Why can't they just partner with postmarketOS here?
Why do we have to have /e/OS instead of a better supported LineageOS, because /e/ is a 1:1 copy anyways?
Why do we have to have a Librephone project now instead of partnering with say, Fairphone and the Pine64 people?
Open source loses this war because proprietary devices are streamlined. The only thing that comes close to this is GrapheneOS, LineageOS, and postmarketOS.
LineageOS has huge problems since the mandatory eBPF requirements of late Android versions, which postmarketOS and its upstreamed kernel drivers could fix. GrapheneOS has huge problems because of Pixel devices, which LineageOS could help with.
We need a unification of this ecosystem because each on their own is hardly surviving on their own against the megacorporations.
There is a lot of work to do to reverse the trend of increasingly locked down computing devices, particularly on mobile.
But from scanning through this press release, this seems nothing more than the FSF doubling down on their failed RYF approach, which does absolutely nothing for user freedom. In fact it's a big negative for freedom, as it ties down resources that could be spent doing something useful in doing something completely pointless like putting firmwares in ROM and adding another chip to load the firmware.
The thing is, firmwares are here to stay. And firmwares that can be stored on the filesystem and loaded by the OS during driver initialization increase flexibility and reduce BOM cost. So that's what device manufacturers are going to do, and RYF will not have any effect on that.
Well… mixed feelings here. I spent a lot of time dealing with early smartphones and hacking away at Android, Tizen, FirefoxOS (remember that?) and several variations on that theme back when manufacturers were vying for differentiation, and I get that the FSF has a mission, but I don’t see this panning out.
Like many folk who’ve been watching Google’s gradual shutdown of AOSP and alignment with Apple in terms of platform lockdown, I think the days of fully open devices are actually coming to a close. Again, I applaud the FSF’s initiative, but you need to get a lot of buy-in for this kind of thing to work—manufacturers, developers (both OS and app devs), and, of course, users, who will never accept anything that doesn’t let them do things like banking, shopping, mainstream social apps, etc.
And you can’t do a lot of those on an unlocked boot loader (which I think is going to be the logical consequence of replacing bits of the OS) without more hacking. It’s like XML and violence—it will only lead to more of the same.
I expect the usual amount of “you can do that with web apps” pushback, but let’s be real. Except in markets like India where simpler and vastly cheaper platforms make sense, you either use iOS, Android, or… nothing but voice calls, and I don’t see enough here to make me think this will be something for everyone.
Finally! It took the FSF long enough to catch up with the overwhelming usage of mobile devices, but it's better late than never.
I like that this project is trying to tackle something much more challenging that can't be done with just software: reverse engineering device firmware and binary blobs, the pieces of software that actually make hardware components interface with an OS. Understanding how this stuff functions is key to being able to write replacement software, so we may have less non-free software to deal with. I don't have any experience in trying to reverse engineer software, so the best I can do for now is cheer on from outside, unless I want to try my hands at this stuff later.
I also like that this project is not intending to produce an Android-based distro, but focusing more on reverse engineering. Although I read that the results are targeted at helping developers of Android-compatible OSes, the results can hopefully be used by non-Android [GNU/]Linux distros and perhaps other *nix stuff, like the BSD distros. The FSF (by way of developer Rob Savoye) recognizing that a project like this is not going to be quick, easy, or cheap, and is a long term effort is good, as that likely means this project isn't going to be easily abandoned just because of not being able to produce quick results.
I hope that this whole effort can eventually let us break free of the Apple-Google mobile device duopoly, as it sure is getting tiring for me to stick with one of these two companies for my mobile computing needs.
I hate to complain, but I can't help but feel this is kind of impossible with the resources available to the people working on it. Reverse engineering a modern phone would take years and years of work from many people, and by the time you have it worked out, the phone is obsolete and very few people still use it.
The Apple Silicon MacBooks seem a good example. The M1 came out about 5 years ago now and with a whole project and a lot of work later there is still limited hardware support. Having to put this effort in for all the models of phones seems massive.
One would hope that enough things stay similar between devices that replacing, say, the Galaxy S25 paves the way for a far easier implementation of the S26, particularly now that the market is stagnating a bit.
And I’m not knowledgeable about this at all, but intuitively I’d expect Apple stuff to be much more customized than the average Android phone - they’re famous for vertical integration and owning the end to end process.
Phones aren't x86, each is its own snowflake, and on Android the nature of being a managed userspace means there is a certain freedom regarding which ARM designs that Samsung, Qualcomm, Mediatek, and whatever else is out there comes up with.
Then there is everything else that happens to be on the motherboard.
1) The article states they are focusing on the phone model that they guess will require the least work to become totally free. This may make the project useless, but it does give it some hope of finishing.
2) The hope is that the M2-M5 won’t be that different from the M1 models - after all, Apple doesn’t want to spend their money reinventing the wheel without compelling reason. I think that is less likely with phones from different manufacturers, though Android phones typically share a lot of single source components.
That's certainly not the case here, even if it's true sometimes. The duopoly is gradually tightening their grip on the customers' wallets. It's worth it at any stage to reverse their cash grab.
This is bound to fail unless they get the full stack and even then, it will be for specific phone models, x86 is an anomaly in having a cloning freedom that IBM did not intend.
The hardware was a little difficult to obtain in the US, and WiFi worked only with a blob of questionable provenance.
It looks like Replicant has been stuck for several years, and they recognize that they need to find a new device, funding, etc.
(After Replicant, I spent some time on PostmarketOS with various devices, and then gave up and bought iPhones, and then got ticked off and moved to GrapheneOS.)
I wonder whether the FSF is already collaborating with Purism on this, to leverage their work on the Librem 5 and PureOS, which I believe the FSF is well aware of. If the FSF manages to muster a lot more open source volunteers on a more affordable hardware, but that work is also usable for Librem 5, then it could be a win-win. (And Purism also has something called Liberty Phone, which is a made-in-USA Librem 5 phone, so their lawyers should talk about trademarks in any case.)
I am pretty sure that it's not going to be the Librem 5, despite Purism's efforts to get it RYF certified (which, thinking of the Redpine WiFi card, went so far that they seriously impacted user experience).
Why? There's no Android port for that device and they keep mentioning LineageOS.
Even the PINE64 PinePhone would be more likely, as that has Android support and even some LineageOS 22 support [1]. The Replicant project had eyed it as a target device [2].
That said, I'd expect a different device, and, assuming LineageOS supports one, I would not be surprised to see a device that's not powered by a Qualcomm, Mediatek or Samsung SoC.
> Why? There's no Android port for that device and they keep mentioning LineageOS.
The LineageOS folks are working on supporting their OS on Linux-first devices running a close-to-mainline (not AOSP) kernel. So it could go either way. Of course if they do choose an Android-first device, their efforts would ultimately also make it easier to run a mainline kernel on it as shown by projects like pmOS.
You make it sound like the Redpine card ended up being shitty because of RYF efforts. The Redpine card was chosen because of its internal flash, but the fact that the vendor failed to properly support the advertised features (and even removed some that worked before), abandoned its mainline driver and pretty much halted the firmware development after SiLabs acquisition is orthogonal to that and could have happened with a different card as well. So nice it was a replaceable M.2 card, isn't it? ;)
> If the FSF manages to muster a lot more open source volunteers
First line of my pitch is, "When hundreds of millions of people need something, it doesn't make sense to wait for a handful of volunteers to build it for free."
That's their US made patriot phone, the regular is less than half of that. Also, please read up on the concept of economies of scale.
If you go with postmarketOS (good!), and don't want to touch anything that touched Purism, better avoid anything GTK (Phosh, GNOME Mobile and related apps). While Purism did not make a competitive phone, their investments into libre software went great and keep paying off.
> Practically, Librephone aims to close the last gaps between existing distributions of the Android operating system and software freedom. The FSF has hired experienced developer Rob Savoye (DejaGNU, Gnash, OpenStreetMap, and more) to lead the technical project. He is currently investigating the state of device firmware and binary blobs in other mobile phone freedom projects, prioritizing the free software work done by the not entirely free software mobile phone operating system LineageOS.
The time is right for this project. I hope they succeed.
The time is right, but I still don’t think this project can accomplish much because people are generally happy with their phones.
That said, the phone market is huge. They could sell enough devices to fund future development which might be good enough even if it doesn’t slow down Apple or Google. At least then there will be a device for those of us who are not happy with the state of things.
> because people are generally happy with their phones.
Maybe that's exactly why it can succeed now. The phone tech has plateaued to the point where a 5 year old phone performs almost identically to a new one and this is when people can afford to experiment and take more risks.
Also it's much easier for free software to catch up now as most problems are already solved and/or easy to copy.
I don't mind having a second phone, esp. if it's a foldable which can be a great reader and a small "linux in a pocket". There might even be some use-cases, for example I recently wanted to implement a type-c external GPS antenna, and found out that it's a pain on Android (done via "developer mode" hacks etc.), and impossible on iOS.
That being said, very low expectations on this project.
> much because people are generally happy with their phones.
Talked to many iPhone owners this year? The 17 hardware has a bizarre choice of a camera button / pointless physical change, and iOS 26 is pretty much hated by everyone.
I use iPhone, and have happily for years but F if this isn’t the worst OS I can remember. The first downgrade really.
Have you been around when iOS 7 was released? If not, I’d say that was the same, whatever that means. Things might get better, but we’re not entitled to it.
> The time is right, but I still don’t think this project can accomplish much because people are generally happy with their phones.
Is there survey data available on this? Anecdotally, everybody I know hates their phones. In fact, I think if you asked, "what's the biggest pain point in your life right now?" I think most people will point to their phones.
Maybe, but that pain point isn't something free software is going to fix. Obviously not everyone has the same problems with their phone, but largely I think they fall into a few categories: notification overload, apps designed to keep you scrolling for every last minute of the day, and dark patterns or other design choices aimed at separating users from as much of their money as possible.
Every single one of these is fixable on any modern phone. Stop using social media, take a hatchet to what apps can send you notifications and when, and be more mindful of what tricks are commonly deployed to steal your attention, time, and money.
But people can't even manage that. They don't even have to do anything, they just have to stop doing certain things, but they can't or won't. Those same people aren't going to go through the effort to switch, and even if they did they would end up re-creating the same thing that makes them miserable currently.
You might need to expand your social circle a bit.
If you asked normal average people "what's the biggest pain point in your life right now?" they would point to financial, societal, or health issues.
The vast majority of people when asked specifically about their phones probably wish that they were a newer model or had a longer battery life. As long as it communicates with people, lets them access banking and social media, and has a few of their niche hobby/entertainment apps nobody actually cares about the licensing of the modem firmware or the fact you can't install TempleOS on it.
I think they will fail because they fundamentally don't understand the problem.
Android does not contain binary blobs because of some evil conspiracy against free software. If they could get away with it, the whole damn thing would be open source.
The problem is those blobs do things that interact with complex hardware for which only blobs are available. Even if you reverse engineer them, you are going to get sued into oblivion because of the patents you are going to need to infringe on to make functional replacements.
But even if you get a blessing from the component manufacturers, your new hippie binary blobs need to be certified to legally operate on cellular and wifi frequencies in most parts of the world. If you decide you don't like something and change it - as is the open source way - that new version with your modifications needs to be certified too. Carriers do not allow uncertified devices on their networks.
No one is going to sue the FSF into oblivion. The movement has decades of legal experience, if a company would be dumb enough that company would just burn money and lose. Especially about reverse engineering software, as if patents had any power there. Apple, the end boss in that regard, not fighting on that level against the M1 project is proof enough.
Second, fuck the carriers. Certifications will not persist as soon as real FOSS phones are available. Nothing persists against a world of free hardware invading a realm. And even if: freeing everything around a modem blob would still be a big step forward.
It's frankly ridiculous to assume the people working on this and the organisation that already supported Replicant know nothing about the mobile space.
Indeed, this is the right time. I really want to daily drive a Linux phone, but I don't want to buy a used phone. I hope this brings more hardware support for newer phones.
I'm willing to suffer a rough beta or alpha experience, but let me use modern hardware of my choice.
I'm kinda the opposite, I don't want to buy new any more. Currently rocking a 2nd hand Pixel 7a running GrapheneOS and loving it.
If battery life is the issue, that's fair enough. I've bought a couple of wireless charging docks that I spread around the places I frequently spend my time, so if it needs a boost I can charge her up just by plonking it on the dock. Most of the time, though, she makes it through the day from (maximum charge for battery longevity reasons) 80% down to 30%, maybe 25% or 20% if there's lots of interesting news in a day.
But I'm not a particularly heavy user and I don't game on it.
As the first project FSF has launched in years with a current budget of one developer I expect they will be happy to spend new donations on further funding for it. However, it is very uncommon for a nonprofit to have a separate fund for a project that is part of the organization itself, rather than a project which makes semi-independent decisions and is fiscally sponsored by a related nonprofit. The exception is usually when some very large donor insists on that arrangement.
I was talking to someone who is involved in a nature conservation nonprofit recently - small donations go into the general pot of money for the organization to choose how to spend it. If you want to influence what the money is used for you have to donate a significantly higher sum. They said they like having many small donors because they can fund things that don't necessarily make a big splash in a press release but are important precursors to impact (e.g. researching what projects would have the most impact vs actually implementing a project).
Upon commenting, I removed the snarky part of the website being visually… well, bad. After all, FSF isn’t about design and aesthetics, right? But donate button not working demonstrates the whole seriousness of the effort.
Ultimately, I don't think the most important challenge is in binary firmware blobs, but the software which people depend upon to run their lives. What does it matter if you can run a completely free software stack on your phone, if your bank software (or your required government ID, as is looking depressingly likely) requires you to run a Big Tech approved phone OS? Perhaps the FSF can't do much about that, but that is where I feel they could truly make the biggest difference for freedom for the average user.
A free OS will empower developers to implement technical workarounds that could trick these apps into working there. If the OS is tightly controlled, we have no recourse.
Even in the worst case scenario, we could use a cheap big-tech-approved phone for these applications (a glorified digital token) and use the free phone for everything else. When there's enough adoption and trust in the new phone, non-technical avenues are available to influence these organizations to accept the alternative.
I've kinda migrated to the worst-case scenario already and it's really not that bad - for my use case.
I have an old phone (actually running LineageOS rather than stock) that works as you perfectly describe as a glorified digital token. This device doesn't come with me. There's no banking I need to do, on a day-to-day basis, requiring said token, that has to be done right now or the world will end. It can wait until I get home (and I usually use the bank's web interface from a desktop). This device has minimal other apps installed, which limits bank app accessibility of other app data, and other app accessibility of bank data.
Then my GrapheneOS daily driver serves my day-to-day needs with minimal data leakage, tracking, ads, other general paranoia-inducing modern-life shit.
I pay for things on a day-to-day basis with a physical debit card due to an existing habit of not wanting to depend on a single device for "all the things", so GrapheneOS wasn't a downgrade, but it should be noted to others that whilst Google Wallet can run on GrapheneOS, NFC payments through the Google Wallet will not work due to Full SafetyNet requirements that GrapheneOS can not pass. Non-NFC items such as tickets and boarding passes have been reported to work (and I'm pretty sure I've used it for that, although Google Wallet is no longer installed on my device).
That is a slight concern, but I don't see it happening, at least in Australia for the big four banks, in the near future.
If that became the case, then the 'glorified token device' would become the dedicated banking device, and not much else would change (ie. I still wouldn't be doing 'banking' while I'm out and about).
I hadn't migrated my life to any of the (tiny, possibly zero) convenience improvements that "mobile banking" may offer me, so none of what I've described has been any kind of downgrade in 'living'.
(I don't mean this in a sarcastic way) are you able to make tangible what 'living' I may be sacrificing?
You can trust hardware and software that's easy to inspect.
If you can't be sure what's going on and are unable to inspect or debug the hardware and software, how can you trust it's doing what you want?
Proprietary hardware and software is already known to work against the interests of the user. Not knowing exactly what's going on is being taken advantage of at large scale.
Let's put it this way: if you can choose between making your own lasagna with a good recipe vs ready-made microwave lasagna. What would you choose? How about your suit? And would you trust an open known to work well pacemaker vs the latest Motorola or Samsung pacemaker? Would you rather verify the device independently or pay up for an SLA?
No software is "easy to inspect". Only a tiny fraction of users will ever even try. When things are inspected and problems are found, you need a way to revoke the malicious bits. You'll never notify everyone, which is one of the roles app stores play.
You trust hardware and software by establishing boundaries. We figured this out long ago with the kernel mode/user mode privilege check and other things. You want apps to be heavily locked down/sandboxed, and you want the OS to enforce it, but every time you do you go up against the principles of open source absolutists like the FSF. "What do you mean my app can't dig into the storage layer and read the raw image files? So what if apps could use that to leak user location data, I need that ability so I can tell if it's a picture of a bird"
For sensitive information - such as financial transactions - the rewards for bad actors are simply too high to trust any device which has been rooted. The banks - who are generally on the hook if something goes wrong, or at least have to pay a lot of lawyers to get off the hook - are not interested in moral arguments, they want a risk-reduced environment or no app for you - as is their right.
> For sensitive information - such as financial transactions - the rewards for bad actors are simply too high to trust any device which has been rooted
In practice, that just means you trust a Chinese black box Android ROM from a random manufacturer, but not a fresh Lineage OS. To run some banking apps there, one has to root it and install all kinds of crap to hide the fact that your phone is running an OS you actually can trust.
I don't think it's right, I don't think non-manufacturer provided ROMs are a real danger in practice, or rooted phones, and I think this is all just security theater and an excuse to control what people do on their own devices.
> The banks - who are generally on the hook if something goes wrong, or at least have to pay a lot of lawyers to get off the hook - are not interested in moral arguments, they want a risk-reduced environment or no app for you - as is their right.
If they pay for the phone and ship it to you then I agree. Otherwise, they have an obligation to serve their community (part of their banking charter) and that may include meeting their customers where they are, rather than offering an app with unreasonable usage requirements.
No charter requires allowing access from any device. The charters don't even require banks to be open during hours most of their customers are off work.
The threat models aren't secret algorithms, they're apps reading the contents of the screen, stealing keystrokes, MITM attacks against 2FA, and much more.
I don't have this problem on my computers, they run free software. My wife's ThinkPad runs free software. The friends I gave a computer with various GNU+Linux distros don't have this problem.
Add Google Chrome with its spammy extensions to the mix and they start getting problems.
There’s no way I’d trust open source anyone with my health. And I am not sure there is one open known to work well project, let alone a pacemaker that couldn’t possibly be funded in the open source world. What open source hardware is actually more usable than the closed source alternative for most people?
Should the app builder’s ability to “trust” that the hardware will protect them from the user supersede the user’s ability to be able to trust that the hardware will protect them from the app?
In other words, should the device be responsible to enforcing DRM (and more) against its owner?
There is one solution to this problem that many people reading this message can contribute to:
Make sure your app has a progressive web app version that has feature parity with the store apps. That way, the app will work on phones like the librephone, and, if Apple or Google decide to kick you off the store, you and your users have some recourse. As a bonus, it’s compatible with open source — users can modify the app and install it without jailbreaks, root or (for now) sideloading.
React Native supports this (and can mostly be bundled with electron for mac/win/linux support).
You are mixing up 3 different tech stacks:
1. React Native has nothing in common with web apps except the JS runtime. It uses "native" widgets for Android and iOS. You need to add a new "native" runtime for your free OS. There are some third-party attempts to add mac/win/linux support, but they are not as feature complete as officially supported platforms. Again, your free OS will be a step behind.
2. Yes, you can write a PWA with React (Web), but PWAs still have many missing features which are offered by the platform APIs of Android and iOS. Your app will not be in "feature parity" with the "native" app. Especially a banking app.
3. Electron apps are integrated with desktop platform APIs, you cannot easily port an Electron app to mobile.
Every time, the big company with big investments wins.
It won't just be them. I foresee Cloudflare and other CDNs offering a free checkbox: [] Require age of majority verified user
And it will in turn depend on Secure Attestation, Web Credentials, and other recent W3C work to provide proof that you're the registered owner, age of majority and verified by thumbprint or other biometrics, running an unmodified device. Your ID might be escrowed with your OS vendor, email provider, bank, ISP, or even Twitter/X, who knows. Either way, as an end user you'll be mollified that you don't have to provide your ID to the adult site, and the adult site will be happy that they don't have to implement any of this themselves.
And, of course, this will mean that an intelligence service could have ironclad proof of exactly what person visits what website, effectively killing a lot of online anonymity.
I agree, but unfortunately I think the chances of that are just about zero. The reality is that the vast, vast majority of people don't care about software freedom. They care about the flashy marketing features in the newest iPhone (and competitors). I wish it were otherwise, but alas. Heck, you can't even get people to care about their physical freedom most of the time, let alone their digital life. It's hard to see this effort taking off as a result.
These days browsers are becoming increasingly distrusted. My bank logs my browser out after 30 minutes inactivity and then to log back in I have to confirm the login on my phone.
This isn't the browser not being trusted, it's access to the device the browser runs on. Forcing logout when idle, and authenticating again, is good in general to avoid leaving something accessible when walking away from it, even if it's a home computer that is otherwise "secured".
That… seems reasonable? My bank does that with their website and their mobile app. I was able to set up 2FA using a TOTP app, so I don’t rely on SMS for that part.
It is given the environment. But it does highlight the poor security of desktop browsers where they are only trusted to do anything when a phone app approves it. While the phone app is considered secure enough to just stay logged in perpetually without any external confirmation.
To hack the bank's app you have to find an exploit in iOS or Android which would allow you to read the other apps' private storage, which is borderline impossible now. To hack the bank's website you just have to buy some random browser extension and add malware to it, or break into someone's NPM account and distribute it there, or any number of ways to run code on someone else's computer. Something very achievable by an individual.
> But it does highlight the poor security of desktop browsers where they are only trusted to do anything when a phone app approves it.
Does it? The browser doesn't do anything, the person sitting at the computer where the browser is running is what performs the actions. The reauthentication and 2fa is meant to authenticate and authorize the user, not the browser.
The attack vector of someone else using your phone using an app that doesn't require (re)authentication is independent of the browser or the app itself being trusted. That your bank doesn't periodically require some kind of re-authentication for their app is a security hole, but because the device could fall into the wrong hands, not because the code/app/browser used to access it isn't trusted.
That is true. I guess one of the main differences is the bank app can run a Face ID check when you open the app and before you make a transaction while websites don't have access to these APIs. So they are forced to make you approve the action via your phone.
Every banking phone app I've used auto-logouts after being idle or unused for a bit, and my primary bank's app requires 2fa using an app that exists on the same device -- a second factor that secures nothing. They probably are not explicitly considering the phone more secure than a computer, but rather a good 80% of this is security theater or a checkbox on some baseline security checklist that was implemented without really understanding what the implications, for usability and security, were going to be.
> 2fa using an app that exists on the same device -- a second factor that secures nothing
2FA on the same device secures against your login credentials becoming known to another party, e.g. by phishing, password reuse, database leaks, etc., which are real threats. It is not meant to protect against someone being in possession or full control of your unlocked device, which is of course also a real threat, though possibly less common.
> 2fa using an app that exists on the same device -- a second factor that secures nothing
If I steal your device, and you didn’t have Face ID, I have both factors. But if I steal your password, or find it in a leak of another site because like most people you re-use passwords, then I only have one factor. It still provides a fair bit of security because of that.
WebAuthn cares about the strength of the authenticators used. Mobile has standard libraries for biometrics and secure enclaves. This is less common on desktops and laptops. Your bank may offer the ability to enroll a YubiKey or similar.
You seem to be part of the problem. As long as people like you are happy to run spyware on their phones for the sake of convenience or a meager discount, companies will be empowered to make such software and devices a requirement.
I use cash whenever possible, but carrying cash for larger transactions has its own risks and those risks need to be balanced against the privacy benefits it offers. The way I see it, carrying a credit card in addition to my phone when I might need it is a minor inconvenience relative to that of allowing Google complete control over my phone.
My bank doesn't let me do anything in the browser without 2FA, and the only 2FA they offer is their smartphone app.
My other bank offers 2FA via chip reader as an alternative. I guess that's somewhat viable for an alternative phone OS, if you want to carry the reader around with you.
In my country we have a large religious community that eschews smartphones. Due to this no company or government agency requires a smartphone for service.
This is a very good thing. I don't think many people here on HN reject technology, but sometimes no technology is better than one that is not controlled by the user.
It's because it's way easier to install malware on PC than mobile. None of us are immune either. In recent times there has been malware distributed by common NPM packages as well as game mods. Every NPM package you install has the ability to steal your browser session tokens and the only thing stopping the attacker from actually logging in and spending your money is the fact it has to be confirmed on your phone.
Depends on the bank's policies. Currently it tends to be when you transfer to a new destination and/or above a certain amount. I could certainly imagine a bank requiring it for every PC-initiated transaction as and when they reach a point where most normie customers are using their app.
> What type of transactions are you talking about?
Bank transfers and I guess direct debit authorisations (if your bank requires you to confirm those) and reauthorisation/confirmation of card payments that were blocked by the bank's fraud detection. I think those are the only kinds of transactions one would ever use a PC for? I mean for me most of my day-to-day transactions are me paying by debit card in a shop, but you can't do that on a PC in the first place; pretty much everything else I do on my PC.
No. Only to unblock when they get blocked/flagged as fraud (tends to happen for large transactions like plane tickets or buying a bunch of furniture), and even then I currently have the option of authorizing via the web browser (and I think also via phone call).
But sending a bank transfer is also a fairly common day-to-day transaction that I do a couple of times a month (and is the only way to pay for some government services like tax certificates short of visiting the tax office in person). Authorising a new direct debit happens occasionally (joined a gym, changed my utility provider, got a new credit card, that kind of thing).
My brokerages require it every time I log in from a computer. My bank will require it if it can't find a cookie from a previous login session. Occasionally, my bank will require it seemingly randomly since I usually log in at least once a week from my laptop yet every couple of months or so I have to reconfirm on the app or another secondary method.
> What does it matter if you can run a completely free software stack on your phone, if your bank software (or your required government ID, as is looking depressingly likely) requires you to run a Big Tech approved phone OS?
What does it matter if you can use any OS you want if your phone is filled with SoCs which are bugged and backdoored by the state and/or who knows who else? The reality is that we need both free hardware and free software. I can always tell my bank to fuck off and move my accounts to one that gives me freedom to use the mobile OS of my choosing, and if there isn't a single bank on earth willing to do that I can always simply refuse to use my cell phone for banking.
I'd much rather keep the phone I control and trust while limiting myself to only having the options of a desktop PC, a laptop, an ATM, a phone call, a drive thru, and walking into my bank's closest branch when interacting with my bank. Not being able to also stab my finger at a cell phone screen to check my balance isn't really that big of a deal.
> What does it matter if you can use any OS you want if your phone is filled with SoCs which are bugged and backdoored by the state and/or who knows who else?
Perhaps. But how does this effort from the FSF do anything to solve that? They are (as far as I can tell) producing firmware, not hardware. If the hardware manufacturers are working with the government or whomever to spy on you, they will just not use the FSF firmware in that case.
Well you're partially right. After all, the "big tech approved phone OS" is actually Linux, so just having a free OS isn't enough to prevent it from being co-opted and turned into a locked-down platform.
But the partially wrong part is, we can make our own platform. PCs let you install and run any software you want, because it's an open platform. If we make an open platform smartphone that can compete on features with the closed behemoths, and that then becomes popular enough, then banks may offer apps on that.
But this is tricky too. Linux already has issues getting official support from corporations. We'd need our open platform to be compatible with the closed ones, so that it's easy for banks to run their apps on our open platform. There are already ways around this, like virtual machines to run Android, or other methods. But the closed behemoths may try and end-run around this, like DRM. So we'll still need to advocate for our rights and compatibility.
Indeed, binary blobs are not much of a problem; it's anti-user "security" that has to be attacked. Otherwise we'll end up with user-hostile systems that we can see the source code of but can't modify, in contrast to systems that we can't see the source code of but can modify. The Windows modding scene of the late 90s/early 2000s is a good example of the latter (and I've joked that every power user was a novice reverse-engineer), while Android is turning out to be a good example of the former.
Stallman had a good idea for free (as in freedom) software, but then "missed the forest for the trees" by focusing on the source code.
I hope all the things you mention never become mandatory some day because I currently use my phone for voice and text only. Sooner than later I plan to get rid of my phone altogether. I'm gonna surprise the phone company and get a land line. That means any online service that uses SMS/text to verify me will fail.
If you're being serious, you're in for a rude awakening. POTS lines are dead and being replaced with VoIP and VoIP-to-POTS modems on the premises. Lots of cities have already started to grub the copper out and replaced it a long time ago with fiber.
Yeah... Corporations and governments are starting to push remote attestation. There'll be little point to a free computer if it gets us denied service everywhere. At this point we're gonna end up marginalized, like second class citizens of society.
> There'll be little point to a free computer if it gets us denied service everywhere. At this point we're gonna end up marginalized, like second class citizens of society.
Given the apparent trajectory of the corporate/government model of organizing society, it seems like they're going to be the ones that will be second-class citizens.
Get a big tech second phone. Cheapest available. Just perform the needed tasks and use your Libre phone for everything else.
Does anyone remember having a copy of internet explorer that the bank required (or chrome these days) but using firefox for everything else? Apply that concept to a phone.
For people without a viable alternative such as transferring their funds to a bank that does not require Google/Apple certified devices, this seems to be the way. The second phone does not even need to have a SIM card in it, except perhaps during set up. That phone does not leave home and is ideally powered off with its battery removed when not in use. Everything else can be done on a free device, ideally using FOSS apps. Ideally again, this means no Facebook, no Whatsapp, no IoT crapware.
Luckily, here in the U.S. this is still possible. I run Graphene on a Pixel without Play Store compatibility layer and everything just works. Most of my apps come from F-Droid, with the notable exception of Whatsapp, for which a standalone APK is available. Unfortunately, it is proving difficult to get rid of Whatsapp entirely because of friends and family.
Yup. Right now that's something running graphene for me. I'd prefer full linux but the other options don't seem viable yet to me. When I tried the pine phone a few years ago its battery life was in the 3-5 hours range if I used the phone which is not sufficient.
But then I would need to constantly charge two phones and keep two phones in my pocket all the time because I never know when I would need to do those things on the go.
I recently added a second phone for secure comms (Graphene). The biggest hassle turned out to be moving data between them. For that I settled on running my own Matrix server.
Some banking apps require relatively new OS, so if you have an old phone with e.g. Android 8 and you can't upgrade (Android 9 removes certain important features), you are out of luck.
To be clear I'm not saying that alternatives don't exist now. But it's a worrying trend that big businesses, and even governments in some cases, are moving away from such alternatives being available. Look for example at the proposed age verification scheme in the EU, where they don't plan to make a version you can use on a desktop (and even for mobile devices require you use a vendor-attested device). Sure, right now it's just for looking at porn. But it seems to me that once that settles, it won't be long (a decade or two) before you start to see government IDs require a similar mobile app. That's the kind of thing I fear happening soon.
UBS bank mandates their "Secure Access" app as second factor even when logging in from a desktop. They used to allow the smart card reader for existing customers that had it as a work around for a few years but they disabled that.
Also many websites are making it remarkably hard to not use the app if they even remotely sense you're not on an actual PC. FB and LinkedIn aren't banks but prime examples.
Monzo bank in the UK doesn't have a web access (apart from very basic page where you can block your card and do nothing else, not even see your balance).
They also retired support for older Android phones, so if you happen to use it on an old phone, you are out of banking.
I, for security, refuse to install bank apps on my phone that I carry, but I have them on a separate phone that I have in safe place.
Banks and national id apps already work on GrapheneOS. Sometimes you just need to msg devs and ask them to use a different OS attestation method - see link 1. This battle is won already.
Sorry, but no. Device attestation is another mechanism to track and ultimately exercise control over the user. It fundamentally goes against the freedom of choice. You want me to authenticate with multiple factors? Cool.. let me tell you which method I'm already using on all my other accounts and then tell me how to register that with your service. You want to "measure" my device? Okay, I'll take my business elsewhere..
This was a problem during the early 2000s when Windows and Internet Explorer were utterly dominant. Some banks, government services, and other essential websites used ActiveX controls, preventing access by non-Windows users. I remember during my senior year of high school being unable to fill out a college financial aid application circa late 2004 or early 2005 on my PC running FreeBSD and Firefox; I needed to use Windows and Internet Explorer.
I remember the stagnation of Internet Explorer combined with increased awareness of security exploits in Windows and Internet Explorer led to the rise of Mozilla Firefox and (to a lesser extent) increased marketshare for the Mac. This, combined with the arrival of smartphones around 2007, put pressure on organizations to make their Web sites accessible to a wider range of browsers instead of just IE.
Perhaps if we had a critical mass of people using phones with FOSS software, this would be enough for banks and other organizations to consider people who don’t use Apple/Google products.
The challenge, though, is getting that critical mass. Firefox benefitted from Microsoft’s fumbles in the 2000s. It’s going to be hard for a FOSS project to compete head-on against Apple and Google.
I agree that FSF and similar groups should be focusing efforts on influencing government policy at least as much as on software. The problem is that in practice, you’ll get a bunch of people who are erstwhile free software supporters, shouting back that the FSF should “stay in their lane” and stay out of politics (missing the point that in life, everything is politics).
You can replace the banking system. Replacing the banking system does nothing if a single tech company can brick the phones of people using the replacement, or block it from launching.
Exactly. A simple phone that runs a browser I can trust that's also capable of running web-based apps is all I need. I already avoid running apps on my iphone whenever possible.
The phone I really want is as uncomplicated and open as possible and beholden to no corporate economic interests or privacy invasions.
Now that I'm retired I'm looking for a project to immerse myself in. This sounds like just the ticket.
It depends on what definition of "uncomplicated" you'll assume, but that's pretty much how I perceive my Librem 5. It's fairly inspectable and relatively easy to understand as a computing device - no weird stuff like hundreds of disk partitions that you can't touch without risking bricking the phone like on Qualcomm devices, but a fairly regular GNU/Linux installation with well-defined boundaries on what's open and what's not - and it runs web apps pretty well. I have things like my bank, public transit planner, ride-hailing, webmail, RSS reader, Matrix client, package delivery status, even Facebook & Messenger for the handful of people that can still be only reached there - all "installed" as web apps using Epiphany (aka GNOME Web). Some of them required a bit of fiddling to discover which user-agent leads to a usable experience, but the results have been pretty good so far. In case I really need to run some Android app for some reason, I can boot Waydroid up and launch it there, though I use it very rarely. No corporate economic interests, no privacy invasions, no invasive notifications or ads, it simply works the way I want it to work. I just have to be careful with battery usage, but it's manageable :)
Actually "open" is a misnomer, maybe it was a decade ago but it's clear that Big G has an effective monopoly over browser(s), the web "standards", and is gradually making them more user-hostile.
Mozilla is absolutely asleep at the wheel (and have arguably already swerved off the road and hit a tree) and Apple aren't any better than Google in terms of wanting to lock down the web.
I use Safari as my daily driver and I'm still routinely shocked at just how terrible certain aspects of the experience are compared to Chrome. For example, the UI seems to completely block for most of the website loading process, rather than streaming as Chrome does. Also, rather than restore the previous state when I swipe to go back, it has to reload the page from scratch. Little things like this continue to annoy me day by day, the primary reason I don't switch to Chrome is because it just doesn't integrate with macOS at all.
> Also, rather than restore the previous state when I swipe to go back, it has to reload the page from scratch
I've encountered cases when both behaviours would've been desired (either use the cached version, or the latest version), so I think that's neither a point in favour nor against.
Well, Safari caches resources, it just doesn't seem to cache the actual runtime state of the page like Chrome does (look for bfcache). The bfcache article claims Safari and Firefox do it too, but I have both in front of me and no they don't (or it's not good enough).
I think real caching is superior because you can manually reload if you actually needed that, but you can't go in the other direction.
Funny that bank software needs approved phone, but runs absolutely fine in the browser. That to me sounds like collusion - something that regulators should look at. There is absolutely no need for banking app to require "legitimate" Android or other operating system.
> What does it matter if you can run a completely free software stack on your phone, if your bank software (or your required government ID, as is looking depressingly likely) requires you to run a Big Tech approved phone OS?
Log in to your bank over the internet, the normal way.
I think the best solution to this would be some sort of docker-project for people to remotely access a device hooked up to a raspberry pi or something at home via adb via https://github.com/Genymobile/scrcpy as "natively" as possible.
The phone is the critical root identity anchor for most of the world now. And many countries outside of the west have already made the SIM card a root identity. Additionally to make it trustworthy (think Google wallet and digital wallets and so on) to work they cannot trust the end user because effectively you the user don't own your own identity. So that's why the phone has to be proprietary - so that its secure element can be trusted in interactions with the state-big-tech nexus. I talked about my experience with this while attempting to cross borders in SEA. https://polykey.com/blog/architecting-anti-fragile-trust-at-...
It is very inspiring to see a project announced like this with the developer’s name attached to it. As someone who has always struggled with the confidence to be open about my work, let alone work openly in public, it feels extremely inspiring to see Rob Savoye (and Zoe and John behind him) nail their plans to the door like this.
My thrill is matched in strength by the loathing I have for this Apple device on which I type, whose entire boot process is miserably locked down from the very start. It is like a bicycle made from Mickey Mouse logo bolts where the spanners are proprietary and not for sale. The situation is just as ludicrous.
The two major phone OS companies both stand on the shoulders of IBM PC, openly bootable hardware, and the fantastic software systems nurtured and built on top of these platforms — the BSDs, GNU, Linux, and the long tail of all that run on them. It is very troubling that their own platforms are the antithesis of being openly hackable.
Librephone could be successful in a few ways. Outright, as a device, but also as a carrot to bring open handheld hardware to enough people to drive political change (with a small-p, the politics of society, as well as politics of the big-p kind) such that iOS and Android would have to follow suit. With actual public policy Librephone could also end up being a stick: bringing about legislation that requires computers of any kind to be able to boot software of our choosing. Right-to-repair plus plus, if you will.
With enough Librephone devices in the right hands, either the market or the law will demand that we have the same openness and freedom to use our devices the same way we do commodity x86 hardware today. The same freedom imprisoned and exploited in the core of mine and your phone, right now.
Meta-commentary: At least within the HN community there seems to be a strong interest in a pursuit such as this, given that this is at the top of the front page, and has been for a little while, plus the first page has simultaneously contained these two stories:
Unfortunately, even if you could completely de-blob the kernel itself (and for many chipsets, that would require a considerable amount of reverse engineering work!), smartphones bear the Curse of the Modem.
In a modern smartphone, modem is often a part of the SoC itself - and it runs some of the biggest and fattest blobs you've ever seen.
This is the big barrier here, and unfortunately, it is legally impossible to open source.
In most countries, the spectrum that cell phone carriers use is licensed to the carrier, under the condition they only connect devices that are guaranteed to comply with the requirements of using that spectrum. The end user (i.e. the person with the phone) has no license to use the spectrum. So in order to get regulatory certification, basically every modem has to be locked down so that the end user cannot operate it in a way that would violate any rules or regulations for using that spectrum.
So basically, it's illegal to have open source modem firmware. At least, as long as cell phones are operating on spectrum that isn't open for public use.
Ultimately, if you want to open source a modem, you first need to build your own cell phone network.
This is the same thing with wifi. There are different channels and transmission power rules depending on country. Something you cannot change even if you are root or build your own kernel, as it's built in to the wifi hardware (e.g. Raspberry Pi).
Don't cbrs devices need to be part 96 certified? The spectrum might not be licensed but you still may need a certified device to legally use the spectrum. Which you could do, but that is a tall hill to climb for a FOSS enthusiast. And when you're done -- what network are you going to connect it to? A cheap SIM from the corner store is probably out of the question :)
Looks like they need.
But it still gives you more possibilities compared to usual spectrum. If there is enough coverage from SAS you (or FSF) can build your own CBRS network that will have open source modem/firmware (yet, still will have to comply with part 96).
There are also all kinds of open source LTE/CBRS projects, IIRC.
It's a fun thought exercise, but putting "part 96 certification" at the end of my build pipeline sounds pretty expensive. And building a physical cell phone network is stupidly capital intensive. Maybe there are some interesting small scale niches that this would be useful for. But as a daily driver cell phone, I don't think we're ever gonna have an open source modem, at least not until there are significant changes to the spectrum that's in use.
Haven't there been projects trying to do this since 802.11b? I think the last time I looked one of these mesh networks up, there wasn't even decent coverage in the dense city I lived in.
I for one am up to the idea of breaking android off Google due to the same reasons of chrome - conflict of interest since Google is an advertising company.
Android already is mobile: making it better makes sense. Linux already runs fine on it: termux and things like NOMone desktop combined with allowing virtual memory and keep apps running like some brands (Blackview, Oukitel) allow, you are there a lot of the way. Then Android desktop support (again, many brands have something already but it is now in Android mainline it seems). I use an oukitel rt7 as my main daily driver: it is rooted. It has some quirks and of course is very far from open, but things work, -ish. I would spend far more time on contributing if we had an open choice (or at least working) here that supports the 5g. On other phones/tablets, it is the fingerprint sensors, 3d face camera, but also different 'niche' auxiliaries that would get far more attention if you at least can start with something that is (mostly open) and works. If we have coverage for a bunch of devices with everything working, it will be more attractive to work on other/newer ones.
With Linux, you will need, as I have seen on my pine phone, way too much focus on just basic apps which still are not good compared to their android equivalent: spending time there is not spending time on hardware support...
If they wouldn’t have then X years later there would have been first beta release and zero apps on it except for a calculator app, a notes app, a calendar app, and maybe a mail app developed by the core developer team. The post would have definitely reached the top of hn, so that’d be a plus.
If prior "Linux phone" projects have taught me, it's that "based on desktop Linux" is a great way to have a ton of apps that install just fine, but can't meaningfully be used.
Not even just "requires a mouse/keyboard", but a lot of things of the form "assumes a reasonable screen size", ...
It makes a lot of sense to me. There's a huge amount of work that's already been put into the Android ecosystem that can be used in a free software phone.
Trying to build a non-Android Linux phone that is competitive is just not practical at this point. It would require an enormous amount of funding.
yes, but it's probably the quickest path to market with a reasonably certain customer satisfaction.
Doesn't stop you on working from there once that milestone is reached.. I would certainly welcome more alternatives in light of the recently announced changes from do-no-evilG
It's an incredible waste and an amazing example of how useless the FSF is today. Instead of supporting real Linux phones they're focusing on trying to degunk Android even more.
I think that supporting Android as a free platform is a sensible choice. Android has benefited from more than a decade of development by Google, Samsung, and others and provides a polished experience and thousands of apps people actually want to use (and many excellent FOSS options too). AOSP is already "free software" and starting from scratch with Linux would make very little sense at this point. The FSF is right to focus on what matters here, which is hardware on which to run free Android.
Funny, I would have used those exact words had they chosen anything BUT Android as their base.
All the other "freedom" Linux phones are failures (yes I'm sure fsflover will now chime in to but akshually). I know because I bought them all. They all have one thing in common: the software sucks.
And I don't even need apps. Just basic phone functionality (several Linux phones still can't do MMS), a web browser, and no crashes. Unfortunately no Linux phone has been able to give that to me yet. Whereas Android has been delivering for over a decade.
I applaud the move, but it's going to be really hard if manufacturers aren't willing to document their chipsets and keep bootloaders locked. The folks at Pine64 were forced to waste resources to develop their own platform, which after the enormous effort and time invested resulted outdated the day it came out of the factory, because of that.
This seems pretty relevant on the heels of yesterday's popular discussion on how "Free software Hasn't Won" [0] in terms of tools available to the average consumer.
Just because pieces are open-source (or "free software") doesn't mean the autonomy and capabilities we want are necessarily present in the overall system.
That's really as far as they need to go; if the userland is compatible with Linux, it can use all of the work that KDE and other organizations have put into building mobile interfaces.
These projects have stuff that works, but the lack of firmware for chips that can connect to modern cell infrastructure means that they can't really create an appealing product. The OS layer is where all previous Linux phone efforts have failed, and I hope the FSF makes it farther than everyone else has.
> The OS layer is where all previous Linux phone efforts have failed
The OS layer is where the existing projects are thriving, with various distros and shells to choose from to match one's needs and tastes. It's the appropriate hardware that's in undersupply. I'm using a Librem 5, a 2019 design, and if I wanted to switch to something newer I can't because there's no viable upgrade path on the market. No other hardware vendor has invested significant resources into mobile GNU/Linux since then, everything else is either purely community-based or uses Halium.
Does webrender work with the Librem 5? Last time I checked it didn't-- Firefox disallowed it because the etnaviv driver didn't have all the features available needed to enable it. It appears there's been a lot of work on etnaviv recently but I don't know if it affects this issue.
etnaviv doesn't do GLES3 yet, so no, but the work to support it (mostly done by Christian Gmeiner) is ongoing and progressing. I'm using Epiphany though, it's pretty snappy these days and I make extensive use of its webapp feature. I don't even remember when was the last time I had to fallback to Firefox because of some incompatibility, but it did happen at least once.
It's a great idea. Why not join forces with the PinePhone and Librem folks? They're building the hardware and I'm sure they could use more software folk to help out with the firmware and OS.
Took them long enough... The free software movement was still stuck on PC despite the fact the whole world moved to mobile. Glad to see they're finally starting to catch up.
They should probably prepare themselves to make ideological concessions... The situation is very ugly here in mobile land. Treacherous computing, remote attestation, DRM, all ubiquitous and normalized...
The concept of "outdated" is imposed by big tech itself through artificial restrictions. Apps are forced to update their minimum supported OS versions. Upgrades are stopped after 1 or 2 years. And so on.
Anyone who has replaced Windows 8 or Windows 10 on their 5+ year old machine with a distro like Xubuntu/Lubuntu realizes that "outdated" is often a sales propaganda term, not necessarily a technical term.
I want this, even if it means we have to pay some of the people who work on this.
> Librephone will serve existing developers and projects who aim to build a fully functioning and free (as in freedom) Android-compatible OS.
It may well be that Google will not rest until "Android-compatible" means that they can put their foot down on this. We should be prepared for that eventuality.
For it to succeed, they must also help put pressure on governments (countries like Brazil or Italy) and banks to stop depending on "Play Integrity" because only Google has the keys (and blocks leaked ones) so we can't count on bypasses being available (it's not just a matter of obfuscation).
This needs to be done before age verification apps become universal..
There was a time the Brazilian government mandated free software in government computers. Lots of people hated it unfortunately. Eventually Microsoft lobbying put an end to it. That was around ten years ago... I wonder if such a thing could ever repeat again.
They work fine for data and SMS, but it gets complicated once you need audio routing (it's rare for a modem to expose audio over USB) or waking up from low power mode to answer the incoming call. Could be done with M.2 USB modules and some dedicated controller in-between though.
Vita had a WWAN variant. What that means is, hardware wise it's trivial, business wise it's impossible. It always has been that way. It took Apple under peak Jobs leadership couple years to sell the iPhone globally.
Not sure, but perhaps it could be somewhat easier to take them seriously if you had actually clicked on the link instead of living in an alternate reality where it's about "planning to create their own phone".
>Librephone aims to close the last gaps between existing distributions of the Android operating system and software freedom
I am so happy they are focusing on Android, one of the most popular operating systems widely used by everyday people. This is important work for providing user friendly, free software to users.
Let's just hope they don't fall into the trap of disqualifying binary blobs sent as part of drivers vs opting for hardware that hardcodes the blob.
Are you hoping the Free Software Foundation _doesn't_ prioritize Free Software? For people who are okay with random bits of proprietary software doing who-knows-what on their devices there are various alternatives already.
The OP's point is, having the firmware permanently burnt-in on a ROM chip vs loaded as a binary blob via a driver doesn't change the "non-free"-ness of the firmware itself.
So opting for hardware which has a "fully-open-source" driver, but runs a binary blob encoded into the hardware, doesn't make the system fully open.
It's a take for a more Free system, not for accepting binary blobs.
(Or I guess for acknowledging that if you're willing to allow binary blobs stored in hardware, then dynamically-loaded binary blobs don't change the "free"-ness.)
Open Source Firmware signed by OS > Firmware blob signed by device manufacturer > Firmware blob hardcoded by device Manufacturer
The FSF treats hardcoded firmware blobs as "free" and updatable firmware blobs as nonfree despite there not being a big difference between them in practice. And practical differences like being able to fix security issues benefit users.
These days, I see FSF and all I can think of is a donation racket with zero sincere intent to operate or capability to execute. If they were not still cashing in on goodwill from the Unix Wars era, they would be nothing more than a grift overseeing a mountain of copyright assignments.
How will this phone comply with child safety laws?
*Edit* Because Idiots are Downvoting me, look at the Texas law SB 2420 as an example. These phones will essentially be illegal in Texas unless they comply with already passed laws.
Why can't they just partner with postmarketOS here?
Why do we have to have /e/OS instead of a better supported LineageOS, because /e/ is a 1:1 copy anyways?
Why do we have to have a Librephone project now instead of partnering with say, Fairphone and the Pine64 people?
Open source loses this war because proprietary devices are streamlined. The only thing that comes close to this is GrapheneOS, LineageOS, and postmarketOS.
LineageOS has huge problems since the mandatory eBPF requirements of late Android versions, which postmarketOS and its upstreamed kernel drivers could fix. GrapheneOS has huge problems because of Pixel devices, which LineageOS could help with.
We need a unification of this ecosystem because each on their own is hardly surviving on their own against the megacorporations.
There is a lot of work to do to reverse the trend of increasingly locked down computing devices, particularly on mobile.
But from scanning through this press release, this seems nothing more than the FSF doubling down on their failed RYF approach, which does absolutely nothing for user freedom. In fact it's a big negative for freedom, as it ties down resources that could be spent doing something useful in doing something completely pointless like putting firmwares in ROM and adding another chip to load the firmware.
The thing is, firmwares are here to stay. And firmwares that can be stored on the filesystem and loaded by the OS during driver initialization increases flexibility and reduces BOM cost. So that's what device manufacturers are going to do, and RYF will not have any effect on that.
Well… mixed feelings here. I spent a lot of time dealing with early smartphones and hacking away at Android, Tizen, FirefoxOS (remember that?) and several variations on that theme back when manufacturers were vying for differentiation, and I get that the FSF has a mission, but I don’t see this panning out.
Like many folk who’ve been watching Google’s gradual shutdown of AOSP and alignment with Apple in terms of platform lockdown, I think the days of fully open devices are actually coming to a close. Again, I applaud the FSF’s initiative, but you need to get a lot of buy-in for this kind of thing to work—manufacturers, developers (both OS and app devs), and, of course, users, who will never accept anything that doesn’t let them do things like banking, shopping, mainstream social apps, etc.
And you can’t do a lot of those on an unlocked boot loader (which I think is going to be the logical consequence of replacing bits of the OS) without more hacking. It’s like XML and violence—it will only lead to more of the same.
I expect the usual amount of “you can do that with web apps” pushback, but let’s be real. Except in markets like India where simpler and vastly cheaper platforms make sense, you either use iOS, Android, or… nothing but voice calls, and I don’t see enough here to make me think this will be something for everyone.
Finally! It took the FSF long enough to catch up with the overwhelming usage of mobile devices, but it's better late than never.
I like that this project is trying to tackle something much more challenging that can't be done with just software: reverse engineering device firmware and binary blobs, the pieces of software that actually make hardware components interface with an OS. Understanding how this stuff functions is key to being able to write replacement software, so we may have less non-free software to deal with. I don't have any experience in trying to reverse engineer software, so the best I can do for now is cheer on from outside, unless I want to try my hands at this stuff later.
I also like that this project is not intending to produce an Android-based distro, but focusing more on reverse engineering. Although I read that the results are targeted at helping developers of Android-compatible OSes, the results can hopefully be used by non-Android [GNU/]Linux distros and perhaps other *nix stuff, like the BSD distros. The FSF (by way of developer Rob Savoye) recognizing that a project like this is not going to be quick, easy, or cheap, and is a long term effort is good, as that likely means this project isn't going to be easily abandoned just because of not being able to produce quick results.
I hope that this whole effort can eventually let us break free of the Apple-Google mobile device duopoly, as it sure is getting tiring for me to stick with one of these two companies for my mobile computing needs.
I hate to complain, but I can't help but feel this is kind of impossible with the resources available to the people working on it. Reverse engineering a modern phone would take years and years of work from many people, and by the time you have it worked out, the phone is obsolete and very few people still use it.
The Apple Silicon MacBooks seem a good example. The M1 came out about 5 years ago now and with a whole project and a lot of work later there is still limited hardware support. Having to put this effort in for all the models of phones seems massive.
One would hope that enough things stay similar between devices that replacing, say, the Galaxy S25 paves the way for a far easier implementation of the S26, particularly now that the market is stagnating a bit.
And I’m not knowledgeable about this at all, but intuitively I’d expect Apple stuff to be much more customized than the average Android phone - they’re famous for vertical integration and owning the end to end process.
Phones aren't x86, each is its own snowflake, and on Android the nature of being a managed userspace, means there is a certain freedom regarding which ARM designs that Samsung, Qualcomm, Mediatek, and whatever else is out there comes up with.
Then there is everything else that happens to be on the motherboard.
1) The article states they are focusing on the phone model that they guess will require the least work to become totally free. This may make the project useless, but it does give it some hope of finishing.
2) The hope is that the M2-M5 won’t be that different from the M1 models - after all, Apple doesn’t want to spend their money reinventing the wheel without compelling reason. I think that is less likely with phones from different manufacturers, though Android phones typically share a lot of single source components.
> the results can hopefully be used by non-Android [GNU/]Linux distros
That was stated as a goal at the FSF 40 event, videos of which should be online in the next few days.
When it is this late, it might as well have been never.
That's certainly not the case here, even if it's true sometimes. The duopoly is gradually tightening their grip on the customers' wallets. It's worth it at any stage to reverse their cash grab.
This is bound to fail unless they get the full stack and even then, it will be for specific phone models, x86 is an anomaly in having a cloning freedom that IBM did not intend.
> The FSF has been supporting earlier free software mobile phone projects such as Replicant,
Hopefully this project will go better than Replicant. Here are my notes on running Replicant on the (then already very old) flagship Samsung GT-I9300:
https://www.neilvandyke.org/replicant/
The hardware was a little difficult to obtain in the US, and WiFi worked only with a blob of questionable provenance.
It looks like Replicant has been stuck for several years, and they recognize that they need to find a new device, funding, etc.
(After Replicant, I spent some time on PostmarketOS with various devices, and then gave up and bought iPhones, and then got ticked off and moved to GrapheneOS.)
I wonder whether the FSF is already collaborating with Purism on this, to leverage their work on the Librem 5 and PureOS, which I believe the FSF is well aware of. If the FSF manages to muster a lot more open source volunteers on a more affordable hardware, but that work is also usable for Librem 5, then it could be a win-win. (And Purism also has something called Liberty Phone, which is a made-in-USA Librem 5 phone, so their lawyers should talk about trademarks in any case.)
https://puri.sm/products/librem-5/
https://puri.sm/products/liberty-phone/
I am pretty sure that it's not going to be the Librem 5, despite Purism's efforts to get it RYF certified (which, thinking of the Redpine WiFi card) went so far that they seriously impacted user experience.
Why? There's no Android port for that device and they keep mentioning LineageOS.
Even the PINE64 PinePhone would be more likely, as that has Android support and even some LineageOS 22 support [1]. The Replicant project had eyed it as a target device [2].
That said, I'd expect a different device, and, assuming LineageOS supports one, and I would not be surprised to see a device that's not powered by a Qualcomm, Mediatek or Samsung SoC.
[1]: https://github.com/GloDroidCommunity/pine64-pinephone/releas...
[2]: https://blog.replicant.us/2024/03/replicant-status-and-repor...
> Why? There's no Android port for that device and they keep mentioning LineageOS.
The LineageOS folks are working on supporting their OS on Linux-first devices running a close-to-mainline (not AOSP) kernel. So it could go either way. Of course if they do choose an Android-first device, their efforts would ultimately also make it easier to run a mainline kernel on it as shown by projects like pmOS.
That's nice to know. Do you happen to have some links to where I could read up more on this effort?
You make it sound like the Redpine card ended up being shitty because of RYF efforts. The Redpine card was chosen because of its internal flash, but the fact that the vendor failed to properly support the advertised features (and even removed some that worked before), abandoned its mainline driver and pretty much halted the firmware development after SiLabs acquisition is orthogonal to that and could have happened with a different card as well. So nice it was a replaceable M.2 card, isn't it? ;)
> If the FSF manages to muster a lot more open source volunteers
First line of my pitch is, "When hundreds of millions of people need something, it doesn't make sense to wait for a handful of volunteers to build it for free."
hahahahaha 2k for a phone that cannot last a day. yeah no. i'd rather go for a redmi with postmarket os. it does not even have a blob free modem
That's their US made patriot phone, the regular is less than half of that. Also, please read up on the concept of economies of scale.
If you go with postmarketOS (good!), and don't want to touch anything that touched Purism, better avoid anything GTK (Phosh, GNOME Mobile and related apps). While Purism did not make a competitive phone, their investments into libre software went great and keep paying off.
> Practically, Librephone aims to close the last gaps between existing distributions of the Android operating system and software freedom. The FSF has hired experienced developer Rob Savoye (DejaGNU, Gnash, OpenStreetMap, and more) to lead the technical project. He is currently investigating the state of device firmware and binary blobs in other mobile phone freedom projects, prioritizing the free software work done by the not entirely free software mobile phone operating system LineageOS.
The time is right for this project. I hope they succeed.
The time is right, but I still don’t think this project can accomplish much because people are generally happy with their phones.
That said, the phone market is huge. They could sell enough devices to fund future development which might be good enough even if it doesn’t slow down Apple or Google. At least then there will be a device for those of us who are not happy with the state of things.
> because people are generally happy with their phones.
Maybe that's exactly why it can succeed now. The phone tech has plateaued to the point where a 5 year old phone performs almost identically as a new one and this is when people can afford to experiment and take more risks.
Also it's much easier for free software to catch up now as most problems are already solved and/or easy to copy.
I don't mind having a second phone, esp. if it's a foldable which can be a great reader and a small "linux in a pocket". There might even be some use-cases, for example I recently wanted to implement a type-c external GPS antenna, and found out that it's a pain on Android (done via "developer mode" hacks etc.), and impossible on iOS.
That being said, very low expectations on this project.
> much because people are generally happy with their phones.
Talked to many iPhone owners this year? The 17 hardware has a bizarre choice of a camera button / pointless physical change, and iOS 26 is pretty much hated by everyone.
I use iPhone, and have happily for years but F if this isn’t the worst OS I can remember. The first downgrade really.
Your “everyone” seems to be substituting for “me” an awful lot.
I like the action button and have no issues whatsoever with iOS 26.
Have you been around when iOS 7 was released? If not, I’d say that was the same, whatever that means. Things might get better, but we’re not entitled to it.
> The time is right, but I still don’t think this project can accomplish much because people are generally happy with their phones.
Is there survey data available on this? Anecdotally, everybody I know hates their phones. In fact, I think if you asked, "what's the biggest pain point in your life right now?" I think most people will point to their phones.
Maybe, but that pain point isn't something free software is going to fix. Obviously not everyone has the same problems with their phone, but largely I think they fall into a few categories: notification overload, apps designed to keep you scrolling for every last minute of the day, and dark patterns or other design choices aimed at separating users from as much of their money as possible.
Every single one of these is fixable on any modern phone. Stop using social media, take a hatchet to what apps can send you notifications and when, and be more mindful of what tricks are commonly deployed to steal your attention, time, and money.
But people can't even manage that. They don't even have to do anything, they just have to stop doing certain things, but they can't or won't. Those same people aren't going to go through the effort to switch, and even if they did they would end up re-creating the same thing that makes them miserable currently.
You might need to expand your social circle a bit.
If you asked normal average people "what's the biggest pain point in your life right now?" they would point to financial, societal, or health issues.
The vast majority of people when asked specifically about their phones probably wish that they were a newer model or had a longer battery life. As long as it communicates with people, lets them access banking and social media, and has a few of their niche hobby/entertainment apps nobody actually cares about the licensing of the modem firmware or the fact you can't install TempleOS on it.
I think they will fail because they fundamentally don't understand the problem.
Android does not contain binary blobs because of some evil conspiracy against free software. If they could get away with it, the whole damn thing would be open source.
The problem is those blobs do things that interact with complex hardware for which only blobs are available. Even if you reverse engineer them, you are going to get sued into oblivion because of the patents you are going to need to infringe on to make functional replacements.
But even if you get a blessing from the component manufacturers, your new hippie binary blobs need to be certified to legally operate on cellular and wifi frequencies in most parts of the world. If you decide you don't like something and change it - as is the open source way - that new version with your modifications needs to be certified too. Carriers do not allow uncertified devices on their networks.
No one is going to sue the FSF into oblivion. The movement has decades of legal experience, if a company would be dumb enough that company would just burn money and lose. Especially about reverse engineering software, as if patents had any power there. Apple, the end boss in that regard, not fighting on that level against the M1 project is proof enough.
Second, fuck the carriers. Certifications will not persist as soon as real FOSS phones are available. Nothing persists against a world of free hardware invading a realm. And even if: freeing everything around a modem blob would still be a big step forward.
It's frankly ridiculous to assume the people working on this and the organisation that already supported Replicant know nothing about the mobile space.
Indeed, this is the right time. I really want to daily drive a Linux phone, but I don't want to buy a used phone. I hope this brings more hardware support for newer phones.
I'm willing to suffer a rough beta or alpha experience, but let me use modern hardware of my choice.
Why not used?
I'm kinda the opposite, I don't want to buy new any more. Currently rocking a 2nd hand Pixel 7a running GrapheneOS and loving it.
If battery life is the issue, that's fair enough. I've bought a couple of wireless charging docks that I spread around the places I frequently spend my time, so if it needs a boost I can charge her up just by plonking it on the dock. Most of the time, though, she makes it through the day from (maximum charge for battery longevity reasons) 80% down to 30%, maybe 25% or 20% if there's lots of interesting news in a day.
But I'm not a particularly heavy user and I don't game on it.
If rich techies on this website want to support something worthwhile, here you go
Not rich but is there a way to contribute specifically to this project? The donate button on the website does not work.
I would have expected an online means to contribute specifically to Librephone, but indeed, seems like nothing yet. Hopefully it is forthcoming.
Otherwise, their website suggests you can specify a particular project via the memo line of a check:
https://www.fsf.org/about/ways-to-donate/
As the first project FSF has launched in years with a current budget of one developer I expect they will be happy to spend new donations on further funding for it. However, it is very uncommon for a nonprofit to have a separate fund for a project that is part of the organization itself, rather than a project which makes semi-independent decisions and is fiscally sponsored by a related nonprofit. The exception is usually when some very large donor insists on that arrangement.
I was talking to someone who is involved in a nature conservation nonprofit recently - small donations go into the general pot of money for the organization to choose how to spend it. If you want to influence what the money is used for you have to donate a significantly higher sum. They said they like having many small donors because they can fund things that don't necessarily make a big splash in a press release but are important precursors to impact (e.g. researching what projects would have the most impact vs actually implementing a project).
Upon commenting, I removed the snarky part of the website being visually… well, bad. After all, FSF isn’t about design and aesthetics, right? But donate button not working demonstrates the whole seriousness of the effort.
Ultimately, I don't think the most important challenge is in binary firmware blobs, but the software which people depend upon to run their lives. What does it matter if you can run a completely free software stack on your phone, if your bank software (or your required government ID, as is looking depressingly likely) requires you to run a Big Tech approved phone OS? Perhaps the FSF can't do much about that, but that is where I feel they could truly make the biggest difference for freedom for the average user.
I think this is the right place to start.
A free OS will empower developers to implement technical workarounds that could trick these apps into working there. If the OS is tightly controlled, we have no recourse.
Even in the worst case scenario, we could use a cheap big-tech-approved phone for these applications (a glorified digital token) and use the free phone for everything else. When there's enough adoption and trust in the new phone, non-technical avenues are available to influence these organizations to accept the alternative.
I've kinda migrated to the worst-case scenario already and it's really not that bad - for my use case.
I have an old phone (actually running LineageOS rather than stock) that works as you perfectly describe as a glorified digital token. This device doesn't come with me. There's no banking I need to do, on a day-to-day basis, requiring said token, that has to be done right now or the world will end. It can wait until I get home (and I usually use the bank's web interface from a desktop). This device has minimal other apps installed, which limits bank app accessibility of other app data, and other app accessibility of bank data.
Then my GrapheneOS daily driver serves my day-to-day needs with minimal data leakage, tracking, ads, other general paranoia-inducing modern-life shit.
I pay for things on a day-to-day basis with a physical debit card due to an existing habit of not wanting to depend on a single device for "all the things", so GrapheneOS wasn't a downgrade, but it should be noted to others that whilst Google Wallet can run on GrapheneOS, NFC payments through the Google Wallet will not work due to Full SafetyNet requirements that GrapheneOS can not pass. Non-NFC items such as tickets and boarding passes have been reported to work (and I'm pretty sure I've used it for that, although Google Wallet is no longer installed on my device).
I see a trend of banks pushing people off of their websites onto the mobile app.
That is a slight concern, but I don't see it happening, at least in Australia for the big four banks, in the near future.
If that became the case, then the 'glorified token device' would become the dedicated banking device, and not much else would change (ie. I still wouldn't be doing 'banking' while I'm out and about).
It sounds utopian except you still have to pay for a cell plan on said device, no? How else to obtain a phone number for MFA?
No, just connected via wifi. I don't use it outside the house. The MFA token comes via the banking app itself, not via SMS.
If it came by SMS my daily driver would receive it.
Hopefully by not using MFA that depends on SMS.
To me that sounds like sacrificing living for a principle and missing the point.
I hadn't migrated my life to any of the (tiny, possibly zero) convenience improvements that "mobile banking" may offer me, so none of what I've described has been any kind of downgrade in 'living'.
(I don't mean this in a sarcastic way) are you able to make tangible what 'living' I may be sacrificing?
Like they have been doing for Desktop Linux?
And FSF has a history of creating important OS level software.
And I feel like it undermines any effort to make free, featureful applications if the hardware itself can't be trusted.
You can trust hardware and software that's easy to inspect.
If you can't be sure what's going on and unable to inspect or debug the hardware and software, how can you trust it's doing what you want?
Proprietary hardware and software is already known to work against the interests of the user. Not knowing exactly what's going on is being taken advantage of at large scale.
Let's put it this way: if you can choose between making your own lasagna with a good recipe vs ready-made microwave lasagna. What would you choose? How about your suit? And would you trust an open known to work well pacemaker vs the latest Motorola or Samsung pacemaker? Would you rather verify the device independently or pay up for an SLA?
No software is "easy to inspect". Only a tiny fraction of users will ever even try. When things are inspected and problems are found, you need a way to revoke the malicious bits. You'll never notify everyone, which is one of the roles app stores play.
You trust hardware and software by establishing boundaries. We figured this out long ago with the kernel mode/user mode privilege check and other things. You want apps to be heavily locked down/sandboxed, and you want the OS to enforce it, but every time you do you go up against the principles of open source absolutists like the FSF. "What do you mean my app can't dig into the storage layer and read the raw image files? So what if apps could use that to leak user location data, I need that ability so I can tell if it's a picture of a bird"
For sensitive information - such as financial transactions - the rewards for bad actors are simply too high to trust any device which has been rooted. The banks - who are generally on the hook if something goes wrong, or at least have to pay a lot of lawyers to get off the hook - are not interested in moral arguments, they want a risk-reduced environment or no app for you - as is their right.
> For sensitive information - such as financial transactions - the rewards for bad actors are simply too high to trust any device which has been rooted
In practice, that just means you trust a Chinese black box Android ROM from a random manufacturer, but not a fresh Lineage OS. To run some banking apps there, one has to root it and install all kinds of crap to hide the fact that your phone is running an OS you actually can trust.
I don't think it's right, I don't think non-manufacturer provided ROMs are a real danger in practice, or rooted phones, and I think this is all just security theater and an excuse to control what people do on their own devices.
> The banks - who are generally on the hook if something goes wrong, or at least have to pay a lot of lawyers to get off the hook - are not interested in moral arguments, they want a risk-reduced environment or no app for you - as is their right.
If they pay for the phone and ship it to you then I agree. Otherwise, they have an obligation to serve their community (part of their banking charter) and that may include meeting their customers where they are, rather than offering an app with unreasonable usage requirements.
No charter requires allowing access from any device. The charters don't even require banks to be open during hours most of their customers are off work.
The charters aren't that specific (nor should they be). But they do oblige the banks to serve their customers to a certain extent.
Not really.
If their security depends on enslaving the user, their security sucks.
Real security, be it your financial transactions or keeping your bird pictures safe, doesn't depend on any secret algorithm. Because it's secure.
The threat models aren't secret algorithms, they're apps reading the contents of the screen, stealing keystrokes, MITM attacks against 2FA, and much more.
Apple, Google and Microsoft created that problem.
I don't have this problem on my computers, they run free software. My wife's ThinkPad runs free software. The friends I gave a computer with various GNU+Linux distros don't have this problem.
Add Google Chrome with its spammy extensions to the mix and they start getting problems.
There’s no way I’d trust open source anyone with my health. And I am not sure there is one open known to work well project, let alone a pacemaker that couldn’t possibly be funded in the open source world. What open source hardware is actually more usable than the closed source alternative for most people?
Should the app builder’s ability to “trust” that the hardware will protect them from the user supersede the user’s ability to be able to trust that the hardware will protect them from the app?
In other words, should the device be responsible to enforcing DRM (and more) against its owner?
Trusted to do what? Work against user's interests? Prevent user from even expressing their interests?
There is one solution to this problem that many people reading this message can contribute to:
Make sure your app has a progressive web app version that has feature parity with the store apps. That way, the app will work on phones like the librephone, and, if Apple or Google decide to kick you off the store, you and your users have some recourse. As a bonus, it’s compatible with open source — users can modify the app and install it without jailbreaks, root or (for now) sideloading.
React Native supports this (and can mostly be bundled with electron for mac/win/linux support).
Are there other stacks people can recommend?
You have mixed up 3 different tech stacks: 1. React Native has nothing in common with web apps except JS runtime. It uses "native" widgets for Android and iOS. You need to add a new "native" runtime for your free OS. There are some third-party attempts to add mac/win/linux support, but they are not as feature complete as officially supported platforms. Again, your free OS will be a step behind. 2. Yes, you can write a PWA with React (Web), but PWAs still have many missing features which are offered by platform APIs of Android and iOS. Your app will not be in "feature parity" with the "native" app. Especially a banking app. 3. Electron apps are integrated with desktop platform APIs, you cannot easily port an Electron app to mobile. Every time big company with big investments wins.
What does a banking app need that a PWA can not provide?
This won't help if Google/Apple/Microsoft roll out integrity checks for browsers, something which they have already suggested they want to do.
It won't just be them. I foresee Cloudflare and other CDNs offering a free checkbox: [] Require age of majority verified user
And it will in turn depend on Secure Attestation, Web Credentials, and other recent W3C work to provide proof that you're the registered owner, age of majority and verified by thumbprint or other biometrics, running an unmodified device. Your ID might be escrowed with your OS vendor, email provider, bank, ISP, or even Twitter/X, who knows. Either way, as an end user you'll be mollified that you don't have to provide your ID to the adult site, and the adult site will be happy that they don't have to implement any of this themselves.
And, of course, this will mean that an intelligence service could have ironclad proof of exactly what person visits what website, effectively killing a lot of online anonymity.
You’re probably 100% right and it’s honestly heartbreaking.
Time to donate to the EFF and FSF I guess…
That sounds awful.
It's something they've already done, they just aren't being public about it yet. Look up the X-Browser-Validation header.
...and packaging my app as a PWA is going to help with cantankerous bank/digital-id apps, how, exactly?
Momentum.
It becomes much harder to force attestation on people if there's a significant user base that runs alternative operating systems.
I agree, but unfortunately I think the chances of that are just about zero. The reality is that the vast, vast majority of people don't care about software freedom. They care about the flashy marketing features in the newest iPhone (and competitors). I wish it were otherwise, but alas. Heck, you can't even get people to care about their physical freedom most of the time, let alone their digital life. It's hard to see this effort taking off as a result.
Do you really NEED to be forced to attest if you can make your phone look like any damn PC using a browser?
Websites are starting to make use of passkeys and TPM stuff on the device for workflows where money is involved.
These days browsers are becoming increasingly distrusted. My bank logs my browser out after 30 minutes inactivity and then to log back in I have to confirm the login on my phone.
This isn't the browser not being trusted, it's access to the device the browser runs on. Forcing logout when idle, and authenticating again, is good in general to avoid leaving something accessible when walking away from it, even if it's a home computer that is otherwise "secured".
That… seems reasonable? My bank does that with their website and their mobile app. I was able to set up 2fa using a totp app, so I don’t rely on sms for that part
It is given the environment. But it does highlight the poor security of desktop browsers where they are only trusted to do anything when a phone app approves it. While the phone app is considered secure enough to just stay logged in perpetually without any external confirmation.
To hack the bank's app you have to find an exploit in iOS or Android which would allow you to read the other apps' private storage, which is borderline impossible now. To hack the bank's website you just have to buy some random browser extension and add malware to it, or break into someone's NPM account and distribute it there, or any number of ways to run code on someone else's computer. Something very achievable by an individual.
> But it does highlight the poor security of desktop browsers where they are only trusted to do anything when a phone app approves it.
Does it? The browser doesn't do anything, the person sitting at the computer where the browser is running is what performs the actions. The reauthentication and 2fa is meant to authenticate and authorize the user, not the browser.
The attack vector of someone else using your phone using an app that doesn't require (re)authentication is independent of the browser or the app itself being trusted. That your bank doesn't periodically require some kind of re-authentication for their app is a security hole, but because the device could fall into the wrong hands, not because the code/app/browser used to access it isn't trusted.
That is true. I guess one of the main differences is the bank app can run a faceid check when you open the app and before you make a transaction while websites don't have access to these apis. So they are forced to make you approve the action via your phone.
Every banking phone app I've used auto-logouts after being idle or unused for a bit, and my primary bank's app requires 2fa using an app that exists on the same device -- a second factor that secures nothing. They probably are not explicitly considering the phone more secure than a computer, but rather a good 80% of this is security theater or a checkbox on some baseline security checklist that was implemented without really understanding what the implications, for usability and security, were going to be.
> 2fa using an app that exists on the same device -- a second factor that secures nothing
2FA on the same device secures against your login credentials becoming known to another party, e.g. by phishing, password reuse, database leaks, etc., which are real threats. It is not meant to protect against someone being in possession or full control of your unlocked device, which is of course also a real threat, though possibly less common.
> 2fa using an app that exists on the same device -- a second factor that secures nothing
If I steal your device, and you didn’t have faceid, I have both factors. But if I steal your password, or find it in a leak of another site because like most people you re-use passwords, then I only have one factor. It still provides a fair bit of security because of that.
This seems desirable? Is your phone the only 2FA available?
webauthn cares about the strength of the authenticators used. Mobile has standard libraries for biometrics and secure enclaves. This is less common on desktops and laptops. Your bank may offer the ability to enroll a yubikey or similar.
I can’t tap my PC to buy a burrito at Chipotle.
So you pay more money and also give up your privacy for what you could pay cash for. I don't think you're the target market for this phone.
I pay less money for my burrito than I would with cash, but the reason I use my phone is convenience, not cost.
> I don't think you're the target market for this phone.
My comment is downstream of the entertaining of a possibility of:
> a significant user base that runs alternative operating systems
... which isn't going to happen if you ask your users to give up commonly used features. It will forever be a niche project, at best.
And there are still folks who don't use ad blockers.
This sounds like a challenge to me.
It’s actually super easy and not a challenge. The lowest tech way to do it would be to tape a cc with tap functionality to the inside of a laptop.
what a phenomenal comment, thank you for the laugh
You seem to be part of the problem. As long as people like you are happy to run spyware on their phones for the sake of convenience or a meager discount, companies will be empowered to make such software and devices a requirement.
Do you think the same for using credit cards in general or is using the phone somehow worse?
I use cash whenever possible, but carrying cash for larger transactions has its own risks and those risks need to be balanced against the privacy benefits it offers. The way I see it, carrying a credit card in addition to my phone when I might need it is a minor inconvenience relative to that of allowing Google complete control over my phone.
My bank doesn't let me do anything in the browser without 2FA, and the only 2FA they offer is their smartphone app.
My other bank offers 2FA via chip reader as an alternative. I guess that's somewhat viable for an alternative phone OS, if you want to carry the reader around with you
That might just be European banks though
That could be nice on the Librem 5 which has an integrated smartcard reader.
Some banks require app confirmation for PC-initiated transactions, using play integrity requiring apps. Cause security, you know.
I think it's time to look for a new bank.
In my country we have a large religious community that eschews smartphones. Due to this no company or government agency requires a smartphone for service.
This is a very good thing. I don't think many people here on HN reject technology, but sometimes no technology is better than one that is not controlled by the user.
It's because it's way easier to install malware on PC than mobile. None of us are immune either. In recent times there has been malware distributed by common NPM packages as well as game mods. Every NPM package you install has the ability to steal your browser session tokens and the only thing stopping the attacker from actually logging in and spending your money is the fact it has to be confirmed on your phone.
That doesn't require a bank approved app - we already have authentication mechanisms that are standardized.
People do proprietary bullshit because they want to do proprietary bullshit. Anything else is made up.
Choosing between a risk of that and preinstalled non-removable malware in every phone? Tough one, I know.
What kind of transactions require this? Normal bank transactions don't, right?
Depends on the bank's policies. Currently it tends to be when you transfer to a new destination and/or above a certain amount. I could certainly imagine a bank requiring it for every PC-initiated transaction as and when they reach a point where most normie customers are using their app.
"Every PC-initiated transaction" doesn't make sense to me. What type of transactions are you talking about?
> What type of transactions are you talking about?
Bank transfers and I guess direct debit authorisations (if your bank requires you to confirm those) and reauthorisation/confirmation of card payments that were blocked by the bank's fraud detection. I think those are the only kinds of transactions one would ever use a PC for? I mean for me most of my day-to-day transactions are me paying by debit card in a shop, but you can't do that on a PC in the first place; pretty much everything else I do on my PC.
Do you have to authorize those day-to-day transactions with your debit card on your phone every time?
No. Only to unblock when they get blocked/flagged as fraud (tends to happen for large transactions like plane tickets or buying a bunch of furniture), and even then I currently have the option of authorizing via the web browser (and I think also via phone call).
But sending a bank transfer is also a fairly common day-to-day transaction that I do a couple of times a month (and is the only way to pay for some government services like tax certificates short of visiting the tax office in person). Authorising a new direct debit happens occasionally (joined a gym, changed my utility provider, got a new credit card, that kind of thing).
Fraud prevention on my primary transaction account requires 2FA for every transfer.
The only supported 2FA is the bank's own dedicated 2FA app.
So if you buy something on Amazon with your debit card you have to authorize it?
Transfer of more than a set amount between even your own accounts in different banks.
Between your own accounts is the main use-case because you typically can't transfer between different banks.
> you typically can't transfer between different banks
WTF? What kind of shitty banking system are you using?
Wells Fargo said to do it I had to use Zelle.
Wow. You guys really need better banking regulation.
My brokerages require it every time I login from a computer. My bank will require it if it can't find a cookie from a previous login session. Occasionally, my bank will require it seemingly randomly since I usually log in at least once a week from my laptop yet every couple of months or so I have to reconfirm on the app or another secondary method.
What are the other secondary methods?
> What does it matter if you can run a completely free software stack on your phone, if your bank software (or your required government ID, as is looking depressingly likely) requires you to run a Big Tech approved phone OS?
What does it matter if you can use any OS you want if your phone is filled with SoCs which are bugged and backdoored by the state and/or who knows who else? The reality is that we need both free hardware and free software. I can always tell my bank to fuck off and move my accounts to one that gives me freedom to use the mobile OS of my choosing, and if there isn't a single bank on earth willing to do that I can always simply refuse to use my cell phone for banking.
I'd much rather keep the phone I control and trust while limiting myself to only having the options of a desktop PC, a laptop, an ATM, a phone call, a drive thru, and walking into my bank's closest branch when interacting with my bank. Not being able to also stab my finger at a cell phone screen to check my balance isn't really that big of a deal.
Safe hardware is super difficult
The only project I know of that is really actively addressing the end to end problem is Bunnie Huang's Precursor.
Work seems to be going on low-key: https://github.com/betrusted-io/xous-core
> What does it matter if you can use any OS you want if your phone is filled with SoCs which are bugged and backdoored by the state and/or who knows who else?
Perhaps. But how does this effort from the FSF do anything to solve that? They are (as far as I can tell) producing firmware, not hardware. If the hardware manufacturers are working with the government or whomever to spy on you, they will just not use the FSF firmware in that case.
Well you're partially right. After all, the "big tech approved phone OS" is actually Linux, so just having a free OS isn't enough to prevent it from being co-opted and turned into a locked-down platform.
But the partially wrong part is, we can make our own platform. PCs let you install and run any software you want, because it's an open platform. If we make an open platform smartphone that can compete on features with the closed behemoths, and that then becomes popular enough, then banks may offer apps on that.
But this is tricky too. Linux already has issues getting official support from corporations. We'd need our open platform to be compatible with the closed ones, so that it's easy for banks to run their apps on our open platform. There are already ways around this, like virtual machines to run Android, or other methods. But the closed behemoths may try and end-run around this, like DRM. So we'll still need to advocate for our rights and compatibility.
Indeed, binary blobs are not much of a problem; it's anti-user "security" that has to be attacked. Otherwise we'll end up with user-hostile systems that we can see the source code of but can't modify, in contrast to systems that we can't see the source code of but can modify. The Windows modding scene of the late 90s/early 2000s is a good example of the latter (and I've joked that every power user was a novice reverse-engineer), while Android is turning out to be a good example of the former.
Stallman had a good idea for free (as in freedom) software, but then "missed the forest for the trees" by focusing on the source code.
> Stallman had a good idea for free (as in freedom) software, but then "missed the forest for the trees" by focusing on the source code.
RMS is afraid of trees!
https://news.ycombinator.com/item?id=28419139
I hope all the things you mention never become mandatory some day because I currently use my phone for voice and text only. Sooner than later I plan to get rid of my phone altogether. I'm gonna surprise the phone company and get a land line. That means any online service that uses SMS/text to verify me will fail.
If you're being serious, you're in for a rude awakening. POTS lines are dead and being replaced with VoIP and VoIP-to-POTS modems on the premises. Lots of cities have already started to grub the copper out and replaced it a long time ago with fiber.
Changing the implementation but not the interface is exactly the point. It doesn't matter how it's delivered; it's just a phone line for voice calls.
Yeah... Corporations and governments are starting to push remote attestation. There'll be little point to a free computer if it gets us denied service everywhere. At this point we're gonna end up marginalized, like second class citizens of society.
> There'll be little point to a free computer if it gets us denied service everywhere. At this point we're gonna end up marginalized, like second class citizens of society.
Given the apparent trajectory of the corporate/government model of organizing society, it seems like they're going to be the ones that will be second-class citizens.
Get a big tech second phone. Cheapest available. Just perform the needed tasks and use your Libre phone for everything else.
Does anyone remember having a copy of internet explorer that the bank required (or chrome these days) but using firefox for everything else? Apply that concept to a phone.
For people without a viable alternative such as transferring their funds to a bank that does not require Google/Apple certified devices, this seems to be the way. The second phone does not even need to have a SIM card in it, except perhaps during set up. That phone does not leave home and is ideally powered off with its battery removed when not in use. Everything else can be done on a free device, ideally using FOSS apps. Ideally again, this means no Facebook, no Whatsapp, no IoT crapware.
Luckily, here in the U.S. this is still possible. I run Graphene on a Pixel without Play Store compatibility layer and everything just works. Most of my apps come from F-Droid, with the notable exception of Whatsapp, for which a standalone APK is available. Unfortunately, it is proving difficult to get rid of Whatsapp entirely because of friends and family.
Yup. Right now that's something running graphene for me. I'd prefer full linux but the other options don't seem viable yet to me. When I tried the pine phone a few years ago its battery life was in the 3-5 hours range if I used the phone which is not sufficient.
But then I would need to constantly charge two phones and keep two phones in my pocket all the time because I never know when I would need to do those things on the go.
I recently added a second phone for secure comms (Graphene). The biggest hassle turned out to be moving data between them. For that I settled on running my own Matrix server.
Some banking apps require a relatively new OS, so if you have an old phone with e.g. Android 8 and you can't upgrade (Android 9 removes certain important features), you are out of luck.
Use the website. I’ve never seen a bank where a mobile app is the only option for remote access. If my bank did that, I’d switch banks.
To be clear I'm not saying that alternatives don't exist now. But it's a worrying trend that big businesses, and even governments in some cases, are moving away from such alternatives being available. Look for example at the proposed age verification scheme in the EU, where they don't plan to make a version you can use on a desktop (and even for mobile devices require you use a vendor-attested device). Sure, right now it's just for looking at porn. But it seems to me that once that settles, it won't be long (a decade or two) before you start to see government IDs require a similar mobile app. That's the kind of thing I fear happening soon.
They more and more force you into 2FA through banking app
Every bank I’ve used (2, so ymmv) allowed 2fa using a totp app, they just don’t make that choice obvious; you have to dig around in the settings
In SE Asia, most banks I've used no longer offer any services other than through their app.
What about WhatsApp?
UBS bank mandates their "Secure Access" app as second factor even when logging in from a desktop. They used to allow the smart card reader for existing customers that had it as a workaround for a few years but they disabled that.
Also many websites are making it remarkably hard to not use the app if they even remotely sense you're not on an actual PC. FB and LinkedIn aren't banks but prime examples.
Good reason to stop using that bank.
I like my credit union.
Oh, and of course the stock app will refuse to run on rooted (or sometimes even just not widely used) phones.
Monzo bank in the UK doesn't have web access (apart from a very basic page where you can block your card and do nothing else, not even see your balance). They also retired support for older Android phones, so if you happen to use it on an old phone, you are out of banking. I, for security, refuse to install bank apps on my phone that I carry, but I have them on a separate phone that I have in a safe place.
Banks and national id apps already work on GrapheneOS. Sometimes you just need to msg devs and ask them to use a different OS attestation method - see link 1. This battle is won already.
1.: https://grapheneos.org/articles/attestation-compatibility-gu...
Sorry, but no. Device attestation is another mechanism to track and ultimately exercise control over the user. It fundamentally goes against the freedom of choice. You want me to authenticate with multiple factors? Cool.. let me tell you which method I'm already using on all my other accounts and then tell me how to register that with your service. You want to "measure" my device? Okay, I'll take my business elsewhere..
This was a problem during the early 2000s when Windows and Internet Explorer were utterly dominant. Some banks, government services, and other essential websites used ActiveX controls, preventing access by non-Windows users. I remember during my senior year of high school being unable to fill out a college financial aid application circa late 2004 or early 2005 on my PC running FreeBSD and Firefox; I needed to use Windows and Internet Explorer.
I remember the stagnation of Internet Explorer combined with increased awareness of security exploits in Windows and Internet Explorer led to the rise of Mozilla Firefox and (to a lesser extent) increased marketshare for the Mac. This, combined with the arrival of smartphones around 2007, put pressure on organizations to make their Web sites accessible to a wider range of browsers instead of just IE.
Perhaps if we had a critical mass of people using phones with FOSS software, this would be enough for banks and other organizations to consider people who don’t use Apple/Google products.
The challenge, though, is getting that critical mass. Firefox benefitted from Microsoft’s fumbles in the 2000s. It’s going to be hard for a FOSS project to compete head-on against Apple and Google.
I agree that FSF and similar groups should be focusing efforts on influencing government policy at least as much as on software. The problem is that in practice, you’ll get a bunch of people who are erstwhile free software supporters, shouting back that the FSF should “stay in their lane” and stay out of politics (missing the point that in life, everything is politics).
You can replace the banking system. Replacing the banking system does nothing if a single tech company can brick the phones of people using the replacement, or block it from launching.
In an emergency, can't you call your bank over the phone? Do you depend on it still if you have a Computer?
You have to start somewhere, and with Google closing Android to non-approved apps this seems like the right move.
If the government needs me to get a side phone for ID, I'll cross that bridge. For everyday use, I'm fine with having a "rogue" phone as my primary.
The next step will be for them to prevent you connecting to the cellular network.
Just tether through your shit phone
Most important is to continue supporting web browser access and open web protocols. Then anyone with a web browser and device can use all the apps.
Exactly. A simple phone that runs a browser I can trust that's also capable of running web-based apps is all I need. I already avoid running apps on my iphone whenever possible.
The phone I really want is as uncomplicated and open as possible and beholden to no corporate economic interests or privacy invasions.
Now that I'm retired I'm looking for a project to immerse myself in. This sounds like just the ticket.
It depends on what definition of "uncomplicated" you'll assume, but that's pretty much how I perceive my Librem 5. It's fairly inspectable and relatively easy to understand as a computing device - no weird stuff like hundreds of disk partitions that you can't touch without risking bricking the phone like on Qualcomm devices, but a fairly regular GNU/Linux installation with well-defined boundaries on what's open and what's not - and it runs web apps pretty well. I have things like my bank, public transit planner, ride-hailing, webmail, RSS reader, Matrix client, package delivery status, even Facebook & Messenger for the handful of people that can still be only reached there - all "installed" as web apps using Epiphany (aka GNOME Web). Some of them required a bit of fiddling to discover which user-agent leads to a usable experience, but the results have been pretty good so far. In case I really need to run some Android app for some reason, I can boot Waydroid up and launch it there, though I use it very rarely. No corporate economic interests, no privacy invasions, no invasive notifications or ads, it simply works the way I want it to work. I just have to be careful with battery usage, but it's manageable :)
Actually "open" is a misnomer, maybe it was a decade ago but it's clear that Big G has an effective monopoly over browser(s), the web "standards", and is gradually making them more user-hostile.
It's still significantly more open than any other platform. Believe it or not, Mozilla is not asleep at the wheel, and neither is Apple.
Mozilla is absolutely asleep at the wheel (and have arguably already swerved off the road and hit a tree) and Apple aren't any better than Google in terms of wanting to lock down the web.
I use Safari as my daily driver and I'm still routinely shocked at just how terrible certain aspects of the experience are compared to Chrome. For example, the UI seems to completely block for most of the website loading process, rather than streaming as Chrome does. Also, rather than restore the previous state when I swipe to go back, it has to reload the page from scratch. Little things like this continue to annoy me day by day, the primary reason I don't switch to Chrome is because it just doesn't integrate with macOS at all.
> Also, rather than restore the previous state when I swipe to go back, it has to reload the page from scratch
I've encountered cases when both behaviours would've been desired (either use the cached version, or the latest version), so I think that's neither a point in favour nor against.
Well, Safari caches resources, it just doesn't seem to cache the actual runtime state of the page like Chrome does (look for bfcache). The bfcache article claims Safari and Firefox do it too, but I have both in front of me and no they don't (or it's not good enough).
I think real caching is superior because you can manually reload if you actually needed that, but you can't go in the other direction.
Seconding this. More compatible with day-to-day life/apps means more adoption which I believe is a snowball effect.
Funny that bank software needs approved phone, but runs absolutely fine in the browser. That to me sounds like collusion - something that regulators should look at. There is absolutely no need for banking app to require "legitimate" Android or other operating system.
> What does it matter if you can run a completely free software stack on your phone, if your bank software (or your required government ID, as is looking depressingly likely) requires you to run a Big Tech approved phone OS?
Log in to your bank over the internet, the normal way.
i think the best solution to this would be some sort of docker-project for people to remotely access a device hooked up to a raspberry pi or something at home via adb via https://github.com/Genymobile/scrcpy as "natively" as possible.
Banking might be the wrong example to choose from here since we discovered with cryptos how to handle money without governments
The phone is the critical root identity anchor for most of the world now. And many countries outside of the west have already made the SIM card a root identity. Additionally to make it trustworthy (think Google wallet and digital wallets and so on) to work they cannot trust the end user because effectively you the user don't own your own identity. So that's why the phone has to be proprietary - so that its secure element can be trusted in interactions with the state-big-tech nexus. I talked about my experience with this while attempting to cross borders in SEA. https://polykey.com/blog/architecting-anti-fragile-trust-at-...
It is very inspiring to see a project announced like this with the developer’s name attached to it. As someone who has always struggled with the confidence to be open about my work, let alone work openly in public, it feels extremely inspiring to see Rob Savoye (and Zoe and John behind him) nail their plans to the door like this.
My thrill is matched in strength by the loathing I have for this Apple device on which I type, whose entire boot process is miserably locked down from the very start. It is like a bicycle made from Mickey Mouse logo bolts where the spanners are proprietary and not for sale. The situation is just as ludicrous.
The two major phone OS companies both stand on the shoulders of IBM PC, openly bootable hardware, and the fantastic software systems nurtured and built on top of these platforms — the BSDs, GNU, Linux, and the long tail of all that run on them. It is very troubling that their own platforms are the antithesis of being openly hackable.
Librephone could be successful in a few ways. Outright, as a device, but also as a carrot to bring open handheld hardware to enough people to drive political change (with a small-p, the politics of society, as well as politics of the big-p kind) such that iOS and Android would have to follow suit. With actual public policy Librephone could also end up being a stick: bringing about legislation that requires computers of any kind to be able to boot software of our choosing. Right-to-repair plus plus, if you will.
With enough Librephone devices in the right hands, either the market or the law will demand that we have the same openness and freedom to use our devices the same way we do commodity x86 hardware today. The same freedom imprisoned and exploited in the core of mine and your phone, right now.
Meta-commentary: At least within the HN community there seems to be a strong interest in a pursuit such as this, given that this is at the top of the front page, and has been for a little while, plus the first page has simultaneously contained these two stories:
https://news.ycombinator.com/item?id=45584498
https://news.ycombinator.com/item?id=45585869
It's heartening.
Unfortunately, even if you could completely de-blob the kernel itself (and for many chipsets, that would require a considerable amount of reverse engineering work!), smartphones bear the Curse of the Modem.
In a modern smartphone, modem is often a part of the SoC itself - and it runs some of the biggest and fattest blobs you've ever seen.
This is the big barrier here, and unfortunately, it is legally impossible to open source.
In most countries, the spectrum that cell phone carriers use is licensed to the carrier, under the condition they only connect devices that are guaranteed to comply with the requirements of using that spectrum. The end user (i.e. the person with the phone) has no license to use the spectrum. So in order to get regulatory certification, basically every modem has to be locked down so that the end user cannot operate it in a way that would violate any rules or regulations for using that spectrum.
So basically, it's illegal to have open source modem firmware. At least, as long as cell phones are operating on spectrum that isn't open for public use.
Ultimately, if you want to open source a modem, you first need to build your own cell phone network.
this is the same thing with wifi. There are different channels and transmission power rules depending on country. Something you cannot change even if you are root or build your own kernel, as it's built in to the wifi hardware (eg. raspberry pi)
Part 15 is a lot more permissive, and it's unlicensed. But yeah, the device still has to be part 15 certified.
theoretically, there is lte cbrs where spectrum is not licensed.
Don't cbrs devices need to be part 96 certified? The spectrum might not be licensed but you still may need a certified device to legally use the spectrum. Which you could do, but that is a tall hill to climb for a FOSS enthusiast. And when you're done -- what network are you going to connect it to? A cheap SIM from the corner store is probably out of the question :)
looks like they need. but it still gives you more possibilities compared to usual spectrum. if there is enough coverage from SAS you (or FSF) can build your own cbrs network that will have open source modem/firmware (yet, still will have to comply with part96).
there are also all kind of open source lte/cbrs projects iirc
It's a fun thought exercise, but putting "part 96 certification" at the end of my build pipeline sounds pretty expensive. And building a physical cell phone network is stupidly capital intensive. Maybe there are some interesting small scale niches that this would be useful for. But as a daily driver cell phone, I don't think we're ever gonna have an open source modem, at least not until there are significant changes to the spectrum that's in use.
i didn't say that it's cheap. i said that it's possible.
Hopefully open mesh wifi will supplant cell phone networks anyway.
Haven't there been projects trying to do this since 802.11b? I think the last time I looked one of these mesh networks up, there wasn't even decent coverage in the dense city I lived in.
Not insurmountable, given the availability of srsRAN.
https://www.srsran.com/
I for one am up to the idea of breaking android off Google due to the same reasons of chrome - conflict of interest since Google is an advertising company.
Yep, with DMA sometimes. I've heard this same thing on the Pinephone forums iirc during the early years.
Interesting that they chose Android as a base and not one of the desktop-Linux-for-mobile ports like postmarketOS.
Android already is mobile: making it better makes sense. Linux already runs fine on it: termux and things like NOMone desktop combined with allowing virtual memory and keep apps running like some brands (Blackview, Oukitel) allow, you are there a lot of the way. Then Android desktop support (again, many brands have something already but it is now in Android mainline it seems). I use an oukitel rt7 as my main daily driver: it is rooted. It has some quirks and of course is very far from open, but things work, -ish. I would spend far more time on contributing if we had an open choice (or at least working) here that supports the 5g. On other phones/tablets, it is the fingerprint sensors, 3d face camera, but also different 'niche' auxiliaries that would get far more attention if you at least can start with something that is (mostly open) and works. If we have coverage for a bunch of devices with everything working, it will be more attractive to work on other/newer ones.
With Linux, you will need, as I have seen on my pine phone, way too much focus on just basic apps which still are not good compared to their android equivalent: spending time there is not spending time on hardware support...
If they wouldn’t have then X years later there would have been first beta release and zero apps on it except for a calculator app, a notes app, a calendar app, and maybe a mail app developed by the core developer team. The post would have definitely reached the top of hn, so that’d be a plus.
If prior "Linux phone" projects have taught me, it's that "based on desktop Linux" is a great way to have a ton of apps that install just fine, but can't meaningfully be used.
Not even just "requires a mouse/keyboard", but a lot of things of the form "assumes a reasonable screen size", ...
It makes a lot of sense to me. There's a huge amount of work that's already been put into the Android ecosystem that can be used in a free software phone.
Trying to build a non-Android Linux phone that is competitive is just not practical at this point. It would require an enormous amount of funding.
Inertia is a hell of a thing.
Seems like a smart decision to me since that's what everything phone related builds to as a lowest common denominator anyway.
App compatibility is a thing, you know.
I like postmarketOS, but it always felt to me more like a pet project than a real OS, for that reason.
waydroid
yes, but it's probably the quickest path to market with a reasonably certain customer satisfaction.
Doesn't stop you on working from there once that milestone is reached.. I would certainly welcome more alternatives in light of the recently announced changes from do-no-evilG
It's an incredible waste and an amazing example of how useless the FSF is today. Instead of supporting real Linux phones they're focusing on trying to degunk Android even more.
I think that supporting Android as a free platform is a sensible choice. Android has benefited from more than a decade of development by Google, Samsung, and others and provides a polished experience and thousands of apps people actually want to use (and many excellent FOSS options too). AOSP is already "free software" and starting from scratch with Linux would make very little sense at this point. The FSF is right to focus on what matters here, which is hardware on which to run free Android.
> It's an incredible waste
Funny, I would have used those exact words had they chosen anything BUT Android as their base.
All the other "freedom" Linux phones are failures (yes I'm sure fsflover will now chime in to but akshually). I know because I bought them all. They all have one thing in common: the software sucks.
And I don't even need apps. Just basic phone functionality (several Linux phones still can't do MMS), a web browser, and no crashes. Unfortunately no Linux phone has been able to give that to me yet. Whereas Android has been delivering for over a decade.
I applaud the move, but it's going to be really hard if manufacturers aren't willing to document their chipsets and keep bootloaders locked. The folks at Pine64 were forced to waste resources to develop their own platform, which after the enormous effort and time invested resulted outdated the day it came out of the factory, because of that.
This seems pretty relevant on the heels of yesterday's popular discussion on how "Free software Hasn't Won" [0] in terms of tools available to the average consumer.
Just because pieces are open-source (or "free software") doesn't mean the autonomy and capabilities we want are necessarily present in the overall system.
[0] https://news.ycombinator.com/item?id=45562286
https://librephone.fsf.org/FAQ.html
Currently scope only seems to go as far as the operating system
That's really as far as they need to go; if the userland is compatible with Linux, it can use all of the work that KDE and other organizations have put into building mobile interfaces.
These projects have stuff that works, but the lack of firmware for chips that can connect to modern cell infrastructure means that they can't really create an appealing product. The OS layer is where all previous Linux phone efforts have failed, and I hope the FSF makes it farther than everyone else has.
> The OS layer is where all previous Linux phone efforts have failed
The OS layer is where the existing projects are thriving, with various distros and shells to choose from to match one's needs and tastes. It's the appropriate hardware that's in undersupply. I'm using a Librem 5, a 2019 design, and if I wanted to switch to something newer I can't because there's no viable upgrade path on the market. No other hardware vendor has invested significant resources into mobile GNU/Linux since then, everything else is either purely community-based or uses Halium.
Does webrender work with the Librem 5? Last time I checked it didn't-- Firefox disallowed it because the etnaviv driver didn't have all the features available needed to enable it. It appears there's been a lot of work on etnaviv recently but I don't know if it affects this issue.
etnaviv doesn't do GLES3 yet, so no, but the work to support it (mostly done by Christian Gmeiner) is ongoing and progressing. I'm using Epiphany though, it's pretty snappy these days and I make extensive use of its webapp feature. I don't even remember when was the last time I had to fall back to Firefox because of some incompatibility, but it did happen at least once.
It's a great idea. Why not join forces with the PinePhone and Librem folks? They're building the hardware and I'm sure they could use more software folk to help out with the firmware and OS.
All the best for the efforts, however I have been around this planet long enough to not have big hopes how this will turn out.
Phones aren't x86 hardware, which only got open due to a lucky event, regretted by IBM.
Took them long enough... The free software movement was still stuck on PC despite the fact the whole world moved to mobile. Glad to see they're finally starting to catch up.
They should probably prepare themselves to make ideological concessions... The situation is very ugly here in mobile land. Treacherous computing, remote attestation, DRM, all ubiquitous and normalized...
Why aren't they sending representatives to 6G standardization bodies? It's too late for 5G and under.
I am a fan! I have missed this for years.
Two phones might be our sad reality, one for freedom, one for compliance.
I highly doubt this will take off. I'm betting it never works beyond a couple outdated phones.
The concept of "outdated" is imposed by big tech itself through artificial restrictions. Apps are forced to update their minimum supported OS versions. Upgrades are stopped after 1 or 2 years. And so on.
Anyone who has replaced Windows 8 or Windows 10 on their 5+ year old machine with a distro like Xubuntu/Lubuntu realizes that "outdated" is often a sales propaganda term, not necessarily a technical term.
Let's hope the phone's ui won't look like FSF's website.
It will be much easier on the eyes (and perfect IMO) if font size changes from 13 to 16, and all line heights like 1 are fixed to 1.5.
ahahaha too true
but actually these kind of websites are way more informative also
instead of "clean" look where everything is just fluffed up
I want this, even if it means we have to pay some of the people who work on this.
> Librephone will serve existing developers and projects who aim to build a fully functioning and free (as in freedom) Android-compatible OS.
It may well be that Google will not rest until "Android-compatible" means that they can put their foot down on this. We should be prepared for that eventuality.
For it to succeed, they must also help put pressure on governments (countries like Brazil or Italy) and banks to stop depending on "Play Integrity" because only Google has the keys (and blocks leaked ones) so we can't count on bypasses being available (it's not just a matter of obfuscation).
This needs to be done before age verification apps become universal..
There was a time the Brazilian government mandated free software in government computers. Lots of people hated it unfortunately. Eventually Microsoft lobbying put an end to it. That was around ten years ago... I wonder if such a thing could ever repeat again.
Thank you John Gilmore.
Good to see someone fighting the fight
To me this feels like blah blah blah, but I’d love to be very wrong, of course.
The world could have been very different today if Nintendo or Sony had put phone functionality in the DS and Vita.
Any reason that can't happen now in something like the Steam Deck?
USB modems exist and work on Linux[0]. The Steam Deck is a Linux computer with a USB port. You could be living this reality today.
[0] https://www.thinkpenguin.com/gnu-linux/usb-4g-lte-advanced-m...
They work fine for data and SMS, but it gets complicated once you need audio routing (it's rare for a modem to expose audio over USB) or waking up from low power mode to answer the incoming call. Could be done with M.2 USB modules and some dedicated controller in-between though.
HID USB devices can already wake up computer from sleep, so I don't think we need M2 here.
Also I don't think routing audio is problem, the dongle could represent itself as external audio device, like those external usb dac.
Of course it could! Now find one that does.
Vita had a WWAN variant. What that means is, hardware wise it's trivial, business wise it's impossible. It always has been that way. It took Apple under peak Jobs leadership couple years to sell the iPhone globally.
something like this https://en.wikipedia.org/wiki/Xperia_Play
thank god.
Looks like we will have to wait forever.
I can't take these jokers seriously.
Years after mobile phones came onto the market they are now planning to create their own phone.
Not sure, but perhaps it could be somewhat easier to take them seriously if you had actually clicked on the link instead of living in an alternate reality where it's about "planning to create their own phone".
Someone hasn't read the article.
I suppose my PC's BIOS is a binary blob, yet I run open source Linux on that machine.
https://www.coreboot.org/
> Librephone aims to close the last gaps between existing distributions of the Android operating system and software freedom
I am so happy they are focusing on Android, one of the most popular operating systems widely used by every day people. This is important work for providing user friendly, free software to users.
Let's just hope they don't fall into the trap of disqualifying binary blobs sent as part of drivers vs opting for hardware that hardcodes the blob.
Are you hoping the Free Software Foundation _doesn't_ prioritize Free Software? For people who are okay with random bits of proprietary software doing who-knows-what on their devices there are various alternatives already.
I initially made the same misread that you did...
The OP's point is, having the firmware permanently burnt-in on a ROM chip vs loaded as a binary blob via a driver doesn't change the "non-free"-ness of the firmware itself.
So opting for hardware which has a "fully-open-source" driver, but runs a binary blob encoded into the hardware, doesn't make the system fully open.
It's a take for a more Free system, not for accepting binary blobs.
(Or I guess for acknowledging that if you're willing to allow binary blobs stored in hardware, then dynamically-loaded binary blobs don't change the "free"-ness.)
That's not even close to what they said.
They're saying approval of any who-knows-what code shouldn't be decided based on how it's loaded.
To me:
Open Source Firmware signed by OS > Firmware blob signed by device manufacturer > Firmware blob hardcoded by device Manufacturer
The FSF treats hardcoded firmware blobs as "free" and updatable firmware blobs as nonfree despite there not being a big difference between them in practice. And practical differences like being able to fix security issues benefit users.
> FSF announces
These days, I see FSF and all I can think of is a donation racket with zero sincere intent to operate or capability to execute. If they were not still cashing in on goodwill from the Unix Wars era, they would be nothing more than a grift overseeing a mountain of copyright assignments.
How will this phone comply with child safety laws?
*Edit* Because Idiots are Downvoting me, look at the Texas law SB 2420 as an example. These phones will essentially be illegal in Texas unless they comply with already passed laws.
They will comply with the law because they are not making a phone, or any product at all for that matter. This is a reverse engineering initiative.