> GrapheneOS always strikes me as "perfect is the enemy of good"... I've been all right with all kinds of Android phones

I fully agree with you. I never received a reasonable reply to this from GrapheneOS fans or developers. Latest attempt: https://news.ycombinator.com/item?id=47182376

▲

subscribed 2 minutes ago | parent | next [-]

Ahahah.... This thread doesn't show what you think does.

Unfortunately you come out as whining that the project focused on security doesn't want to support insecure hardware.

Go for it, fork, call it, say, ClayOS and have GOS on whatever you want. Why would someone else have to do something that's contrary to the project just because you want to lower the security?

Bizarre. Just fork it mate.

▲

gruez 3 hours ago | parent | prev | next [-]

>Latest attempt: https://news.ycombinator.com/item?id=47182376

Your Qubes OS comparison doesn't really work because Android distributions need extra work to support each new device, whereas for Qubes OS, they're probably using some virtualization framework that makes it pretty trivial to add support for CPUs without virtualization. There's nothing stopping you from starting a new fork that supports your motorola phone, for instance.

▲

fsflover 3 hours ago | parent [-]

I understand that supporting new phones is a lot of extra work. My only question is whether the developers of GrapheneOS would accept patches from community for such support without full set of security features.

▲

throawayonthe 2 hours ago | parent | next [-]

"accepting patches" is still a lot of work and often means taking on the maintenance burden; i suspect that if qubes had to do extra hardware enablement work/maintenance for VT-d-less devices they might've had the same position

	▲	handedness 2 hours ago \| parent [-]
		Qubes hasn't always shipped Xen patches nearly as quickly as I would like. It's the unfortunate reality of the situation they're in, simultaneously trying to catch up with broad-spectrum device support, with a miles-long HCL with many entries having sub-threads attempting to resolve significant compatibility issues. Don't buy hardware that's too new, don't buy hardware that's too old, certified hardware doesn't necessarily stay certified, and so on. It's a mess. I love what they're doing and it's my preferred daily driver, but from a security standpoint they're still pushing molasses up a sandy hill.

▲

handedness 2 hours ago | parent | prev [-]

You keep coming back to this. GrapheneOS accepting community patches with a reduced feature set (hardware security) degrades the nature of the project. It's an absurd proposal.

Fork it, make your own. Not only are they OK with that, they're actively supportive of it.

Criticizing them for not actively supporting the Balkanization and unavoidable dilution of the security and therefore total value of their project makes me wonder whether the strength with which you hold your opinions has any meaningful connection to the extent to which you even understand the subject matter. It's just mind-boggling the things you assert every single time an OS you don't even use comes up.

Your love of Qubes OS (which I share) somehow even increasingly seems rooted in something that just isn't reality. If it were, you'd be able to fairly assess both projects and see the relative strengths and weakneses of both with useful accuracy.

As it stands, you're just spouting harmful noise. Please don't do that.

▲

strcat 2 hours ago | parent | prev | next [-]

GrapheneOS is not QubesOS. We have our own approach and goals. Our approach includes heavily focusing on our resources on our mission which includes needing to do a lot of hardware-related work to deploy features like hardware memory tagging. We're actively working with Motorola and Qualcomm on improving their hardware to meet our requirements. We're also going to work with Qualcomm on improving Linux kernel security. It's not part of our mission to support devices where we can't provide our core feature set. It would drain a huge amount of our resources and lead to people buying those instead of devices with real GrapheneOS providing all the features. Supporting devices with less than 7 years of support also isn't very appealing when we have those via Pixels and can have the same for the new devices.

GrapheneOS does support budget devices. Pixel 8a, Pixel 9a and Pixel 10a are budget devices. It's true that they aren't on the low side of budget pricing at launch but they have 7 years of support from launch. Pixel 8a is approaching 2 years old but has over 5 years of support remaining. The only limitation in practice is that Pixels aren't sold officially in enough countries yet, which can be solved by our Motorola partnership. We don't need more than a range of devices fulfilling what most people want which are available internationally. People would still need to go out of the way to buy a device with GrapheneOS support if we supported more than the 20 models we do.

You're also ignoring all of the work we have to do on devices which is already a massive amount with 20 supported models of Pixels. We build specialized releases with minimum attack surface for each with plans to use per-device RANDSTRUCT and other similar features too. We could make most of the OS builds generic as AOSP has support for it but it goes against our goals. We also have to test it on each device ourselves before Alpha. Each device needs to be tested more broadly by our community.

Our goals have never included supported a huge range of devices. It would drain our limited resources and destroy our ability to provide what we do. It would water down what GrapheneOS provides and sabotage our ability to partner with OEMs. It simply doesn't interest us. People are free to use LineageOS but we strongly recommend avoiding the supposed privacy-focused forks of it which are worse at privacy and security. On nearly any device you won't get basic kernel, driver and firmware updates with LineageOS and it's not a privacy or security hardened OS. Their time is largely spent on device support and it massively slows down how quickly they can do updates too. They wouldn't have time to work on the kinds of privacy features we do let alone the security ones. It isn't as if they're not working hard on their project, they just chose different things to work on and we aren't choosing those over what we work on.

GrapheneOS will run on more than Pixels soon. It will start with a regular flagship and then both flip/fold variants. It can then start supporting lower end devices once they improve. The OEM is going to be helping us implement and maintain it which is the only reason it's going to be practical to do it. We already struggle to support as many devices as we do but it's going to be easier on our end to support the ones from Motorola than supporting Pixels due to collaboration.

▲

handedness 2 hours ago | parent | prev [-]

If you feel like you can't get a reasonable reply from anyone on a given subject, it's possible that the subject matter is purely indefensible and everyone but you is wrong about it, or it's possible that there's one constant in all this which you're overlooking.

Anyway, in terms of laptop/desktop security, Apple's doing the best job of anyone on that front at present and is still moving in the direction of improvement. Overall, modern Pixels running GrapheneOS are still the most resistant to a variety attacks, compared to just about any consumer device with any practical value.

Most laptop/desktop hardware architecture is wildly vulnerable in some specific ways that Pixels and iPhones just aren't, and no amount of OS enhancements built on that foundation will fully overcome its limitations. Your refutation to that is typically, "But, Google." I get it. I'm no fan of Google, but their architectural chops on modern Pixels is excellent.

Suggesting in the next breath that people look at the Librem 5 or PinePhone while criticizing the security of GrapheneOS makes me think you might just be completely out to lunch on this one. The Purism project is just not a serious security project in so many ways, and while I appreciate the appeal of hardware switches, the rest of their approach makes the hardware switches and domestic supply chain option and shipping protocols little more than security theatrics. The Librem 5 is so easily compromised that the switches are practically a necessity, I suppose, because the hardware and the software (from the OS to device drivers and--gasp--closed blobs!) just isn't trustworthy. With the clever rhetorical games they play to overstate the reality of the device it's difficult to place any trust in them.

'You shouldn't use this device because Google drove the architecture,' just isn't as compelling to me as, 'you should use this device with outdated drivers, no secure element, no sandboxing, and no IOMMU, no hardware resistance to attacks, baseband isolation that's literally an all-or-nothing affair,' and so on, is a terrible followup recommendation which completely undermines credibility.

You're citing hypothetical weaknesses as a reason to dismiss GrapheneOS while advocating devices with numerous demonstrable weaknesses. The Librem 5 not only isn't very resistant to attacks, it's highly vulnerable to attacks. And then you complain when serious people stop engaging with you. (Not being a serious person, I persist.)

As a former PinePhone user, it's a wonderful effort and I love that they're doing what they're doing, but the device and its software is just completely lacking in security to any real degree. Which is fine, because that isn't the device's reason for being, but we shouldn't overstate its position, which you continually do.

All that said, I genuinely think if you take the time to really fairly understand the situation, you'll find value in GrapheneOS as a project. Whether or not it's for you is another matter, but the only reason I'm bothering to quibble with a faceless stranger on the internet over the issue is because I think the project is one of the most important consumer-device security projects of this era, and I massively hope it succeeds. The planet will be better off for it if it does. And yet, every single time it comes up you make the same lazy dismissals of it, ignore substantive responses, then invariably play the victim when people eventually tire of playing your game.

A broader ecosystem of supported devices is something I very much hope for, and am excited to seem take the step into working directly with one OEM, and I hope for more. The virtualization aspects of their roadmap are exciting, and I expect they'll bring great upstream contributions to whatever hypervisor they choose, as they have for AOSP. Their talks of targeting a laptop which meets their hardware requirements is incredibly exciting, and here's hoping it's a ThinkPad, which seems genuinely possible now.

All this is the most compelling alternative to something like Apple, which, while great at leveraging the advantages of being the behemoth in the market, is too inherently motivated in its pursuit of commercial outcomes to be something I'm likely to want to use.

I lack any real hope that you'll come around on this one, but if you're going to play the game of linking to prior discussions to settle an argument, at least I now have a comment to link to, too. Thanks for fueling my future efficiency.

▲

fsflover an hour ago | parent [-]

Thanks for your extended reply, but many of your points are strawman. I never suggested that Librem 5 or Pinephone were seriously more secure than GrapheneOS. They may be more secure in small ways, depending on your threat model, like avoiding Google or allowing to use the kill switches. However I explicitly said more than once that I would be happy to use GrapheneOS on a more libre hardware (Librem 5), even if the security may be lower. Some people value an additional bit of freedom more than cutting-edge security.

> You're citing hypothetical weaknesses as a reason to dismiss GrapheneOS

Where did I say this? I do not dismiss GrapheneOS, and I do wish them success. I agree this is a very important project (and I upvoted all their recent posts for more visibility). I just feel that some of their decisions harm them more than they think, which is the reason for my parent question.

I suggest Librem 5 or Pinephone in my HN replies whenever I see people caring about mobile freedom more than about immediate security, which GrapheneOS provides. I do not suggest those phones as a more secure replacement of GrapheneOS devices.

> we shouldn't overstate its position, which you continually do

I do not see where I am doing this, see above. And I certainly didn't do it in my parent comment.

> Their talks of targeting a laptop which meets their hardware requirements is incredibly exciting

I have no idea how anything can be more secure than Qubes OS. I never received a reasonable answer to this question. And yes, virtualization (i.e., compartmentalization) is the best way to achieve security, in my opinion.

> in terms of laptop/desktop security, Apple's doing the best job of anyone on that front at present and is still moving in the direction of improvement

This is not even funny, given how many vulnerabilities are constantly being found in MacOS. You should just compare that with Qubes OS, which I use.

	▲	handedness an hour ago \| parent \| next [-]
		And I appreciate that you wish them success and think it's important. If you think so, please try to better understand the nature of what it is you're criticizing. If you're repeatedly met with push-back from numerous individuals but can't evolve in your understanding, you have to start asking yourself harder questions.
	▲	handedness an hour ago \| parent \| prev [-]
		They aren't strawman. You pop up in Graphene OS threads like clockwork and recommend other devices. You say, "but Google hardware." I get not wanting to contribute to Google financially, I get not wanting their logo on a device, I get the general discomfort with anything Google. But it's akin to people being so anti-Google that even when Firefox on Android lacked nearly any sandboxing whatsoever and had downright reprehensible security practices, they'd continue to use Firefox on Android when visiting untrusted websites, because, well, at least it's not Google-adjacent. It's completely irrational and unjustifiable on anything but a totally emotional level. You conflate privacy with security here, "They may be more secure in small ways, depending on your threat model, like avoiding Google," and yet you don't articulate any demonstrated connection between using Google hardware with GrapheneOS and Google's ad tech business. The closest thing there is is needing to connect to Wi-FI to unlock the bootloader, but that's easily addressed. You cite a hypothetical backdoor that Google may have placed in the hardware, but unless you're physically examining every chip running every OS (and there are several) in every device you own (even the ones you think you've disabled the MIE on), you simply can't know that. You have to account for that, but you talk about it in ways that imply a project which accounts for it better than others hasn't, while one that inherently can't, has. When they announce Motorola support, you're still on about avoiding Google. They literally can't win with you. If you think their decisions harm them more than they think, but can't understand the basic factors at play, it's hard to take your determinations seriously. Good governance of a complex project is hard, and people snipe from the sidelines with virtually no understanding of what the actual situation is. By all indications the project is incredibly well run in all ways that practically impact eventual end-user security. If you have no idea how anything can be more secure than Qubes OS, consider Qubes OS running on hardware with excellent security features, and the two being tightly integrated. There's your reasonable answer. That is literally the roadmap for Graphene OS. A hypervisor-based OS that's useful for end-user purposes by carefully layering on functionality to make a hypervisor-based OS some degree of usable. The less reasonable reasonable answer is that you'd have better security if you ran Xen itself, as everything Qubes adds to make it usable potentially weakens it. It's just the nature of the beast. It wouldn't surprise me if GrapheneOS lands on Xen for all the same reasons Joanna landed on Xen, and they end up contributing massively upstream to Xen security largely by tightly integrating it with said hardware. But I'm sure other patches will flow upstream with whatever project they choose, because their security chops are that good. Qubes OS also lacks resources. They're supporting a massively bigger variety of hardware with a comparatively tiny user and donor base. By all indications their finances are nowhere near sufficient for what they really need to do. The project is as good as it currently is almost entirely down to the incredible efforts by a very small number of amazing people. If nothing else, the speed at which they can iterate and evolve is highly constrained. Remove 1-2 key players from the equation and the project almost invariably collapses. That alone is constitutes a definite security vulnerability. Re: Apple, I'm talking hardware security. But even when you factor the software in, for a portfolio of consumer operating systems used by a billion and a half normies who expect it to do every normie task under the sun with very little frictional security overhead, Apple does a great job at security. Edited to add: > I would be happy to use GrapheneOS on a more libre hardware (Librem 5), even if the security may be lower. Some people value an additional bit of freedom more than cutting-edge security. OK, but that's a nonsensical wish at best. There are other AOSP forks out there that would meet your needs. Buy a non-Google Android phone and load another AOSP fork. Or, fork GrapheneOS and modify it to meet your needs, thought that would be a largely pointless exercise. Repeatedly criticizing the project every single time it comes up for not wanting to completely change its fundamental nature in an ill-defined attempt to satisfy your inclination is a real head-scratcher.