A letter to the CalyxOS community

You can buy phones which run mainline Linux.

I know. The issue is that at least the PMOS compatible ones that I saw mostly are supported only on older, often unmaintained kernels.

You’d have to check the PMOS wiki for the device you’re getting, but I’ve checked a bunch of devices and they all say mainline, so I don’t think what you saw is common.

1 Like

This seems incredibly suspicious and abrupt.

Nick didn’t say why he left?

3 Likes

When senior personnel have access to signing keys and leave a team, it is security best practice to update signing keys and conduct audits

That’s the first time I hear something like that. This is not standard procedure.

As mentioned in our community letter below, we estimate that this audit and the implementation of new security protocols and signing keys will take four to six months, but we will endeavor to complete this process as soon as possible

Why would you do an audit in a situation, in which you don’t even have enough employees to provide basic maintenance?

3 Likes

Seriously I don’t understand why people aren’t freaking out. I absolutely do not mean this in any FUDdy way, this really is truly suspicious behavior on their part.

1 Like

Nick leaving without as much as a blog post saying that he’s looking for a replacement should be a red flag for people. I don’t understand why that’s not more of a focus.

^ The above is the only thing I could find on him leaving at all. It strikes me as really odd.

2 Likes

I think this isn’t the right way to think about it.

By default, the security measures of a Linux desktop and Linux phone are likely compatible.

But the usage and attack surface of a Linux phone is so much larger. The phone has become our new daily computer. It’s always on, always near us, and is connecting to networks all the time, and with cellular capability. Different threat model than desktop Linux as the trust boundaries have grown.

This is the scary part of Linux as a phone.

2 Likes

Crazy. Yeah for some time we just do do anything and good luck with that. Lol.

What people seem to miss is that every Android phone is a Linux phone.

But 99% of the usability and security is not defined by the Linux (the kernel), but by how it is used by the rest of the software stack (and what that stack is).

Linux-based OS can have MAC (e.g. SELinux/AppArmor) or not, it can have (or not) per-app containerization (and/or running each app as separate user to employ DAC as Android Linux does), see e.g. QubesOS (also Linux), it could use message passing or allowing apps to communicate more directly without security filtering, it could use VMs like Java or interpreted code like Python or run native code (or combination), it can be written in easily exploitable languages like C or less exploitable like Rust, it could be written by people caring about security and knowing how to program defensibly (or not), it could use systemd or it could use some sensible init system with several orders of magnitude less attack surface running with admin privileges, etc.

IOW, “It’s a Linux phone” doesn’t tell us mostly anything about the phone or its security unless we know the details. Any single one of the above features will tell us way more about its security (e.g. “it’s a phone that employs mandatory access controls” or “it’s a phone with all userland software written in Rust” or “it’s a phone which doesn’t use systemd”), not to mention multiple of them w/ more details.

3 Likes

Android is to Linux like Americans are to Europeans. Same descent, yeah, but it’s diverged quite a bit.

This argument would be like “why doesn’t GrapheneOS just fork off of mainline Linux instead of Android, it’s both Linux”. If they could do that, they would do so right now.

4 Likes

My guess is Calyx were forced to hand over the keys, and that’s why Nick and others quit. By telling users to back up and restore to another OS, and that there are new signing keys coming, this basically says the current signing keys are compromised. Nick may be legally unable to say anything in public.

edit: this is 100% my guess from listening to what is not being said in public. I have about 25% confidence in this being correct. The most likely scenario is that Nick and others just burnt out and want to do something else.

4 Likes

I have researched this and created this timeline of events that reinforce this as likely: AstraKitten's Blog

It’s definitely extremely strange. I would hope if this were true Nick would have pulled a Lavabit and shut everything down though, instead of just quietly leaving personally. I don’t really know him though or enough about Calyx to say what they would do in a situation like this.

Turns out Stallman was right and we should have been calling Linux on desktop “GNU/Linux” this entire time to clear up this confusion lol

Android is Linux. Android is not GNU/Linux. It’s pretty clear most security issues people have with Linux on Desktop are related to all the software running on top of it, given how Google has demonstrated twice (ChromeOS) that they can build a very secure software stack atop Linux itself if they do it all by themselves.

3 Likes

“I use Linux as my operating system,” I state proudly to the unkempt, bearded man. He swivels around in his desk chair with a devilish gleam in his eyes, ready to mansplain with extreme precision. “Actually”, he says with a grin, “Linux is just the kernel. You use GNU+Linux!” I don’t miss a beat and reply with a smirk, “I use Alpine, a distro that doesn’t include the GNU Coreutils, or any other GNU code. It’s Linux, but it’s not GNU+Linux.” The smile quickly drops from the man’s face. His body begins convulsing and he foams at the mouth and drops to the floor with a sickly thud. As he writhes around he screams “I-IT WAS COMPILED WITH GCC! THAT MEANS IT’S STILL GNU!” Coolly, I reply “If Windows were compiled with GCC, would that make it GNU?” I interrupt his response with “-and work is being made on the kernel to make it more compiler-agnostic. Even if you were correct, you won’t be for long.” With a sickly wheeze, the last of the man’s life is ejected from his body. He lies on the floor, cold and limp. I’ve womansplained him to death.

5 Likes

I agree; but when one uses the term “Linux” that is akin to using term “Human”. Yeah, adult Americans are different from Europeans, and women are different than men, and toddlers are most definitely quite different from adults. Yet they are all Linux “humans”.

Applying term “Humans” to mean exclusively “Europeans” (or even worse, to mean only “European Caucasian middle-aged well-paid English-speaking males”) is misleading at best.

So is using term “Linux” when one wants to describe only things very similar to e.g. “Debian Bookworm GNU/Linux desktop distro with X11 running KDE desktop environment”, as happens e.g. when comparing “Android vs. Linux on mobile phones” (“Americans vs. Humans on planet Earth”? See how it sounds? :sweat_smile: )

I’m confused by what you mean by “mainline Linux”. That meaning may only be applied to kernel itself (meaning unpatched vanilla kernel from kernel.org), but there exist no such thing as “mainline” Linux OS (so nothing could be forked off it, as it doesn’t exist and never did).

Android is a framework using Linux kernel, as is e.g. Tails or Maemo or QubesOS or OpenWRT or SHR or SailfishOS or BalenaOS or TinyCore Linux. All of those frameworks are different, and often use totally different apps, with (sometimes strikingly) different UI. Some run on your dishwasher, some on your IP camera or your phone or your laptop or your desktop with 146” screen.

Their security implementation also varies greatly (e.g. QubesOS is far more similar to Android there than to say “Debian GNU/Linux with KDE”).

In fact, some distros (“Linux-based distribution/distro” is proper term for OS with Linux kernel which includes lots of curated apps) allowed for different kernels, and vast majority of the users would be hard pressed to say if they’re running “Debian GNU/Linux with GNOME DE install option” or “Debian GNU/kFreeBSD with GNOME DE install option” – they looked and acted identically to the user, but only the former is Linux, and the latter is not.

Thus, the proper way is either:

  • (much preferred!) spelling proper distro name (and its details if possible and it is useful for topic at hand, e.g. “xzutils backdoor in systemd on Debian Trixie GNU/Linux”)

or (if “Debian GNU/Linux with GNOME DE via systemd running on X11” is too unwieldy and shortening is absolutely required even with massive loss of information it introduces) then:

  • shorten it (if you really must) to the most important and user-visible part, i.e. call it just “GNOME” (instead of “Linux”).

Anyway, that was meant as an aside, and didn’t intend to hijack the thread, but thought I should explain, as there seems to be misunderstanding what Linux is: it is only the kernel.

Everything else (improperly) uses the term “Linux” as a shorthand for “Something using the Linux kernel” where that “something” is basically always much more important and informative than “Linux”.

2 Likes

I’m using the term in a colloquial manner, which most of us and the wider population loosely refer to.

I figure it’s about time to slap this bad boy in this thread, call it a day, and continue on with the main discussion

2 Likes

I assume there are people reading this thread being more knowledgeable about CalyxOS and it being the superior deGoogled choice over LineageOS.

I created a thread in which I asked for additional means there are in order to make systems like LineageOS less dependent on Google via some ADB commands.

In that thread I also did not get any input about how Calyx would be better in terms of connections to Google than LOS after these commands, so I assume the most obvious ones are covered.

So if anyone could automate these commands via update survival scripts (or flashable zip), I see using LOS as a viable option in place of Calyx or any other Android flavor.

That is until someone points out additional actions that are required for being equally deGoogled. I am not confident I have covered everything, since these commands are very few.

This is an unreliable method with poor/ineffective results that often barely scratches the surface and gives false hope/confidence.
It is also very easy to end up in a state which requires a factory reset.
Many people play with these tools like a bull in a china shop and then end up losing all their precious files.

Hi Luke :sweat_smile: