The time is right for this project I hope they succeed.
Otherwise, their website suggests you can specify a particular project via the memo line of a check:
I'm willing to suffer a rough beta or alpha experience, but let me use modern hardware of my choice.
That said, the phone market is huge. They could sell enough devices to fund future development which might be good enough even if it doesn’t slow down Apple or Google. At least then there will be a device for those of us who are not happy with the state of things.
Is there survey data available on this? Anecdotally, everybody I know hates their phones. In fact, I think if you asked, "what's the biggest pain point in your life right now?" I think most people will point to their phones.
> I don't think you're the target market for this phone.
My comment is downstream of the entertaining of a possibility of:
> a significant user base that runs alternative operating systems
... which isn't going to happen if you ask your users to give up commonly used features. It will forever be a niche project, at best.
People do proprietary bullshit because they want to do proprietary bullshit. Anything else is made up.
WTF? What kind of shitty banking system are you using?
The only supported 2FA is the bank's own dedicated 2FA app.
To hack the banks app you have to find an exploit in iOS or Android which would allow you to read the other apps private storage, which is borderline impossible now. To hack the banks website you just have to buy some random browser extension and add malware to it, or break into someones NPM account and distribute it there, or any number of ways to run code on someone else's computer. Something very achievable by an individual.
Does it? The browser doesn't do anything, the person sitting at the computer where the browser is running is what performs the actions. The reauthentication and 2fa is meant to authenticate and authorize the user, not the browser.
The attack vector of someone else using your phone using an app that doesn't require (re)authentication is independent of the browser or the app itself being trusted. That your bank doesn't periodically require some kind of re-authentication for their app is a security hole, but because the device could fall into the wrong hands, not because the code/app/browser used to access it isn't trusted.
My other bank offers 2FA via chip reader as an alternative. I guess that's somewhat viable for an alternative phone OS, if you want to carry the reader around with you
That might just be European banks though
The phone I really want is as uncomplicated and open as possible and beholden to no corporate economic interests or privacy invasions.
Now that I'm retired I'm looking for a project to immerse myself in. This sounds like just the ticket.
Also many websites are making it remarkably hard to not use the app if they even remotely sense you're not on an actual PC. FB and LinkedIn aren't banks but prime examples.
I like my credit union.
I remember the stagnation of Internet Explorer combined with increased awareness of security exploits in Windows and Internet Explorer led to the rise of Mozilla Firefox and (to a lesser extent) increased marketshare for the Mac. This, combined with the arrival of smartphones around 2007, put pressure on organizations to make their Web sites accessible to a wider range of browsers instead of just IE.
Perhaps if we had a critical mass of people using phones with FOSS software, this would be enough for banks and other organizations to consider people who don’t use Apple/Google products.
The challenge, though, is getting that critical mass. Firefox benefitted from Microsoft’s fumbles in the 2000s. It’s going to be hard for a FOSS project to compete head-on against Apple and Google.
A free OS will empower developers to implement technical workarounds that could trick these apps into working there. If the OS is tightly controlled, we have no recourse.
Even in the worst case scenario, we could use a cheap big-tech-approved phone for these applications (a glorified digital token) and use the free phone for everything else. When there's enough adoption and trust in the new phone, non-technical avenues are available to influence these organizations to accept the alternative.
If you can't be sure what's going on and unable to inspect or debug the hardware and software, how can you trust it's doing what you want?
Proprietary hardware and software is already known to work against the interests of the user. Not knowing exactly what's going on is being taken advantage of at large scale.
Let's put it this way: if you can choose between making your own lasagna with a good recipe vs ready-made microwave lasagna. What would you choose? How about your suit? And would you trust an open known to work well pacemaker vs the latest Motorola or Samsung pacemaker? Would you rather verify the device independently or pay up for an SLA?
You trust hardware and software by establishing boundaries. We figured this out long ago with the kernel mode/user mode privilege check and other things. You want apps to be heavily locked down/sandboxed, and you want the OS to enforce it, but every time you do you go up against the principles of open source absolutists like the FSF. "What do you mean my app can't dig into the storage layer and read the raw image files? So what if apps could use that to leak user location data, I need that ability so I can tell if it's a picture of a bird"
For sensitive information - such as financial transactions - the rewards for bad actors are simply too high to trust any device which has been rooted. The banks - who are generally on the hook if something goes wrong, or at least have to pay a lot of lawyers to get off the hook - are not interested in moral arguments, they want a risk-reduced environment or no app for you - as is their right.
In other words, should the device be responsible to enforcing DRM (and more) against its owner?
Does anyone remember having a copy of internet explorer that the bank required (or chrome these days) but using firefox for everything else? Apply that concept to a phone.
Luckily, here in the U.S. this is still possible. I run Graphene on a Pixel without Play Store compatibility layer and everything just works. Most of my apps come from F-Droid, with the notable exception of Whatsapp, for which a standalone APK is available. Unfortunately, it is proving difficult to get rid of Whatsapp entirely because of friends and family.
But the partially wrong part is, we can make our own platform. PCs let you install and run any software you want, because it's an open platform. If we make an open platform smartphone that can compete on features with the closed behemoths, and that then becomes popular enough, then banks may offer apps on that.
But this is tricky too. Linux already has issues getting official support from corporations. We'd need our open platform to be compatible with the closed ones, so that it's easy for banks to run their apps on our open platform. There are already ways around this, like virtual machines to run Android, or other methods. But the closed behemoths may try and end-run around this, like DRM. So we'll still need to advocate for our rights and compatibility.
Stallman had a good idea for free (as in freedom) software, but then "missed the forest for the trees" by focusing on the source code.
Make sure your app has a progressive web app version that has feature parity with the store apps. That way, the app will work on phones like the librephone, and, if Apple or Google decide to kick you off the store, you and your users have some recourse. As a bonus, it’s compatible with open source — users can modify the app and install it without jailbreaks, root or (for now) sideloading.
React Native supports this (and can mostly be bundled with electron for mac/win/linux support).
Are there other stacks people can recommend?
And it will in turn depend on Secure Attestation, Web Credentials, and other recent W3C work to provide proof that you're the registered owner, age of majority and verified by thumbprint or other biometrics, running an unmodified device. Your ID might be escrowed with your OS vendor, email provider, bank, ISP, or even Twitter/X, who knows. Either way, as an end user you'll be mollified that you don't have to provide your ID to the adult site, and the adult site will be happy that they don't have to implement any of this themselves.
And, of course, this will mean that an intelligence service could have ironclad proof of exactly what person visits what website, effectively killing a lot of online anonymity.
Time to donate to the EFF and FSF I guess…
Log in to your bank over the internet, the normal way.
Given the apparent trajectory of the corporate/government model of organizing society, it seems like they're going to be the ones that will be second-class citizens.
1.: https://grapheneos.org/articles/attestation-compatibility-gu...
What does it matter if you can use any OS you want if your phone is filled with SoCs which are bugged and backdoored by the state and/or who knows who else? The reality is that we need both free hardware and free software. I can always tell my bank to fuck off and move my accounts to one that gives me freedom to use the mobile OS of my choosing, and if there isn't a single bank on earth willing to do that I can always simply refuse to use my cell phone for banking.
I'd much rather keep the phone I control and trust while limiting myself to only having the options of a desktop PC, a laptop, an ATM, a phone call, a drive thru, and walking into my bank's closest branch when interacting with my bank. Not being able to also stab my finger at a cell phone screen to check my balance isn't really that big of a deal.
The only project I know of that really actively addressing the end to end problem is Bunnie Huang's precursor.
Work seems to be going on low-key: https://github.com/betrusted-io/xous-core
Currently scope only seems to go as far as the operating system
These projects have stuff that works, but the lack of firmware for chips that can connect to modern cell infrastructure means that they can't really create an appealing product. The OS layer is where all previous Linux phone efforts have failed, and I hope the FSF makes it farther than everyone else has.
The OS layer is where the existing projects are thriving, with various distros and shells to choose from to match one's needs and tastes. It's the appropriate hardware that's in undersupply. I'm using a Librem 5, a 2019 design, and if I wanted to switch to something newer I can't because there's no viable upgrade path on the market. No other hardware vendor has invested significant resources into mobile GNU/Linux since then, everything else is either purely community-based or uses Halium.
I like postmarketOS, but it always felt to me more like a pet project than a real OS, for that reason.
Seems like a smart decision to me since that's what everything phone related builds to as a lowest common denominator anyway.
Funny, I would have used those exact words had they chosen anything BUT Android as their base.
All the other "freedom" Linux phones are failures (yes I'm sure fsflover will now chime in to but akshually). I know because I bought them all. They all have one thing in common: the software sucks.
And I don't even need apps. Just basic phone functionality (several Linux phones still can't do MMS), a web browser, and no crashes. Unfortunately no Linux phone has been able to give the to me yet. Whereas Android has been delivering for over a decade.
Doesn't stop you on working from there once that milestone is reached.. I would certainly welcome more alternatives in light of the recently announced changes from do-no-evilG
Trying to build a non-Android Linux phone that is competitive is just not practical at this point. It would require an enormous amount of funding.
Not even just "requires a mouse/keyboard", but a lot of things of the form "assumes a reasonable screen size", ...
In a modern smartphone, modem is often a part of the SoC itself - and it runs some of the biggest and fattest blobs you've ever seen.
In most countries, the spectrum that cell phone carriers use is licensed to the carrier, under the condition they only connect devices that are guaranteed to comply with the requirements of using that spectrum. The end user (i.e. the person with the phone) has no license to use the spectrum. So in order to get regulatory certification, basically every modem has to be locked down so that the end user cannot operate it in a way that would violate any rules or regulations for using that spectrum.
So basically, it's illegal to have open source modem firmware. At least, as long as cell phones are operating on spectrum that isn't open for public use.
Ultimately, if you want to open source a modem, you first need to build your own cell phone network.
there are also all kind of open source lte/cbrs projects iirc
I am so happy they are focusing on Android, one of the most popular operating systems widely used by every day people. This is important work for providing user friendly, free software to users.
Let's just hope they don't fall into the trap of disqualifying binary blobs sent as part of drivers vs opting for hardware that harcodes the blob.
They're saying approval of any who-knows-what code shouldn't be decided based on how it's loaded.
The OP's point is, having the firmware permanently burnt-in on a ROM chip vs loaded as a binary blob via a driver doesn't change the "non-free"-ness of the firmware itself.
So opting for hardware which has a "fully-open-source" driver, but runs a binary blob encoded into the hardware, doesn't make the system fully open.
It's a take for a more Free system, not for accepting binary blobs.
(Or I guess for acknowledging that if you're willing to allow binary blobs stored in hardware, then dynamically-loaded binary blobs doesn't change the "free"-ness.)
Open Source Firmware signed by OS > Firmware blob signed by device manufacturer > Firmware blob hardcoded by device Manufacturer
The FSF treats hardcoded firmware blobs as "free" and updatable firmware blobs as nonfree despite there not being a big difference between them in practice. And practical differences like being able to fix security issues benefits users.
This needs to be done before age verification apps become universal..
They should probably prepare themselves to make ideological concessions... The situation is very ugly here in mobile land. Treacherous computing, remote attestation, DRM, all ubiquitous and normalized...
*Edit* Because Idiots are Downvoting me, look at the texas law SB 2420 as an example. These phones will essentially be illegal in texas unless they comply with already passed laws.
Any reason that can't happen now in something like the Steam Deck?
[0] https://www.thinkpenguin.com/gnu-linux/usb-4g-lte-advanced-m...
These days, I see FSF and all I can think of is a donation racket with zero sincere intent to operate or capability to execute. If they were not still cashing in on goodwill from the Unix Wars era, they would be nothing more than a grift overseeing a mountain of copyright assignments.
I can't take these jokers seriously.
Years after mobile phones came onto the market they are now planning to create their own phone.
Hopefully this project will go better than Replicant. Here are my notes on running Replicant on the (then already very old) flagship Samsung GT-I9300:
https://www.neilvandyke.org/replicant/
The hardware was a little difficult to obtain in the US, and WiFi worked only with a blob of questionable provenance.
It looks like Replicant has been stuck for several years, and they recognize that they need to find a new device, funding, etc.
(After Replicant, I spent some time on PostmarketOS with various devices, and then gave up and bought iPhones, and then got ticked off and moved to GrapheneOS.)
I wonder whether the FSF is already collaborating with Purism on this, to leverage their work on the Librem 5 and PureOS, which I believe the FSF is well aware of. If the FSF manages to muster a lot more open source volunteers on a more affordable hardware, but that work is also usable for Librem 5, then it could be a win-win. (And Purism also has something called Liberty Phone, which is a made-in-USA Librem 5 phone, so their lawyers should talk about trademarks in any case.)
Terr_•4h ago
Just because pieces are open-source (or "free software") doesn't mean the autonomy and capabilities we want are necessarily present in the overall system.
[0] https://news.ycombinator.com/item?id=45562286