Looking for a new mobile OS

I have been running lineageOS on my OnePlus 2. I liked it, but Lineage has stopped supporting my phone. There are two options that I have been able to find as replacements - postmarketOS and /e/OS. Any thoughts on those or other recommendation? Anything that gets security updates, is open source, and is functional meets my needs.

@Lunacy
link
103M

On android there are three recommended operating system:

GrapheneOS

GrapheneOS starts from the strong baseline of the Android Open Source Project (AOSP) and provides substantial privacy and security improvements from the bottom up, such as:

You can find a partial list of grapheneOS features here.

GrapheneOS has also experiments support for installing the official releases of:

as unprivileged, sandboxed apps like any others and GrapheneOS implements shims to make them work without the many privileged permissions and SELinux policy extensions these apps usually require. This approach fit the android security model, unlike microg.

CalyxOS

CalyxOS starts from the strong baseline of the Android Open Source Project (AOSP) and minimizes the tracking, surveillance, and spying done by phone manufacturers, mobile phone service providers, internet service providers, advertising companies, data miners, and malicious hackers. It provides some privacy and security improvement, such as;

  • scramble PIN
  • block unknown USB devices
  • encrypted backup via seedvault
  • Wi-Fi and Bluetooth auto turn off
  • directly make an encrypted call using Signal or WhatsApp from the Dialer
  • sensitive Numbers privacy
  • tethered network devices (USB or Wi-Fi) can use the phone’s VPN or Tor.
  • microg
  • datura firewall
  • mozilla Location Services (and Dejavu) available as default location services.
  • nominatim available as default geocoding service

You can see the full lost of features here

In addition, CalyxOS bundles some application in order to protect user’s privacy and security, such as;

LineageOS

LineageOS is a ROM focused on costomization and compatibility with different devices rather than improve privacy and security. Nonetheless, It comes with a few privacy and security improvements, such as:

  • PIN scramble
  • sensitive numbers privacy
  • encrypted backup via seedvault
  • Trust
  • Hide specific apps behind a secure lock

You can see more detail about LineageOS features

However, this ROM severely weaken the security model of android in different ways:

  • using SELinux in permissive mode instead of enforcing mode, which is a very bad approach

  • disabling verified boot which ensures that all executed code comes from a trusted source, rather than from an attacker or corruption

  • using userdebug builds, which is a bad approach because builds released with userdebug do have serious sandbox holes. In fact, Even if lineage supported verified boot, you could easily disable it as it is a userdebug build. So malware could just disable verified boot on lineageos if it wants to due to userdebug and achieve full persistence.

  • lacking of rollback protection which means that an attacker could downgrade the system to a vulnerable version for further exploitation even if the bootloader was locked.

Moreover, LineageOS still support phones which don’t have vendors support anymore. So, closed source components such as the bootloader, modem firmware, and other firmware no longer get updates.

/e/

/e/ is basically a LineageOS reskin.

conclusion

It’s important to understand that this is not a comparison. These operating systems are different projects; they offer different things, have different goals,thus they have different approaches. Therefore, I’m not saying what OS you should use. You have to choose according your own user case and threat model. And please, if you can read the documentation I linked about these project.

Also, these project have really active community, so if you have any questions you should ask there:

Jama
link
53M

LineageOS don’t use permissive selinux and disabled nearly every function of userdebug build except for root functions over adb (that is disabled by default).

The only real danger about LOS is the unlocked bootloader, but it can’t be solved by LineageOS developers, since it depend deeply by manufactorer.

Still, even if it is a security risk it depend a lot about your threat model and if you usually install only trusted apps and navigate on trusted sites (or usually disable JavaScript) the actual attack surfaces isn’t really a problem for the common users, and there are only theoretical risks.

The great thing about official LOS is the support of a lot of devices (and not only Google made) and the big community approval needed for every change.

Community standards for LOS are actually really strict, and you can be pretty sure to have a stable system when you use official LOS on your device. Since there are dozens of supported devices it gives users a lot of freedom.

@Lunacy
link
13M

don’t use permissive selinux

LineageOS weakens SELinux policies.

disabled nearly every function of userdebug build except for root functions over adb (that is disabled by default).

LineageOS still uses userdebug build. Userdebug builds are primarily development builds that are supposed to be given to closed beta testers hired by a business. These builds are not considered to be secure. Security isn’t even a concern as these builds are purely for development purposes.

The only real danger about LOS is the unlocked bootloader Disabling bootloade

Verified boot ensures that all executed code comes from a trusted source rather than from an attacker or corruption. Moreover, Verified Boot checks for the correct version of Android with rollback protection which helps to prevent a possible exploit from becoming persistent by ensuring devices only update to newer versions of Android. Verified boot it’s not only useful against physical attacks, if a remote attacker has managed to exploit the system and gain high privileges, verified boot would revert their changes upon reboot and ensure that they cannot persist.

Also, rollback protection can be enabled even with bootloader unlocked. However, Lineage doesn’t have rollback protection either.

even if it is a security risk it depend a lot about your threat model and if you usually install only trusted apps and navigate on trusted sites (or usually disable JavaScript) the actual attack surfaces isn’t really a problem for the common users, and there are only theoretical risks.

That’s not really a good argument. The majority of users have bad habits regarding good security practices, they usually install applications without check the signature, for example. You just assume that users will act in certain way, but in reality you don’t know that. It’s not real security, it’s security through obscurity. The risks are not only theorical, as I explained above.

Community standards for LOS are actually really strict.

Doesn’t seems so. All the problem I pointed out still remain. Also, they don’t add any relevant security or privacy improvement, instead they weaken the security android model.

Since there are dozens of supported devices it gives users a lot of freedom.

If you prefer/need/want to use lineageOS then go for it, it’s up to you. However, freedom it’s not equal to privacy and security.

@TheAnonymouseJoker
link
1
edit-2
3M

Hello GrapheneOS propaganda account, nice to meet you. Nice security theater you are fooling everybody with.

@Slatlun
creator
link
53M

Great general info! Thanks for taking the time to put it together. Specifically, Graphene and Calyx support a combined total of 12 devices 11 of which are Pixels. Great for those users and it might inform what I buy in the future. Lineage supports tons of devices - great for anyone reading this who doesn’t care about the softened security (or doesn’t have another choice). Lineage is out for me specifically because my device is old/unpopular enough. /e/ still list support for my device, but I am guessing that since it is based on Lineage it won’t get meaningful support either.

Jama
link
23M

It depend, /e/ could still continue to support your device if trees aren’t so outdated. Still, check frequently at least the security patch version

@Slatlun
creator
link
13M

Thanks for the distinction. Just for the record and anyone asking the same question - /e/ does still support even though lineage dropped my device.

@TheAnonymouseJoker
link
-13M

I recommend you learn about the levels of lunacy I debunked regarding the security theater GrapheneOS and its fanboys have created. https://lemmy.ml/post/73800/comment/66676

The poster above deleted a lot of comments where we had a discussion, a month ago.

@Slatlun
creator
link
13M

Maybe if I am ever looking at graphene I will. As I said it isn’t available on my device.

@fruechtchen
link
8
edit-2
3M

reading recommendation: https://blog.brixit.nl/do-you-really-want-linux-phones/

postmarketos is better longterm because they work heavily on upstreaming patches to for instance the linux kernel or other projects. ubuntu touch instead uses many local patches but doesn’t invest that much time into upstreaming.

if you have time i’d suggest to choose postmarketos and try to fix your problems you find. you can learn a lot by it and improve the long term support. because others have done exactly that before you, the support is already very good usually. so you don’t need to learn everything yourself, just need to look what other people had done on other devices to fix similar problems.

it may require a few hours/weekends until you understand things, but it feels good to have that much knowledge to be able to fix your problems.

EDIT: ah, sorry. i thought your device would be in community, not in testing: https://wiki.postmarketos.org/wiki/OnePlus_Two_(oneplus-oneplus2) - so i thought you had this device: https://wiki.postmarketos.org/wiki/OnePlus_6_(oneplus-enchilada)

so in that case: you probably would need to invest more time but it is still possible to get good support. usually you can also look at the ubuntu touch patches and see if you can work with them, altough for instance ubuntu touch uses usually a very old kernel whereas postmarketos uses a new kernel.

@Slatlun
creator
link
63M

Good thoughts in the article about what needs to get prioritized in development. Yeah, my phone specifically isn’t quite there, but at least they’re pretty far along in the process, and this is good discussion for anyone else looking for a new OS who might have a different old phone. My ability to contribute to code is so limited that it might as well not exist. Best I can usually do is finding and reporting issues.

@fruechtchen
link
43M

well, you can learn. many people in the tech scene have never formally learned to program and just tinkered around. trial and error basically.

so this is not a question of your programming skills and instead rather one of motivation and curiosity.

@fruechtchen
link
5
edit-2
3M

and also many people in the tech scene like to explain things if you show motivation and the desire to listen, read manuals and such things.

so good internet-search skills will get you very far in my experience

@TechieDamien
link
43M

I have been running /e/ for over a year and I have to say that it has been great. As opposed to lineage, they have stripped out as much of the Google stuff as possible while keeping it working (they use microG).

@Slatlun
creator
link
33M

Great to have perspective from a real world user. Thank you!

Dessalines
admin
link
43M

I highly recommend just going to the xdadevelopers forum for your device, and see what the most supported ROMs are. They’ll all be AOSP-based of course, but many of them will have de-googled / de-play-store download options. Most importantly the most popular ones will always support all your phone hardware.

@Slatlun
creator
link
23M

I’ve never been in the xdadevelopers forums. I will definitely go take a look. Thanks for the new resource.

@Helix@feddit.de
link
-1
edit-2
3M

They also might package spyware and are often provided by twelve year olds.

@TheAnonymouseJoker
link
0
edit-2
3M

Can you provide a source for your dubious claims? Is this the “12yo p*jeet ROM” racist meme? Because I am an Indian, who has been enough on 4chan and reddit to know what this means.

@nutomic
admin
link
63M

Dont accuse other users of racism for no reason. No one even talked about Indians before you. This is a warning.

cc @Helix@feddit.de

@Helix@feddit.de
link
13M

Thank you.

@TheAnonymouseJoker
link
0
edit-2
3M

I would like to point out that the term he used before making the edit was pretty obnoxious and targeted towards Indians, exatly how it is done regularly on 4chan. Can the comment be reviewed or showed again, before the edit?

I do not like to mess around with such accusations, and I am sure you know that considering my history.

In the below comment he even validates his earlier used terms using the sentence:

I don’t care if you’re Indian or twelve. You shouldn’t pack spyware into my ROMs and know what you’re doing is all I’m saying.

I am an Indian. Who is packing spyware into his ROMs, most of which are made by Indians and are available on XDA as LineageOS tweaks or variations?

@nutomic
admin
link
6
edit-2
3M

Sorry I didnt notice before that he edited the comment, and unfortunately we dont have any edit history stored in Lemmy. Anyway, when you see a rule violation (eg racism), then you should report it to the admins/mods and have them take care of it. Attacking another user is also a rule violation (rule 2), and is just gonna lead to more trouble.

Edit: also I suggest that both of you stop arguing, because it is not going anywhere. Just accept that you disagree, and ignore each other. @Helix@feddit.de @TheAnonymouseJoker@lemmy.ml

Helix
link
43M

also I suggest that both of you stop arguing, because it is not going anywhere. Just accept that you disagree, and ignore each other.

Good idea, sorry.

@TheAnonymouseJoker
link
03M

The only person I constantly see attacking and evidently justifying his racist phrasing is this fellow, not me. I have a track record of being vigilant and putting myself on the frontlines for Lemmy, and the only thing I have to gain is the existence of a non obnoxious reddit alternative for everyone, that respects darknet anonymous proxy access.

I made a mistake of not screenshotting the exact phrase, and he is taking advantage of it openly. I see it as important to be vigilant about racism towards all the major factions of society, not just the LGBT+, the Jews, Blacks, Muslims and so on. Indians are PoCs and they face their fair share of racism, and there are not enough Indians on the internet to point it out. Atleast I have not seen another active Indian on Lemmy yet, as the couple users on c/india are dormant now.

I would also like to make my position clear once again that I do not accuse users of such serious issues randomly. When I do, it will be rare and it will be worth looking into.

@nutomic
admin
link
63M

I appreciate that you try to fight against racism and discrimination. That isnt the problem, the problem is how you are doing it. You have to understand, most people in Europe dont hate nonwhite people (except for a small, vocal minority). The racism here is much more subtle than that, and people dont even realize that their beliefs and worldviews are racist. I know because I used to hold such beliefs as well (its almost impossible to avoid because the media really misrepresents things).

I think the best way to fight against this racism is with education. If people in the west could understand how people in the global south are being exploited and oppressed by imperialism, they would change their beliefs. Another thing is that many people view racism as something like person A saying a bad word to person B, but thats only a minor part of it. I would say the main aspect of racism is the economic relationship between imperialist and neocolonial countries (again, exploitation and imperialism).

@Helix@feddit.de
link
23M

The racism here is much more subtle than that, and people dont even realize that their beliefs and worldviews are racist. I know because I used to hold such beliefs as well (its almost impossible to avoid because the media really misrepresents things).

I think the best way to fight against this racism is with education. If people in the west could understand how people in the global south are being exploited and oppressed by imperialism, they would change their beliefs.

Well said. If anything came from that discussion, it’s that statement right there. I believe the same thing and I sometimes also find out I was being racist because I believed stereotypes or made inappropriate jokes.

@TheAnonymouseJoker
link
23M

I used to hold some questionable views as well, because I used to be an edgy teenager, and the whole internet culture is pretty messed up, to say the least, as you venture into the darker and secluded corners. However, things change, and identifying and calling out these things is essential.

The issue is, racism is like a baby Pokémon. It evolves with time, with newer crop of users and events that happen around us (like colonialisation et al). So the neocolonial and socio-economic status parts you say are not the elements themselves, but the end product manifestation of what starts as these expresssions that travel through various medium in society, normalising racism in the first place, planting the seeds in society to make way for the governance to assume that if the masses are okay with it, this must be the culture and the governments and giant entities adapt to it.

Bad words or weird hand or object expressions is simply a way to modify the grammar that the society uses daily, and develop behavioural cues with them. This is a crucial part of Theory of Computation, for example in Computer Science, which teaches how new grammar can be created.

Racism also happens to be a way to start wars, as example, by manufacturing consent which we see commonly. That is done if the masses are allowed and encouraged to do this.

Education and awareness can only go so far. If the other party is unwilling to have a dialogue, and doubles down on their doings that they think is done out of “free will” in a “free society”, then how will education work? The only theoretical options left are to be civil and oppose, or be uncivil and oppose.

Dessalines
admin
link
53M

I agree and I appreciate your efforts to stop bigotry in its tracks, but we must always try to be civil when doing so.

Also @nutomic@lemmy.ml and I would much rather spend time coding, than moderating, so it’d be helpful if yall would either just not engage with each other, ( or block each other as that will be released within 2 weeks ), or ping other moderators if you feel that you can’t resolve conflicts between yourselves.

@nutomic
admin
link
33M

I think there is a difference between corporate social media and the fediverse that you should keep in mind here. The former dont care about racism etc because hostility actually generates more “engagement” and advertising money, plus the site owners will never actually see it. But on the fediverse its very different, because instances are run by volunteers in their free time, who want to have a site that they enjoy using. So being civil will go a lot further here (it definitely does on lemmy.ml). For that reason, your warning still stands.

@Helix@feddit.de
link
0
edit-2
3M

I would like to point out that the term he used before making the edit was pretty obnoxious and targeted towards Indians

I edited ‘usually’ into ‘often’, as far as I remember. I myself can’t show the history.

I am an Indian.

Nobody cares. Even if I said 12yo Indians, that’d still be obvious hyperbole and not racism, because I didn’t use ‘pajeet’ or other racist words. I also didn’t insinuate that only Indians do this.

It’s just like if I said CSGO is full of 16yo German cheaters. Which incidentally is true and ruins the game for many people, including Germans. If you cared about understanding my comment you wouldn’t have thought it was racist.

@TheAnonymouseJoker
link
-3
edit-2
3M

No, you did not. You are a liar, and I would not have pointed that out if you did just that. Your comment was 2 sentences long, not a one liner. You are simply taking advantage of me not screenshotting your exact phrasing, and Lemmy has no comment scrapers like reddit does. And the admin unfortunately does not see racism because he does not know how racism against Indians work, because he is a foreigner.

@Helix@feddit.de
link
13M

And the admin unfortunately does not see racism because he does not know how racism against Indians work, because he is a foreigner.

Yeah because magically only targets of racism know how racism works. You even contradict yourself there as that’d mean I myself couldn’t be racist because I wouldn’t know how.

@Helix@feddit.de
link
-13M

Can you provide a source for your dubious claims?

My experience and subsequent hyperbole. Many of those 12 year olds are probably legal now.

Is this the “12yo p*jeet ROM” racist meme?

Don’t call me a racist, mudslinger.

Because I am an Indian, who has been enough on 4chan and reddit to know what this means.

OK bruh. I don’t care if you’re Indian or twelve. You shouldn’t pack spyware into my ROMs and know what you’re doing is all I’m saying.

@TheAnonymouseJoker
link
-13M

@dessalines@lemmy.ml @nutomic@lemmy.ml can you look into this obnoxious commenter?

proof

Helix
link
03M

You call other people racist, which in my book is a serious crime, and then cry about when they tell you to fuck off? What are you, 12? Or have you simply never grown up?

Stop causing drama and stop trolling me. The new ignore feature will be live in a few weeks and I can’t wait to test it on you.

I don’t even know what a “12yo p*jeet ROM” is. After a short research I found out it’s a derogatory term for people shitting in the street, who in my understanding probably don’t even have the means to create ROMs as they don’t have access to more basic infrastructure needed to piece them together. Your allegation doesn’t even make any sense.

@TheAnonymouseJoker
link
03M

I don’t even know what a “12yo p*jeet ROM” is. After a short research I found out it’s a derogatory term for people shitting in the street, who in my understanding probably don’t even have the means to create ROMs as they don’t have access to more basic infrastructure needed to piece them together. Your allegation doesn’t even make any sense.

Acting ignorant towards these dogwhistles being called out is a favourite tactic of people like you. Indians are called pjeet and rjeesh commonly on 4chan, reddit and various other forums that let slide away racism.

@Helix@feddit.de
link
1
edit-2
3M

Acting ignorant towards these dogwhistles being called out is a favourite tactic of people like you.

I can’t even imagine what horrors 😱 you went through due to my comments. I sincerestly apologise for hurting your feelings. Of course, you caught me, I’m a 👌dog-whistling right wing extremist fascist and I like to start genocides and generally hate everything that is not 👩🏻‍🦲 white, libtard or gay 🏳️‍🌈. That’s clear due to my other racist comments on this site. 🙃

@TheAnonymouseJoker
link
-23M

@dessalines@lemmy.ml would you still not look into this comment chain. This user is operating with 2 accounts, @helix@lemmy.ml and @Helix@feddit.de ?

This is clearly some obnoxious bait trolling going on.

proof

Helix
link
03M

This user is operating with 2 accounts, @helix@lemmy.ml and @Helix@feddit.de

Thanks for reminding me. That’s clearly to throw you off and dogwhistle some more. It’s not because all lemmies look the same and this federation thing is a bit confusing sometimes.

@TheAnonymouseJoker
link
-23M

Your instantaneous comment does prove my point that both accounts belong to you, since you also addressed the same comment chain and arguments.

proof

Helix
link
13M

I never said they weren’t both my accounts. Stop seeing nazi ghosts and fuck off, please.

@TheAnonymouseJoker
link
-43M

I see a real person and not ghosts, since I am a bullshit detector. When I see one, I point out one.

@PublicLewdness
link
43M

PostmarketOS would be my choice of those options. They support full disk encryption which the others don’t.

poVoq
link
33M

Out of curiosity: given that AFAIK full disk encryption only helps when the device is turned off, how is that a really useful feature for a smartphone that is basically never turned off?

@Slatlun
creator
link
23M

You’re right that they are probably just edge cases. As a thought experiment I see three possible use scenarios - 1) Lose the phone and it dies 2) Malicious person gets phone, tries to restart for whatever reason, and is locked out 3) I know for some reason that someone is about to try to get data off my phone in person and I have time to turn it off.

More to the point there really isn’t a downside. Entering a password when I restart is nothing for me, and the read/write slow down isn’t going be noticeable because I don’t ask much of my phone.

@Slatlun
creator
link
13M

That is a nice-to-have that could push me that way

@Slatlun
creator
link
13M

Thank you! I must have been looking somewhere with outdated info when I looked into this one.

poVoq
link
13M

Its worth a try, but the OP2 isn’t the best supported device sadly.

@Slatlun
creator
link
13M

Yeah, I don’t think it was super popular and it’s getting old (6yrs). I think spotty support is all I can hope for, but I’d rather do that than toss it.

@kosheralchemist
link
5
edit-2
3M

deleted by creator

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

  • Posts must be relevant to the open source ideology
  • No NSFW content
  • No hate speech, bigotry, etc

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

  • 0 users online
  • 18 users / day
  • 36 users / week
  • 136 users / month
  • 429 users / 6 months
  • 4.27K subscribers
  • 1.45K Posts
  • 4.78K Comments
  • Modlog