← Back to context

Comment by HybridStatAnim8

2 hours ago

You dont have the ability to guarantee you have overridden anything. The integrity of the OS cannot be verified and anything with root can lie to you that it was revoked. It does not put power in your hands.

Installing your own build does wipe the device when you unlock the bootloader, yes, but updating it with a locked bootloader does not. It would be a one time transfer if you have official images already installed.

Your paths forward are a false dichotomy. These are not the only 2 options. You can simply update your build with the changes you want.

The randomness of an app is irrelevant and apps need to jump through significantly less loops to obtain root access without your input. And even if they didnt do that, and you permitted root instead, the app can lie about you revoking it later in either case.

This is blind ideology over safety and real ownership. Root is a hacky shortcut for proper functionality, and is not a prerequisite to ownership in the slightest.

> Your paths forward are a false dichotomy. These are not the only 2 options. You can simply update your build with the changes you want.

Okay, so once I install grapheneOS, how do I update it with my own custom build while keeping my data intact?

> You dont have the ability to guarantee you have overridden anything. The integrity of the OS cannot be verified and anything with root can lie to you that it was revoked. It does not put power in your hands.

You haven't read anything of what I've written, it's incredible.

You're continuing to use the term "root" to mean granting full power to random apps.

I'm using the term "root" in Linux terminology.

It's not advisable to run random software as root, no matter what platform you are on.

But the OS' native file explorer and shell, in this case com.android.documentsui/com.android.files and adb, should allow the user to authorize themselves as root and read/write to any file.

  • You would install your own build of GrapheneOS. Not the official images.

    Its not advisable to run anything as root, at all. Or expose access to it in any form.

    You can make userdebug builds to access a form of root that doesnt undermine the entire security model, in ADB. Afaik this lets you access apps internal directories but is not recommended for production devices.

    • > You would install your own build of GrapheneOS. Not the official images.

      Awesome, so you're advising against installing GrapheneOS for anyone that wants control over their own data.

      Sorry for twisting the words slightly, but that's the essence of the issue here, isn't it?

      > Its not advisable to run anything as root, at all. Or expose access to it in any form.

      And then you advise for exposing access to it in pretty much the same form I asked for before.

      It'd be funny if it wasn't so exhausting.

      Regarding the security model: So adjust the security model.

      Any access that an app can have, should also be available to the user. Importantly, they should be able to access and modify any data.

      The system documents/files app already has special permissions for that, there's no reason why it shouldn't have access to all files (accessible through the same unlock system as e.g. the security settings)

      1 reply →