[HN Gopher] Show HN: DivestOS - Long-term support for end-of-lif...
___________________________________________________________________
Show HN: DivestOS - Long-term support for end-of-life Android
devices
Author : SubzeroCarnage
Score : 145 points
Date : 2022-11-14 19:00 UTC (3 hours ago)
(HTM) web link (divestos.org)
(TXT) w3m dump (divestos.org)
| kernal wrote:
| Unless these devices have the ability to update their binary OEM
| blobs then these cannot be considered secure. This is why
| alternative OSs like GrapheneOS end their support when the Google
| Pixel is EOL. If you want long term support buy an iPhone or an
| Android phone that guarantees at least 5 years of security
| updates.
| SubzeroCarnage wrote:
| This is clearly documented see (and also the section above it):
| https://divestos.org/index.php?page=patch_levels#secure
| summm wrote:
| That makes it even worse. They apparently do not even try to
| make it secure and willingly exclude some patches. Reminds me
| of "security by management risk acceptance"
| SubzeroCarnage wrote:
| They? This is my project, it is just me. There is not a
| single other project that achieves the scope of what
| DivestOS does for old devices.
| kernal wrote:
| The title states "Long-term support for end-of-life Android
| devices". This "long term support" does not extend beyond
| cherry picked AOSP security patches and does not address the
| security issues in the drivers of these devices.
| SubzeroCarnage wrote:
| But it does what it can. It patches the system, the
| kernels, adds many hardening features, provides updated
| browser engines, and removes the proprietary unpatchable
| components that it can.
|
| This is all well documented on the website, please read
| through it.
| ccouzens wrote:
| Don't forget that even supported phones can have unpatchable
| hardware bugs.
|
| For example checkm8 back in 2019.
| forgotmypw17 wrote:
| Security isn't everything. Sometimes just having a working
| device you can use to access information takes priority.
|
| Not everyone can buy a device.
| jlkuester7 wrote:
| Exactly! If security is your highest priority, buy a new
| Pixel and put GrapheneOS on it.
|
| But if you have an EOL device, DivestOS seems to be an
| amazing alternative to just staying on the stock firmware
| that is not going to get any updates at all.
| squarefoot wrote:
| Any chances to see something similar to install Linux images
| (native, no chroots) to old Android tablets over the original OS?
| Some hardware wouldn't be supported, but I wouldn't mind not
| having for example video acceleration, audio and/or modem, if I
| could use an old tablet as an IoT screen or to show graphs from
| sensor data, etc. Having a full OS, hence the ability to use
| multiple programming languages, libraries, etc would change
| everything.
| yjftsjthsd-h wrote:
| Sounds like you want https://postmarketos.org/ or
| https://mobian-project.org/ ?
| squarefoot wrote:
| I'm aware of PostmarketOS, but unfortunately not many tablets
| are supported; I'm not interested in phones also due to their
| too small screen.
| palata wrote:
| They have a nice community, you could try to add support
| for your tablet!
| WaxProlix wrote:
| https://postmarketos.org/ might be of interest to you.
| SubzeroCarnage wrote:
| Check out the postmarketOS project, they do exactly that!
| WaitWaitWha wrote:
| I am frustratingly blind to today's alternate OSes.
|
| Where does a lay consumer even start? Do I buy a used, but well
| supported (by alt OSes) phone? Which one would that be? Do I
| attempt to use my existing phone?
| ramesh31 wrote:
| Still running the latest iOS on my 7 year old first-gen SE.
|
| Why can't Android do the same?
| yjftsjthsd-h wrote:
| The tool https://gitlab.com/divested-mobile/cve_checker is
| fascinating; I've usually seen people attempting to bring needed
| drivers to a mainline kernel, but backporting security fixes to a
| vendor kernel does seem like a plausible way to get a lot of the
| benefit with less work.
| SubzeroCarnage wrote:
| It isn't perfect, but I am quite happy with how effective it
| has been considering how simple it really is.
| mofosyne wrote:
| Could there be a chance for splitting android into two halves? One
| for per device low level initialization and one for a shared
| image for all android devices?
|
| So the idea is you would be able to easily upgrade or even multiboot
| different android or linux images if you wish, without having to
| recompile for every device.
| ccouzens wrote:
| Sounds like project treble.
|
| I don't know how much of a success it has been, and I don't
| think it has been used to multiboot a phone or to boot a more
| standard Linux.
|
| https://android-developers.googleblog.com/2017/05/here-comes...
| craftkiller wrote:
| Does this support GrapheneOS's Google Services Framework
| compatibility layer? And why not fork GrapheneOS instead of
| Lineage?
| thrtythreeforty wrote:
| Are there _any_ other projects that are using Graphene's Play
| Services? My ideal OS is basically Lineage with those patches
| applied.
| j-james wrote:
| Yes, ProtonAOSP: https://protonaosp.org/
| SubzeroCarnage wrote:
| Was sadly discontinued it seems:
| https://github.com/ProtonAOSP
| ignoramous wrote:
| Is GrapheneOS' PlayServices sandbox open source?
| SubzeroCarnage wrote:
| All of their work is open source, usually Apache-2.0 or MIT
| but some GPL-2.0 too.
|
| There is an older condensed list of changes here:
| https://gist.github.com/thestinger/ee536cbd1ca674b94dde05831...
|
| Newer changes are in the updated repos.
| FireInsight wrote:
| The main dev has expressed that they don't intend to add any
| google play services compatibility, and probably forking
| Lineage because GrapheneOS is already pretty good but works
| just on pixels, as opposed to Lineage which works on many many
| phone models.
| SubzeroCarnage wrote:
| DivestOS has been a fork of LineageOS since before it was
| LineageOS: https://divestos.org/index.php?page=history
|
| The precursor to GrapheneOS also used to have a non-foss
| license for a period of time.
| JohnKuzyarko wrote:
| I have an old OnePlus and it's managed to last like 7 years.
| Sadly every other developer has abandoned it. Hope this project
| can bring it back from the dead!
| wazoox wrote:
| My 2013 OnePlus One still works perfectly fine (with an out-of-
| date LineageOS). Battery still lasts 2 full days easily.
| strenholme wrote:
| The problem with long term support for my Android phones has
| actually _not_ been the fact that Android devices have incredibly
| short security update windows. That issue has been somewhat
| mitigated with the newer Google Pixel phones which have five
| years of security updates.
|
| The biggest issue for long term cell phone support is, even if we
| get an OS with a 10-year security update timeline like Rocky
| Linux, will the phone itself be able to make calls on whatever
| cellular networks exist 10 years from now? I have a number of 3G
| phones I bought as recently as 2018 which became paperweights in
| 2021 when all of the cellular telcos in the United States stopped
| supporting 3G, forcing me to update to a 5G phone. Is 5G going to
| still work in 10 years? Or are the telcos going to continue to
| convert perfectly good phones into landfill?
|
| As someone who has a 15-year-old laptop which is still a
| perfectly good Linux server (its screen went out two years ago,
| but it was a perfectly good desktop computer until then), it's
| annoying seeing phones I bought less than six years ago be
| useless on today's cellular networks.
| iamgopal wrote:
| What are the alternatives / competitors to this ?
| SubzeroCarnage wrote:
| For new/supported devices I strongly recommend GrapheneOS.
|
| The other projects who support some of these older devices have
| numerous issues as noted here:
| https://divestos.org/index.php?page=patch_levels#osSecurity
|
| Edit: also of note: DivestOS currently provides monthly updates
| spanning seven versions of Android, I don't know of any other
| project doing that specifically.
| h4waii wrote:
| To note, the monthly security updates DivestOS provides don't
| (can't?) include baseband and such "firmware" updates for
| legacy OEM-unsupported versions of Android.
|
| Don't get me wrong, it's terrific that security patches are
| backported to such ancient versions of Android by those
| working on DivestOS and it's a great option for devices that
| aren't supported by GrapheneOS, LineageOS, et al.
| SubzeroCarnage wrote:
| Firmware is included for 45 devices, but no one but the
| vendor/manufacturer can actually provide security updates
| for them, so they are largely just the last release.
|
| https://gitlab.com/divested-mobile/firmware-empty/-/blob/mas...
|
| This is indeed an issue and is documented in multiple
| places of the website.
|
| Patching everything else is the best harm-reduction for
| this.
| yjftsjthsd-h wrote:
| A significant difficulty for GrapheneOS is that it has fairly
| limited device support:
| https://grapheneos.org/faq#supported-devices
|
| Now if you're buying a device planning to run it, that's
| fine, but it really does limit its usefulness.
| jeduardo wrote:
| GrapheneOS looks interesting but DivestOS's focus seems to be
| aftermarket devices that Graphene is not targeting.
|
| I recently got an unofficial build of LineageOS running on a
| Nexus 4 (mako) device and I was positively surprised with the
| speed it can run modern software. But this is an unofficial
| build that is also broken on some essential points, such as
| WiFi.
|
| For these old devices, Graphene is not an option and if there
| are others targeting the same devices as DivestOS (which I
| will surely be checking out soon) I have yet to see them.
| SubzeroCarnage wrote:
| fwiw voron00's mako builds and my builds are fully
| functional. I daily drove one a while back for fun.
| FireInsight wrote:
| I own a Fairphone 4 and recently had to decide between DivestOS
| and CalyxOS, and decided to install Calyx. GrapheneOS is better than
| CalyxOS if you own a pixel, but CalyxOS has a few supported
| devices more. I decided against DivestOS even though it had
| technically better security and privacy due to the lack of
| microG. There's also /e/os which works on many devices and uses
| microG, but they're kinda building their own ecosystem and I
| didn't want to deal with that.
___________________________________________________________________
(page generated 2022-11-14 23:00 UTC)