paradox2011

paradox2011, 6 days ago

I’ve used graphene for over a year, and it’s been solid. If you have the sandboxed Google play installed all apps will work fine, and as long as you don’t rely on heavily commercialized apps everything will likely work without them as well (sans push notifications for app that rely on firebase). RCS will work if you have Gplay services and the carrier services app installed.

One in a while there will be a slight hiccup in the UI, but I’ve experienced far worse on stock android, so I’m assuming it’s normal operating stutters. All in all it’s very reliable.

paradox2011, 15 days ago (edited 14 days ago)

/e/ does quite a good job removing Google’s presence from Android. It’s been awhile since I watched it, but this techlore video does a good breakdown of it.

Edit: actually that’s not the one I was thinking of, I’ll keep trying to find it, but it broke down the actually network connections that different degoogled ROMs were making and /e/ did very well.

Edit 2: couldn’t find the video, it’s lost somewhere in my watch history from 2+ years ago. In any case, even jumping to lineage from stock android is a great move, and /e/ makes many improvements on Lineage in removing further dependence on google code. Better to use a phone you already have than to purchase a new device just to run software that has security features you likely don’t need. It makes me think of buying a car for it’s top speed of 160 mph when you’re only ever going to be driving the speed limit.

paradox2011, 14 days ago

I’m not sure what your point is with this reply?

I’ve seen that page before, it’s helpful for getting your bearings with the different android ROMs, but take a look down towards the bottom at the “Supported Devices” section, and also compare the /e/ section to the “Stock Android” section.

paradox2011, 13 days ago

Like you say, it is moderately de-googled, which is a fantastic improvement over stock android any way you spin it. I believe that was the point of the original commenter, as it is mine. However there are those blobs that do get left in (in every ROM, including even DivestOS which is the most aggresive in this regard). Install a firewall or network monitor on a device that’s only been somewhat deblobbed and you’ll find that they are not little black boxes sending all your data to Google, but instead are there to do things locally like software interaction with hardware in the phone that is from another company like Broadcom.

Any ROM on a Samsung phone probably lags on security updates due to Samsung itself being slow to release them, though they do seem to be doing better lately. If the ROM itself is slow to push updates, the most you’ll wait is 2-3 months. That’s pretty much not a problem unless you’re being threatened by state level actors, and is the state that the majority of stock android users are in. In fact, stock android can often be years out of date because their manufacturer just doesn’t put them out.

Regarding dependence on Google services (play store of otherwise), let’s be honest, GrapheneOS users almost always install sandboxed play services, work profile or not. I don’t blame them, it’s how I have Graphene installed on my phone. However, this not a privacy oriented thing to do, it releases a flood of information to Google, much more that a simple connectivity check or SUPL ping. It’s not as much as fully integrated play services though, which is good. MicroG may be theoretically less secure, but it is certainly more private. It simply asks for less information from you than play services do.

The relockable bootloader subject is bit of a pet peeve of mine. Personally, I do choose to use a pixel so that I can have that added security, as it does have value. However, to say that without a lockable bootloader you are compromising your security and by extension privacy is what i would consider an overstatement that creates fear and uncertainty. Your security and privacy only become compromised if a thief steals your physical device then also has the know how to execute a sophisticated software based attack on the phone using adb. This just isn’t something that happens. In the many years I’ve been around the android ROM community, privacy/security focused or otherwise, I’ve not heard of this happening even once. To tie it back in to the OP, this scenario is actually a perfect use case for the app mentioned in this post, it offers you the ability to remotely wipe the device if it’s been stolen.

It can be an issue from a software angle though too, but then you would have to download and install a piece of malicious software that is specifically targeting phones without verified boot. At that point there is a greater issue though, because you can download and install malicious software that is targeting phones that DO have verified boot active just as easily. All that’s necessary is to be well informed and have good security habits and behaviors, it’s how desktop competant windows and Linux users have gotten along just fine all these decades.

It’s easy to get swept up in the security dogma of the android ROM community. In my opinion, some of it is helpful, but some is not practical or useful for every day users.

paradox2011, 13 days ago

Yes that’s the benefit of verified boot, and it is a helpful security feature. However, if you’ve used or are using Windows or Linux as an operating system, then you are comfortable with using a device that does not have verified boot (not sure about iOS and Mac, I’m not familiar with them). The risk you’re talking about with malicious code being injected in to an app you’ve chosen to trust is a threat to any device, verified boot or not. Modification of the kernel is an attack vector, but it certainly isn’t the only way for an app to cause mischief on your phone and devices are all relatively as vulnerable to developer or supply chain attacks.

Using software someone else developed always comes down to trust, unless you are auditing the code for every app you use, which I don’t think either you or I are. Having features that increase security in some technical way feels good but may lull us a sense of security. For instance, here’s a quote from a security researcher that I ran across in the past. It’s regarding the reputation for security that iOS has:

Erez Metula, founder of a a security and penetration testing firm called AppSec labs: “There’s a myth that iOS apps are more secure than Android. But the truth is, iOS apps are even worse in terms of security. When we do penetration testing for our customers, we’re often asked to test their Android and iOS versions of the same app. We have realized that since iOS developers incorrectly assume that iOS is ‘more secure,’ they allow themselves to make bad security decisions that open up vulnerabilities in their app.” He added, “Interestingly, since Android developers think that Android security is worse, it pressures them to follow better security practices.”

The same is true for us users. Security features are important, but user education and awareness is the most important element of keeping ourselves from ‘making bad decisions and opening up security vulnerabilities’ in our device usage.

Thankfully like you said, there are thousands of highly qualified individuals vetting the code of mainstream open source projects, which saves us regular users in the case we face an xz situation. A few principles that outway security features like verified boot in my book are:

1. Use open source software whenever possible, and make sure that it is widely used and visible to others.
2. Check the “issues” section of the documentation frequently. Even widely used software can be riddled with unpatched security holes (I’m looking at you Nginx Proxy Manager 😄)
3. I may get some hate for this one, but use a trusted middleman like F-droid as your app vendor for apps that do not have wide circulation or visibility. They run basic checks of the code for safety before uploading to their repos, checks that regular users are not able to do.

Unless you are being targeted by a stalker, a malicious state actor or are downloading disreputable software, the average user (with a little bit of knowledge) would be just fine on /e/ or lineageOS. Tens of thousands of people are right now without any problems.

paradox2011, 12 days ago

Me too, the mobile device landscape is definitely shaped by consumerist values. Divest has been intriguing me lately as well, I used to think it was a more flexible, less hardened alternative to Graphene, but it seems to have continued on down the road a ways past Graphene now. That wiki looks super interesting, I’m going to check it out. Just a quick look through what they have looks like high quality info.

paradox2011, 16 days ago (edited 16 days ago)

Futo Keyboard has built in Swype functionality.

Heliboard also has it, but I believe you do have to download Google’s swype libraries to use the functionality. Whether that affects privacy, I don’t know.

Edit: (See calm.like.a.bomb’s comment below)

paradox2011, 16 days ago

Try this page. You have to go in to the folder that corresponds to your device, the above link takes you to the Arm chipset code which should be good for a mobile android device. You should see the raw button in the right hand corner, and the download button should be near it as well. If you’re on mobile, tap the three dots and the download button should show up in the menu.

paradox2011, 16 days ago

That’s a no on Proton calendar working with third party clients. The encryption makes secure syncing difficult, either decrypt it before transit and have it be insecurely sent, or share the decryption key with the third party app so that it can decrypt the data once it is received, which has its own concerns.

paradox2011, 16 days ago (edited 16 days ago)

Sounds like you’re ready for a different email service 😉

paradox2011, 16 days ago

Yeah 🥲. I used proton calendar for some time but ended up going in on WebDAV nextcloud centric calendaring. It’s been more complicated, but at least it is very open (while still being private enough for me)

paradox2011, 16 days ago

I hear you there. I’m still using their email somewhat, but am transitioning away from it. I do lean on protonvpn as well, haven’t found another trustworthy free service that I can use for those few times a month I need to be on some public WiFi.

paradox2011, 16 days ago

They seem like a great company, If I ever did move to a paid service I would probably go Mullvad or IVPN, but I just can’t bring myself to sign up for the $5 monthly with how infrequently I need it.

paradox2011, 16 days ago

Tuta is where I’m at for now. They have stricter privacy than proton and are much more active in their app development. They have an Fdroid release for android and a desktop app for Linux which make life pretty nice.

I have had some connectivity issues with their servers lately though, especially on desktop. I don’t know if it’s my DNS setup or if it is unreliability on the server end. In any case it hasnt been too bad.

paradox2011, 17 days ago

Or you could get it directly from their github releases using obtainium if you don’t like to mix repos in to fdroid.

paradox2011, 22 days ago

You might like oneshot. It’s not quite as full featured as some mood trackers are, but the design is pretty nice. It hasn’t had updates in a year or so, so daily you might be worth checking out too.

paradox2011, 22 days ago

I don’t have any idea of how conplicated it would be, but a phone app would be a nice option. The stock dialer that comes with FOSS ROMs is OK functionally, but visually looks like it was from 2010. Plus it’s not available through F-droid or other open source app store. Koler is the only serious dialer alternative I’ve seen, and while it looks nice it has always been super buggy.

paradox2011, 20 days ago

I tried it back when it was under the simple tools developer. I couldn’t get in to his apps (aside from the calendar) for some reason. They all felt half-baked. It’s nice to see that the fossify forks are getting some love, I’ll check it out again.

paradox2011, 20 days ago

I’ve tried it, but I am a little picky about UI personally. It functioned well while I used it, but had a very dated style. Totally a cosmetic issue though.

paradox2011, 29 days ago (edited 29 days ago)

EDIT: realized this was for desktop, so removed the original list of mostly android apps. Here’s my go to desktop apps:

Lollypop - music player
Invoiceninja - open source invoicing service
Meld - file/folder comparison
Librewolf - hardened Firefox
Joplin - notes
QEMU/Virt-Manager - virtualization for that one windows app you still need
KeepassXC - password management
Element-desktop - Matrix client
Gparted - no fuss partition management
Lutris - game launcher that works with epic games (among many others)
PDFarranger - best PDF management I’ve found on Linux Soundconverter - easy to use file converter
Restic - backups
Fdupes - duplicate file finder
Freetube - privacy respecting YouTube client
Paperless-ngx - very well built electronic document storage. Must be run as a server.

paradox2011, 29 days ago

Whoops, didn’t notice the /c this was posted to 🤦‍♂️

paradox2011, 29 days ago

I second that. It’s been brutal trying to find a good FOSS 2FA app for desktop.

paradox2011, 29 days ago

I have a few codes duplicated in my keepass vault for the services I log in to often on desktop. The autotype is super nice in those cases. Other than that I do generally prefer having a separation between password manager and 2fa data though. Probably only a theoretical safeguard in my case, but simple enough to keep in place for the time being.

paradox2011, 29 days ago

I haven’t heard of 2fas before, they seem pretty interesting. I’m inclined to keep my password and 2fa vaults out of the cloud (thus Aegis and Keepass) so I’m interested in how the browser extension syncs data with a phone. If it uses a shared network or ephemeral data transfers that would be pretty nice.

paradox2011, 27 days ago

I’m on KDE 🥲 That Gnome app has been almost enough to get me to switch though. There’s a few Gnome apps that KDE doesn’t have a comparable parallel to.

paradox2011, 2 months ago

Just another recommendation for QEMU + Virtmanager. I’ve been using that setup for some time now and its a smooth and responsive experience.

I did have some issues getting USB redirection on EndeavourOS, the virtualization entry on the Arch wiki helped. Check out section 8, SPICE. I didn’t have the same problem in Manjaro, so it appears to be just a missing package/configuration issue with more minimalist Arch-based distros.

paradox2011, 2 months ago

Just gonna leave this here for anyone who wants a laugh. It wasn’t a Linux based desktop, but it was hilarious. Buying a PC with Dell: my journey into hell

paradox2011, 2 months ago

I thought this was a really good point regarding situations where a github issue or other channel of communication is being used to pester or make demands of a maintainer. I hadn’t thought about it from this perspective.

Let the maintainer deal with it publicly, and reach out privately if you are concerned about the situation. Otherwise, even if you are concerned about burnout or the maintainer overworking, you may wind up advocating for a threat actor to become a maintainer of something.

paradox2011, 3 months ago

Saber notes is really good. It’s more for notes, annotating PDFs and simple artwork than anything graphic design level though.

paradox2011, 3 months ago

Yes, it’s super easy to do as well. Most distro installers give you the option to automatically install for dual-boot without any manual partitioning.

Definitely try Mint, I was on it for years and it is very thoughtfully designed for stability and ease if use.

The hardest part will be getting the liveUSB made for the Linux ISO. You can find some simple tools like Balena Etcher that make it easy though.

paradox2011, 3 months ago

That’s a bummer, sorry man. That is super rare though, I’ve never heard of that happening to anyone else in my 10+ years of Linux life. Don’t let it keep you from trying it again. I guess that is a testimony to the importance of backups, especially when working with partitions.

OP, the most trouble I’ve ever heard of or experienced myself was some GRUB issues, which are just a matter of the bootloader recognizing that there is a windows or Linux partition alongside whatever is being booted up. There are a ton of tutorials on how to address that type of issue though, it’s usually a matter of one or two commands in a terminal or command prompt.

paradox2011, 4 months ago

I know it’s not super helpful, but I’ll add that this happens to me periodically on my EndeavourOS, Intel based desktop as well. Not even all of the time, just sometimes when it suspends. It seemed to get better when I changed my settings to hybrid sleep, but it just happened again yesterday, so I’m back to square one. Bookmarking to check for possible solutions later.

paradox2011, 4 months ago

Interesting, I’ll look in to that

paradox2011, 4 months ago

EndeavourOS. I like the simplicity and minimalism of stock Arch, bloated distros bother me. I have been thinking of trying out Linux Mint again though, I used it for years and it was really good.

paradox2011, 4 months ago

The just dang works part of Mint is so nice. I do like learning and tinkering, but I have to say setting up my printer in endeavourOS was brutal! I had all the right software installed, but it ended up needing a single line of code pasted in to a file I never would have guessed on my own. I’ll paste the info here on the slight chance it will save anyone else from the trauma I went through 😅

Reference article: wiki.archlinux.org/title/Avahi

2.1 Hostname resolution
Avahi provides local hostname resolution using a “hostname.local” naming scheme. To enable it, install the nss-mdns package and start/enable avahi-daemon.service. use sudo instead of doas if that’s the tool you prefer.

doas systemctl start avahi-daemon.service

Then, edit the file /etc/nsswitch.conf and change the hosts line to include mdns_minimal [NOTFOUND=return] before resolve and dns. It should look like:

<span style="color:#323232;">hosts: mymachines mdns_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns
</span>

paradox2011, 4 months ago

Do they customize it too heavily away from its defaults? I use KDE so I don’t bump in to that issue myself.

paradox2011, 4 months ago

Oh yeah, I get what you mean. There were a few tweaks like that in the KDE file manager too. Dolphin would open with a lot of extra features running like a terminal at the bottom of the window and extra information panes on the sides. They were all normal dolphin features that were just toggled on by default, so I was able to get back to a cleaner experience with a few clicks, but it sounds like that may be their MO: turn on ‘helpful’ features in the user space by default. That was the only app that had non - default settings in KDE that I found, it sounds like it’s not as customized as i3.

paradox2011, 4 months ago

• Audile: offline, trackerless music recognition.
• Keepassdx + Heliboard: both excellent apps in their own right that create a smoother experience of mundane phone use, but they also integrate rather well together and Heliboard will often pop Keepassdx in to its suggestion bar when you enter a log in page. It’s been really nice for me.
• FUTO voice input: speech to text for those who don’t want to use Google speech services. Frankly, the FUTO app works better than googles app anyways, it always handles grammar correctly as long as you speak relatively clearly, and integrates with Heliboard nicely.
• Tailscale: for those who need VPN access to their other devices.
• Thunder : a Lemmy client with compatibility with Lemmy’s recent server side changes and also has a decent UI/UX
• tasks.org: fantastic, customizable to do app with various syncing options.
• Magic Earth: privacy respecting maps/directions for those who don’t want google maps. (NOTE: closed source. Here is the privacy policy, terms of use and description of their business model at the bottom of their FAQ)
• Myne: e-book downloader.
• Markdownr: convert webpages to markdown. Great option for mobile, if I’m on desktop I use the Joplin web clipper plug in for Firefox.

Seconding Newpipe, excellent app.

EDIT: added links to the terms, policies and FAQ of Magic Earth, as it is not open source.

paradox2011, 8 months ago

Absolutely, there are some really good ways to mitigate the data flow even if you can’t stop it entirely. The OS is a big deal, but I think the most fundamental change to make is the apps and services you use.

You’ve probably already done that to a degree, but see if there are more changes you can make.

Alternativeto is an excellent way to explore your options, but also the techlore and the new oil youtube channels are fantastic resources for limiting privacy leaks.

I’ll post a few debloater apps that I’ve run across when I get home too, I haven’t used them but I know there are options for removing some of the tracking elements of stock android.