because @mozilla thinks someone might be able to do harmful things with #WebUSB they do not want to add WebUSB to #firefox.
-
@txt_file @tipjip Fairphone's devices have 1-2 month delays for partial security backports from launch. They do not have proper support from the beginning. They skip monthly and quarterly updates entirely, then ship the next yearly update over a year late. The delay gets longer over the lifetime of the device.
Providing a release from 2025 in 2027 is hardly providing 2 extra years of support compared to a device shipping it in 2025. However, that's how Fairphone portrays their support time.
@txt_file @tipjip Fairphone devices do not have proper long term support because they don't have proper support from day one and it significantly degrades over the lifetime of the device. Pixels get the latest monthly, quarterly or yearly release of Android when it comes out each month. Fairphone is providing the security backports to older releases instead, then catching up to a new initial yearly release after a year or more. That's really not comparable to iPhone or Pixel long term support.
-
@txt_file @tipjip Fairphone's devices have no secure element, meaning none of the important features such as working disk encryption for users without a strong passphrase are available. There are other important security features too. They used publicly available private keys for signing on the Fairphone 4 so while supposedly having verified boot, it doesn't truly have it. Verified boot permitting publicly available keys isn't a real implementation and it's strange CalyxOS portrays it as one.
-
@tipjip @txt_file @mozilla Firefox chooses not to support WebRTC despite the predecessor to it originating in FirefoxOS. Mozilla used to want to have highly functional web applications but moved away from wanting that and aligned with Apple's position of using native applications for those purposes. Firefox allows people to download and run a native executable with a tiny warning which gives access to everything on a desktop OS. What's wrong with providing only access to a specific USB device?
@tipjip @txt_file @mozilla Pixels are currently the only devices meeting the very reasonable hardware security requirements listed at https://grapheneos.org/faq#future-devices. We use the only available secure devices with proper non-stock OS support.
There are no other Android devices providing the firmware/driver support we need or the security features we need. The devices closest to providing the security features we need such as certain Samsung flagships are missing proper support for using another OS.
-
@tipjip @txt_file @mozilla Samsung and most other Android devices do not provide all of the important security features for use by other operating systems. Samsung burns an efuse when you unlock their devices which permanently cripples security functionality. You can't get it back even if you go back to the stock OS and lock the device again. The efuse is permanently burned and they arbitrarily disable a bunch of functionality including their equivalent to Private Space based on it being burned.
-
@GrapheneOS @tipjip Thank you for all the insight.
Regarding Fairphone: Expecting a ~150 people company (that has software as a secondary goal) to have similar update intervals as the upstream developers (Google) seems a bit strange. Yes, Fairphone can do better and I wish they did better, but there is only so much they can do with the money they have.
BTW: How is GrapheneOS Foundation financed? Venture capital, other similar foundations and a few donations?
-
@txt_file @tipjip 150 people is a huge number to be doing something so easy, especially with the early access available to Fairphone. A couple people can do it and pass the required tests. There's nothing strange about expecting proper security updates.
GrapheneOS Foundation is a non-profit organization. There are no shareholders. It's funded entirely by donations but we could choose to sell products and services. The revenue from those can only be used to advance the mission of the non-profit.
-
@txt_file @tipjip It's dramatically easier for Fairphone to port a vanilla variant of AOSP to new Android versions with early access to new Android releases than it is for us to port invasive changes improving privacy and security to each new release. We don't have early access. We port to the new yearly releases in a few days. For us, it being delayed by a week is a disaster and that's without having many months of early access. We get no early access whatsoever. We will in the future though.
-
@txt_file @tipjip There's no good excuse for even smaller Android OEMs than Fairphone not shipping each monthly, quarterly and yearly release. Fairphone is so far behind that they aren't in compliance with EU regulations which are coming into force around updates. It does not take a lot of money or resources to provide updates made for them which they receive early access to. They aren't making the updates, they're just porting their own code and dealing with testing / fixing some small issues.
-
@txt_file @tipjip OEMs can avoid making significant changes to the OS if they want a much easier time porting to new releases and shipping security patches. Fairphone does not make significant changes to the OS. It's not like some OEMs where they nearly completely redo the user interface across the board and add immense complexity. The OEMs doing that could stop doing it and avoid the delays. The bare minimum security patch backports don't have a good reason to be delayed for any OEM.
-
@GrapheneOS Fair. Now I kind of have more questions about this whole software ecosystem than before. E.g. why isn't Fairphone paying one person for downstreaming the software?
@tipjip