Comment by 827a
17 hours ago
Here's a take on this which might be unpopular:
Open source software lost in this domain fair and absolutely square. Desktop linux has been an extremely accessible and decent option for desktops and laptops for, what, three decades; it lost in the open market. I'm typing this comment on arch linux, but even so: It failed to become a force sizable enough to fight back against the tide of corporate-owned attested consumer hardware. Android has been an option for nearly two decades. It's reasonably successful, globally. Google is now toggling the doomsday switch everyone knew they had, to force all applications to go through the Google Mothership. Samsung could fight back; they won't. Motorola could fight back; they won't. The market could revolt; it won't.
Software being open source is not enough to change the tide on what the market wants. Should service providers be forced (e.g. by regulation) to support consumer hardware stacks they prefer not to? By what mechanism do you propose we stop a bank from saying "we'll only support connections from iOS devices", if not the democratic market force of ensuring enough of their customers demand access from devices running free and open source software? You get there by building products people want. Anything else is succumbing to the same authoritarian forces that you're hoping free software will stop, by forcing service providers to behave against their own interests.
If that was unpopular, here's where it gets really unpopular: I don't see a doomsday-level problem with a world where, in addition to whatever awesome FOSS hardware I might have, I also have an iPhone 12 ($130 on swappa) as my "attested device" to do "attested stuff" with, like store my driver's license, banking, whatever. To me, this is... fine. Not ideal; but fine. We should fight like hell to score wins where we can, like in right to repair, parts availability, ensuring old devices are kept up to date for as long as possible (Apple is pretty good at this); but if I have to carry an old iPhone in my backpack to access my bank because they refuse to support my hypothetical GnuPhone 5, the world isn't going to end.
We need nerds who care about this to stop typing on hackernews and go start a phone hardware company. That's it.
> Should service providers be forced (e.g. by regulation) to support consumer hardware stacks they prefer not to?
Yes.
Well, sort of. They don't actually have to do anything. Nobody wants to force them to work for us, that's slavery.
Just don't get in our way when we start writing and using our own software. That's the "support" we want. Just stay out of our way. Leave us alone, without actively discriminating against us for it.
For example, companies wielding DMCA "anti-circumvention" section 1201 [0] to put people in jail.
Or tricks like Nintendo designing their hardware to only boot games which show the Nintendo logo on the screen, so that they can shut down any third-party games for trademark infringement.
[0] https://www.eff.org/pages/unintended-consequences-fifteen-ye...
DMCA anti-circumvention laws have made it attractive to add computers to otherwise simple products in order to reify a business model. Breaking those locks by doing things such as using "pirate" ink cartridges turns legitimate competition into a violation of the DMCA. We live in the era of felony contempt of business model:
https://www.eff.org/deeplinks/2019/06/felony-contempt-busine...
The trademark security system you mentioned produced such wonderful case law. Not only was it found that this "infringement" was fair use, judges decided that it was the trademark holders themselves who were at fault for creating this stupid system where competitors had to infringe their trademarks in order to create perfectly legal interoperable software.
https://en.wikipedia.org/wiki/Sega_v._Accolade
> Accolade's decompilation of the Sega software constituted fair use.
> the use of the software was non-exploitative, despite being commercial
> the trademark infringement, being required by the TMSS for a Genesis game to run on the system, was inadvertently triggered by a fair use act and the fault of Sega for causing false labeling
That's what the world was like before the DMCA. Corporations would invent all this "clever" nonsense and they'd get destroyed in court. Not anymore.
> Should service providers be forced (e.g. by regulation) to support consumer hardware stacks they prefer not to? By what mechanism do you propose we stop a bank from saying "we'll only support connections from iOS devices", if not the democratic market force of ensuring enough of their customers demand access from devices running free and open source software?
The same mechanism that stops a bank from saying, "sure you can withdraw more than $10,000 from your account and we won't ask any questions about what you plan to do with it" - explicit financial regulation with real penalties attached to it, that banks systematically adhere to. I'm not necessarily a fan of all legal regulations around banks or other financial product providers - this is a huge reason I'm interested in truly decentralized cryptocurrency systems - but given that the regulated fiat financial system does exist and is widely used, we might as well demand that these regulations include provisions that the bank has to let people running free smartphone OSs connect to their systems too.
> We need nerds who care about this to stop typing on hackernews and go start a phone hardware company.
We need nerds who care about this to stop complaining about minor things in existing GNU/Linux phones and other similar devices on the market and go buy them. These hardware companies have been there for years already.
It's hard to build a profitable and sustainable business based only on the minority that doesn't mind it being "too thick", "too slow", "not high-res enough" or "unable to run modern PC games" (all of these are real things I heard from people here, no kidding). And I assure you that if you really care, you'll easily find a way to live with a (swappable) battery that lasts 20 hours.
I own one of these devices (pinephone) and it is legitimately not good enough for day-to-day use (despite the incredible efforts of the people who are working on its software). I only use my phone for locally-stored music, text-only web browsing and calls/SMS. The Pinephone cannot perform any of these tasks competently. The thing it does best is playing music, but this drains the battery. It will not reliably place/receive calls/texts (and 911 doesn't work IIRC). It can barely handle basic web browsing. KDE on this device literally pegs both CPU cores to 100% all of the time. Phosh is better but still dog-slow. This is the case even with the many years of improvements the community has been making to these devices. It used to be significantly worse, and the software is monumentally better than it ever has been. I love this device, and it deeply saddens me that it has such major flaws.
All of the current Linux phones have major showstopper issues, and saying we're complaining about them being "unable to run modern PC games" is a strawman. The simple fact of the matter is there are no decent mobile Linux options available.
The most endemic problem right now is "Linux" phones that use crummy forked vendor kernels and Halium. For all intents and purposes, these devices are trapped in time and can't meaningfully get software updates for major system components. The 2 decent Halium-free options, the Pinephone and the Librem 5, both still use downstream kernels, and the Pinephone's kernel is maintained by 1 person in their spare time. I think it's apparent that this is not sustainable, and one can't reasonably expect megi to maintain this device forever.
As sad as it makes me feel to say this, I don't foresee these problems improving for a long time. As of now, I remain stuck with a Moto E6 from 2019 (Android 9.0) as it seems to be the final device ever produced with a replaceable battery, headphone jack, SD card slot, and screws instead of glue.
> Pinephone's kernel is maintained by 1 person in their spare time
Most open source projects, except a few popular ones, are maintained by 1 person in their spare time.
Man, I just want to get a Raspberry Pi and screw together a touch display screen with some sim attachment as my phone.
Or a device which can just take a X server running on the same port of sorts but I have found that sure you can do something like it, but it's gonna be inferior / subpar compared to a phone but definitely possible.
Halium is fine.
If you wait around to be purist on this issue all day, nothing will ever change. Something like e.g FuriLabs is good for growing the ecosystem and getting people actually exposed to something other than iOS/Android.
And yet I've been using these devices for 17 years now (first Neo Freerunner, then Nokia N900, now Librem 5) and they've been good enough for day-to-day use. With some compromises, sometimes effort, maybe not for everyone, but they sure were usable by a determined person who cares.
I do have a replaceable battery, headphone jack, SD card slot and screws. I do some Web browsing, reliable calls/SMS, playing music for hours. It's starting to get a bit slow and old over the years, but I still see no reason to switch to any less user-respectful device.
What I worry about is whether there will be an upgrade path within the next decade. So far there was the Liberux campaign, and it failed. I already had to use an Android device as a secondary phone for 2-3 years before I got my Librem 5 because the N900 eventually aged too much to be usable for the Web and there was nothing on the market that could properly replace it. I don't want to need to do that again.
PinePhone is a low-end device with no support other than what you get from the community. It was a good option for those who couldn't afford anything else and wanted to invest their time and skills instead of money, but there are no miracles. The community of people who did actually care turned out to be small enough that you can still find some low-hanging fruits to work on today - and that's the thing I wanted to point out. I see lots of people who talk about how much they want Linux phones, but it's a tiny subset that actually acts like it. They won't fall from the sky - not when the sales of existing devices can't finance developing their successors.
> It can barely handle basic web browsing
I don't understand what you're talking about. SXMo (https://sxmo.org/) is fast on Pinephone. Even Phosh is pretty usable. Firefox with NoScript is more than good enough to browse web sites with pictures.
Also, Librem 5 is much faster than Pinephone, and I've been using it as a daily driver for quite some time already.
I have to second this. I've bought two of these devices over the years: first the Neo Freerunner and then a Pinephone Pro.
I spent over two years persisting, trying to get the Freerunner to a state where it was usable as a phone. Openmoko were more interested in rewriting from scratch and making sure it had pretty animations than things that some might consider more important, like working power management and phone calls.
For a long time I called the Freerunner "the worst phone ever made"...
...but then I bought a Pinephone. Which couldn't even play mp3s without stuttering - something even the freerunner could manage over a decade earlier. Don't get me started on the "quirkiness" of trying to use it to make and receive calls. Also the keyboard attachment I bought with it never worked. I tried multiple distros and whatnot, but I didn't get to spend a huge amount of time experimenting, because less than a month after I started to try actually using it, I dropped it, and it was so fragile that the screen was destroyed, despite me having bought a screen protector for it.
I've looked at a lot of these devices over the years and been tempted many times. I was very put off by the freerunner experience. The pinephone experience was actually almost impressive that it managed to be somehow worse.
I've just been scanning the postmarketos wiki looking at how that works with a few different devices. The number of devices that have some feature like calls / gps / camera / etc "partially working" is dismaying, particularly for open devices like the pinephone and librem.
Personally I switched to using lineageos on phones a long time ago. It's not ideal but at least it's usable as a phone.
> By what mechanism do you propose we stop a bank from saying "we'll only support connections from iOS devices", if not the democratic market force of ensuring enough of their customers demand access from devices running free and open source software?
Similar to all the accessibility requirements, of course. Do you think the society / government should force banks to provide services to blind or deaf people? Or should we just let the market decide?
I never stated that it's never reasonable or good to force corporations to behave against their interests. What you stated is that the "mechanism" might be to treat a person's chosen software stack as a protected class. I can't agree with this, in any sense, and I think you're just trying to distract the conversation by suggesting it.
In a sense, that is the solution: ensure availability through open standards (like the web platform) through legislation.
My bank has stopped issuing physical TOTP tokens years ago, and I am holding on to one from 2006: when that one dies, I won't be able to use their e-banking web site if I do not have an Android or iOS locked-down phone.
No, that does not mean making it a protected class. But instead, guaranteeing access through open protocols and open platforms should be sufficient.
I also hope legislation, like CRA/NIS2 in EU and different e-waste regulations combined, will push manufacturers to consider FOSS approach as a get-out-of-jail card too.
Accessibility requirements are completely unrelated to protected classes.
I've done research on this, and have considered it but it's capital and time intensive even if I think it's viable.
There are two reasons I think it's viable now:
1. It's possible to wire an agentic system management service into the OS to handle a lot of the routine stuff, so non-technical users will be able to just talk to their computer and it'll be fine tuned to be good at fixing system issues, installing/removing software, managing windows, etc. I developed a scheduling inversion of control executor for enterprise agent control that I've looked into adapting for this use case.
2. The steam deck has proven a new model. Game friendly and a simplified UI is enough to carry Linux. New Arch rices like Omarchy are pushing the envelope of usability. I've been ricing desktops since enlightenment on slackware 96, so I'm pretty familiar with this world.
Regarding form factor, I'm not a huge fan of phones, too many tradeoffs. I think with strong AI voice systems, the optimal setup is buds + tablet. That's a better setup for mobile linux anyhow, and it makes the hardware almost a non-issue.
This is a valid take. I do not agree with it in general: if we look beside the consumer devices, FOSS software is everywhere, and powers almost everything consequential.
But the mobile phones specifically turned from phones into trusted terminal which institutions like banks and governments use to let users control large amounts of money and responsibility. And the first rule of a secure device is to be limited. In particular, the device should limit the ability of its owner to fake its identity, or do unauthorized things with networking, camera, etc.
This junction of a general portable computer and a secure terminal is very unfortunate, because it exerts a very real pressure on the general computing part. Malicious users exist, hence more and more locking, attestation, etc, so that the other side could trust the mobile phone as a secure terminal.
It would be great to have a mobile computer where you can run whatever you please, because it's nobody's business. And additionally there'd be a security attachment that runs software which is limited, vetted, signed, completely locked-up and tamper-proof on the hardware level (also open-source), which sides of the communication would trust. Think about a Yubikey, or a TPM, but larger and more capable. The cellular modem and a SIM card are other examples, even though they may be not as severely hardened. They are still quite severely limited, and this is good.
If I were to offer an open-source phone (and, frankly, any mobile phone), I would consider following this principle. Much like the cellular modem, it would carry a locked up and certified security block, which would not be user-alterable. It would be also quite limited, unable to snoop into the rest of the phone. The rest of the phone would be a general-purpose computer with few limitations. Anything that would want to run on it securely would connect to the unforgeable interface of the security module, and do encryption / decryption / signing / secure storage that other parties, local and remote, would be able to verify and thus trust.
One can dream.
If they want to manage their hedge fund from their phone, then maybe they should consider using a special device for that. It doesn’t really matter for the rest of the people, as the status quo shows.
Locked devices are created to supposedly ensure the security of a device user, not because malicious users exist.
SIM card is a good example. Technically, that's trivially solvable with a PKI infrastructure (a malicious user can't trivially and successfully misrepresent as google.com): operator runs their CA, and by signing your certificate, they attest that you are the owner of a particular phone number. No malicious user can mess with that (other than attacking the CA).
What they can do is attack end-user devices through different cheaper means (social engineering, malicious apps, exploits...), and extract individuals' private keys, thus allowing them to misrepresent as that individual. A SIM card protects against this by not making the private key accessible in the first place.
This is exactly what locked devices do: they protect customers from not knowing how to properly (including securely) use their devices.
This is what we need to focus on as technologists: if we know how to securely use our devices, how do we opt out of others "protecting" us, and take full responsibility and liability for security lapses?
It's got nothing to do with protecting users. It's got everything to do with protecting the corporation from the users. Especially the corporation's bottom line.
If you have a free computer, you can make it save a copy of the film the corporation is streaming to you. It's your computer, you are in control.
If you have a corporate owned computer, it will not let you do that. They own the computer, they are in control. If you manage to subvert their control, it will be detected and they will not stream the movie to you.
Substitute corporation with government, and streaming with cryptography. Now consider the fact Europe is trying hard to enact laws that force client-side scanning of our end-to-end encrypted messages.
That is the war we are fighting. The fact we are losing hurts me deeply. It is hard to put into words my disillusionment.
Jails are created to secure users. Jailbreak is created to make users insecure!!!
?
They can represent themselves as users just fine without extracting keys from the Secure Enclave. What are you talking about?
> We need nerds who care about this to stop typing on hackernews and go start a phone hardware company. That's it.
We need nerds that are more politically conscious than that, and are not naive enough to believe they can solve political problems through creating companies and hardware.
At this point there are only two things stopping me from using kde or gnome on my work box: Apple and my employer, and I could probably convince my employer. The hardware though is something I’m not willing to compromise on and Apple is in a tier above everyone else currently, so I’m stuck with subpar macOS, not planning on upgrading to Tahoe for as long as possible.
How do you price this? How many flops per watt for freedom?
Can you be more specific about why you are not upgrading to Tahoe concerning software freedom?
I’m not upgrading to Tahoe because liquid glass is dumb.
You can run Linux on Apple devices using the work of these folks:
https://asahilinux.org/
Nerds have been at it since the OpenMoko days, the problem is that they don't understand what the general public cares about, thus all those efforts end up failing, as the few nerds that care about being customers all get a phone, and there isn't anyone left to keep the business going, buying new devices.
Eh? Samsung still maintains a whole suite of independent alternative apps, providing things ranging from NFC payments to calendaring and contact management, that they stuff onto their phones in addition to the usual Google fare.
Until very recently, most/all of their phones had alternative Samsung-produced chipsets available in various markets (Exynos).
They've got their own app store as a built-in.
And they also maintain their own small-system operating system, with Tizen, in case it all goes to shit.
They've been working very hard on parallel development for quite a long time. They're probably better-prepared to jump ship than any other top-tier manufacturer of Android cell phones is.
Motorola Mobility? That was spun out of the stodgy-big batwing mothership in Chicago a long time ago -- and first purchased by Google, before being sold to Lenovo. Subsequent to Google's influence, whatever remains is ill-prepared to jump ship, but that was certainly a design intent. That behemoth is much more dug-in.
So the outlook is certainly gloomy, but it's not all darkness.
(In terms of things like banks only supporting one OS or another: Gosh. Prior to the entrenchment of the smart phone age, I never installed a company-specific consumer banking application on any computing devices at all. It was OK. I just used Sir Tim Berners-Lee's World Wide Web to do that stuff, sometimes with a side dose of SMS on my dumb-phone for active notifications.
And still today, I don't have banking apps for most of the companies that I do banking-stuff with -- and I get along fine with keeping track of the money I have, the money I owe, and the bills I need to pay.
Maybe the right answer here is to shore up the utility of the platform-independent WWW.)
> Eh? Samsung still maintains a whole suite of independent alternative apps, providing things ranging from NFC payments to calendaring and contact management, that they stuff onto their phones in addition to the usual Google fare.
Which is EVEN WORSE in maintaining device attestation than Android. Read about the Knox warranty bits.
> To me, this is... fine. Not ideal; but fine. We should fight like hell to score wins where we can, like in right to repair, parts availability, ensuring old devices are kept up to date for as long as possible (Apple is pretty good at this); but if I have to carry an old iPhone in my backpack to access my bank because they refuse to support my hypothetical GnuPhone 5, the world isn't going to end.
But even as you say, as you're using Arch as your desktop computer, things may be fine now, but they're only going to get worse.
Should we all have to carry two laptops because anything running a free software core is just utterly unusable due to remote attestation?
> We need nerds who care about this to stop typing on hackernews and go start a phone hardware company. That's it.
Didn't you just spend most of your comment talking about how the market forces don't care anyway? What good is starting up a phone hardware company that will ultimately go bust due to total apathy of the general consumer?
Agreed. It's only going to get worse and all current trends validate that. It’s clearly trending towards closed source big brother platforms. E.g ios, android, windows and macos.
It does look that way. Though there is one potential silver lining around the madness going on in geopolitics: much of the rest of the world is rethinking its long-standing strategy of relying on American software. That makes Open solutions look a lot more attractive, even to the average politician, than say a year ago.
Yep
"free and open web" isn't even what it used to be anymore; many are using bots and AI to make things worse, and many people, especially young people, don't even do "surfing" on the web anymore
like it or not, but an internet that needs verification on a personal level is the future; I don't agree with it either, but if you see it from the progress perspective it's always been like that