Pinephone and open source firmware for baseband
05-28-2023, 08:19 AM
(05-28-2023, 07:31 AM)zetabeta Wrote: i tend to disagree little bit. i have heard that gnu/linux is lower on security than ios or android, probably mostly on app isolation, in gnu/linux world, ordinary user has quite wide permissions, where in android and ios every app is isolated more or less. however, in android and especially in ios, user are dependent on apple and google for security, it is centralized. maybe in android it can be circumvented somewhat by modifications, but still relies on google's eco system indirectly. so in gnu/linux world, if user knows the flaws, they can be fixed or circumvented, and not being dependent on apple's or google's policies.
in short, i don't think centralization bring security in longer term.
I recommend reading this for a run-down of security flaws with GNU/Linux: https://madaidans-insecurities.github.io/linux.html
Free software developers are not particularly great at, or focused on security; they tend to be focused on making things work, and the fun stuff. Making things secure is not particularly fun. There are some great free software projects out there that are really secure, but this is the reason a considerable number of them are not. I would mention Shellshock and Heartbleed as examples of projects which had major security vulnerabilities for a long time that went unnoticed. You need regular, professional security audits to confirm your software is secure, rather than relying on drive-by contributors to get you there. They'll fix some stuff, sure...but likely not all of it.
Now, the Linux kernel has plenty of resources; more than any other free software project in the world. Some of that work has been focused on security. They're still missing exploit mitigations as mentioned in Madaidan's article and there are other problems with it, but there are certain patches you can use like the PaX patches or linux-hardened to improve the situation. Now, because we're talking about an operating system and not just the kernel here, we have to talk about userspace...which means X.org and sandboxing like Flatpak. I won't even talk about X.org. Some GNU/Linux distributions for the Pinephone run Wayland, which is much better. Compositors likely still need to do more work on security, but the protocol is a great baseline start that's far ahead of X.org.
Flatpak...needs work. It's better than nothing but nothing like the proper isolation on Android. Also, don't use it with a browser because it replaces that browser's sandboxing, which is better.
But yes, as you mention, being dependent on Google and Apple is a pretty bad situation to be in from a freedom perspective, and it has impacts on privacy and security as well. Software Should Not Have Owners, as a certain project would say: https://www.gnu.org/philosophy/why-free.html
Using free software operating systems on an Android phone is possible, however. You can even get rid of Google Play Services, Google Services Framework, and Google Play. You can install APKs from developers directly and update them with Obtainium. Of course, some of these apps have dependencies on Google libraries and frameworks anyway...
However, you still need to update the device drivers and other firmware from the OEM to avoid being vulnerable, which are almost certainly proprietary. This problem doesn't necessarily go away even with the Pinephone. As we've covered here, there are parts of the Qectel modem which are proprietary and cannot be replaced.
...but putting all of that discussion aside, I just find Pinephones far more comfortable and fun. It's also a far more sustainable future. Rather than worrying about Google components I have to strip out, I can be confident they're not there to begin with. And I love the idea of having GNOME on my phone.