[HN Gopher] Show HN: DivestOS - Long-term support for end-of-lif...
___________________________________________________________________
Show HN: DivestOS - Long-term support for end-of-life Android devices

Author : SubzeroCarnage
Score : 145 points
Date : 2022-11-14 19:00 UTC (3 hours ago)

(HTM) web link (divestos.org)
(TXT) w3m dump (divestos.org)

| kernal wrote:
| Unless these devices have the ability to update their binary OEM
| blobs then these cannot be considered secure. This is why
| alternative OSs like GrapheneOS end their support when the Google
| Pixel is EOL. If you want long term support buy an iPhone or an
| Android phone that guarantees at least 5 years of security
| updates.
| SubzeroCarnage wrote:
| This is clearly documented see (and also the section above it):
| https://divestos.org/index.php?page=patch_levels#secure
| summm wrote:
| That makes it even worse. They apparently do not even try to
| make it secure and willingly exclude some patches. Reminds me
| of "security by management risk acceptance"
| SubzeroCarnage wrote:
| They? This is my project, it is just me. There is not a
| single other project that achieves the scope of what
| DivestOS does for old devices.
| kernal wrote:
| The title states "Long-term support for end-of-life Android
| devices". This "long term support" does not extend beyond
| cherry picked AOSP security patches and does not address the
| security issues in the drivers of these devices.
| SubzeroCarnage wrote:
| But it does what it can. It patches the system, the
| kernels, adds many hardening features, provides updated
| browser engines, and removes the proprietary unpatchable
| components that it can.
|
| This is all well documented on the website, please read
| through it.
| ccouzens wrote:
| Don't forget that even supported phones can have unpatchable
| hardware bugs.
|
| For example checkm8 back in 2019.
| forgotmypw17 wrote:
| Security isn't everything.
| Sometimes just having a working
| device you can use to access information takes priority.
|
| Not everyone can buy a device.
| jlkuester7 wrote:
| Exactly! If security is your highest priority, buy a new
| Pixel and put GrapheneOS on it.
|
| But if you have an EOL device, DivestOS seems to be an
| amazing alternative to just staying on the stock firmware
| that is not going to get any updates at all.
| squarefoot wrote:
| Any chances to see something similar to install Linux images
| (native, no chroots) to old Android tablets over the original OS?
| Some hardware wouldn't be supported, but I wouldn't mind not
| having for example video acceleration, audio and/or modem, if I
| could use an old tablet as an IoT screen or to show graphs from
| sensor data, etc. Having a full OS, hence the ability to use
| multiple programming languages, libraries, etc would change
| everything.
| yjftsjthsd-h wrote:
| Sounds like you want https://postmarketos.org/ or
| https://mobian-project.org/ ?
| squarefoot wrote:
| I'm aware of PostmarketOS, but unfortunately not many tablets
| are supported; I'm not interested in phones also due to their
| too small screen.
| palata wrote:
| They have a nice community, you could try to add support
| for your tablet!
| WaxProlix wrote:
| https://postmarketos.org/ might be of interest to you.
| SubzeroCarnage wrote:
| Check out the postmarketOS project, they do exactly that!
| WaitWaitWha wrote:
| I am frustratingly blind to today's alternate OSes.
|
| Where does a lay consumer even start? Do I buy a used, but well
| supported (by alt OSes) phone? Which one would that be? Do I
| attempt to use my existing phone?
| ramesh31 wrote:
| Still running the latest iOS on my 7 year old first-gen SE.
|
| Why can't Android do the same?
| yjftsjthsd-h wrote:
| The tool https://gitlab.com/divested-mobile/cve_checker is
| fascinating; I've usually seen people attempting to bring needed
| drivers to a mainline kernel, but backporting security fixes to a
| vendor kernel does seem like a plausible way to get a lot of the
| benefit with less work.
| SubzeroCarnage wrote:
| It isn't perfect, but I am quite happy with how effective it
| has been considering how simple it really is.
| mofosyne wrote:
| Could there be a chance for splitting android into two halves? One
| for per device low level initialization and one for a shared
| image for all android devices?
|
| So the idea is you'd be able to easily upgrade or even multiboot
| different android or linux images if you wish, without having to
| recompile for every device.
| ccouzens wrote:
| Sounds like project treble.
|
| I don't know how much of a success it has been, and I don't
| think it has been used to multiboot a phone or to boot a more
| standard Linux.
|
| https://android-developers.googleblog.com/2017/05/here-comes...
| craftkiller wrote:
| Does this support GrapheneOS's Google Services Framework
| compatibility layer? And why not fork GrapheneOS instead of
| Lineage?
| thrtythreeforty wrote:
| Are there _any_ other projects that are using Graphene's Play
| Services? My ideal OS is basically Lineage with those patches
| applied.
| j-james wrote:
| Yes, ProtonAOSP: https://protonaosp.org/
| SubzeroCarnage wrote:
| Was sadly discontinued it seems:
| https://github.com/ProtonAOSP
| ignoramous wrote:
| Is GrapheneOS' PlayServices sandbox open source?
| SubzeroCarnage wrote:
| All of their work is open source, usually Apache-2.0 or MIT
| but some GPL-2.0 too.
|
| There is an older condensed list of changes here:
| https://gist.github.com/thestinger/ee536cbd1ca674b94dde05831...
|
| Newer changes are in the updated repos.
| FireInsight wrote:
| The main dev has expressed that they don't intend to add any
| google play services compatibility, and probably forking
| Lineage because GrapheneOS is already pretty good but works
| just on pixels, as opposed to Lineage which works on many many
| phone models.
| SubzeroCarnage wrote:
| DivestOS has been a fork of LineageOS since before it was
| LineageOS: https://divestos.org/index.php?page=history
|
| The precursor to GrapheneOS also used to have a non-foss
| license for a period of time.
| JohnKuzyarko wrote:
| I have an old OnePlus and it's managed to last like 7 years.
| Sadly every other developer has abandoned it. Hope this project
| can bring it back from the dead!
| wazoox wrote:
| My 2013 OnePlus One still works perfectly fine (with an
| out-of-date LineageOS). Battery still lasts 2 full days easily.
| strenholme wrote:
| The problem with long term support for my Android phones has
| actually _not_ been the fact that Android devices have incredibly
| short security update windows. That issue has been somewhat
| mitigated with the newer Google Pixel phones which have five
| years of security updates.
|
| The biggest issue for long term cell phone support is, even if we
| get an OS with a 10-year security update timeline like Rocky
| Linux, will the phone itself be able to make calls on whatever
| cellular networks exist 10 years from now? I have a number of 3G
| phones I bought as recently as 2018 which became paperweights in
| 2021 when all of the cellular telcos in the United States stopped
| supporting 3G, forcing me to update to a 5G phone. Is 5G going to
| still work in 10 years? Or are the telcos going to continue to
| convert perfectly good phones into landfill?
|
| As someone who has a 15-year-old laptop which is still a
| perfectly good Linux server (its screen went out two years ago,
| but it was a perfectly good desktop computer until then), it's
| annoying seeing phones I bought less than six years ago be
| useless on today's cellular networks.
| iamgopal wrote:
| What are the alternatives / competitors to this?
| SubzeroCarnage wrote:
| For new/supported devices I strongly recommend GrapheneOS.
|
| The other projects who support some of these older devices have
| numerous issues as noted here:
| https://divestos.org/index.php?page=patch_levels#osSecurity
|
| Edit: also of note: DivestOS currently provides monthly updates
| spanning seven versions of Android, I don't know of any other
| project doing that specifically.
| h4waii wrote:
| To note, the monthly security updates DivestOS provides don't
| (can't?) include baseband and such "firmware" updates for
| legacy OEM-unsupported versions of Android.
|
| Don't get me wrong, it's terrific that security patches are
| backported to such ancient versions of Android by those
| working on DivestOS and it's a great option for devices that
| aren't supported by GrapheneOS, LineageOS, et al.
| SubzeroCarnage wrote:
| Firmware is included for 45 devices, but no one but the
| vendor/manufacturer can actually provide security updates
| for them, so they are largely just the last release.
|
| https://gitlab.com/divested-mobile/firmware-empty/-/blob/mas...
|
| This is indeed an issue and is documented in multiple
| places of the website.
|
| Patching everything else is the best harm-reduction for
| this.
| yjftsjthsd-h wrote:
| A significant difficulty for GrapheneOS is that it has fairly
| limited device support:
| https://grapheneos.org/faq#supported-devices
|
| Now if you're buying a device planning to run it, that's
| fine, but it really does limit its usefulness.
| jeduardo wrote:
| GrapheneOS looks interesting but DivestOS's focus seems to be
| aftermarket devices that Graphene is not targeting.
|
| I recently got an unofficial build of LineageOS running on a
| Nexus 4 (mako) device and I was positively surprised with the
| speed it can run modern software. But this is an unofficial
| build that is also broken on some essential points, such as
| WiFi.
|
| For these old devices, Graphene is not an option and if there
| are others targeting the same devices as DivestOS (which I
| will surely be checking out soon) I have yet to see them.
| SubzeroCarnage wrote:
| fwiw voron00's mako builds and my builds are fully
| functional. I daily drove one a while back for fun.
| FireInsight wrote:
| I own a Fairphone 4 and recently had to decide between DivestOS
| and CalyxOS, and decided to install Calyx. GrapheneOS is better
| than CalyxOS if you own a pixel, but CalyxOS has a few supported
| devices more. I decided against DivestOS even though it had
| technically better security and privacy due to the lack of
| microG. There's also /e/os which works on many devices and uses
| microG, but they're kinda building their own ecosystem and I
| didn't want to deal with that.
___________________________________________________________________
(page generated 2022-11-14 23:00 UTC)