
Hi

Why are there no "[ROM][UNOFFICIAL]" builds of GrapheneOS? On XDA Forums you will find hundreds of such LineageOS builds.

Can anybody share some gossip about why?

I prefer more desktop-like hardware (for example the Pinebook), but there is no GrapheneOS for it, which seems to be the most secure OS.
Happy day


    Because unofficial builds on unsupported hardware are insecure and should not be called GrapheneOS.

    That wouldn't be GrapheneOS. An unofficial GrapheneOS build would be a build of the OS as it is, for the supported devices, that just isn't signed by the project, but rather a third party.

    If you take GrapheneOS and change things, including porting it to different devices where the same security properties don't exist, it's no longer GrapheneOS.

    Scott Why there are no "[ROM][UNOFFICIAL]" builds of GrapheneOS? [...] I prefer more Desktop like hardware (example Pinebook), but there is no GrapheneOS which seems the most secure OS.

    A lot of the security of the OS depends on a foundation of strong hardware security. Some devices, including some Samsung and Apple devices, have more or less reasonable hardware security, but the manufacturers do not publish enough information for third-party operating systems to make use of that security.

    Further information: https://grapheneos.org/faq#future-devices

    See also the "Many other devices [...]" text here: https://grapheneos.org/faq#supported-devices

      de0u The Pinebook (open-source ARM 64-bit notebook) does not have hardware security features? Also, do normal notebooks not publish the specs?


        Scott The Pinebook (open-source ARM 64-bit notebook) does not have hardware security features?

        I didn't claim the Pinebook has zero hardware security! I provided a link to a list of specific features that GrapheneOS requires of hardware platforms -- for example, verified boot. Looking quickly online I am not seeing any information suggesting Pinebook support for verified boot. The list I linked to has 24 items on it. If the Pinebook platform has those 24 (or even a close approximation), great! If not, not great.

        Scott Also, do normal notebooks not publish the specs?

        I'm not sure what is meant by "normal notebooks" or "specs". But very few laptops support the specific hardware security features on that list, maybe none. As I wrote, Apple laptops have good hardware security (widely agreed to be better than at least most non-Apple laptops), but details of how to use that hardware are not readily available to all comers. As just one example, I believe I have read that installing Asahi Linux on modern Apple hardware requires a macOS partition to bless the Asahi partition as secure enough to boot (see "stub macOS" and related text on this Asahi wiki page).

        It may seem surprising that most laptops and desktops lack hardware security features that phones have, but surprising things might still be true.

          de0u It may seem surprising that most laptops and desktops lack hardware security features that phones have, but surprising things might still be true.

          Thank you very much for the explanation. I am new to the Android custom ROM scene (was always an iPhone user). I didn't know that mobile hardware is more secure. This was completely new to me, but something similar was said in another thread about cryptocurrencies.

          https://discuss.grapheneos.org/d/13825-on-iphone-i-used-to-use-cryptonow-i-am-now-on-grapheneos/8

          You learn something new every day. I thought mobile phones were toys and walled gardens for Tinder, Netflix and co.

            Scott I am new to the Android custom ROM scene

            Small clarification: the term ROM is wrong, but many users are used to using it; there is no such thing as a custom ROM.

            Scott I didn't know that mobile hardware is more secure

            Well, it depends. AOSP is a secure and privacy-friendly platform, but the code can always be modified to make it invasive and breakable. Google takes its platform seriously; third-party OEMs don't really use Android but broken versions of it that don't even respect the minimum standard in terms of security and privacy, nor for the hardware. Android isn't really an operating system but a family, and its dispersed nature causes it problems.

            Since the Edward Snowden revelations, a new business has sprung up around the sale of privacy-enhancing smartphones. It's a scam, or worse in 99% of cases, because that's how this industry works.

            Scott I thought mobile phones were toys and walled gardens for Tinder, Netflix and co.

            From what I've observed, this is pretty much the way many users use their smartphones.

              • [deleted]

              Another interesting thing is that no ROM uses GmsCompat apart from GrapheneOS, despite it being superior to microG and the GApps package.

                [deleted] There are some lesser known ones that do use it, but they don't all deploy it correctly, or fall behind in updating the compatibility layer.

                We know that this is the case because they leave our link to report crashes as the same, so people using other projects report crashes (which occur because the compatibility layer is out of date) to us instead of the project they're using.

                GmsCompat is also used in other products like AphyOS etc.

                Xtreix Here's some reading to get you started: https://privsec.dev/posts/android/android-tips/

                I am very much surprised by these statements:

                F-Droid, despite being often recommended in the privacy community, has various security deficiencies. You can read more about them here.

                I do not recommend that you use F-Droid at all unless you have no other choice to obtain certain apps. In some rare cases, there may be some apps which require the F-Droid version to work properly without Google Play Services. If you do end up using F-Droid, I highly recommend that you avoid the official F-Droid client (which is extremely outdated and targets API level 25) and use a more modern client with seamless updates such as NeoStore. You should also avoid using the official F-Droid repository as much as possible and stick to the F-Droid repositories hosted by the app developers instead.

                F-Droid does the same as Debian ("packages" apps). I am a long-time Debian fanboy.
                Is this now considered insecure?


                  Scott When it comes to security, details matter. When specific concerns are raised about F-Droid, those concerns may or may not apply to unrelated projects.

                  Debian was one of the distributions targeted in the xz attack. The outcome for them was ok, but that was partly luck.

                  Overall, "Debian does X" does not necessarily mean it's right, and "F-Droid does something like what Debian does, at a high level of abstraction", does not mean F-Droid is right.


                  de0u As just one example, I believe I have read that installing Asahi Linux on modern Apple hardware requires a macOS partition to bless the Asahi partition as secure enough to boot (see "stub macOS" and related text on this Asahi wiki page).

                  You guys here in the forum are much more technical than me. I didn't understand anything from the linked GitHub wiki.

                  However, I plan to install AsahiLinux as soon as USB-C displays are supported.

                  Isn't that a good idea (from a security point of view)?

                  I like Linux much better than macOS.

                    Scott I didn't understand anything from the linked GitHub wiki.

                    I cited it as evidence that Apple has not documented their hardware enough for the Asahi folks to manage the machine without macOS being present.

                    Scott I plan to install AsahiLinux as soon as USB-C displays are supported.

                    Isn't that a good idea (from a security point of view)?

                    It's probably less secure on modern Mac hardware than macOS, but arguably more secure than Linux on a lot of random x86 hardware.

                    Scott Pine64 hardware has notoriously poor security, including the Pinephone. It's a huge step backwards.

                    Scott It doesn't leverage the hardware-based security features that are available, and it's a typical desktop Linux distribution without a modern privacy/security model or features.

                    Scott That's a scam. It's highly insecure and does tons of false marketing.