
401 points Bluestein | 8 comments
stiray No.44363735
I am still waiting for Fairphone and Graphene OS collaboration. This is a match made in heaven.

Any Fairphone/GrapheneOS developer reading this? Just do it, document if something is not secure enough for you, but do it. Nothing to think about, you fit together like a hand and a glove, and any second thoughts are depriving the planet of THE PHONE!

Pick the cash we will throw at you and make a second generation with the CPU GrapheneOS wants, that will make the /r/GrapheneOS members' eyes shine, drooling and crying of joy at the same time. +throw them in a few hardware switches for camera, mic, connectivity,... disabling. No need to wait to be perfect in the first iteration (and due to that craziness and perfectionism will never happen), to gain the possibility to be perfect in the second or third.

I would love so much to stop buying Google Pixel phones just to install Graphene OS and protect myself from Google and its ecosystem, it seems so counterproductive.

1. WhyNotHugo No.44364441
I recently suggested that GrapheneOS support devices with average security on Mastodon. Much like yourself, I think "moderately okay security" is better than "just use Google's spyware infested OS".

The GrapheneOS folks replied in disagreement, insisting that this is a terrible idea because security would be less than perfect. They then started making up stories about me and throwing around unfounded accusations. I don't trust them in the slightest, and strongly recommend staying away from them.

2. mhitza No.44365722
> They then started making up stories about me and throwing around unfounded accusations.

That sounds oddly similar to Louis Rossmann's video when in disagreement with some (the?) project owner.

https://www.youtube.com/watch?v=4To-F6W1NT0

3. agile-gift0262 No.44366110
> I recently suggested that GrapheneOS support devices with average security on Mastodon. Much like yourself, I think "moderately okay security" is better than "just use Google's spyware infested OS".

For most use cases, like mine, I agree. But I understand GrapheneOS disagreeing with that statement. "Average security" is not their goal, nor the use case they are working for. GrapheneOS' focus is security. They just happened to make the best AOSP version there is out there. So lots of us wish they would better support our use cases, disregarding the use case they work for. But they obviously don't want to spend resources on it, and I'd assume they wouldn't even accept extra resources to do those things, as it would dilute their "most secure mobile OS" brand by having less secure versions of it.

For those of us who don't need the best security, another fork of AOSP that incorporates many of the features GOS has, like sandboxed Google Play and contact and storage scopes, would do. But we can't expect GOS to be the one doing that.

4. SigRed No.44380726
That's like suggesting to a Formula 1 World Champion to accept not being at the pinnacle of excellence and despite their talent to voluntarily move to a mid-tier team because having a moderately okay car is better than not being in the sport. Same for cycling, tell last year's Tour de France winner to stop using that light high-end carbon fibre bike and just use that heavy 1960s steel bike instead, they both have wheels and get you from the start to the finish after all. Don't aspire to be more than average or the best. Just settle.

5. mbananasynergy No.44380887
I'm the community manager for GrapheneOS. That isn't what happened, and it is very weird to not only see that on Mastodon, but also that you're going around saying it in other places, too.

People involved with the project you're working on have a history of making attacks on GrapheneOS, but what I mostly want to focus on is your suggestion because my goal here isn't to get in a back-and-forth with you or convince you, but rather provide context for others reading this.

Our hardware requirements are not arbitrary. They are what we need in order to be able to provide usable security to people who depend on it. There's no "average security" for devices that are missing patches for known vulnerabilities for months. That's a non-starter, not something imperfect that an OEM can work on improving. Multiple OEMs have reached out to us and actually want to do the work of improving their devices so that we can use them to provide security for people. It's very weird for people to be fixated on this idea that GrapheneOS should instead be supporting devices which can't actually provide what the OS is known for.

Without a secure element, a 6 digit PIN is no longer secure and can be bruteforced. What average person is using a long diceware passphrase to unlock their phone? Our device requirements are reasonable, and can be found at https://grapheneos.org/faq#future-devices. Every time people ask us to support another device, we have to point to that and explain that we cannot, because to date, no other devices meet them, and those who do purposefully go out of their way to cripple third-party OS support (Samsung chief among them). Then, we ask people which of our requirements we should drop in order to support that other device, and why people think that requirement is unreasonable. To date, we have received no convincing reply to that.

You think we're chasing "perfection" but Pixels are just the best that exists right now and are extremely far from perfect. Our requirements aren't a wishlist, they're based on what is possible and reasonable today, not in the future.

6. mbananasynergy No.44380958
Hi there, I'm the community manager for the GrapheneOS project. To you, and perhaps others seeing your comment, I would just like to ask that if people are going to watch the video, they should watch it in context, and also read the material that Louis is linking to in the video description, as I'm getting the sense that he's relying on people to not read them.

Our perspective is that Louis was upset with Daniel because we wouldn't do content with him, which resulted in a lot of jabs in his videos preceding that one, along with him expressing support for a video and a creator who has created what is essentially a hitpiece video on the project and its founder.

The main context that seems to be missing is that a supporter of the creator of that hitpiece was raiding our community rooms not long before Louis' video happened, which culminated in the GrapheneOS founder being swatted by that person 3 times in the span of a few days. Louis Rossmann expressing support (with his large following) for that creator lends credence to their claims and leads more people to attack us. That should hopefully explain why Daniel was upset at Louis (in private, which Louis decided to livestream and leak). If Louis really thinks Daniel is some mentally ill person, is broadcasting him like that really the compassionate thing to do? Even in his version of events, this seems cruel.

Louis is a kiwifarms user, a website dedicated to harassing people (including Daniel). Daniel's thread was started by a self-admitted fan of Louis, shortly after his video, so it has directly led to a bunch more hatred. You can find all of that out yourself.

So for you, and those reading this comment after the fact, I'd encourage you to do your own research, and also to not take what a YouTuber says at face value just because they said it.

7. WhyNotHugo No.44397761
> Without a secure element, a 6 digit PIN is no longer secure and can be bruteforced.

Thanks for providing an actual example which we can use as a realistic reference.

Right now such a device can run OSs which ship first party spyware. If GrapheneOS supported those devices, they’d be usable with an OS without that spyware, which is a net improvement. The security issue of “a PIN can be brute-forced” exists regardless of OS.

8. mbananasynergy No.44401029
It has always been the goal of the project to provide security and privacy features while maintaining usability. People are expected to acquire a device to use GrapheneOS rather than us supporting as many devices as possible where we cannot offer the same protections.

We're hoping to have a non-Pixel device that actually meets the project's requirements in the near future, potentially. Our requirements aren't exotic and OEMs are confirming that they're well within their capabilities. We'll focus on working with OEMs interested in shipping secure devices in order to expand our offerings, which should offer more choices for potential users as well.