye on the icon.). I was able to access the SystemUI Tuner hidden settings, but there's nothing for the VPN
01:24:45 >
01:24:46 > Note that I come from a less-secure ROM (LineageOS) which had those customizations available. I am not a security expert so maybe there's security concern with any of those that I don't realize.
01:24:48 >
01:24:49 > Thanks for your time and thanks again for that ROM!
01:24:50
01:24:52 I hid the icon on the lock screen by changing: settings -> Apps & Notifications -> Notifications -> Notifications on lock screen -> Hide silent conversations and notifications
01:26:05 VPN icon that is, don't think you can hide the battery icon.
01:26:58 Cliff I don't have it on the lockscreen but I am willing to hide it from the status bar (sorry it wasn't clear ahah). Thanks for the answer
01:27:36 > <@strcat:grapheneos.org> use either 4G or 4G only mode
01:27:37
01:27:38 Awesome. Would that be "Preferred network type" under Settings>Network & Internet>Mobile Network?
01:27:39 > <@grapheneos_user_pi:matrix.org> Joe: I don't think you can do those things, sorry; they're not in AOSP to my knowledge either.
01:27:40
01:27:42 Thanks also, that's what I thought
01:27:49 stonjjohn: yes
01:28:06 4G is a standard mode, 4G only is a GrapheneOS feature for disabling 2G/3G
01:28:25 4G is a standard mode (they set the maximum protocol version), 4G only is a GrapheneOS feature for disabling 2G/3G
01:28:30 4G is a standard mode (they set the maximum protocol version), 4G only is a GrapheneOS feature for disabling 2G/3G too
01:35:33 > <@strcat:grapheneos.org> 4G is a standard mode (they set the maximum protocol version), 4G only is a GrapheneOS feature for disabling 2G/3G too
01:35:34
01:35:35 Mine says ...LTE, LTE only but I'm confused because I've read articles stating that 4G and LTE are not synonymous. So would my Pixel 5 give the following options ...LTE, LTE only, 5G, 5G only?
01:36:24 they are synonymous
01:36:44 > <@strcat:grapheneos.org> they are synonymous
01:36:45
01:36:46 OK, thanks for the clarification!
01:37:04 your carrier chooses which one to use in the configuration they supply to be included in the OS
01:37:21 they can also choose other things like if they want to add an extra fake signal bar
01:37:45 interesting
01:41:09 I don't have 5G options on my 4a 5G, is it normal?
01:41:51 if your carrier doesn't support it, you wouldn't have those options
01:41:59 The auto reboot feature is really cool!
01:42:00 it lists values your carrier supports
01:42:16 Ah, makes sense, thanks
01:42:17 it's a carrier-specific configuration menu
01:52:52 why am I still on the 05-29 build? when I check for updates on both stable and beta nothing new gets installed
01:53:48 read https://grapheneos.org/releases#about-the-releases and https://grapheneos.org/usage#updates
01:53:55 look at the releases listing on the releases page
01:54:54 oh okay I see.
thank you
01:55:27 release will not be available for the Pixel 4a (5G) and Pixel 5 until the kernel changes are ported
01:55:33 there are issues caused by the substantial upstream changes
01:55:40 people are welcome to help
01:55:51 there may not be a release for them for quite some time, did not make sense to delay it for other devices
01:56:09 there's a shortage of device maintainers
01:56:24 days of work from multiple people has already gone into this porting
02:29:03 what would be the first step I could take to help? I have a pixel 5 that I can test on
02:54:38 how can I clear all contacts. clearing storage of contacts doesn't do it, almost every contact I have now is linked to a duplicate for some reason. not sure if that's normal
02:55:46 also is changing contact color possible?
02:59:04 Sean: need development help, not testing until we have it working
02:59:27 @b1101 contacts app is a frontend, not where contacts are stored
02:59:34 they're stored in the Contacts Storage component
02:59:37 you can clear that
03:00:29 I ended up manually selecting em all, then deleting. then reimporting a vcf I had. no more dupes
03:03:22 how about colors?
03:11:10 The new notification for camera and mic use are cool
03:11:43 Is there a way to see the recent use too?
03:24:45 > <@wsahkgjhmma:matrix.org> Is there a way to see the recent use too?
03:24:46
03:24:47 Only recent notifications, not use. That is only an iOS feature at the moment.
03:25:04 Not use of camera/mic*
03:59:24 I love graphene. You guys rock
04:12:38 thanks
04:12:56 wsahkgjhmma: recent use will be shown properly in Android 12
04:13:08 wsahkgjhmma: there's a preview implementation in Android 11 but it's very flawed and we won't be enabling it since it's misleading
04:49:25 Hi guys. I am new here and trying to install GrapheneOS into my Pixel 3a. During the " Flashing factory images " process, after I've clicked the " Flash release " button, I've got an error message " Error : The device was disconnected. ".
04:49:26
04:49:27 May I know how to solve this problem?
04:59:50 aa3b: likely an unreliable USB connection
04:59:55 use USB-C to USB-C if you can
05:00:01 install from another phone if you don't have USB-C on your computer
05:00:24 alternatively you need a high quality USB-A to USB-C cable, most of them are trash and non-spec-compliant / broken
05:05:07 > <@strcat:grapheneos.org> aa3b: likely an unreliable USB connection
05:05:09
05:05:10 Thanks for your prompt reply. I'll try. In short, I need to go back to square one after changing the cable. Am I correct? ( Sorry for my stupid question, but this is the first time I tried to root a phone )
05:05:26 aa3b: no just flashing step if you unlocked successfully
05:05:34 you should reboot phone back to bootloader interface but it will still be unlocked
05:05:47 there's a restart bootloader action you can choose from the menu
05:05:56 or just turn it off and use the same volume down thing to go back there
05:07:11 I got it. Thanks. I will try again after the said cable is found.
05:07:51 aa3b: if you have access to another Android phone with USB-C you can use USB-C to USB-C cable to install from that other phone
05:07:55 web installer works on Android
05:14:16 > <@strcat:grapheneos.org> aa3b: if you have access to another Android phone with USB-C you can use USB-C to USB-C cable to install from that other phone
05:14:17
05:14:18 I got it.
07:57:08 > <@aa3b:matrix.org> I got it.
07:57:09
07:57:11 After used a USB-C to USB-C cable, looks the " Flash release " was started until processing " fastboot mode ". There is an error " Error : The requested file could not be read, typically due to permission problems that have occurred after a reference to a file was acquired. " My Pixel 3a showed a " fastbootd " screen with couple options such as " Reboot system now "...
07:57:12
07:57:13 May I know what shall I do if I was stuck here?
08:28:36 Hello Sir/Mam,
08:30:50 I am using Xiaomi Redmi 5A Model :- MCI3B (RAM: 3gb, Internal Storage:- 32gb).....That Description Link Is (https://www.gsmarena.com/xiaomi_redmi_5a-8898.php)
08:31:13 Grapheneos Support My phone Or Not ?
08:36:24 I am using Xiaomi Redmi 5A Model :- MCI3B (RAM: 3gb, Internal Storage:- 32gb).....That Description Link Is (https://www.gsmarena.com/xiaomi_redmi_5a-8898.php), so Qt is Grapheneos Support My phone Or Not ?
08:40:49 > <@oo7devidanderson:matrix.org> I am using Xiaomi Redmi 5A Model :- MCI3B (RAM: 3gb, Internal Storage:- 32gb).....That Description Link Is (https://www.gsmarena.com/xiaomi_redmi_5a-8898.php), so Qt is Grapheneos Support My phone Or Not ?
08:40:49
08:40:50 https://grapheneos.org/faq#device-support
08:44:08 Pixel 5 (redfin)
08:44:08 Pixel 4a (5G) (bramble)
08:44:09 Pixel 4a (sunfish)
08:44:10 Pixel 4 XL (coral)
08:44:12 Pixel 4 (flame)
08:44:13 Pixel 3a XL (bonito)
08:44:14 Pixel 3a (sargo)
08:44:15 Pixel 3 XL (crosshatch)
08:44:17 Pixel 3 (blueline) I don't know about it & not understand so please guide me...so i am provide the link of my phone description
08:49:10 No, only Google's Pixel phones are supported at the moment
08:51:27 oo7devidanderson: please read the paragraphs below that list (in the link I provided initially). It explains everything.
09:02:57 Thank You.
09:28:22 FYI, tag RQ3A.210605.005.2021.06.09.13 does not exist in Github's platform_manifest, leading to broken links on the grapheneos.org/releases
09:29:04 (tags not pushed?)
11:30:49 hello, GrapheneOS is based on android 10 or 11 ?
11:31:55 11
11:31:58 > <@guillaume47:matrix.org> hello, GrapheneOS is based on android 10 or 11 ?
11:31:59
11:32:00 Mine says Android 11 (4a 5G)
11:33:37 Can the GPS work normally with Graphene ?
11:34:23 GrapheneOS follow Google updates very closely (re @GrapheneOSBridgeBot: hello, GrapheneOS is based on android 10 or 11 ?)
11:34:27 GrapheneOS follows Google updates very closely (re @GrapheneOSBridgeBot: hello, GrapheneOS is based on android 10 or 11 ?)
11:34:30 > <@guillaume47:matrix.org> hello, GrapheneOS is based on android 10 or 11 ?
11:34:31
11:34:32 Android 11 QPR3
11:34:50 > <@akc3n:tchncs.de> Android 11 QPR3
11:34:50
11:34:52 thx
11:35:42 > <@guillaume47:matrix.org> Can the GPS work normally with Graphene ?
11:35:42
11:35:44 Yes.
11:37:56 How it work for geolocation services ?
11:38:26 I thought we need microG for that
11:41:06 guillaume47 please read https://grapheneos.org/faq
11:43:20 thanks but i didn't see the answer on the faq
11:44:19 from the FAQ: "The baseband implements other functionality such as Wi-Fi and GPS functionality, but each of these components is separately sandboxed on the baseband and independent of each other." (re @GrapheneOSBridgeBot: thanks but i didn't see the answer on the faq)
11:45:04 also this "On devices with a Qualcomm baseband (which provides GPS), when location functionality is enabled and being used, GPS almanacs are downloaded from https://xtrapath1.izatcloud.net/xtra3grc.bin, https://xtrapath2.izatcloud.net/xtra3grc.bin or https://xtrapath3.izatcloud.net/xtra3grc.bin which are currently (as of September 2020) hosted via Amazon Web Services. GrapheneOS has modified all references to these ser
11:46:12 I think he's asking about how GPS can be used with Google Maps without play services
11:47:44 > <@thatcher:matrix.org> I think he's asking about how GPS can be used with Google Maps without play services
11:47:44
11:47:45 No i don't want to use google map. I'm just wondering if the gps chip can work fine for fix the location.
11:48:22 You lost me
12:00:13 Where do i find those options? (re @GrapheneOSBridgeBot: Not sure if that's possible by default (don't think so) but you can work around that by specifying default runtime permissions of a work profile then adding it. It's not the most optimal solution.)
12:00:41 Or how can i do that?
I'm not very tech guy
12:01:29 > <@guillaume47:matrix.org> No i don't want to use google map. I'm just wondering if the gps chip can work fine for fix the location.
12:01:29
12:01:31 Enable location services globally and check that it's working with satstat if you like.
12:01:32
12:01:33 There's per app permissions as well. So if you'd like it to work better, then either give the app background access rather than only foreground or leave it in the foreground until it gets a lock.
12:04:16 > <@akc3n:tchncs.de> Enable location services globally and check that it's working with satstat if you like.
12:04:17 >
12:04:18 > There's per app permissions as well. So if you'd like it to work better, then either give the app background access rather than only foreground or leave it in the foreground until it gets a lock.
12:04:20
12:04:21 thx
12:30:38 > <@bitgestalt:matrix.org> FYI, tag RQ3A.210605.005.2021.06.09.13 does not exist in Github's platform_manifest, leading to broken links on the grapheneos.org/releases
12:30:39
12:30:40 4a 5g and 5 still being finalized and they can't tag the kernel repos for those, and manifest yet.
12:30:48 > <@grapheneosbridge:grapheneos.org> Where do i find those options? (re @GrapheneOSBridgeBot: Not sure if that's possible by default (don't think so) but you can work around that by specifying default runtime permissions of a work profile then adding it. It's not the most optimal solution.)
12:30:48
12:30:50 @Jeremy sry I don't know exactly how to do that. Just know there's such a possibility if you really wanted to.
12:49:37 Is asking a question here the same as asking on the GrapheneOS Element ?
12:53:30 yes
12:53:32 it's bridged
12:53:54 you can see most stuff is being shown via the bridge bot since it's from Matrix
12:54:04 and a bit from IRC
12:59:10 strcat hello bro!
12:59:10 You were right as usual. The whole issue for this specific app is coming from themselves..
Check their answer below:
12:59:11 "Further to your message, we would like to inform you that HSBC Mobile Banking Application cannot be used due to the absence of Google Play application on Huawei cell phones due to the Google embargo."
13:00:32 Even though we are not using huawei.. The thing is I am using another HSBC app from different country and thanks god is working properly but still the issue is from their side so I just have to wait..
13:01:56 Also I read the lesson about the passwords 😁 proper info for all if us so thank you!
13:02:10 Also I read the lesson about the passwords 😁 proper info for all of us so thank you!
13:03:28 Thanks. Strcat, I have been stuck on my 3a XL for a few days now. Is there anywhere I can dial into exactly my problem?
13:03:29 In summary, I tried the web installer using Chrome OS, blah blah blah, at the end it said Error Undefined. You told me to redo, but that was worse. It then said it couldn't re-download nor flash
13:03:30 So I went to my Linux terminal (where last year I successfully installed GrapheneOS on a 3aXL, flawlessly
13:03:31 This time, when I hit ./flashall-sh it downloaded but didn't complete.
13:03:33 So now I am stuck on fastboot recovery screen
13:03:34 I can rescue and recovery, even tried to install original Android 11, keep getting Error 21
13:03:53 So it's not bricked but not getting better
13:04:06 sounds like an unreliable USB connection
13:04:10 need a proper USB connection to the device
13:04:40 if you have another phone install it from there via USB-C + Vanadium/Bromite/Chrome
13:04:58 I get a GrapheneOS recovery title but deadends
13:05:13 yes it's not finishing flashing because USB connection drops
13:05:21 try using another phone to install if you have one
13:05:43 I only have one pixel now
13:05:53 it doesn't have to be a Pixel really
13:05:54 The other took a swim
13:05:56 just another Android phone
13:06:01 we just only officially test on Pixels
13:06:22 try another computer if you have one
13:06:32 or at least clear a lot of space and look into if any software is interfering
13:06:54 and get a new high quality Anker/Google/Apple USB-A to USB-C cable if you can't use the USB-C one that comes with the device
13:07:22 You lost me. What to do with my present CL and do I go back to the ChromeOS or Linux CL?
13:07:40 my present XL
13:08:11 I had same issues couple of times and believe or not your cable is the most important!
13:08:32 > <@strcat:grapheneos.org> and get a new high quality Anker/Google/Apple USB-A to USB-C cable if you can't use the USB-C one that comes with the device
13:08:33
13:08:34 Most of the time they do not work properly.
13:08:43 Just buy a proper USB-C cable and you are done
13:09:17 @AbuMubarak1378: you just need to finish installing, and that won't happen with a broken cable / port / computer
13:09:23 so you'll need to resolve whatever the problem is
13:09:32 perhaps the cable, perhaps your computer lacks enough free space
13:09:36 I have done this with Mac and Linux and the best way is Linux + proper USB-C cable
13:09:39 Why is the cable never mentioned in any instructions?
13:09:39 I have the cable it came with
13:09:54 Don't hesitate just spend $10-15 and sort your issue
13:10:11 My computer has enough space
13:11:13 abumubarak those cables are for transferring files and media just simple stuff.. Sometimes they work sometimes not so to make your life easier just buy proper cable and that's it bro
13:11:32 Ok
13:12:19 the cable is heavily talked about in the instructions
13:12:35 https://grapheneos.org/install/web#prerequisites
13:12:41 > You need a USB cable for attaching the device to a laptop or desktop. Whenever possible, use the high quality standards compliant USB-C cable packaged with the device. If your computer doesn't have any USB-C ports, you'll need a high quality USB-C to USB-A cable. You should avoid using a USB hub such as the front panel on a desktop computer case. Connect directly to a rear port on a desktop or the ports on a
13:14:04 I was thinking maybe with Google update, do they install anything to affect installing GrapheneOS?
13:22:01 told you the issue already
13:22:05 USB connection
13:22:26 nothing to do with the Pixel
13:22:38 Got it. On my way to the local computer store
13:22:53 Get Anker cable there
13:23:08 Most cables are broken, those ones are expensive but work
13:30:04 Thanks (re @strcat: Most cables are broken, those ones are expensive but work)
13:31:39 I swear by Belkin too
13:37:23 Could just be that one of the ports on the motherboard are broken
13:37:29 Try a different port
14:49:57 I moved from stock android to grapheneOS on Pixel 3A. However, it brought over my old cellphone provider's network settings, which I can't seem to clear.
It doesn't connect to my current network
14:51:20 voice and SMS works, it's only the mobile data that has the problem
14:52:31 eSIM isn't cleared by factory reset / reinstalling, if that's what you mean
14:52:36 it works like a regular SIM
14:52:54 I never had eSIM
14:54:18 I am assuming it brought over old settings, because I can't connect, also I see the name of the old provider under settings
15:00:48 I don't know what you mean by old settings then
15:00:51 it would have just gotten them from your SIM
15:01:04 no state from the old OS is carried over, that didn't happen
15:01:05 Just confirmed, the APN I see is brought over from my old service provider
15:01:12 then it's from your SIM
15:01:30 it doesn't match my current SIM.
15:01:37 you had that old SIM in the device
15:01:41 no data is carried over from the old OS
15:02:00 not possible, it couldn't decrypt it even if it was there
15:02:04 and the storage was formatted
15:02:12 so, what you're saying happened did not
15:02:29 my old SIM is long gone. I was using with stock android with my new SIM for a few months.
15:02:38 okay, old data can't be carried over
15:02:39 jandroid: we get APNs from the stock ROM so it might appear as if they were carried over but they weren't. If you have a problem with your carrier you need to bring it up with them
15:02:40 didn't happen
15:02:52 anupritaisno1: not relevant
15:03:11 anupritaisno1: no point jumping in without reading all of it
15:03:45 the new OS cannot read data from the old OS even if the data wasn't formatted, which it is
15:03:51 it's encrypted in a way that it's not possible
15:03:55 so, that's not what happened
15:03:56 Is there a way to clear APN data somehow, I can't even delete it
15:04:01 you had the old SIM inserted or an eSIM
15:04:13 jandroid: it's from your SIM card
15:04:16 it's not really data
15:04:31 it's just the configuration baked into the OS for your carrier
15:04:37 if you had an eSIM that is still around
15:05:40 1.
the provider never supported eSIM. 2. I've been using the new SIM for a few months now. So, I don't understand where it's picking up old provider info from.
15:05:51 it's not what's happening
15:06:05 it comes from eSIM / SIM
15:06:15 the OS just shows you relevant APNs for your carrier
15:06:22 those aren't really data, it's hard-wired
15:06:30 each carrier has APNs hard-wired into the OS for it
15:06:36 Is it possible to reset/ delete the APN? it doesn't allow me to
15:06:38 that's why you can't remove them, they're not data
15:06:51 jandroid: it's not data, so no, you can't remove it
15:07:03 you can put in a different SIM card (eSIM also relevant) and it will show different APNs
15:07:41 you're going to need to be more specific about which carrier you have and show the exact data from there
15:07:48 that you don't think should be there
15:07:48 like I said, my problem is- the APN doesn't match the SIM card. used to work with stock. Also, never used eSIM
15:08:04 no data is carried over to the new install
15:08:10 that's not how it works and isn't actually possible
15:08:12 it can't decrypt it
15:08:15 my old carrier- visible. my new carrier- Spectrum
15:08:54 both Verizon MVNOs
15:09:11 BTW can you check the other chat real quick strcat
15:09:27 yes, but the MVNO id, MCC, MNC etc show visible data
15:10:48 Also, when I go to Mobile network, I see visible_usxxxx under Settings version.
15:29:01 None of this explains why it works with stock, but not graphene. I will reset it to stock and see what happens to the APN settings
15:38:02 eSIM
15:46:03 Hi all!
15:46:04 Any ideas why I'd be receiving "Signature verification failed, error: 21" when trying to install GrapheneOS via sideload method for Pixel 4 XL?
15:50:55 stonjjohn: it means your download was corrupted
15:50:59 download again
15:51:05 could also be wrong device
15:57:51 or using the wrong update package
15:57:54 Pixel 4 XL is coral
16:07:21 Installed problem :
16:07:22
16:07:23 After used a USB-C to USB-C cable, the " Flash release " was started until processing " fastboot mode ". There is an error " Error : The requested file could not be read, typically due to permission problems that have occurred after a reference to a file was acquired. " My Pixel 3a showed a " fastbootd " screen ( GrapheneOS Fastboot menu ) with couple options such as " Reboot system now "...
16:07:24
16:07:26 May I know what shall I do if I was stuck there?
16:08:08 > <@anupritaisno1:m.apex.to> could also be wrong device
16:08:09
16:08:10 is there a published hash for each .zip so I can verify I've downloaded an uncorrupted package?
16:09:14 stonjjohn: it's doing that for you
16:09:16 it's signed
16:09:24 it has the hash of itself inside itself, signed by a signature
16:10:00 have you confirmed that you're downloading the correct update?
16:10:48 > <@strcat:grapheneos.org> have you confirmed that you're downloading the correct update?
16:10:48
16:10:50 Yes and I've downloaded it multiple times.
16:12:51 stonjjohn: what do you mean by this
16:12:56 > when trying to install GrapheneOS via sideload method for Pixel 4 XL?
16:13:00 you cannot install GrapheneOS that way
16:13:05 I thought you were trying to update
16:13:11 that's the problem
16:13:20 you need to follow the install guide, you can't install GrapheneOS with an update package
16:13:25 https://grapheneos.org/install/
16:14:26 you need to unlock, flash the firmware + OS + verified boot key (verified boot key cannot be written by the OS, so there's no way sideloading to recovery could do that) and then lock
16:14:36 recovery cannot unlock, write the verified boot key or lock again after
16:14:49 and it does signature verification
16:14:49 ok, I ran into issues with the install guide and one of mods showed me how to install via sideload using the OTA release...
16:15:13 you're on the stock OS so it's verifying with the stock OS signing key
16:15:17 the install guides on the site are the ONLY supported ways to install
16:15:24 there is no install method via sideloading, it cannot work
16:15:32 you must unlock, flash and lock via fastboot
16:15:53 if you don't have a reliable USB cable, get one
16:15:57 most USB-A to USB-C cables are broken
16:16:13 Ok, gotcha! will go back to the install guide.
16:16:17 if you have issues installing ask for help with that
16:16:22 don't try to use some unofficial method
16:17:41 roger!
16:25:22 strcat: would you please help?
16:28:27 please just ask the room for help with your questions
16:28:33 don't know what you want help with anyway
16:29:24 Sorry!!!
16:29:25
16:29:26 Installation problem :
16:29:28
16:29:29 After used a USB-C to USB-C cable, the " Flash release " was started until processing " fastboot mode ". There is an error " Error : The requested file could not be read, typically due to permission problems that have occurred after a reference to a file was acquired. " My Pixel 3a showed a " fastbootd " screen ( GrapheneOS Fastboot menu ) with couple options such as " Reboot system now "...
16:29:30
16:29:32 May I know what shall I do if I was stuck there?
16:30:14 aa3b: seems you don't have enough space
16:30:24 or you're using a private browsing mode (don't do that, not enough room is provided)
16:31:58 > <@strcat:grapheneos.org> or you're using a private browsing mode (don't do that, not enough room is provided)
16:31:59
16:32:00 May I know how can I solve the space problem?
16:32:01
16:32:02 Besides, I am trying to install the GrapheneOS by another Android phone ( Chrome ). I can't find any setting about private browsing mode.
16:32:39 you don't have enough free space on the phone
16:32:42 clear up space
16:32:47 remove a bunch of files and apps
16:33:01 clear app caches, clear app data you don't need
16:33:27 it needs room to download/extract the images as part of installing on the other phone
16:33:29 you don't have enough
16:34:48 I see. Regarding private browsing mode, do you guess it is related to VPN?
17:02:00 Followed the CLI guide and I get this:
17:02:00 Resizing 'product_b' OKAY [ 0.007s]
17:02:02 **Sending sparse 'product_b' 1/2 (262140 KB) FAILED (Error reading sparse file)
17:02:03 fastboot: error: Command failed
17:02:04 Rebooting into bootloader FAILED (Status read failed (Too many links))
17:02:06 fastboot: error: Command failed**
17:02:07 Press any key to exit...
17:02:08
17:02:10 I'm using the factory USB-C cable the Pixel came with on Win10 (followed the guide to a "T") Just rebooted the PC before doing this too.
17:02:11
17:02:12 I also tried the web installer and it hung at "writing products"
17:02:13
17:02:15 I have the latest fastboot release installed.
17:05:26 stonjjohn: do you have enough free space
17:05:50 stonjjohn: also pretty sure that's just an indication of a bad USB connection for both
17:05:54 USB connection is dropping
17:06:05 use a different port and make sure cable is fully plugged in
17:06:10 seems your computer has broken USB-C
17:06:23 you won't be able to install without a reliable USB connection, it's the #1 issue people encounter as explained on the page
17:06:40 no reliable USB connection -> not going to be installing it
17:06:47 you need to fix that
17:06:52 Does anyone else have this battery issue with signal????
17:07:18 My battery drains as if it’s broken
17:08:11 > <@strcat:grapheneos.org> stonjjohn: also pretty sure that's just an indication of a bad USB connection for both
17:08:12
17:08:13 free space on the PC or the browser? If I was using CLI, the PC has more than enough free space (22 GB) if by browser, I'll try clearing out cache, etc.
17:08:35 22GB is probably not enough free space for web install
17:08:52 since the browser won't give out a couple gigabytes of space to a site if you hardly have disk space overall
17:09:14 it only needs a couple gigabytes but the amount it's allowed to use is proportional to overall free space
17:09:56 OK, I look into more USB cables. I was using the factory cable that came with the Pixel. I'll try others and other ports as well.
17:11:21 the cable that comes with it is fine
17:11:23 that's not the issue
17:11:35 the issue is bad USB ports / drivers on computer and lack of space for web installer
17:23:55 Did something change that would prevent a RQ2A.210505.002.2021.05.29.09 device from upgrading?
17:24:25 I see the notification come up for the download, it gets to 100%, then the updater crashes
17:27:45 no
17:28:00 which device?
17:28:07 4a
17:28:09 do you have enough free space?
17:28:19 Yep, 75G free
17:28:20 and what do you mean crashes?
17:28:22 ideally get logs
17:29:59 Even if I press "Check for updates" in settings, it boots me back into the system settings
17:30:18 get logs
17:48:13 I'm thinking about installing GrapheneOS on an old Pixel 3 to use as a hardware cryptocurrency wallet.
17:48:13 Can anybody here confirm if the Metamask Mobile APK can be sideloaded and properly functions?
17:56:05 Found it, logcat showed "An update already applied, waiting for reboot"
17:59:06 probably just the known UI issue
17:59:25 we need to make it use a foreground service for monitoring update_engine
17:59:50 and also it could deal with that error better somehow
17:59:58 the API from update_engine for apps is not good
18:00:05 the API from update_engine for update apps is not good
18:25:04 Do I need to make sure that my device is up to date before installing GrapheneOS?
18:28:22 Ideally yes
18:28:43 Please read the official installation guide as this question is answered there
18:32:10 Oh yes, my bad for not reading that part first.
19:17:50 hey guys can you recommend a usb-c to usb-a cable?
19:22:05 > <@chr0n05:privacytools.io> hey guys can you recommend a usb-c to usb-a cable?
19:22:06
19:22:07 Belkin gets the recommendation from me. Others Anker or Aukey.
19:29:20 all right, thank you
20:15:52 > <@hooly:tchncs.de> Haven't seen that feature yet, but there is a toggle in the drop-down menu that disables the cameras and apparently the microphone, too.
20:15:53
20:15:54 There is a toggle to disable the 'cam/mic usage indicator' in the status bar? Where can I find it?
20:16:28 You might need to enable it in developer options.
20:23:51 Thanks. There is a sensor toggle. This toggle deactivates all sensors.
20:23:51 I've asked if there's a chance to disable the status bar indicators which appear when cam/mic is in usage in background.
20:26:45 camera/microphone/sensors usage is never permitted in the background
20:26:56 and no, obviously there won't be a toggle to disable it, it defeats the purpose
20:27:43 hi I have a question about WiFi triangulation. I thought it was something that was not included in AOSP but it seems I may have been mistaken.
20:27:53 what do you mean exactly?
20:27:57 is WiFi triangulation baked into aosp?
20:28:02 define what you mean
20:28:07 there isn't a location service for it
20:28:22 the OS can't figure out location based on nearby Wi-Fi networks
20:28:23 how an android phone is constantly pinging WiFi networks around it to track its location
20:28:29 Android doesn't do that
20:28:34 stock OS or not
20:29:30 the stock OS has an opt-in feature for sending nearby Wi-Fi network names and Bluetooth devices to a Google service which returns back a guess of the location
20:29:37 the stock OS has an opt-in feature for sending nearby Wi-Fi network names and Bluetooth devices (separate toggles) to a Google service which returns back a guess of the location
20:29:48 it doesn'
20:29:54 it doesn't "ping" them
20:30:21 that's part of Play services, it doesn't exist as part of Android itself
20:30:41 wait what? if I buy an android phone from a retail store and activate it, isn't it constantly checking for wifi networks around it?
20:30:54 no, only if you opt into that in the initial setup wizard 20:31:00 and it doesn't ping them 20:31:10 it sends a list of them with signal strengths to a Google service 20:31:21 but I'm talking about a stock phone, not with a custom ROM 20:31:22 and Bluetooth devices, and similar for cell towers 20:31:29 I answered for the stock OS on a Pixel 20:31:37 GrapheneOS isn't a ROM, it's an OS 20:31:58 All went well until Flash release said Error: The requested file could not be read, typically due to permission problems that have occurred after a reference to a file was acquired (re @strcat: Get Anker cable there) 20:32:16 the boot ROM on the SoC is a ROM, i.e. a tiny read-only piece of firmware that cannot be updated since it's baked into the SoC and is what loads the next stage 20:32:45 apexibex: GrapheneOS has no supplementary location services, just GNSS (GPS, etc.) + A-GPS 20:32:55 > <@strcat:grapheneos.org> it sends a list of them with signal strengths to a Google service 20:32:56 20:32:57 so it sounds like this is what I mean 20:33:20 in theory, you could still use a maps app that asks for the location permission and then uses nearby Wi-Fi networks, Bluetooth devices and cell towers itself 20:33:26 it's just not provided by the OS 20:34:45 > <@strcat:grapheneos.org> that's part of Play services, it doesn't exist as part of Android itself 20:34:46 20:34:48 OK so it is not part of aosp, but it comes with gapps 20:34:52 I don't know if Google Maps knows how to do that internally without Play services 20:34:56 it might be available as an option 20:35:13 regardless, needs location permission, as it should 20:35:28 apps can't access that info with Location permission enabled + Location enabled (which makes the Location permission actually work) 20:35:44 I heard that even if you turn off Bluetooth and WiFi in location services settings in android, the WiFi pinging still persists 20:35:53 apexibex: there is no pinging 20:36:01 apexibex: on stock OS or otherwise
20:36:40 apexibex: and no, it doesn't persist when you turn off Wi-Fi and Bluetooth scanning, which are toggles 20:36:57 apexibex: and no, it doesn't persist when you turn off Wi-Fi and Bluetooth location scanning, which are toggles 20:37:21 it's separate from the main Wi-Fi / Bluetooth toggles 20:37:23 it's off-topic 20:37:27 GrapheneOS doesn't have support for this 20:37:46 if it did, it would be entirely local, so those toggles would have no privacy impact 20:38:00 there aren't useful public databases of Wi-Fi or Bluetooth device locations 20:38:17 and the public databases for cell towers are very bad / unreliable, full of inaccurate data and very bad coverage 20:38:51 so it would be possible to include a location service with support for using a local db of cell towers but there isn't actually a good db available for people to use 20:38:52 > <@strcat:grapheneos.org> there aren't useful public databases of Wi-Fi or Bluetooth device locations 20:38:53 20:38:55 doesn't Google (at the least) have a public database of all available WiFi devices? 20:38:59 apexibex: that's not public 20:39:13 there's wigle.net 20:39:15 apexibex: Apple's isn't public, and Mozilla's much worse one isn't public either 20:41:15 apexibex: not a public db 20:41:33 apexibex: a semi-public way to query their private db, sure 20:41:39 > <@strcat:grapheneos.org> apexibex: and no, it doesn't persist when you turn off Wi-Fi and Bluetooth location scanning, which are toggles 20:41:40 20:41:41 So you're telling to trust those toggles on stock android? I still don't believe "them" its really off even when you toggle it off. 20:42:10 bearbyte: it works fine, and as stated many times, baseless conspiracy theories and allegations do not belong in these channels 20:42:34 also off-topic 20:42:39 as stated above 20:43:17 StrCat, I am the one you told to get the Anker cable. 
All went well until Flash release said Error: The requested file could not be read, typically due to permission problems that have occurred after a reference to a file was acquired 20:43:59 It was mostly all a conspiracy theory before Snowden as well ;) 20:44:22 @AbuMubarak1378 you don't have enough space 20:44:32 bearbyte: not interested, not permitted in these channels 20:44:54 ok, got you 20:45:08 thanks, lemme go back to the drawing board 20:45:19 @AbuMubarak1378 you need more disk space, or you're using private browsing mode 20:45:41 gotta be space, i dont use private browsing 20:48:39 thanks for your excellent work on grapheneos! been running it for a few days and i'm very satisfied. is there any way to run PWA:s in separate cookie spaces? web apps from Vanadium that is 20:48:47 bearbyte: you talk about it as if people are not looking at the code, what the code is doing in practice and what network requests are made 20:49:09 @sebbz no but every origin will have all state fully partitioned in the future 20:49:18 nearly everything other than cookies already is 20:49:27 very nice, thanks 20:49:40 (cache, network connections, network state, etc. are already all partitioned) 20:52:02 > <@strcat:grapheneos.org> nearly everything other than cookies already is 20:52:02 20:52:04 where are cookies being tracked 20:52:14 not clear what you mean 20:52:17 where is cookie partitioning being tracked 20:52:22 How do you recommend separating apps into profiles? 20:52:29 duck: Vanadium issue tracker 20:53:00 duck: they're removing what browsers call third party cookies upstream and replacing them with other things we won't be offering 20:53:07 duck: but that's a different thing than what we want 20:53:24 duck: 'third party cookies' in browsers doesn't really mean the obvious thing 20:53:46 it's a different thing than fully partitioned state like Chromium already has available for cache and other things, which we want for cookies too 20:53:52 Hi. 
Does anyone have issues building RQ3A.210605.005.2021.06.08.06 from source ? The images are building just fine but the phone gets stuck at the Google logo and simply won't boot. Device is Pixel 4A 5G 20:53:59 the technical term for what we want is to split up cookies based on network isolation key 20:54:18 user4489: that release didn't work for Pixel 4a (5G) and 5 so it wasn't shipped for them 20:54:22 > <@strcat:grapheneos.org> duck: they're removing what browsers call third party cookies upstream and replacing them with other things we won't be offering 20:54:23 20:54:24 so chromium isn’t planning to work on this upstream 20:54:32 > <@strcat:grapheneos.org> duck: Vanadium issue tracker 20:54:32 20:54:33 can’t find it 20:54:51 user4489: the current release is still being worked on and all repositories other than the Pixel 4a (5G) and Pixel 5 kernels + the overall manifest are tagged but not those until it's done 20:55:16 > <@duck.:privacytools.io> can’t find it 20:55:16 20:55:17 https://github.com/GrapheneOS/Vanadium/issues https://github.com/vanadium/issues/issues 20:55:19 > <@inteference:matrix.org> How do you recommend separating apps into profiles? 20:55:20 20:55:21 https://freenode.logbot.info/grapheneos/20210424#c7758929 20:55:28 duck: https://github.com/GrapheneOS/Vanadium/issues/18 20:55:43 Eridan: that 2nd link is something else 20:55:46 Understood. Thank you ! 20:57:46 > <@strcat:grapheneos.org> Eridan: that 2nd link is something else 20:57:47 20:57:48 oh vanadium issue tracker is different from graphene vanadium issue tracker? 20:58:02 Eridan: you linked to another project called Vanadium 20:58:15 > <@strcat:grapheneos.org> Eridan: you linked to another project called Vanadium 20:58:16 20:58:17 oh i did? im sorry lol. 20:58:30 Eridan: your first link was correct 20:58:31 2nd was something else 20:58:49 > <@akc3n:tchncs.de> https://freenode.logbot.info/grapheneos/20210424#c7758929 20:58:51 20:58:52 What's that? 
I don't see any mention of profiles there 20:58:59 inteference: that logbot link, if you scroll up a bit, there's more details. Hopefully it will help you better understand. 20:59:00 20:59:01 Also, quick fyi, you need to have the same version of the app installed in each profile if you want to see said app in multiple profiles. 21:00:26 > <@inteference:matrix.org> What's that? I don't see any mention of profiles there 21:00:27 21:00:28 What really, shoot sorry I must have pasted the wrong link. I could have sworn the first few words in the sentence mentioned profiles. 21:00:30 I'll double check now though. 21:00:35 > <@strcat:grapheneos.org> duck: https://github.com/GrapheneOS/Vanadium/issues/18 21:00:36 21:00:37 has there been work recently on this front partitioning cookies especially 21:00:49 duck: upstream, yes, not by us 21:01:18 has there been work recently on this front keying cookies especially 21:01:29 duck: but as I said they have somewhat different medium term goals (removing third party cookies) 21:01:32 inteference: nope, definitely the right link I sent. It does mention profiles in first sentence. If you scroll up/down a bit you can learn more about it from that discussion. 21:01:38 not clear they would provide what we want as an option any time soon 21:01:41 probably has to be made by us 21:02:25 inteference: nope, I definitely sent you the right link. It does mention profiles in first sentence. If you scroll up/down a bit you can learn more about it from that discussion.
21:04:56 not seeing any benefits to partitioning cookies if there are no third party cookies 21:09:38 third party cookies as defined by all the major browsers doesn't mean what you think 21:09:48 said above it doesn't mean the obvious thing 21:10:16 it means something that only makes sense to browser developers after years of brain damage from web technologies 21:17:31 we have some good progress on getting working Pixel 4a (5G) and Pixel 5 kernels 21:17:44 shouldn't be any huge blockers to it now 21:18:05 and then we can push those out into Beta hopefully by tomorrow and then tag release 21:18:41 mention that chromium is using the strongest available implementation of state partitioning 21:19:03 is there a reason why the tor browser et al is weaker 21:19:19 is there a reason why the tor browser et al’s implementation is weaker 21:20:51 or does it relate to its relative insecurity 21:28:38 found an app on f-droid called WebApps which isolates web apps from each other 21:28:52 duck: Chromium enforces this stuff with the sandbox, Tor Browser sandbox can only protect the OS from the browser (poorly), not sites from each other 21:29:05 duck: and it's very vulnerable to Spectre and other side channels, doesn't have the proper mitigations for them 21:29:22 the proper mitigations are based around process isolation, which it doesn't have available in a strict way between sites 21:30:16 also worth noting: web extensions essentially bypass isolation between sites, each site is in a strict sandbox in Chromium but web extensions have a single sandboxed process each with access to every site 21:30:38 that's just how the API was designed, it would need to be redone to change that 21:31:07 web extensions make the browser sandbox much weaker, and weaken the defenses against side channel privacy leaks substantially, along with introducing their own serious leaks 21:31:48 couldn't I just route vanadium browser traffic through tor with orbot? 
21:32:19 > <@strcat:grapheneos.org> the proper mitigations are based around process isolation, which it doesn't have available in a strict way between sites 21:32:20 21:32:22 Is this going to change in a future release? 21:33:40 Demi Obenour: they're very slowly catching up to where Chromium was a couple years ago 21:33:54 in some ways, not others 21:34:07 they do plan to provide that kind of isolation, but they don't 21:34:17 there are a lot of pieces of it being made 21:34:36 Demi Obenour: on mobile, Firefox has no sandbox whatsoever beyond the app sandbox they don't have any choice about 21:34:52 it's not even multi-process at all on mobile 21:35:15 the Chromium layer-1 sandbox is provided by the OS to every app via isolatedProcess too 21:35:28 you only have to make a better seccomp-bpf filter than the app sandbox one like Chromium does 21:36:04 so it's not like other apps have to write the sandbox implementation, just use / design around it 21:36:20 pretty easy for say, a messaging app, to decide to put something like image parsing into a sandbox since the OS provides a high-level one for them to use 21:36:48 > <@strcat:grapheneos.org> Demi Obenour: they're very slowly catching up to where Chromium was a couple years ago 21:36:48 21:36:50 Why did Firefox get so far behind? 21:36:55 very high-level, i.e. you declare a normal service component and turn on a boolean and then it's sandboxed 21:37:05 Demi Obenour: day 1 of Chrome existing? 21:37:32 Chrome didn't originally isolate sites from each other for real but it did put them in separate sandboxed processes 21:37:43 it didn't enforce the boundaries until a few years ago though 21:38:08 i.e. they were separately sandboxed but they didn't enforce all the rules about data, site boundaries, etc.
*outside* the site sandboxes 21:38:32 and also they allowed sites to end up in the same process in some cases 21:38:37 like iframes 21:39:00 and so the site being included in the iframe by the other would need access to their usual data, etc. 21:39:03 breaking isolation both ways 21:39:16 anyway, now properly configured sites are very strictly isolated in Chromium 21:39:35 Demi Obenour: Firefox doesn't support a lot of the most important security features for site security too 21:39:41 Demi Obenour: such as Trusted Types 21:40:04 Demi Obenour: https://twitter.com/DanielMicay/status/1402655884111757319 21:40:14 thread about that there (+ Edge blog post about it) 21:41:09 among other things, Firefox is missing Trusted Types, the single most important security header feature by far, the fetch security headers (minor), CSP hash-source support for external files (which is really annoying since it's hard to use it for Chromium until other browsers support it) 21:41:26 they don't use modern compiler mitigations 21:41:36 Or legacy mitigations 21:41:50 Firefox still doesn't even use FORTIFY_SOURCE on Android lol 21:42:39 > <@strcat:grapheneos.org> Demi Obenour: Firefox doesn't support a lot of the most important security features for site security too 21:42:39 21:42:41 Oh wow 21:42:56 Is this just because of Google’s additional resources, or is there something else behind the difference?
21:42:59 Demi Obenour: I want to use hash-source in the GrapheneOS CSP across our sites to whitelist each script but I can't because it breaks Firefox/Safari since they don't understand what's happening but still try to enforce it 21:43:12 Demi Obenour: Google certainly has drastically more resources focused on security 21:43:16 > <@strcat:grapheneos.org> Demi Obenour: I want to use hash-source in the GrapheneOS CSP across our sites to whitelist each script but I can't because it breaks Firefox/Safari since they don't understand what's happening but still try to enforce it 21:43:16 21:43:17 User-agent sniffing? 21:43:27 Demi Obenour: then that breaks when user agent is inaccurate for whatever reason 21:43:33 or all the forks changing it 21:43:57 > <@strcat:grapheneos.org> Demi Obenour: Google certainly has drastically more resources focused on security 21:43:57 21:43:59 Is Mozilla doing the best they can with the resources they can, or are they not trying hard enough? 21:44:17 Demi Obenour: it's pretty clear security is not a priority for them and they laid off a ton of their security people and the entire Servo team 21:44:32 they laid off 25% of the employees and somehow most of their security work was part of that 21:44:36 shows what their priorities are 21:44:47 > <@strcat:grapheneos.org> shows what their priorities are 21:44:48 21:44:49 Yup ☹️ 21:45:20 afaik they basically laid off the whole infra security team, etc. 21:45:30 I am really worried about a Blink monoculture. 21:45:43 > <@strcat:grapheneos.org> afaik they basically laid off the whole infra security team, etc. 21:45:44 21:45:45 Dang!!! What should I replace Thunderbird with? 21:45:47 there's still WebKit which is horrible 21:45:53 Demi Obenour: replace email with Matrix? 21:46:04 email is pretty thoroughly awful 21:46:05 > <@strcat:grapheneos.org> Demi Obenour: replace email with Matrix? 21:46:06 21:46:07 Not always an option. 
21:46:16 well I treat email as this incredibly awful/gross legacy thing like SMS 21:46:39 > <@strcat:grapheneos.org> well I treat email as this incredibly awful/gross legacy thing like SMS 21:46:40 21:46:41 It is, but that does not mean I can avoid using it! 21:46:50 Especially in the context of mailing lists. 21:47:09 I use mutt in a sandbox for my grapheneos.org email and the gmail web interface for that legacy email 21:47:19 > <@strcat:grapheneos.org> I use mutt in a sandbox for my grapheneos.org email and the gmail web interface for that legacy email 21:47:20 21:47:21 What is your sandbox? 21:50:02 Serious question; I use (and develop) Qubes OS, but I know there are other sandboxing tools available. 21:50:41 > <@strcat:grapheneos.org> there's still WebKit which is horrible 21:50:42 21:50:43 Would the Web be better off if there was only one browser engine, and that engine was run by a non-profit? 21:51:32 Demi Obenour: probably, it's too complex to have any real competition now 21:51:38 Demi Obenour: Chromium should be like LLVM 21:52:13 Demi Obenour: Apple let go of tightly holding onto LLVM/Clang, Google could do the same with Chromium and just change whatever they want in Chrome, it's not like it means they have to do anything differently with what they ship 21:52:24 imo they would benefit from that 21:52:40 Apple didn't let go of tightly controlling WebKit though, that works like Chromium 21:52:53 and WebKit is awful now 21:53:04 I can think of one important use-case for an alternative engine: embedded “browsers” that are really just HTML5 user interfaces. 21:54:14 I put “browsers” in quotes because these are not actually web browsers, and using them on untrusted web content would be incredibly foolish. Their purpose is to run trusted code with minimal resource requirements. 21:55:29 > <@curiousforever:privacytools.io> I put “browsers” in quotes because these are not actually web browsers, and using them on untrusted web content would be incredibly foolish.
Their purpose is to run trusted code with minimal resource requirements. 21:55:30 21:55:31 To that end, they would not support features like `eval`, and would default to `trusted-types: none` or similar. 21:55:57 Demi Obenour: Chromium works fine for that via WebView though, just doesn't have great defaults 21:57:12 WebView does have JS disabled by default 22:00:12 Demi Obenour: by default, Android WebView API provides a sandboxed, HTML/CSS only rendering engine for web content with support for extending it 22:00:34 Demi Obenour: Chromium works fine for that via WebView though, just doesn't have perfect defaults 22:00:41 Demi Obenour: you can set it up insecurely but the defaults are pretty reasonable 22:00:55 and there are Android SDK lints for common insecure usage 22:00:59 > <@strcat:grapheneos.org> Demi Obenour: Chromium works fine for that via WebView though, just doesn't have great defaults 22:00:59 22:01:00 Would you mind explaining? Here is what I would like to see from such an engine: 22:01:02 22:01:03 - Easy-to-use, stable C API/ABI 22:01:04 - Runs quickly and has modest memory requirements 22:01:06 - On-by-default protections against XSS etc 22:01:07 - Does not require using TCP sockets to communicate with the embedder 22:01:08 - Good integration with embedders using platform-native GUI toolkits 22:01:09 - Good protection against untrusted multimedia content. All HTML is considered to have come from either a trusted source or be generated via DOM APIs. 22:01:20 I do *not* want it to be able to be pointed at an HTTP server, for example. 
22:02:00 WebView API is either Kotlin or Java since it's an Android application layer API 22:02:17 no JS by default, if you do enable JS you have to enable Trusted Types + CSP yourself 22:02:30 it's efficient to use and do stuff across it and the app 22:02:38 > <@strcat:grapheneos.org> WebView API is either Kotlin or Java since it's an Android application layer API 22:02:38 22:02:39 To elaborate: I was thinking in the desktop context here, not mobile. 22:02:41 you can extend it with custom JS APIs with a reasonable API 22:02:47 Demi Obenour: this would work fine on desktop though 22:02:58 Demi Obenour: ChromeOS has Android apps which are exactly the same thing there 22:03:03 > <@strcat:grapheneos.org> Demi Obenour: this would work fine on desktop though 22:03:04 22:03:05 Other than the Java/Kotlin dep, yes. 22:03:22 I basically mean Android is also a desktop OS 22:03:44 and due to ChromeOS apps handle it well 22:06:11 Demi Obenour: basically the way WebView works is you can load an apk asset and then that's the origin for the web context, and then you can have it make requests and use APIs to intercept them, and there are APIs to add JavaScript APIs if desired 22:06:21 Demi Obenour: you could also use it as basically a normal browser, it doesn't care 22:06:27 it has pretty simple config 22:06:35 you have to set up security headers yourself as always though 22:06:46 but most aren't relevant by default since JS is disabled by default 22:07:02 > <@strcat:grapheneos.org> Demi Obenour: this would work fine on desktop though 22:07:02 22:07:03 The idea, yes, although it would obviously need to be implemented differently outside of Android. 
22:07:18 Demi Obenour: WebView2 on Windows is probably pretty reasonable 22:07:23 and is Chromium-based (Edge) 22:07:29 not familiar with using the APIs 22:07:47 > <@strcat:grapheneos.org> Demi Obenour: WebView2 on Windows is probably pretty reasonable 22:07:47 22:07:49 The idea for this came from “people love to use Electron but it is such a giant resource hog”. 22:08:02 it also breaks the Chromium sandbox and breaks Content Security Policy 22:08:13 Let’s move this to #offtopic:grapheneos.org. 22:08:19 and isn't generally updated separately from apps like WebView on Android or WebView2 on Windows 22:08:20 sure 22:08:28 it's semi-on-topic but veers off into things that aren't 22:17:52 When you turn off a profile do all the apps and everything get put to hibernation on disk so nothing from that profile is running? 22:18:56 strcat, WE DID IT, Graphene is on and running, thanks a million 22:19:20 @AbuMubarak1378 just make sure to lock and then optionally verify with Auditor to make sure it's all good 22:19:28 As well as the main user profile, I restarted my phone and it saved all the background apps did it hibernate them before restart? 
22:19:43 another satisfied customer, one issue though, it froze at the end, and i was unable to lock the bootloader via the web, and right now, its not recognizing the device 22:19:46 @lr6smb when you use 'end session' all the apps in the profile are killed and the encryption keys are purged from memory/registers 22:19:52 rebooting does that for the OS as a whole 22:20:12 lr6smb: Android's app model has save/restore state 22:20:20 apps are supposed to handle having their state saved/restored at any time 22:20:30 the app provides it, the OS just tells them when they need to save their state 22:20:35 the OS does not save their state for them 22:20:43 Indeed 22:20:55 the OS says "you should probably save your state now" a bit after an app goes into bg 22:20:59 basically 22:21:09 (it calls a callback for saving state provided by the app activity) 22:21:25 apps are supposed to do everything via transactions and also support saving state and restoring it 22:21:37 in order for the OS to be able to kill them at any time to save memory, etc. 22:21:43 also it's how configuration changes are handled by default 22:21:57 if you turn on dark theme, change locale, change size of the app, rotate the screen 22:22:08 it saves state, respawns activity with restored state 22:22:09 End session is the same as switching to owner as well? 22:22:21 no 22:22:32 switching to owner leaves it running, end session kills it and purges keys 22:22:40 Oh no way 22:22:51 Interesting 22:22:52 end session is a feature enabled by GrapheneOS 22:23:03 the stock OS kinda has it but it's only for enterprise deployments choosing to enable it 22:23:17 The way you end session is via lockscreen? 
22:23:26 either via power menu or lockscreen 22:23:35 if you're currently using it you would probably use power menu 22:23:39 hold power -> end session 22:23:48 Indeed 22:24:01 reboot is like global end session 22:24:05 Without this then the profile is using CPU and also ram 22:24:12 you can't end session on Owner because system data / services run as part of that 22:24:23 Indeed 22:24:24 rebooting is how you end owner session 22:26:04 Fingerprinting vanadium you would appear the same as every chrome user (of the specific version) on the pixel device (using the same update)? 22:26:48 Disregarding any user changed settings that can be fingerprinted 22:28:56 lr6smb: with JS disabled, mostly yeah 22:28:58 with JS enabled, no 22:29:19 you look like a Chrome / Chromium user on a Pixel with Play services disabled 22:29:23 with JS enabled 22:29:28 you can tell Play services is not present 22:29:42 Ahh 22:29:49 anyway you could figure out it is not Chrome on stock Android via JS 22:29:55 requires some cleverness 22:29:56 but you can 22:30:29 So they can basically tell you're a degoogled pixel device 22:30:51 they can tell you're on a device without Play services and with substantial hardening, with JS 22:31:06 you can tell the difference between the stock OS and another OS via timing differences, etc. 22:31:23 Indeed 22:31:23 you can't really hide your OS + device type from JS regardless of what the browser does 22:31:28 as I said requires some cleverness 22:31:30 but it can be done 22:31:40 no browser hides that 22:31:41 none. 22:32:04 So using bromium with js enabled you'd get fingerprinted the same way 22:32:07 Tor Browser doesn't successfully hide your device model / hardware details from a clever site 22:32:11 yeah, you can't really hide that 22:32:15 can just measure performance stuff, etc. 
22:32:19 you can get really detailed 22:34:28 So essentially they could figure out that you're a grapheneos user on your specific model but they can't really pin point anything more detailed than that? 22:34:35 right 22:34:56 Indeed 22:35:04 Ok thanks for the help 22:35:05 there is no non-super-sophisticated way to do beyond that (ignoring state that can be cleared) 22:35:24 (or not saved persistently beyond 1 session, via Incognito) 22:35:34 Strcat, i locked the bootloader and it would not start, said, no operating system can be found, so i restarted again from Flash Release, 22:35:36 but in general, that's how it works 22:36:01 @AbuMubarak1378 wasn't a proper install then, did you for some reason use the 'replacing GrapheneOS with stock OS' button... ? not supposed to do that 22:36:07 flash and then lock 22:36:14 if it doesn't work after locking, something is very wrong 22:36:38 lr6smb: best way to minimize impact of fingerprinting is Safari on an iPhone, really 22:37:02 ok 22:37:07 lr6smb: with JS enabled they can determine a ton of browser + OS + hardware info 22:37:24 Is there a way to see all the running user profiles? 
22:37:41 lr6smb: even if you just made a build of AOSP and included Play services the same way, as soon as you did something like enabling more compiler optimizations, tweaking the allocator or whatever that can be fingerprinted 22:37:56 lr6smb: no, not a way to see that via UI 22:38:05 lr6smb: beyond switching to each and checking 22:38:53 > <@strcat:grapheneos.org> lr6smb: even if you just made a build of AOSP and included Play services the same way, as soon as you did something like enabling more compiler optimizations, tweaking the allocator or whatever that can be fingerprinted 22:38:54 22:38:55 I just want to be anonymous to the point of not being able to be singled out 22:39:23 So if I share the same fingerprint as other grapheneos users that's fine 22:40:57 But on pc with all different types of hardware configs you can basically be fingerprinted to your setup even on whonix? 22:41:18 > <@lr6smb:matrix.org> So if I share the same fingerprint as other grapheneos users that's fine 22:41:18 22:41:20 You blend in much more via Vanadium because it looks like ordinary Android Chrome browser. When you download an app, they can see if you have Google services compatibility and you would stick out more that way. Use the browser for as much as you can, with the exception of some respected email apps. 22:42:16 Right now I use vanadium to sign into google and bromium for everything else 22:42:20 lr6smb: it's harder from within a VM but they can detect the OS inside the VM and still detect hardware differences, etc. 22:42:38 Shouldn't e.g. Element be better used as an app rather than inside a browser? 22:42:54 lr6smb: it's pretty trivial to detect # of cores, and if you have a nice db of perf info you can determine CPU revision, frequency (approximately), etc. 
22:43:03 lr6smb: CPUs perform differently 22:43:09 there are clear ways to differentiate 22:43:12 > <@lr6smb:matrix.org> Right now I use vanadium to sign into google and bromium for everything else 22:43:13 22:43:14 I used to use Bromite, but don't see any benefits over Vanadium personally. 22:43:22 same with GPUs, and those also have drastically different capabilities 22:43:31 you can do feature testing and little performance comparisons 22:43:45 check baseline then compare things 22:43:49 > <@entry1:matrix.org> I used to use Bromite, but don't see any benefits over Vanadium personally. 22:43:49 22:43:50 I use 2 browsers so I don't sign into google on one of them 22:44:05 relative performance of one operation / API vs. the baseline 22:44:11 you can detect allocator, etc. 22:44:20 lr6smb: I don't think this is actually done in practice much just saying it can be 22:44:41 Since whonix is on a VM if you need a new private non fingerprinted version you can limit its performance I guess 22:45:06 we don't claim that you can't tell it's GrapheneOS via the performance impact of hardening, etc. since I'm sure you fairly easy can do that but probably no one does 22:45:19 it's just how things work 22:45:23 it's a constraint you can't really avoid 22:45:34 you're giving them code execution on your machine via JS 22:45:36 within a sandbox 22:45:49 (a multi-layer one) 22:46:16 Yes of course 22:46:48 Idc if I'm fingerprinted as a grapheneos user personally 22:46:50 you could do all kinds of hacks like pinning the renderer to 2 random cores instead of letting it freely use all the CPU resources, etc. 
but in the end it can still figure a lot out regardless of all the hacks trying to mitigate it 22:47:17 Yeah, that's why Safari + iPhone is a neat combo if you really want to avoid that at all cost 22:47:17 seems pretty pointless, the main mitigation is gaining more users of the browser + OS + device model combination 22:47:21 this is why iPhones are very strong for this 22:47:29 Got it StrCat, i reflashed, rebooted all is well, bootloader locked, etc 22:47:36 God Bless and thank you for all you have done 22:48:19 > <@strcat:grapheneos.org> seems pretty pointless, the main mitigation is gaining more users of the browser + OS + device model combination 22:48:20 22:48:21 This isn't possible on PC tho right 22:48:39 Custom build since my hardware is all different 22:49:53 Which then I'd have to do some hack to try and have a unique fingerprint but for when I need it I guess 22:52:18 I think I'll probably switch all my normal activity on vanadium and choose a different browser for google services 22:52:40 lr6smb: it's kinda possible if it's some wildly popular device + OS + browser 22:53:00 lr6smb: but traditional stuff, no, not really possible 22:53:35 Indeed 22:54:17 lr6smb: the only thing we can really do is slowly make GrapheneOS better and have it gain popularity 22:54:27 lr6smb: to mitigate that 22:54:50 lr6smb: it's not really worth fretting about, it's not feasible to prevent telling it's Vanadium on GrapheneOS via JS 22:56:52 Your option rn is basically to turn off js and be fingerprinted as having no js or leave js on and be fingerprinted as your device. 22:57:51 Can OS settings on android be fingerprinted like let's say auto brightness setting or dark theme? 22:57:52 That's the one thing that is cool about phones is that they have less hardware variables and you can blend in with more people than PCs. Once GrapheneOS gets even more possible and more Pixels sold, it will be sick. 
Right now Pixels are like 2% of marketcap in North America
22:58:17 That's the one thing that is cool about phones is that they have less hardware variables and you can blend in with more people than PCs. Once GrapheneOS gets even more popular and more Pixels sold, it will be sick. Right now Pixels are like 2% of marketcap in North America
22:58:18 lr6smb: https://developer.mozilla.org/en-US/docs/Web/CSS/@media/prefers-color-scheme
22:58:30 JS isn't the only way websites can fingerprint browsers.
22:59:01 lr6smb: dark theme is explicitly provided to web sites by browsers
22:59:12 lr6smb: they don't need JS to detect it
22:59:30 lr6smb: look at grapheneos.org for example
22:59:35 toggle dark theme on and off
22:59:41 we even change the favicon based on dark theme via SVG favicon
22:59:56 Indeed
23:00:04 lr6smb: sites can detect some things via JS like screen refresh rate
23:00:07 they can't detect most OS settings
23:00:25 Ahh ok
23:00:34 if you were really clever maybe you could detect screen refresh rate without JS
23:00:58 you could display some massively complex ridiculous page and detect performance of rendering via how fast requests are made
23:01:06 anyway it's not really a realistic way to do anything
23:03:28 lr6smb: it's entirely possible to make a grid using CSS where you detect a mouse cursor moving across it server-side with 0 JS
23:03:29 etc
23:04:03 I've heard mouse movements can be fingerprinted
23:04:35 You think there are people actively developing these types of fingerprinting?
23:05:31 Maybe even scroll speed, reading speed etc
23:06:07 > <@lr6smb:matrix.org> Maybe even scroll speed, reading speed etc
23:06:08
23:06:09 Banking websites do
23:06:31 I have a toggle on my bank website for behavioral checks or something
23:06:36 And it has exactly this in description
23:06:49 Indeed
23:07:26 lr6smb: https://twitter.com/davywtf/status/1124146339259002881
23:07:50 HTML+CSS only
23:08:04 via the fact that you can make CSS hover rules and then load stuff through it
23:10:23 https://matrix.grapheneos.org/_matrix/media/v1/download/nekopon.pl/zwHEbywtjFMqhkHihcGJOmlq
23:10:37 I think whonix tries to beat mouse moving fingerprinting somehow
23:11:17 In the end it's probably a losing battle
23:12:54 Some paradigm has to change
23:21:40 > <@lr6smb:matrix.org> I think whonix tries to beat mouse moving fingerprinting somehow
23:21:42
23:21:43 It does not
23:23:12 You're probably thinking of kloak which aims to prevent keystroke fingerprinting
23:23:55 (not to be confused with stylometry)
23:24:33 is it feasible to disable css hover
23:24:53 > <@madaidan.:matrix.org> You're probably thinking of kloak which aims to prevent keystroke fingerprinting
23:24:54
23:24:55 You're right
23:25:07 > <@duck.:privacytools.io> is it feasible to disable css hover
23:25:08
23:25:10 Kinda. A lot of things would break.
23:25:46 Pop out nav menus would probably break
23:25:46 Even my fairly minimal website uses that to display an underline when the cursor is hovering over a header.
23:28:44 > <@madaidan.:matrix.org> > <@duck.:privacytools.io> is it feasible to disable css hover
23:28:44 >
23:28:45 > Kinda. A lot of things would break.
23:28:47
23:28:48 what is qubes doing
23:29:31 seen some things about qubes not doing anything when hover
23:29:41 there isn’t any documentation though
23:31:56 > <@duck.:privacytools.io> seen some things about qubes not doing anything when hover
23:31:58
23:31:59 Can ask a Qubes dev in offtopic about that
23:37:12 lmao privacytools went down
23:37:20 it’s probably just https://groups.google.com/g/qubes-devel/c/wm6ebUPQpdg/m/UP9lDPMsBwAJ
23:37:46 > <@grapheneosbridge:grapheneos.org> lmao privacytools went down
23:37:46
23:37:48 The answer didn't go through?
23:38:01 Not sure what you mean
23:38:29 (Nvm)
23:39:33 even their statuspage is down
23:42:56 #offtopic:grapheneos.org
23:44:35 > <@duck.:privacytools.io> what is qubes doing
23:44:36
23:44:37 Idk
23:48:20 @coomerhead you mean their Matrix server or what?
23:48:46 doesn't seem down
23:49:50 it was down
23:50:32 privacytools is just unreliable now
23:51:02 their blog and email have been down for weeks
23:57:44 I strongly recommend using a different Matrix server than that
23:58:41 > <@strcat:grapheneos.org> I strongly recommend using a different Matrix server than that
23:58:42
23:58:43 That explains why I have had trouble joining a new server on GNOME!