[Linux-aus] Grant Application for PinePhones

Russell Coker russell at coker.com.au
Sat Mar 25 20:12:56 AEDT 2023 

On Saturday, 25 March 2023 19:12:49 AEDT Adam Nielsen via linux-aus wrote:
> > OSs such as Android and ChromeOS are free to use but are implemented
> > in locked down configurations and have a development process that is
> > extremely unwelcoming to contributions from the community.  While the
> > F-Droid [3] project does some good work the common use for Android is
> > for mostly proprietary apps.
> 
> I can't comment on the development process, but a lot of the issues are
> around security (trying to limit the damage a rogue app can do).  If
> you're going to allow untrusted code to run on a system owned by
> someone that is not tech savvy, you don't have a lot of choice here.

Running code from untrusted sources does restrict other choices.  But it 
doesn't necessarily have to prevent root access to your own hardware, phones 
have been shipped that are easy to unlock and the sky didn't fall - that said 
preventing your elderly relatives from granting "remote access to a Telstra 
technician" who cold-calls is a benefit.

> But this is one reason why I have chosen to use Google-branded phones
> over the alternatives.  They have a well documented process for
> unlocking the bootloader and allowing you to run your own code on the
> device.

Currently the phones with the best long-term security support are iPhones with 
Google phones offering a couple of years less support.  The other companies 
just do badly.

A large part of the problem with this is the Android security update process 
of putting an image of the new OS on it combined with the fact that one kernel 
can't run with multiple systems.  The latter problem is out of the scope of 
the PinePhone project etc but the former is addressed.  On a Debian based 
system even if you can't upgrade the kernel you can upgrade userspace a 
package at a time and reduce the exposure.  If everyone who does kernel work 
for the PinePhone entirely quits then you can upgrade the userspace for at 
least another 5 years without any problems and barring any "ping of death" 
type kernel bug you will still be reasonably secure.  Running a 5yo kernel 
with random binaries from the net wouldn't be a great idea, but running it 
with the programs that are part of Debian should be reasonably safe.

> I'm certainly not trying to downplay the efforts of PinePhone (as they
> are doing more than just opening the OS) but the core Android OS is
> already relatively open, at least as shipped by Google.

You can download all the source and recompile it all.  If you have the 
resources of a project like LineageOS then you can support binary images for a 
number of different phones and try to support a reasonable range of 
installation options.  But it's hard work for the developers and hard work for 
the users.

> > Also because Android is designed to be used as a locked-down system
> > there aren't good options for performing standard Unix operations
> > such as rsync'ing your home directory to a new device, sshing to your
> > device from a server for remote backups and management, etc.
> 
> If you want to SSH and rsync on an Android device, I recommend the free
> app SimpleSSHD[1].  It provides an SSH server and common commands like
> rsync.  I have used it for many years on my phones for regular backups,
> including moving photos and videos off the device while keeping the
> original quality files.  Once it's set up, SSH'ing into your Android
> device works the same as any other embedded system.
> 
> If you don't have root access on your phone, you have to configure sshd
> via the app to listen on a port above 1024 and you can only get access
> to your user data (like any other app).

Yes ssh and rsync are regular Unix programs that can be compiled for Android 
and run on it.  But the OS isn't designed to be rsync'd which makes it more 
complex.

Also the applications are very different and can't be usably run on a desktop 
system.  The applications for Mobian etc are regular Debian applications that 
are written or configured for smaller screens.  If a Mobian phone breaks and 
you just have your backups you could restore to a desktop PC and run the same 
programs with the same data files.  I think that one of the parts of free 
software is the freedom to sort out unusual situations in the most creative 
way you can find.  Having to buy another phone on short notice isn't what I 
consider freedom, being able to run the same programs on a different system to 
solve problems is freedom.

> However if you have root access to your phone (which you should!) then
> you can configure it to listen on port 22 and log in as the root user.
> Perhaps this comes with some security risks, however it allows you to
> rsync as the root user, meaning you get access to the whole device -
> the OS, all the app data for all apps, the lot.  This allows you to do
> a full phone backup.

Having root is good.  Getting it on a regular Android phone means breaking 
your warranty, getting it on a PinePhone or Librem5 means just buying it.

The risk and effort of getting root on an Android phone is enough to 
discourage most people from trying it.  The solution to this is to not use 
Android phones.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

More information about the linux-aus mailing list