Posting about Volla in a GrapheneOS thread is... I guess courageous?
They are kind of the opposite of GrapheneOS. Ancient kernel trees, ancient firmware bundles, etc. And since downstreams like /e/OS just take their kernels/firmware, they are ancient as well. Using Volla phones opens you up to a lot of known vulnerabilities.
Besides that, Volla is basically a marketing company (with some external contractors) that does Eurowashing. E.g. one of their phones (Quintus) is a phone designed by an Emirates company, produced by a Chinese ODM, marked up by 500 Euro by Volla (they probably turn some screws and flash the firmware to be able to call it 'from Germany'. You can get the same 719 Euro phone here for ~160 Euro:
I don't see anything they offer for security that's not also in AOSP/LineageOS/eOS/stock/etc.
Which is not to say that's not enough for most people, but why highlight them? It doesn't seem comparable to the laser-focus GrapheneOS has on security
Not GP, but Volla phones are cool in that they officially support running proper Linux[1], so you could just use Linux instead of Android if that's enough for your needs. And you can still boot into their de-Googled Android if you need to run Android apps.
(If you don't believe it from the identical specs and design, you can look at the committers in their kernel trees and it is basically maintained by Daria people.)
Their new Plinius model is just the Gigaset GS6 with a 250 Euro markup:
It takes more than an unlocked bootloader to make Linux boot on random phones and work properly (and ensuring all the radios, camera, audio, phone calls etc work), and Volla have achieved that with their phones. I could be wrong, but I don't think it was possible to get a fully functional Linux distro going on any of these rebadged phones before Volla got to them.
I am not sure about the Daria Bond, but in Ubuntu Touch (which seems one of the very few Linux systems that supports the Daria Bond, ahem, Quintus), most of it seems to be the work of LineageOS developers (probably for generic Mediatek support, since it's a run-off-the-mill Mediatek phone), with some changes from Daria people on top of it.
So, I think you are giving credit to Volla that should go to the upstream ODMs and Lineage.
Oh, one vendor supporting multiple OSes! I hadn't clicked through (https://volla.online/en/operating-systems/), that is neat indeed and quite a unique selling point among mobile vendors
This should have gone in my spreadsheet before I chose a new device xD. Ah well, next time
Android similarly supports, and in fact uses, "proper" Linux. Android and its forks are Linux distributions. You can use a mainline kernel in Android just fine.
Nah, Android is not a really a proper Linux system that 'supports' Linux software within any reasonable definition of the word; not anymore at least
Root nowadays gets you very little: software like wavemon that worked great on Android 4.4 no longer runs because selinux or whatever restrictions block nearly everything from working that isn't going through the Android API channels. Accessing external storage from Linux Deploy (running your favorite distro in userspace with root) no longer works; thankfully it does from Termux so I have some way of manipulating the files with standard Linux tools, but then that keeps getting killed and you need to restart sshd a few times per day if you want to actually use that as a remote access method for your photos.
The Linux processes are being shot at left and right, it's go android or go bust on android. Perhaps that sounded redundant but it used to be that you could install Xorg, Virtualbox and other GUI software, and knock yourself out. No more
Most of this is not related to the claim and is more tangential discussion about things you like that run on the linux kernel, now, there is nothing wrong with that, but I must emphasise that none of what you describe is a part of the criteria for what constitutes a linux distro. A linux distro is an operating system using the linux kernel. Android fits that criteria.
The policies and applications running on top of or in the linux kernel do not change its distro classification. Lacking root access is a massive step forward for privacy and security. Root access is insecure and a hacky shortcut to proper functionality.
Sure, we can have different opinions on what makes a useful Linux distribution. Either way, you can't install Ubuntu Touch on just any phone. That Volla supports that alongside their AOSP derivative gives you more options on how to use the device; it's worth pointing out to potential buyers as a bonus on top of running Android only
Ubuntu Touch is drastically less private and secure than AOSP let alone GrapheneOS. Volla's devices don't come anywhere close to meeting the update and security requirements for GrapheneOS. GrapheneOS is a Linux distribution much closely following along with the Linux kernel LTS releases, unlike those devices. It also regularly moves to new Linux kernel LTS branches. Pixels are in the process of moving to the 6.12 LTS branch with Android 17 QPR2. 6.18 is currently in the early stage of stabilization.
Ubuntu Touch (or any Linux distro for that matter) offers drastically more freedom than GrapheneOS or any other Android distribution. Some people care more about freedom than so called "security", and I don't know about you, but I'll take freedom any day.
Freedom to get a stroke from an incomplete toy OS?
Snark aside, desktop Linux userspace (or gnu Linux, call it how you want) is nowhere near production ready. And even for the more general point, giving out root willy-nilly is not more freedom. It's more like letting your child play on the 5th floor of a half-constructed building that's about to be exploded. Your kid can enjoy their time just as much in the safe forest trail.
Not everything needs to be "production ready". And giving out root willy-nilly is freedom. It's my device, I should get to decide how I want to use it and not have artificial restrictions put on my be by someone else. If I want to rm -rf /, I should be able to do just that.
> giving out root willy-nilly is not more freedom. It's more like letting your child play on the 5th floor of a half-constructed building that's about to be exploded
I take it you don't use desktop OSes anymore of any kind and call child support whenever you see a parent letting their kid use one? Better protect them from themselves in case they can't handle sudo / UAC prompts and give access (xkcd.com/1200) to the wrong process
This sort of logic really boggles my mind to see on hacker news
> Grapheneos is fully open source and comes with 0 Google services.
And calls the open source microG a threat while encouraging people to install google mobile services, conveniently provided from their preinstalled app store, which most people will need for at least some of the apps they need in daily life, so everyone ends up with GMS installed in their main profile. A real bastion of freedom and choice.
MicroG requires privileged access. It also downloads and runs proprietary google code within this privileged context. MicroG additionally has very poor app compatibility and has had severe privacy issues in the past.
Sandboxed google play does not grant google code any kind of privileged access. It is confined to the same app sandbox and permission model as all other apps and can be installed and uninstalled like any other app.
Note that apps with google libraries grant google the same, unprivileged access google services gets on GrapheneOS. MicroG fails to meet the privacy, security, and usability requirements GrapheneOS has in place when it comes to google play compatibility.
So, you can pick MicroG, which is bundled, privileged, poorly made, has poor compatibility, and trusts an additional party...
Or, you can pick sandboxed google play, which is not bundled, optional, unprivileged, fully sandboxed, and does not trust additional parties. Oh, and you can uninstall and reinstall whenever.
It is evident which option gives the user freedom, and a choice.
Thanks, but there's no way anybody here hasn't already heard all of that. GrapheneOS' statements are inevitably reposted to every thread and subthread that touches on the topic.
Yes, I knew it's in a sandbox at the time of writing my comment above; no, that doesn't make it a privacy paradise compared to microG.
The sandbox still needs internet access for a lot of GMS' functions and lots of apps send information into it. For example, Signal will actively reach out for notification bundling, so Google gets to know who runs Signal, what IP address they're on, with who else they share that address as they go to school and work, build a social graph... So while the sandbox is definitely very useful and I'm glad it exists as open source software that other Android distributions can be inspired by, it doesn't definitively solve fundamental problems with running unwanted software on your device
Do you know what privileged context means? As in, what access this grants concretely? I tried to look it up once, ended up in Android source code trees, and left more confused than I went in. It looked like it gets no extra file access at all, which is strange right? What does privileged mean if not that? I tried su'ing to the user ID of GMS and this confirmed that the GMS user can't access other apps' data folders. So I'm no longer sure what to even make of this wording. Is it maybe about syscall hardening that isn't applied to privileged apps or so, so like exploit protection rather than normal permissions? The benefit of that would be protecting from exploits that Google could send. Do we think they'd legit do that, short of receiving an NSL that compels them?
Rather than running the unwanted proprietary (but necessary) software wholesale and attempt to sandbox it, I'd much rather substitute as much as possible with open code (where we know what it does) and have a much smaller set of proprietary components that need to be kept around in a sandbox and active only when necessary. For example, microG will replace Gmaps with Mapbox, reducing how much data is sent out about you to Google (they don't get to see which city you are probably in while using the map in Too Good To Go, for example).
It seems fairly obvious to me that less data sharing plus less proprietary code (that needs to be sandboxed) is better than letting Google go wild and installing their apps as-is with self-updating functionality (in said sandbox). What threat would sandboxed microG pose that sandboxed GMS doesn't? Is there any logic to GrapheneOS not wanting to build upon microG to get the remaining proprietary parts properly sandboxed, rather than starting over from scratch?
Look, I have root, so you can hack me! And my bootloader is wide open, too! In your words:
> > Root access and an unlocked bootloader are insecure, even for low threat models. These devices are vulnerable and should not be used for any sensitive data.
I'm serious that anyone should feel free to prove the point by sending me a responsible disclosure notice about having found a way in, but the threat clearly isn't serious enough for that to actually be concretely possible. Which is not to say that it's never relevant, but "such a device shouldn't be used" is not valid as a blanket statement
For context, GMSCompat is Google Mobile Services Compatibility. GrapheneOS installed the google play store and services as normal apps, and worked backwards to make it behave. There is no google specific sandbox, rather it uses the standard android user app sandbox. This means google is bound by the same rules, as special casing anything creates more maintenance burden and attack surface. GMSCompat is fully open source.
> "Thanks, but there's no way..."
Its reposted because the information is accurate, and misinformation regarding it is very prevalent.
> "Yes, I knew it's in a sandbox..."
Relative to MicroG, sandboxed google play is much more private, secure, and usable. I would not describe it as a privacy paradise, but MicroG does not improve upon this, and instead makes these aspects worse.
> "The sandbox still needs internet access..."
Most google libraries operate independently of google services and do not depend on them to function. FCM is an exception due to how push notifications are optimized (by using one app for the connection). MicroG does not avoid this.
> "For example, Signal will actively reach..."
You do not need to provide an identity to google. This can also be avoided with a VPN, and is not specific to google. There is the concern of metadata but Signal sends empty notifications without any identifying info. They are only used to wake the app up to fetch its own notifications.
> "So while the sandbox is definitely very useful..."
It confines google services to the same rules and restrictions as all other apps. MicroG does not. MicroG also does not avoid running unwanted software, referring to the google libraries in apps and the google code MicroG downloads.
> "Do you know what privileged context means..."
MicroG violates the security model by necessitating signature spoofing, which puts it in a position to receive data it was not intended to receive, there is also attack surface exposed by having access forbidden by the app sandbox. Sandboxed google play is bound by the same app sandbox as all other apps, and would not be any more or less capable of exploiting the device than any other app. The idea that google would try to exploit the device is nonsensical though. But granting both google and a 3rd party privileged access is still unacceptable.
> "Rather than running the unwanted proprietary (but necessary) software..."
Google play services runs in the android user app sandbox. It is not an "attempt", it is successful at doing this. MicroG being open source does not matter in regards to privacy or security. It did not change how MicroG has leaked location to apps without location permissions, it does not change how it downloads and runs google code both privileged and outside of its own APK, and it does not change how other apps are running google libraries anyway. Note that the proprietary code it downloads is not confined to the app sandbox.
> "For example, microG will replace Gmaps..."
Im unsure if you are referring to the app Google Maps, or google maps integration. GrapheneOS reroutes googlefusedlocation requests to the OS, rather than google services. You can use an app other than google maps, and apps with google map integration can simply send your location to google directly, independent of google services or MicroG.
> "It seems fairly obvious to me that less data sharing..."
Googles access to data is not limited by using MicroG, relative to sandboxed google play. And the size of proprietary code is irrelevant, that code can be anything. It can be malicious with 2 lines, or benign with 2 million. Access is what is vital, not size. Google is not permitted to "run wild", and is granted no additional access compared to any other app. Im unsure what you mean by self updating functionality, but for apps from the playstore, nearly all of them are signed with a key that google holds, and MicroG can do nothing about this. GrapheneOSs App Store is responsible for updating google play and google services, it cannot update itself.
> "What threat would sandboxed microG pose that sandboxed GMS doesn't?..."
Using MicroG necessitates GrapheneOS violate the android security model, trust a 3rd party unnecessarily, cripple 99% perfect compatibility, use code that is not near as battletested as play services, run google code as privileged, and run a software that has had serious privacy violations in the past. Not only is the base insufficient, but any finished product based on it still would not compare to GMSCompat. The logic is that GrapheneOS wants the best compatibility, the least changes to the android app sandbox, 0 privileged google components, no violations to the android security model, and no need to maintain a reimplementation when google services and store are already maintained by a huge organization.
> How can you be free when you're not private or secure?
Are you serious? Have you even seen the state of modern operating systems compared to the operating systems of the 80s and 90s? I've had way more fun and learnt lot more about computers messing around with OSes that let you did whatever the hell you wanted to. Modern OSes have sacrificed a lot in that name of security.
As for privacy, that's a completely separate topic. You can have privacy on a OS which offers freedom, depends on what "privacy" you're taking about.
Privacy is when nobody is looking, whether that's because they cannot look or because there's nobody that looks.
Security is the former: actively denying someone or something the ability to look in a situation where they are trying. GrapheneOS does that by encouraging a locked bootloader (preventing physical attacks) and letting you deny sensor access (preventing malicious apps from accessing unnecessary info), for example. I think we agree so far?
But you can also have privacy by just not installing apps that violate your privacy. Such a device could be as open as any Linux laptop where you log in with root:root. It lets you do whatever you want and access whatever you want. It's yours through and through. That's freedom without security, which may or may not have privacy depending on who you let look: if you leave it unattended at a hacker conference or have sshd with password login enabled, yeah that won't stay private for very long. But that's your choice right? You can just not invite anyone in or, in this example, bring it to someone who would do something malicious
An official GrapheneOS release has a lot of features baked in against actively malicious actors (be it apps or people at border checks), but users need to work within the boundaries and limitations of the sandpit that's provided to them. They're not granted much freedom, and that limits what privacy measures you can enact. Making a backup of /data, modifying firewall or traffic routing rules, signature spoofing to substitute an untrusted app with a trusted implementation, intercepting and faking Android API responses... a lot of things are off-limits: you don't have the freedom to shape the environment to suit your needs, for example to create privacy or security
The axes (privacy, freedom, security) all influence each other, but they are still separate enough that you can have one or two without the other. I can see what you mean if you say that your threat actors are skilled exploit developers and you can't have privacy without also thwarting these constant attempts. (Paranoid as that may sound, I'm sure it's true for some people.) Most people would gain more privacy from doing something about the pervasive adtech than about exploit developers they're not likely to run into. For them, LineageOS could be more private and provide more freedom while being less secure in some ways (e.g. they need to watch out which processes they grant access, for example something claiming to be backup software that turns out to be ransomware) and more secure in others (e.g. data availability by getting to make backups)
That is a vague, meaningless statement. What sort of privacy are we taking about? What sort of security? What's the target? What's the attack vector? What's the environment? What's your threat model?
Without all of those details, your statement is meaningless.
Those are much less private and secure than the Android Open Source Project on Pixels without the major privacy and security improvements of GrapheneOS. Those aren't privacy or security hardened devices.
If I can't customise it then I won't waste my time using it it getting use to it.
Claude code is trash, it's customisability is extremely shallow, open code, codex, copilot, Kiro, etc etc... all trash. Yes even open code..
If open code was so awesome then open claw would have been based on it... But it wasn't. That's should tell you everything you need to know.
reply