Main issue is because you can't verify that the GrapheneOS is real. Though it does have the Auditor app so I guess there's that.
Thoughts on selling of Pixels with preinstalled GrapheneOS
paweljott There is "unlocked" which means you can use it with any carrier, and there's "factory unlocked" which allows you to install the custom bootloader.
Max-Zorin This is so much great info and better than I could have hoped for. I'd be making these to order with basically no inventory no overhead from marketing. I pitched this on reddit and was called "scummy".
de0u I look for factory unlocked, unopened Pixel 4A phones. Not used, opened unused, or "carrier unlocked".
idontknow I look for factory unlocked, unopened Pixel 4A phones.
Pixel 4a firmware support from Google ended 2 months ago. Especially given the backup situation, I would not feel comfortable encouraging somebody to move their life onto a device with unsupported firmware when it would be a hike for them to migrate off.
- Edited
I don't mean to be discouraging, but one of the worst things someone selling devices with GrapheneOS can do is sell near EOL or EOL devices to people. Nobody should be selling something older than a Pixel 6 right now, and that's cutting it close (https://grapheneos.org/faq#recommended-devices should be one's guide on which devices would make sense for this).
The reason for that is twofold. You're selling a phone to someone with the promise of it being secure when it cannot be past EOL. When GrapheneOS stops providing extended support releases for it (which are not complete, cannot be complete and do not make the device secure), those people are left stranded with an insecure device and without the technical knowhow to know what to do about it and what it means.
The second reason is admittedly more "selfish", but those same people may reach out to us, frustrated, because the phone they bought is no longer receiving updates, and why is that?
It's completely fine and allowed to sell devices with GrapheneOS provided you clearly explain that you're a third party and not affiliated with GrapheneOS, and that you do not modify the OS (as if the OS is modified, it is no longer GrapheneOS, and shouldn't be called that).
[deleted]
- Edited
idontknow and there's "factory unlocked" which allows you to install the custom bootloader
No, It does not allow you to install an "custom bootloader".
This post has given me inspiration for future projects, so first of all thank you:) I'm thinking about offering to install GrapheneOS for people in my region who aren't confident they can do so themselves. I might include buying the phone anonymously and initially guiding them into a secure & working setup if they want. I'd like this to be very accessible, so at most I'd accept voluntary donations and give 50 % to the project.
Of course, this would require strict security. This being a non-profit service and me not being rich, what would be the least expensive setup for this?
Under no circumstances would I want to expose the people coming to me for help to greater risk than required. Although I'm not Ed, I don't have a completely average threat model and neither would some of them. I'd need to ensure reasonably well that an infection of (some of) my devices couldn't spread unnoticed.
- Edited
I wouldn't pay attention to Reddit comments like that.
The way I look at it, I was providing a service. For some people time is money and the time for them to secure a proper phone, learn about GOS, setting up their computer with the proper drivers to install it and setting up the phone is a significant cost in time. This is time they could be making more money (than it would cost to hire someone to do the above) or could spend doing other things like spending time with family, or recreational activities. I know a few directors and executives at my employer and they work 60 to75 hours a week. They use all sorts of services a "regular person" could do themselves (house cleaners, grocery delivery, vehicle cleaning and maintenance etc.) because their time is more important than doing these menial tasks in addition to their job. And it's not just executives that use these services, a lot of "regular people" do as well for their own reason.
Many of the naysayers look at the situation from their own perspective. "Well I bought a phone and installed GOS myself, why would anyone hire someone to do that?". Might sound harsh to say this, but those people have a limited view and likely will never be entrepreneurial.
They themselves probably use many services (go to restaurants, hire a plumber etc) that someone else with different skills could easily turn the table and say the same thing (well why don't they just cook food themselves, well why don''t they just unclog the drain themselves).
I think if you keep your overhead down, and start out slow then you could see where it goes. You might also start out consulting people on how to set up GOS on their own phones and installing their GOS devices for privacy. There is a lot of research involved in setting up a GOS device to be private, secure and everyday functional for the needs of an average person.
And like @matchboxbananasynergy said, make you sure you are clear with your clients you in no way represent or are directly involved with the GOS project, are not involved with developing the OS and are only a 3rd party installer. Any support would have to be done by you during the support period you define, and not the GOS team.
Good luck with this!
Please be sure to inform customers when firmware support will end for whichever devices you install.
idontknow I'm one of the people you describe who does not have the knowledge to confidently do an install myself.
I would be very happy to purchase a product that already has the install on it. But I agree with you that the prices being asked a far too high. I have seen prices that are twice the cost of the phone.
I do think the a reasonable fee for the time and effort is required. Also some money should be kicked backed to the developers of GOS. $50 sounds fair and maybe $100 for install. So about $150/over the cost of the device.
Also of note is how low the prices are from companies like Verizon.
I was able to get my P 7a for $299 which is the best price I have seen by far.
AlwaLe729 Note that the phone you received from Verizon is likely locked and can't be used to install GrapheneOS.
Unless of course you've already done so, which would certainly be the exception rather than the rule.
[deleted]
- Edited
idontknow I found this on the FAQ of the DivestOS website. Although not all points apply to GrapheneOS, I thought It could be useful.
"I want to sell devices with DivestOS preloaded, what should I know?¶
Selling devices with official builds of DivestOS installed is OKAY and within the license. Some preferred suggestions:
Handle the sale in good faith.
Do not market DivestOS as a magic bullet of privacy and/or security.
Verify the GPG signature and checksums of the builds you download/install.
Use Extirpater + factory reset to ensure no previous user data remains.
Ensure the device firmware is up to date before flashing.
Use the DivestOS recovery if supported.
Do not modify any system or firmware partitions such as /system, /vendor, or /boot.
Lock the bootloader if supported.
If the device requires a token or keyfile to unlock the bootloader, provide it to the user.
Leave it at the setup screen.
Leave the default wallpaper.
If you preload apps only source from the existing F-Droid repositories. (This would not apply as there are no existing F-Droid repositories on GrapheneOS by default.)
If you are not using official builds of DivestOS:
Make it clear to your users that it is unofficial.
Use the branding variables in the scripts to rebrand it.
You must make your sources available to your users as per the original repositories' respective licenses. Compliance is mandatory!
Consider upstreaming any appropriate changes."
@[deleted] @de0u @Max-Zorin @matchboxbananasynergy
Thanks all for your feedback. My take aways:
General consensus: It's not scummy, but there are right and wrong ways to do it.
- Explain I'm a 3rd party, not affiliated with GOS, and that I will handle support for a specified period of time
- Explain I do not modify the OS
- Alternatively, sell the GOS setup as a "how-to" service with best practices (this is the real value to the consumer)
- Sell at least a Pixel 6 (no older)
- Tell customers when firmware support will end, and what this means
- charge no more than $150 over price of phone
- donate part of proceeds to GOS project (30-50%)
- Don't misrepresent the product (silver bullet for privacy)
Build process:
- Verify GPG checksums of the OS file
- Completely factory reset phones prior to install
- Ensure firmware is up to date
- Do not modify the OS in any way, aside from requested apps
I will pilot a small number of sales and see how it goes.
[deleted]
idontknow Good luck
idontknow not to discourse you but I bought a p6a to install grapheneos on and realized that I needed a bigger phone so I listed it on eBay with grapheneos installed . it didn't sell for much more then I bought it for . granted I bought a new device and sold it as like new . wasn't looking to make money.
Skyway Skyway It's definitely a niche market and I have no delusions about selling like crazy. If I do this it will be made to order with lots of communication pre and post-sale. I do think non-technical folks are starting to gain interest in digital privacy, especially older folks from my home country, the United States of "3rd party doctrine" America.
[deleted]
idontknow Verify GPG checksums of the OS file
GrapheneOS Developers don't provide GPG checksums. Only an .sig file is provided which contains the SHA-256 checksum of the appopriate Factory Image/OTA Update.
idontknow Would I be a parasite on the FOSS community for this?
Why do you even care what anyone thinks about that? Just do it. If it's successful, great. Nobody is forcing anyone to buy anything, people are choosing to send you money for the service provided. There is literally nothing wrong with that. If it is not successful, then it was not a good idea after all. It's that simple.
A few years back I was looking for this. First I wrote to the GrapheneOS team and asked if they'd do it. They said no. Then I reached out to a local repair shop with a good reputation in my area and asked if they'd help me with it. I was asking for a $100 markup. They thought the price was fair but in the end they said they couldn't do it, so I had to learn how to do it myself.
I'm a bit surprised to hear that anyone thinks this process is easy for anyone who doesn't live and breathe tech.
- Source the device
device compatibility?
device close to end of life?
unlocked? - Flash
OEM unlocking needs an update first?
unlock the bootloader
boot into bootloader
only certain USB cables work
set the udev rules
at least 1 DE is incompatible - Want to avoid Google Play?
sideload Signal Private Messenger
sideload VPN software
Oh yea, and don't follow any youtube tutorial, because the install instructions may have changed since then.
IMO $100 is a deal to for a plug and play solution that removes the headache of all this stuff. Every citizen deserves privacy, not just those of us who have the time and skill to implement these solutions ourselves.
Main issue I see is how to establish trust. Not sure I'd ever buy one from someone I couldn't look in the eye.
Also, I'm pretty sure there would be trademark issues with the marketing. Not sure how that would work.
I really liked the comment above that suggested incorporating a GOS donation into the purchase price.
Personally, I'd love to see the growth of a grassroots tech support industry the same way we've got a dentist, a doctor, an accountant and a lawyer.