I noticed GNU has a statement regarding GrapheneOS on their non-free distros page.

https://www.gnu.org/distros/common-distros.html

GrapheneOS is a version of Android which is described as “open source,” but it seems to include software that isn't free software or even “open source”. For instance, it comes with firmware programs for installation and it appears that at least some of them are binaries without source code. It is said to be “de-Googled,” but includes a way to download and install the nonfree Google Play program.

I don't really care whether GNU considers GrapheneOS a "free system" but I want to clarify if their claims are even correct.

I thought it's been said that the firmware is in fact open source for Pixels, but perhaps not free software. But I can't find a source for that.

Also the degoogled comment is odd, because that is not a stated goal of the project. Even if it were, degoogling seems unrelated to GNU's criteria for an OS being free software. Play Services are also not part of the OS even if you choose to install them. They're just apps.

What are your thoughts?

    starkle I thought it's been said that the firmware is in fact open source for Pixels, but perhaps not free software. But I can't find a source for that.

    There are no phones with open-source firmware to my knowledge.

    Google said it wanted to make the Titan M2 open-source but still hasn't done so.

    starkle What are your thoughts?

    My thought is not to take GNU seriously in any way.

      GNU is very strict on the definition of "free software" and anything that deviates from their (and by "their", I mean Stallman's) idea of free software is automatically marked as "do not endorse", which is usually very poorly worded and makes it seem like anything that is non-free software is the devil's work.

      As far as I'm concerned, GrapheneOS does not advertise itself as being open source or free software, because that's not really the ethos of the operating system itself. Even if there is non-free software in GrapheneOS (which technically the Google Play Services installers could count as such, since they are built into the operating system), the main focus of GrapheneOS is security and privacy, not necessarily being free software and abiding by GNU/FSF's criteria for what free software is.

      I mean, they don't endorse LineageOS because developers and maintainers add the proprietary blobs to each device they are porting the OS to, which is something that is MANDATORY for the system to even boot or function properly. They also claim they can't endorse LineageOS for having instructions on how to install Google Apps on the device. We're not talking about something baked into the OS like Graphene, but a written guide on the LineageOS website that no one actually needs to follow if they don't want to.

        It is said to be “de-Googled,” but includes a way to download and install the nonfree Google Play program.

        Uh huh.

        qw2b1 GrapheneOS does not advertise itself as being open source or free software

        https://grapheneos.org/
        The private and secure mobile operating system with Android app compatibility. Developed as a non-profit open source project.

          GNU is an entirely unserious organization. The specific claims made about GrapheneOS make no sense.

          What does "firmware programs for installation" even mean? Are they referring to the web installer, because that's completely open source.

          and it appears that at least some of them are binaries without source code

          What does this even mean?

          It is said to be “de-Googled,” but includes a way to download and install the nonfree Google Play program.

          I wouldn't have addressed this in the first place due to how ridiculous of a statement it is, but some people in this very thread are confused themselves, so let me make it clear just so we're all on the same page.

          GrapheneOS does not come with Google services, Google Play Services or otherwise.

          We provide the option to install Google Play Services in a sandboxed manner. If you don't install that, there are NO Google Play Services by default. GmsCompat, the compatibility layer, is NOT a Google service, and is completely open source, as is all of GrapheneOS.

          qw2b1 Even if there is non-free software in GrapheneOS (which technically the Google Play Services installers could count as such, since they are built into the operating system),

          Are you referring to "Apps" mirroring Play Services, or something else? If you're referring to that, then GrapheneOS by GNU's standards was fine when it had links to get them on the site and not a way to get them from within the OS itself? It would be pretty ridiculous to claim that either way.

          All in all, GNU isn't someone anybody serious should listen to in 2024. They haven't had anything relevant to say in years, and that's being generous.

          To understand how silly their entire process is, Purism essentially made their phone have firmware that cannot be updated in order to get GNU's certification. Of course, that doesn't mean the hardware doesn't have closed-source firmware. It just means you can't ship security updates to it anymore, and that's a-okay with GNU. It's just silly.

            Dumdum I believe that is a semantics issue: Personally, I don't think mentioning open source is not advertising as open source. You can tell by the amount of times they actually mention open source in the FAQ (excluding mentions of AOSP).

            Here's LineageOS's headline for comparison:
            A free and open-source operating system for various devices, based on the Android mobile platform.

            This for me is advertising as open-source. GrapheneOS is advertising as a secure and private operating system.

              qw2b1 GrapheneOS is of course an open source project, and that is important. It means people can have their own builds of the OS, or that somebody can fork it etc.

              We don't mislead people by claiming that something being open source somehow magically makes it more secure, though it can help. "Advertising" as open source can be pretty disingenuous depending on how a project does it.

              I think the distinctions are pretty silly in the context of what GNU deems or does not deem "open source". Unless you're doing things that actively worsen security, you will not meet their outlandish and out of touch standards.

              In that sense, GrapheneOS is a security and privacy project. We would never consider doing something like what Purism did just to appeal to the GNU crowd if it meant worsening privacy and security.

                itsjpb I'm pretty sure there was a blog going into more details about this (trying to look for it), but essentially the firmware of the hardware was made so it cannot be updated so that GNU wouldn't disqualify their OS from certification for being able to provide "non-free" firmware updates.

                That means that the firmware cannot be updated and is perpetually stuck on an ancient version. It doesn't get rid of the closed source firmware; it makes it so it cannot be updated.

                I hope you can see how that's a hilariously bad idea and is just theater for marketing.

                  Xtreix There are no phones with open-source firmware to my knowledge.

                  It would be great if there were, but that is not the state of affairs.

                  For a while the GNU fork of Android, called "Replicant", sort-of ran on some phones, though many "supported" models couldn't do Wi-Fi, or couldn't do Bluetooth, etc., because there was no open-source firmware for those functions.

                  Here is a recent status update from Replicant: https://blog.replicant.us/2024/03/replicant-status-and-report-of-the-37c3-and-fosdem-2024-conferences/

                  Perhaps their approach will eventually bear fruit (that would be great), but at present it's not really resulting in usable phones.

                    Xtreix Major portions of the firmware are open source since the main boot chain components are based on littlekernel, the secure core and TEE run Trusty OS and the Titan M2 has firmware/hardware based on OpenTitan. That doesn't mean it's all open source firmware just that it's heavily based on it, which is a lot more than other hardware.

                      starkle Operating systems need to include firmware updates to be remotely secure. The hardware and firmware is still there for one of the insecure operating systems they endorse not updating it. GNU and FSF promote a bunch of highly insecure operating systems and products which causes real harm to users. No need to link this misinformation here. We don't want their endorsement since it simply means an OS is insecure. They even require removing security warnings about insecure out-of-date firmware/microcode because they consider it promoting non-free software. That's scammer behavior. We want nothing to do with it.

                      It is said to be “de-Googled,”

                      GrapheneOS never uses this awful terminology. Perhaps they should get information about GrapheneOS from reliable sources.

                      but includes a way to download and install the nonfree Google Play program.

                      Irrelevant. Does not make it non-open-source. Their stance of providing a way to get proprietary software making software proprietary is nonsense. Providing firmware updates doesn't make an OS not open source. They could more legitimately complain about the fact that not all driver libraries across the supported hardware are open source yet, but they will be eventually. Their claims about all these topics are full of outright lies, not simply inaccuracies.

                      de0u I thought the Replicant project had been more or less dead / obsolete for years and so I haven't looked into them for a long time, which is still pretty true in my mind given that the latest version is still based on Android 6. Thanks for sharing that link, I've read it and while I certainly find it interesting, I don't have enough perspective on the situation to judge it properly.

                      Yes, I think that would be great too.

                      GrapheneOS Thank you, it's very positive. I'd forgotten about TrustyOS!

                        Xtreix Android 12 is the oldest Android version with security support. Android 14 QPR3 is the only one with full privacy/security patches. Replicant even excludes shipping firmware updates which were available for the ancient, highly insecure devices they support. GNU/FSF approval requires insecurity through not shipping firmware updates and covering up that they exist by even removing warnings about non-updated firmware, etc. They require misleading users about security for approval. Every OS approved by them is both insecure and misleading users about it, by design.

                          GrapheneOS Yes exactly. Purism consciously used a firmware that can't receive security updates simply so GNU wouldn't disqualify them from certification for providing "non-free" firmware updates, which is total nonsense. It shows GNU/FSF and Purism's dishonesty towards their users. All Purism's statements on their website are marketing.

                          matchboxbananasynergy lol, destroying their product to please the wizard. sounds about right. i love open source but what a weird community sometimes

                          includes a way to download and install the nonfree Google Play program.

                          Trisquel (example) includes tools to download and install Microsoft Edge.

                          An operating system that restricts what users can install (=use) beyond strictly technical limitations, is a non-free operating system 🤯.