• Sem
    5 days ago

    To be honest, I do not see any reason to use Lineage with a Pixel while there is GrapheneOS… But maybe there will be some users of it: it is always better to have more free, open OSes.

    • sunzu2@thebrainbin.org
      5 days ago

      The only use case, I guess, is if you prefer the microG implementation vs. sandboxed GPS.

      I think the GOS model will end up being proven right from a security/privacy perspective, but the debate is ongoing.

      GOS chief should not be in any public-facing communication position though… that weaponized autism with heavy dose of paranoia is what is needed to develop GOS but not a good look objectively, and I give people a lot of benefit of the doubt.

      • Brad Boimler@startrek.website
        5 days ago

        I use GOS and agree with you completely. Some of the things GOS has done and said in the past should never have happened and hurt GOS more than they helped it. Also, on the microG front, you are correct, it is still being debated, but as long as microG is signature spoofing, it is my opinion that it is not secure, as signature spoofing requires kernel changes that in fact weaken Android’s security model.

        • cmhe@lemmy.world
          5 days ago

          Maybe an unpopular opinion here, the Android security model is based around trusting the vendor of the device or ROM more than the end-user, which I find wrong in principle. The origin of trust needs to be fully in the hands of the owner of the device. Otherwise you take away the self-determination of the users, and that should never be an option when it comes to security.

          Users themselves should be able to give or take away trust however they choose, and if they are unsure on whom to trust for certain things, they should be able to delegate that trust-management to a third party of their own accord and with the ability to revoke it at any point.

          Everyone is different, and trusts entities to different degrees. For instance I would trust MicroG more to only transmit data that is absolutely required to Google servers, than the gapps.

          Also, modifying the kernel is already done by Google, in order to provide hardware support, so patching it additionally doesn’t automatically make it more or less secure. That depends on what those patches do, and if those patches are properly maintained.

          • Brad Boimler@startrek.website
            4 days ago

            Correct, but GOS reverses a lot of Google patches; for example, always-on voice requires kernel privilege, and it is disabled on GOS, etc. But kernel-level signature spoofing gives way for a malicious app to spoof as microG and infect your device, and you would never know, because microG requires the same thing to function: it is making itself look like Google when it is not Google. So using microG opens your device up to a lot more ways for it to be compromised and also makes it harder to detect or notice once it is compromised. For me the security risk of kernel-level spoofing is way too high to use on a production device used every day. Also, I trust neither Google nor microG. I only use FOSS apps; I don’t have sandboxed Play services installed at all. I just don’t use Google anymore.

            • cmhe@lemmy.world
              4 days ago

              I haven’t looked into it (because Android repos are confusing), but I assume it allows just one specific signature to spoof one other specific signature. If so then I do not see such a security issue, because it wouldn’t suddenly open this mechanism up to everyone.

              Even if it would require spoofing of multiple signatures, if there is a limited list of signatures to spoof as and a whitelist of signatures for the apps that are allowed to spoof them, then it would also be limited enough, IMO.

              IIUC, you don’t need to patch LineageOS anymore for MicroG: https://github.com/lineageos4microg/android_vendor_partner_gms/blob/master/README.md#microg-mobile-services

              • Brad Boimler@startrek.website
                6 hours ago

                So after more research: LineageOS and Calyx only allow microG apps to spoof, and then verify this via the app signature key they are signed with. This is the only way LineageOS would agree to adding microG support, so it is secure, but it still makes me feel unsafe, at least to me, just my opinion. But yes, it can be done securely. I would use LineageOS with microG if they supported relocking the bootloader. I know Pixels support this, but it requires you to build your own version of Lineage from source and then sign your device with your own key that you also sign your build with as well. I think I’ll stick with GrapheneOS.
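
The restricted design discussed in the comments above (a fixed list of which signer may present which signature) next to unrestricted spoofing, as an added example that is not part of the thread and is not LineageOS, CalyxOS or microG code. The certificates, function names and policy table are constructed for illustration, and the package name is an assumption used only as a label:

```python
# Simplified model of allowlist-gated signature spoofing.
# Everything here is constructed for illustration; it is not code from any ROM.
import hashlib
from dataclasses import dataclass
from typing import Optional


def digest(cert: bytes) -> str:
    """SHA-256 of a signing certificate, hex encoded."""
    return hashlib.sha256(cert).hexdigest()


# Constructed stand-ins for real signing certificates.
GOOGLE_CERT = b"constructed-google-cert"
MICROG_CERT = b"constructed-microg-cert"
ATTACKER_CERT = b"constructed-attacker-cert"


@dataclass(frozen=True)
class App:
    package: str
    signing_cert: bytes                          # key the APK was really signed with
    requested_fake_cert: Optional[bytes] = None  # signature it asks to be reported as


# Restricted policy: (package, real signer digest) -> the one signature it may present.
SPOOF_ALLOWLIST = {
    ("com.google.android.gms", digest(MICROG_CERT)): digest(GOOGLE_CERT),
}


def reported_cert_unrestricted(app: App) -> str:
    """Unrestricted spoofing: whatever signature an app requests is reported."""
    return digest(app.requested_fake_cert or app.signing_cert)


def reported_cert_restricted(app: App) -> str:
    """Honour a spoof request only for an allowlisted package signed with the
    expected key, and only for the signature named in that allowlist entry."""
    real = digest(app.signing_cert)
    allowed = SPOOF_ALLOWLIST.get((app.package, real))
    if app.requested_fake_cert and allowed == digest(app.requested_fake_cert):
        return allowed
    return real


MICROG = App("com.google.android.gms", MICROG_CERT, GOOGLE_CERT)
IMPOSTOR = App("com.google.android.gms", ATTACKER_CERT, GOOGLE_CERT)
```

Under the restricted policy the impostor keeps its own signer identity even though it reuses the package name, so a caller comparing signatures can still tell it apart.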

    • EngineerGaming@feddit.nl
      5 days ago

      Graphene has relatively short support, especially given that the phones for it are completely unaffordable new, so it’s effectively shorter than advertised. I am now spoiled by using a device that is not EOL, so I think I will be switching when GOS’ support ends.

      • Brad Boimler@startrek.website
        5 days ago

        GOS supports Pixel devices for the same amount of time as Google; it is hard to keep a device secure once drivers are no longer being updated. But with Google extending support for the Pixel 6 and 7 series and the new 7-year guarantee on Pixel 8 devices and newer, this isn’t really a concern anymore. So the Pixel 7a and Fold will be supported until 2028, the Pixel 6 and 6 Pro until 2026, and the Pixel 7, 7 Pro, and 6a until 2027. Seems like plenty of time for support, and that means as long as Google supports it, so does GOS.

        • EngineerGaming@feddit.nl
          5 days ago

          Yes, I know about them extending it. For me, for example, that means four years of official support, which is much less than a usual lifespan of my phone.

          • Brad Boimler@startrek.website
            4 days ago

            Then buy a newer one with longer support. This will always be an issue since the support window is the same as Google’s. Once a manufacturer stops updating drivers and device firmware, the said device can no longer effectively be secure, because any exploit in the drivers or firmware will forever go unfixed, compromising the device’s security. Doesn’t matter what devices you buy, this will always be the case; it just depends on what your personal threat model is.

            • EngineerGaming@feddit.nl
              4 days ago

              That support is about as long as it goes on mobile. An average poor person can’t afford to just buy new phones as soon as the support ends. Some updates are still better than no updates in this case.

        • buttfarts@lemy.lol
          5 days ago

          A Pixel 8 on contract was free for me if I commit to three years with my provider. I think I will get seven years of support from GOS, which is a worthy enough lifespan for an everyday smartphone.

          • EngineerGaming@feddit.nl
            5 days ago

            Is it an expensive contract? I doubt my $3/mo plan would ever have perks like this lol. Especially given that Pixels here are only sold unofficially.

            • subtext@lemmy.world
              5 days ago

              Yeah I’m in the US and those “free” phone contracts over 3 years are objectively terrible deals when you look at the total cost of $100–120/mo or more with the “free” phone on one of the big three vs buying it outright and paying $25/mo (ish) with an MVNO.

              Even if you assume a total cost of $100 at Verizon with the “free” phone—which I believe is a super low estimate—and you assume $45 at Visible (shameless referral plug)—which is their most expensive tier—you’re coming out at $1980 less in contracts over 3 years which could buy you (virtually) any phone you want and then some.

              • EngineerGaming@feddit.nl
                5 days ago

                $25 is already a crazy enough sum for a phone bill, what you’re talking about is outrageous. Also, I’ve heard that such devices are often carrier-locked, and that carrier-locked devices often also have locked bootloaders.

                • subtext@lemmy.world
                  5 days ago

                  I mean that’s just kinda the way it is in the US / Canada. Though I hear Canada has even higher prices for less service.

            • buttfarts@lemy.lol
              4 days ago

              About $60 CAD per month for talk/text with 50GB data which is average for here