Comment by sambuccid

12 hours ago

It doesn't solve the current issue, but in case we don't manage to push back on this, some people might not know that there are various actual linux OSes for mobile:

- SailfishOS: still Linux-based and seems fairly community inclusive, but the UI part of the stack is closed source. It is the only one officially allowed to run Android apps, via emulation. Has existed for a very long time, it's lightweight and I think the most stable/bug-free in this list.

- Ubuntu Touch: fully open source and community driven, it uses snap packages for security, you might be able to run Android apps. Last time I ran it, it also seemed fairly stable/bug-free.

- PureOS: fully open source and privacy focused. I think it's the only one that, released with the Librem 5, can avoid using proprietary blobs for interfacing with the hardware. Seems less stable than SailfishOS and Ubuntu Touch. You would need to buy a fairly expensive-but-old phone (Librem 5) to run it.

- PostmarketOS: fully open source, focused on being lightweight and reviving old phones, has a huge amount of phones it has been tested on, is based on Alpine.

- Mobian: mobile version of Debian, it's fairly new on this list.

There are many more linux mobile OSes, but as far as I know these are the main ones. There might also be some inaccuracies in this post, I tested some of these a long time ago, and I never actually ran the last 2.

> It doesn't solve the current issue

These operating systems aren't compatible with most of the apps and services people want to use. It's going to become much worse. The compatibility layers several provide have extremely poor compatibility combined with disabling the Android security model and app sandbox. Apps running in those compatibility layers are much less contained with less isolation from the Linux kernel, not more.

Aside from that, many people care about privacy and security. Each of those operating systems is far less private and drastically less secure than the Android Open Source Project. None has a truly complete and working app sandbox or permission model. None uses modern exploit protections. None has serious hardware-based encryption features needed to protect against data extraction. They're not serious alternatives to an iPhone from a privacy and security perspective as an AOSP-based OS on decent hardware can be.

> but in case we don't manage to push back on this

It's a warning that's being added to Google Mobile Services operating systems. It doesn't negatively impact other operating systems based on the Android Open Source Project.

> various actual linux OSes for mobile

Linux doesn't mean GNU/Linux or systemd/Linux. It doesn't at all imply using glibc, systemd, GNU coreutils, Bash, GNOME, etc. Distributions using different userspace components including several of the ones you've listed are still Linux. Android-based operating systems including AOSP and GrapheneOS are Linux distributions. Alpine doesn't use glibc and SailfishOS has a lot of their own mix of open and closed source software. Using a typical desktop Linux userspace stack isn't what makes it Linux and there's also not a lot of consistency in what's used on desktops regardless. A Linux distribution not using musl, glibc, GNU coreutils, etc. is still Linux.

> There are many more linux mobile OSes, but as far as I know these are the main ones. There might also be some inaccuracies in this post, I tested some of these a long time ago, and I never actually ran the last 2.

AOSP-based mobile operating systems are Linux distributions.

I'm using a Librem 5 as my daily phone. PureOS is actively developed and based on Debian. Monthly development updates are published here: https://puri.sm/posts/tag/advanced-readers/

Personally, I do not use Android apps on the Librem 5, but Waydroid is available in the PureOS repository. Waydroid is a container-based approach to boot a full Android system on regular GNU/Linux systems running Wayland based desktop environments (like PureOS).

PureOS also provides convergence via Phosh. Convergence means here that the same app can be used on a phone and on a big screen, the GUI adjusts to the available screen size.

Phosh aims to provide a daily-usable, robust and easy to use graphical user environment for mobile devices running mainline Linux. Phosh was originally initiated by developers from Purism for the Librem 5 phone but is nowadays used on many different devices covering smartphones, tablets and convertibles. It has even been seen on laptops.

  • > Waydroid is a container-based approach to boot a full Android system on regular GNU/Linux systems running Wayland based desktop environments (like PureOS).

    No, it's only a partially working form of Android with the privacy/security model largely disabled and poor app compatibility. Waydroid is based on an ancient release of Android and disables the SELinux-based privacy/security model. It doesn't contain apps from each other and has far less protection for the Linux kernel from the apps. It has poor app compatibility and isn't a good approach to running Android in another OS. ChromeOS made a proper better Android container not losing the privacy/security model but migrated to using hardware accelerated virtual machines. It makes a lot more sense to use a VM since current era smartphone hardware fully supports it.

    > PureOS also provides convergence via Phosh. Convergence means here that the same app can be used on a phone and on a big screen, the GUI adjusts to the available screen size.

    Android Open Source Project has a desktop mode. It has a hardware-based virtualization layer for running desktop Linux applications too including GPU acceleration support.

    > Phosh aims to provide a daily-usable, robust and easy to use graphical user environment for mobile devices running mainline Linux.

    Android runs fine on mainline Linux. It doesn't require special kernels. That's tied to specific hardware rather than Android.

    PureOS has far worse privacy and drastically worse security compared to iOS or AOSP. It's bringing the traditional atrocious privacy and security of desktops to mobile. Librem 5 also combines that with extraordinarily insecure hardware missing basic firmware updates and security protections. As a whole, these make it drastically easier to exploit devices. That includes going back to disk encryption which doesn't work for the average user due to them not using a strong passphrase and not protecting against data extraction with physical access unless the device is turned off.

Usability-wise, they are no match for Android and iOS—or even versions of them from five years ago.

UI/UX is costly, and most FOSS projects cannot get it right without massive investments from enterprises (e.g., Red Hat's UX designers heavily contributed to GNOME) or startups (e.g., Zed, Element, Bluesky).

Projects without that backing are mostly unusable, at least from a Gen Z perspective.

  • > Usability-wise, they are no match for Android and iOS—or even versions of them from five years ago.

    They're also no match for the privacy or security of iOS or AOSP. They're bringing the lack of privacy/security model and protections on desktop operating systems and hardware to mobile. It's a massive regression for privacy and security despite being marketed in the opposite way.

  • Biggest problem is banking, rideshare, airlines, various other service provider apps - for example, if a cell phone service requires a particular app, etc. It's not as much of a problem in the United States (besides banking), but I've noticed that in Singapore, for example, all sorts of things are tied to mobile apps.

  • Usability-wise it's hard to make too general statements - for me the killer app on mobile is the ability to independently adjust app volumes which is unavailable on mainline Android/iOS (it is supported by a few vendor branches like Samsung's, though)

  • I agree that the usability is behind, as we would expect. For me it's mainly about missing apps and some hardware support. But in terms of UX for example I liked using SailfishOS, although I'll admit the UI needs some getting used to.

    But I prefer this to the feeling that I'm being limited on what I can do on Android/Apple, and the worry of being in a duopoly that allows the companies to worsen their products without ever fearing competition (as far as they do it in small chunks).

  • FWIW, I use my smartphone as an MP3 player, SMS messenger and TOTP auth. iOS and Android did that fine 5 years ago, I don't need Instagram or 8 Ball Pool to survive in life.

And all are useless because you can't use your mandatory bank or gov id app.

  • Not useless. It is like the missing printer driver for Linux Desktop. It makes the experience ugly, but this is not the fault of the Linux OSes.

    Also the bank should not require apps (instead they can offer hardware key support or desktop apps) and in fact some - at least in Germany - offer a different authentication possibility. Also the app for the German ID is published on fdroid and does not rely on Google services.

    • Probably not the case for most people. I'm living abroad and had to do something on the Brazilian e-gov platform. To log in I had to confirm my ID with an Android app. Not only is it exclusively on Play store, but it also refuses to install on any rooted device, so I had to boot an old non-rooted Android I had stored somewhere.

      I'm confident this is a very common experience worldwide, be it with gov IDs or banks.

    • Good for Germans then. Slovenian banks won't let you use physical 2FA authenticators (for personal accounts and maybe even business ones at this point) anymore and will also require you to constantly update their stupid app (I've had to replace some otherwise good phones because the OS version wasn't supported anymore).

    • There are plenty of banks in Germany which offer over-the-counter services, if you prefer to do banking as if it's 1999. Most of the time, when people say it's impossible to live without a smartphone, it's actually only impossible to enjoy the conveniences of the internet without a smartphone (at least in Germany). Besides these rentable scooters, I can't think of anything that actually requires a smartphone. Sure, you'll miss out on a lot of conveniences, but I remember a time where that was the norm, so it's not like it's unreasonable.


    • The question of how useful or not it is is orthogonal to whether it is the "fault" of Linux. Users who can't use it because something they need just doesn't work won't change their minds because the blame lies elsewhere.

    • SailfishOS can run lots of banking apps with an Android emulation layer.

      It's not perfect, but far from useless. Some use it as a daily driver.

      Depending on your country, it can be super doable. There are also lots of indie native apps.

  • In my country, partially due to sanctions, you can access the bank via browser and receive 2FA codes on a $15 dumb phone. Also why do you need a bank app on your phone? Do you like to give money to random strangers on the street? Only scammers need money urgently. Also it is not secure to use the phone as a single factor to access the bank.

    I do not have any bank apps on my phone (it is not even connected to the Internet) and I have no problem.

    • > Also why do you need bank app on your phone?

      Many banks gate features like mobile check deposit behind the native app. The nearest ATM is 20 minutes away from my house, so unfortunately I consider this feature essential.


    • In a town nearby me (not really near me but within an hour's driving distance), sometimes I will see old people selling fresh fruit/vegetables in their front yard. They typically take cash, Cashapp, or Venmo. It's super convenient to be able to use Venmo in that situation. These are people I haven't met before.


    • I can do everything on my bank app from prepaying small amounts of a loan, spend analysis, opening fixed deposits and such.

  • I don't have a mandatory bank or gov id app. Where are you living?

    • Apparently much of Europe is a strange banking dystopia.

      Perhaps the antiquity of the US banking system is finally coming in handy. I’ve still got my checkbook ready to go!


    • In Sweden it's not "mandatory" in the sense that it's illegal not to have it. It's just really really complicated to live without.

      Many services won't work at all.

  • Online banking is a thing. A heck of a lot more secure than an app on a certified android device passing play integrity but having last received security updates years ago and with a ton of privilege escalation exploits. Gov id? Just say no.

  • Might be worth trying to get your gov to pin down the number of users or process to get gov id supported on any new platform.

    They likely won't specify 100k people or 10% of population or whatever email/petition but it at least records the requirement that other OSes exist and requires a process to support.

  • This bogus "justification" for not considering any alternative, non-corporate mobile OS on any phone makes no sense

    HN commenters will not let it go

    Most HN readers have multiple computers, including multiple phones

    There is no requirement that one has to run a closed-source banking or government ID app on the same phone as open-source apps, e.g., apps from F-Droid

    And it ignores countless people who do not and will never use banking or government ID apps

    I tested a banking app for depositing a paper cheque and it was incredibly convenient. At the same time, the app tried to make a plain, unencrypted HTTP connection to www.google.com

    I blocked these connection attempts and the app still worked, with plenty of phoney error warnings. I would not be comfortable leaving one of these apps installed on a phone that's charged, powered on and has a connection to the internet

    Every user is different but it makes no sense to argue on HN of all places that these closed-source banking apps are essential for everyone. Many HN users are never going to use these apps, and rightfully so

  • I switched banks and made sure it doesn't require Android/iOS. Many banks propose FIDO2 + SMS, even Bank of America does.

  • I don't use bank or gov id apps, why are these mandatory? Country-specific?

  • I mean gov id app really doesn't matter (for now) you can just use your ID card which is credit card sized. (For now, as things might change wrt. age verification.)

    But banking apps are a problem.

    It's not even about the main online banking (you can use a web portal) or storing an EC digitally in your phone (convenient but really unneeded).

    The problem is dumb, misguided 2FA apps. E.g. credit card 2FA which already mostly required Android/iOS to work or even online banking login 2FA, transaction 2FA etc. with same requirement.

    Currently for the latter I can still use other methods but for a huge amount of banks where I live you can't use a credit card (reliably) without Android or iOS as "carrier" for a 2FA app.

  • Except they're not useless because a lot of people aren't mandated to use any such apps. (And I feel sorry for those that are.)

There's also FuriOS with the FuriPhone.

That's Debian-based with GNOME and seems to be built by capable people. Also, it can run Android apps.

I really wish SailfishOS supported more hardware. I love Sony phones, but the Sony phone I love the most isn't supported despite being nearly identical to a supported one.

All of which have beyond horrific security. GrapheneOS is the only acceptable alternative from mainstream Android.

  • Don’t they have standard Linux security? Does my phone need to be more secure than my production web server?

    • There isn't a standard Linux distribution. Those operating systems have drastically worse security than a decent server distribution or the mainstream mobile Linux. Traditional Linux distributions don't have a standard set of core components or configuration so system administrators are assembling their own OS and the differences in security are vast. It's extremely rare to deploy anything close to the level of iOS and AOSP security but it's an entirely different environment on a server. Running a few server applications in weak sandboxes is far different than using a bunch of apps including an enormously complex web browser with a GPU, cellular, Wi-Fi, Bluetooth, NFC, etc. There's also no serious attempt by almost anyone to defend Linux servers and desktops against physical attacks with the disk encryption only even attempting to provide protection for data before the encryption passphrase is entered, not after.

      Those ports of desktop Linux to mobile don't have a proper privacy/security model for running applications. They don't have anything close to modern exploit protections or hardware-based security features crucial to protect against increasingly sophisticated and widespread exploits. AOSP is a Linux distribution with drastically improved privacy and security compared to a traditional desktop Linux distribution. GrapheneOS starts from there and improves privacy and security much further.


    • Linux security is quite bad. Android tries to improve this and GrapheneOS improves it even farther than that.

      Which device you need to be more secure depends on your needs and which device you put sensitive data on, but a mobile device is going to provide far better privacy and security than any desktop hardware or OS is currently capable of.

Which phones are supported by which of these operating systems? And can you provide some relevant links?

  • - https://sailfishos.org - https://docs.sailfishos.org/Support/Supported_Devices

    They have few devices of their own (new one coming out this October) and they officially support many Sony Xperia devices. There are also many community ports.

    - https://ubuntu-touch.io - https://devices.ubuntu-touch.io

    They have 33 supported devices, some are being shipped directly with the OS or have an official agreement with the phone maker, while others are community ports. Even if community ports, they all seem to have high hardware support, and it is all very clearly documented.

    - https://puri.sm/products/librem-5 / https://pureos.net

    They focus just on the Librem 5, and not everything is fully working but as I said they prioritised privacy and FOSS. The phone is old but the OS is still in active development.

    - https://postmarketos.org - https://wiki.postmarketos.org/wiki/Devices

    They focus on supporting as many devices as possible, currently they don't have "main" devices they support, but they plan to. They too have a very clear documentation on features available for each device.

    - https://mobian.org - https://wiki.debian.org/Mobian/Devices

    They target devices made with the intent of running Linux, but also have a few ports to Android devices.

    ---

    You'll notice that there are a few devices that are more "linux-friendly" and that are supported by many of these OSes. Phones from Pinephone and Fairphone being the main ones.

    • > prioritised privacy

      Privacy depends on privacy patches/protections and on security patches/protections. They do the opposite of taking it seriously from the hardware through the software.

      None has anything close to the privacy or security of AOSP or iOS. Librem 5 is the direct opposite of hardware prioritizing privacy and security. It doesn't provide basic firmware updates, uses a bunch of extremely low security components and brings the awful privacy and security of a desktop OS to mobile on top of that. It's the opposite of how you're describing it. Purism's devices also aren't open source as they claim but rather are closed source hardware with closed source firmware. They only pretend it's open hardware and firmware by not shipping the closed source firmware with the OS, which leaves users without crucial privacy/security protections. The components don't have proper updates available regardless due to their hardware choices but they don't ship what is available and prevented doing it for some components.

      > They target devices made with the intent of running linux, but also have a few ports to android devices.

      AOSP is a Linux distribution. Linux doesn't mean glibc, systemd, GNU coreutils and GNOME. If you mean GNU/Linux or bringing systemd to mobile then that's what you should say.

    • So, I upvoted you, but I have to say that most of these seem to target old devices, released 6 or 8 years ago or more, which have long stopped being sold (and may not even be easy to get second-hand).