Post AzXE5TUnYPVIJ3OMyG by jeffcliff@shitposter.world
 (DIR) Post #AzVuZsjW5tEX1bXRHE by gcvsa@mstdn.plus
       2025-07-06T13:52:11Z
       
       2 likes, 1 repeats
       
       The #Fairphone is very interesting, but it’s not available in any meaningful sense in the US, one of the most lucrative markets—if not the largest market—in the world.
       With Google’s recent announcement that they will no longer be providing device trees for Pixel phones, my plan to switch from my now 4.5 year old 2020 iPhone SE2 to a Pixel running @GrapheneOS might be in some doubt. We need alternatives to Apple, Google, and Samsung that aren’t entirely controlled by the CCP/PRC.
       
 (DIR) Post #AzVuZtrhsvNYXINUgK by GrapheneOS@grapheneos.social
       2025-07-06T13:56:15Z
       
       0 likes, 0 repeats
       
       @gcvsa Fairphone doesn't provide proper updates or security features. Their devices don't meet our basic hardware security and support requirements which are listed at https://grapheneos.org/faq#future-devices. They ship the yearly releases around a year late from the start, skip monthly/quarterly releases entirely and consistently ship the security backports and SoC driver/firmware patches 1-2 months late. They have no secure element which is essential for disk encryption and important for other features.
       
 (DIR) Post #AzVuZux3qVFvuBtHfM by GrapheneOS@grapheneos.social
       2025-07-06T13:57:48Z
       
       0 likes, 0 repeats
       
       @gcvsa
       > With Google’s recent announcement that they will no longer be providing device trees for Pixel phones
       There's no other Android OEM providing what Pixels provided prior to Android 16. It was never one of our hardware requirements and we've continued supporting Pixels without it. We've communicated that GrapheneOS development will continue, that existing Pixels will remain supported until end-of-life and that future Pixels will be supported if they meet the hardware requirements.
       
 (DIR) Post #AzVuZvzvxJ9F9OF5ma by GrapheneOS@grapheneos.social
       2025-07-06T14:00:32Z
       
       0 likes, 0 repeats
       
       @gcvsa GrapheneOS is based on Android 16 and our releases based on Android 16 are available in our Alpha and Beta channels. Please read what we've said about this ourselves on this platform in the threads we've published about it. The future of GrapheneOS is not in doubt. Our threads have been misrepresented by multiple blogs, news sites, etc. Many cited content written by third parties on X and Telegram without verifying it. They inaccurately attributed claims made by someone else to us.
       
 (DIR) Post #AzVuZwg7QStNGDymXI by gcvsa@mstdn.plus
       2025-07-06T14:02:23Z
       
       1 likes, 0 repeats
       
       @GrapheneOS I’m sorry, I did not mean to imply that the future of Graphene is in doubt, I meant my future ability to access supported hardware is in some doubt. I am hoping that if I get a Pixel 9a this year, it will remain well-supported for its useful lifespan, and 4-5 years in the future, the landscape will have changed for the better.
       
 (DIR) Post #AzVuZzjQ4eJajKXxb6 by gcvsa@mstdn.plus
       2025-07-06T14:01:01Z
       
       1 likes, 0 repeats
       
       @GrapheneOS My original plan was to get a Pixel 8a. Now my carrier no longer even lists that model, so I guess I’m looking at a Pixel 9a. The real question is whether or not I will be able to afford to replace my iPhone SE2 before it is no longer viable.
       But, TBPH, my primary beef with Apple right now is their refusal to allow me to install a proper desktop class browser and ad blocking extensions. It renders my iPhone and iPad 90% useless for my needs.
       
 (DIR) Post #AzVuc8Mewq8S5FvA5Q by jeffcliff@shitposter.world
       2025-10-23T21:51:21.248315Z
       
       0 likes, 1 repeats
       
       @gcvsa @GrapheneOS We have one: https://puri.sm/
       
 (DIR) Post #AzWBaHpYTsYY5G8qEi by GrapheneOS@grapheneos.social
       2025-10-23T22:43:27Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa These are extraordinarily insecure devices with bottom of the barrel components. They're not open as they claim to be and still use entirely closed source components from large companies around the world. How is massively downgrading the security of the hardware, firmware and software progress? It's still closed source hardware, but with many year old outdated components with much worse security and software on top with much worse privacy and security. What's the point of it?
       
 (DIR) Post #AzWBaJ0w53FnkqTRc8 by jeffcliff@shitposter.world
       2025-10-24T01:01:29.487397Z
       
       0 likes, 1 repeats
       
       @GrapheneOS  You clearly have memory issues since you have forgotten the past *2* threads you responded to me in, and we went through this.  Surely I made a mistake in recommending that  @gcvsa pursue a device that can run your OS.
       
 (DIR) Post #AzWK0z8ss2gpZjQN5E by GrapheneOS@grapheneos.social
       2025-10-24T02:16:40Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa This is the GrapheneOS project account, not a personal account.
       Librem 5 is an insecure device with ancient components with ludicrous pricing for what it provides. It doesn't avoid components made in China, is not open and it's not compatible with providing basic privacy and security patches or protections. It's also lacking very basic functionality and compatibility with the apps most people want.
       You didn't recommend GrapheneOS but rather you tried to fearmonger about it.
       
 (DIR) Post #AzWK0zbFAbNIzgh1Hs by jeffcliff@shitposter.world
       2025-10-24T02:35:53.142493Z
       
       1 likes, 1 repeats
       
       @GrapheneOS @gcvsa Again, this is the 3rd thread you and I have interacted.  And I know it's one person behind this account, because your tone is identically hostile in all 3 threads.
       I literally just recommended @gcvsa pursue her goal of getting a pixel device and using grapheneOS with it.
       >Librem 5 is an insecure device with ancient components with ludicrous pricing for what it provides.
       As opposed to...relying on google to do the hard part for you?
       > is not open
       Again: you keep saying this, and we've been through the reasons why you are mistaken about this over and over again.
       > not compatible with providing basic privacy and security patches or protections.
       This hits the crux of the matter, and where you've been consistently wrong - the "Security patches" you demand are proprietary binary blob firmware upgrades, which would be *actually* removing the agency from the device from the user.
       >It's also lacking very basic functionality and compatibility with the apps most people want
       It works fine for me *and it is #freesoftware so I can extend it if I were to find it lacking in any way*.
       But this is for @gcvsa -- is @gcvsa "most people"?  No.  They are talking about foregoing convenience to use @GrapheneOS and probably has an eye for UX.  They are exactly who should be contributing to an actual freedom respecting, freedom providing hardware rather than some chinesium google crap.  Maybe purism isn't ready for "most people" -- that for "most people" the answers are more simple -- switching to android from apple, switching to fdroid from google play (while that's still possible) and switching to @GrapheneOS where possible.  @gcvsa should know there's another option though.
       
 (DIR) Post #AzWQo9c9K9OPy5wRxA by GrapheneOS@grapheneos.social
       2025-10-24T03:49:11Z
       
       1 likes, 1 repeats
       
       @jeffcliff @gcvsa Librem 5 has closed source hardware and firmware. It's priced as a high end flagship but has very old components with awful security at a hardware, firmware and software level. Purism markets the device with extremely false claims about privacy, security and openness. It's objectively a scam. Purism's hardware is not freedom respecting, not private, not secure and not a safe option. Providing basic privacy/security updates and protections is the bare minimum, and they don't.
       
 (DIR) Post #AzWQoAmSzHEvaNmCfo by jeffcliff@shitposter.world
       2025-10-24T03:52:04.508498Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa Again we've been through this in the previous thread, are you going to acknowledge this?  Or are you going to keep ignoring this fact.
       > Purism markets the device with extremely false claims about privacy, security and openness.
       You keep making this accusation, and when called on it you keep being proven wrong.
       > Providing basic privacy/security updates and protections is the bare minimum, and they don't
       They do provide security and privacy updates, of course (Crimson development continues to this week too).  Just not the ones *you* want (ie the proprietary ones) - ie you're completely full of shit on this.
       
 (DIR) Post #AzWRDinHfF4wJcLDrU by GrapheneOS@grapheneos.social
       2025-10-24T03:54:56Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa Purism went out of the way to lock down parts of the device to stop users replacing or updating the software/firmware. They even set up a special closed source core on the main SoC for the sole purpose of engaging in scamming through pretending the device doesn't have closed source firmware on the SoC. You're redefining the word freedom to a nonsense definition where taking away privacy, security and choices from people somehow makes them more free. It's still closed source.
       
 (DIR) Post #AzWRDjxbKMvRvuAya8 by jeffcliff@shitposter.world
       2025-10-24T03:56:41.712053Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
       > Purism went out of the way to lock down parts of the device to stop users replacing or updating the software/firmware.
       Because the alternative was using proprietary firmware.
       > You're redefining the word freedom to a nonsense definition where taking away privacy, security and choices from people somehow makes them more free.
       Again, we've been through this in the previous thread.  It doesn't 'take away' freedom to 'not have access to proprietary firmware mystery blobs'.  That is just basic security.
       > . It's still closed source.
       You're still ignoring the other thread as if you didn't run from it with your tail between your legs when your BS was called on you making this accusation
       
 (DIR) Post #AzWojlU7UcFksDcs1A by GrapheneOS@grapheneos.social
       2025-10-24T04:03:15Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa Librem 5 is proprietary hardware with proprietary firmware. Not shipping the updates doesn't mean it doesn't exist. It's closed source, proprietary hardware and firmware that's being peddled as open when it's not. That's objectively scamming people, the same way they're doing it with their false privacy and security claims. Tricking people instead of allowing them to make informed decisions with accurate info is not respecting freedom or at all ethical.
       
 (DIR) Post #AzWojmfr4TEaYu7kwq by GrapheneOS@grapheneos.social
       2025-10-24T04:10:24Z
       
       1 likes, 0 repeats
       
       @jeffcliff @gcvsa We're not interested in wasting large amounts of our time engaging with someone who repeatedly makes the same false claims. Instead, we'll respond to your posts by writing up a longer form article to post on our website or forum about the Librem 5 and Purism. We can link that across platforms including Mastodon. We would rather work on other things. If Purism and their supporters stop misleading about GrapheneOS, we won't spend time informing people about it.
       
 (DIR) Post #AzWooOJl3TUkTBz9DE by GrapheneOS@grapheneos.social
       2025-10-24T03:59:02Z
       
       1 likes, 1 repeats
       
       @jeffcliff @gcvsa PureOS is lacking the most basic privacy and security protections. It's a fork of an OS with atrocious privacy and security including a history of introducing many vulnerabilities and only backporting a small portion of security patches which are assigned CVEs. Purism chooses not to ship firmware updates and goes out of the way to block them in some cases. They do not provide a working app sandbox, permission model, modern exploit protections or many other basic protections.
       
 (DIR) Post #AzWooOtCvfqqF8ZST2 by GrapheneOS@grapheneos.social
       2025-10-24T04:01:29Z
       
       1 likes, 1 repeats
       
       @jeffcliff You're peddling an unsafe option from a company that's scamming people for profit. Purism harms people by selling them overpriced low end hardware for outrageous prices while providing atrocious privacy and security. The hardware is closed source with closed source firmware. Not updating the firmware doesn't make it go away. Leaving known, veritably present vulnerabilities open is not protecting people. Hiding it from users and misleading them isn't at all freedom respecting.
       
 (DIR) Post #AzXDeaVtM2sOFi5Cjo by jeffcliff@shitposter.world
       2025-10-24T12:59:23.776432Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa Again you repeat these false claims over and over, and again you purposefully ignore the last time you and I got into a thread, where these claims were addressed.  Repeating your claims over and over won't make them true.
       
 (DIR) Post #AzXDnuDRTFYVxrtdE8 by jeffcliff@shitposter.world
       2025-10-24T13:01:05.374465Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
       >Purism went out of the way to lock down parts of the device to stop users replacing or updating the software
       This is a lie.  You can replace the software and I have.
       > firmware
       Installing proprietary firmware would indeed be a bad idea, which is what you've been pushing for over and over again here.
       > You're redefining the word freedom
       It's not 'redefining' freedom to avoid proprietary firmware blobs no matter how many times you lie and claim otherwise.
       > taking away privacy, security
       They do not do this.
       
 (DIR) Post #AzXE5TUnYPVIJ3OMyG by jeffcliff@shitposter.world
       2025-10-24T13:04:15.839911Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
       >. Purism chooses not to ship firmware updates
       Again: this is a good thing.  They aren't shipping proprietary firmware.
       > They do not provide a working app sandbox,
       "app sandbox" is an excuse to run proprietary software imho so this isn't super important.
       > permission model, modern exploit protections or many other basic protections.
       This of course is a blatant lie.
       
 (DIR) Post #AzXEFw7Vz3VHymURHc by jeffcliff@shitposter.world
       2025-10-24T13:06:09.417965Z
       
       0 likes, 1 repeats
       
       @GrapheneOS
       > You're peddling an unsafe option
       They are 'safe' against their threat model as it comes
       > from a company that's scamming people for profit.
       They ship hardware and software - they aren't a scam.
       > Purism harms people by selling them overpriced low end hardware for outrageous prices while providing atrocious privacy and security
       You keep accusing them of the latter, and every thread we encounter one another you're proven wrong.  And the prices aren't that outrageous if your carrier isn't subsidizing it - it's comparable with other devices on the market.
       
 (DIR) Post #AzXENjTWsh6T4vVL9c by jeffcliff@shitposter.world
       2025-10-24T13:07:33.682262Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa Are you ever going to acknowledge the last thread (that you thoroughly lost)?  No, you're going to just keep repeating these false accusations.
       
 (DIR) Post #AzXEVScdQO057sRsLg by jeffcliff@shitposter.world
       2025-10-24T13:08:57.759663Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
       >interested in wasting large amounts of our time engaging with someone who repeatedly makes the same false claims.
       Sure seems like it given how much of MY time you've wasted with these accusations (mostly false) of your own
       >. We would rather work on other things
       THEN DO THIS AND QUIT WASTING MY TIME AND EVERYONE ELSE'S TIME WITH YOUR MISINFORMED VIEWS ON PROPRIETARY FIRMWARE BLOBS
       
 (DIR) Post #AzXEeZ1yxxOXboe5A0 by GrapheneOS@grapheneos.social
       2025-10-24T13:08:05Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa We haven't made any false claims. It's you doing that, including right here. If you want us to write a long form post about this for our website or forum, so be it.
       
 (DIR) Post #AzXEeaSxd8ZM3mH8qm by jeffcliff@shitposter.world
       2025-10-24T13:10:35.515337Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa Yes, which you know full well you are doing since we went through this in the last 2 threads how wrong you are about proprietary firmware blobs and whether it's ok to force users to use them
       
 (DIR) Post #AzXEkkhMV34BX3x2Ke by GrapheneOS@grapheneos.social
       2025-10-24T13:09:14Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa
       > This is a lie. You can replace the software and I have.
       They locked down certain components to prevent updating them in order to claim that it doesn't count, as you're doing. It's closed source hardware with closed source firmware, and they've locked that down more rather than less to block users modifying or inspecting it.
       > Installing proprietary firmware
       It's already installed. Not loading it or updating it from the OS doesn't make it not exist. It's a lie.
       
 (DIR) Post #AzXEklJeChgvRnrc0W by jeffcliff@shitposter.world
       2025-10-24T13:11:42.537362Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
       > It's already installed. Not loading it or updating it from the OS doesn't make it not exist.
       It makes it an informed decision on what the hardware is for that device, minimizing complexity of the hardware
       
 (DIR) Post #AzXEpJoZsbzZbOVIMy by GrapheneOS@grapheneos.social
       2025-10-24T13:10:03Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa
       > It's not 'redefining' freedom to avoid proprietary firmware blobs no matter how many times you lie and claim otherwise.
       You aren't avoiding proprietary firmware blobs with the Librem 5. It has a huge amount of proprietary firmware, the OS just isn't loading or updating it. That doesn't mean it's not there. It has known, verifiable vulnerabilities which are unpatched due to not being updated and the fact that some components are already effectively end-of-life.
       
 (DIR) Post #AzXEpLIONFR2C9ScTo by jeffcliff@shitposter.world
       2025-10-24T13:12:32.054195Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
       >e, the OS just isn't loading
       if it's not being loaded it's not an issue
       > some components are already effectively end-of-life.
       They aren't end of life if purism is still using them
       
 (DIR) Post #AzXF9yV2KAVbZkDHG4 by GrapheneOS@grapheneos.social
       2025-10-24T13:11:26Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa
       > They do not do this.
       The hardware, firmware and software are a massive all around privacy and security downgrade. It lacks the most basic standard privacy and security protections on mobile. It lacks privacy and security patches not only for firmware but for a lot of the software, since Debian mostly only backports fixes which are assigned a CVE and most security fixes are in fact not assigned a CVE. The model of freezing the software for years isn't a good one.
       
 (DIR) Post #AzXF9ypF72fiaPfPkm by jeffcliff@shitposter.world
       2025-10-24T13:16:16.214823Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
       >The model of freezing the software for years isn't a good one.
       OMFG yes it is.  It is the most important model, and this is where you are clearly going wrong.  Being able to freeze software for years (and patch with security updates) means that you can build higher level software on top of it.  It is fundamentally how free software development should happen.
       >The hardware, firmware and software are a massive all around privacy and security downgrade.
       Downgrade or upgrade is the wrong way to look at it -- it's hardware that the user has control over and where the user can have *actual privacy* guarantees -- that's an upgrade from a google device.
       >but for a lot of the software
       They are shipping upgrades for that software and continue to do so.  Like any other FLOSS project if you or anyone else finds a flaw in it, they can file a bug report on it.
       
 (DIR) Post #AzXFMTD5y7eIIWmOOG by GrapheneOS@grapheneos.social
       2025-10-24T13:13:03Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa
       > Again: this is a good thing. They aren't shipping proprietary firmware.
       Purism is shipping proprietary hardware and proprietary firmware with the device. They're leaving it non-updated without fixes for known, verifiable vulnerabilities both due to the end-of-life components and lack of OS updates for it. Not updating it doesn't mean there isn't proprietary firmware. It's still there. They blocked updating some of the firmware, not all of it, but they don't update it.
       
 (DIR) Post #AzXFMUSjJTkWBJ6OOm by jeffcliff@shitposter.world
       2025-10-24T13:18:31.805225Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
       Holy christ are you ever wasting my time today.
       We went into this in the last thread.  YOU are the one who takes issue with them not deploying proprietary firmware, you've done it over and over again, and every time you are called on it you leave the thread. They aren't 'end-of-life' components (that's a lie *because purism uses and supports them*)
       > and lack of OS updates for it.
       There is no 'lack of OS updates' -- they are updating the OS all the time. https://forums.puri.sm/t/pureos-crimson-development-report-september-2025/29822/12
       > Not updating it doesn't mean there isn't proprietary firmware.
       Yes it does, not updating with proprietary firmware means that the hardware is defined *as is*
       
 (DIR) Post #AzXFMZKlCXLTI2PbAe by GrapheneOS@grapheneos.social
       2025-10-24T13:14:39Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa
       > "app sandbox" is an excuse to run proprietary software imho so this isn't super important.
       Open source software still requires trusting the upstream developers and the downstream package maintainers. Open source does not mean all vulnerabilities or bad behaviors are known and resolved at all. Many severe vulnerabilities last for years or even decades in widely used and reviewed projects like the Linux kernel.
       > This of course is a blatant lie.
       No, it's the absolute truth.
       
 (DIR) Post #AzXFMfcLq2yumKgjQG by GrapheneOS@grapheneos.social
       2025-10-24T13:16:23Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa PureOS and Debian do not have modern exploit mitigations. They aren't even using the standard upstream Linux kernel exploit mitigations, aren't using type-based control flow integrity, etc. They're still in the process of deploying early 2000s mitigations such as full ASLR. They're nowhere close to deploying hardened allocators, memory tagging, etc.
       Having a proper permission model would require using sandboxing with a design providing that, which they aren't doing.
       
 (DIR) Post #AzXG0suzo2Bzc5aK6C by jeffcliff@shitposter.world
       2025-10-24T13:25:50.649497Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
       > Open source software still requires trusting the upstream developers
       uh no it doesn't
       you should read every line of code in your project and verify what it does BEFORE trusting it
       > and the downstream package maintainers. Open source does not mean all vulnerabilities or bad behaviors are known and resolved at all.
       Again this is you confusing 'open source' with 'free software' which you continually do.  "Free software" isn't a guarantee against every software bug --- it gives you the power as a community to resolve them
       > Many severe vulnerabilities last for years or even decades in widely used and reviewed projects like the Linux kernel.
       Well no shit.  But we have processes for dealing with them.
       > No, it's the absolute truth.
       No, it's not.  Just checked and system binaries support PIE for example.
       
 (DIR) Post #AzXGAtXkKxaARoU1Zo by GrapheneOS@grapheneos.social
       2025-10-24T13:20:59Z
       
       1 likes, 1 repeats
       
       @jeffcliff @gcvsa Purism deploys proprietary hardware and firmware. That's what their devices provide. Selling people devices with proprietary firmware but not providing patches for known, verifiable vulnerabilities is their approach.
       What we're going to do is respond to your massive flood of false claims to promote these insecure products by making a long form post and sharing it across platforms. It's a waste of time responding to you pushing false claims about it, so we won't keep doing it.
       
 (DIR) Post #AzXGAu06dWGdrlkfmS by GrapheneOS@grapheneos.social
       2025-10-24T13:24:06Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa A lot of the Librem 5 firmware doesn't have updates blocked but it's generally not available due to the hardware components being ancient, low security ones which weren't ever going to provide proper long term support. They're not shipping patches for known, verifiable vulnerabilities. For the SoC, they've prevented themselves or others from doing some of it. They haven't fully blocked it for Wi-Fi, cellular, etc. but they chose components which aren't getting proper updates.
       
 (DIR) Post #AzXGAuc2MUbnlPUxu4 by GrapheneOS@grapheneos.social
       2025-10-24T13:25:29Z
       
       0 likes, 1 repeats
       
       @jeffcliff @gcvsa Contrary to what you're saying, they do have serious issues with how the OS software is updated. The model of backporting only a small number of fixes to patch issues with known CVEs isn't one that works well. Most security issues in the open source projects which are used do not get CVE assigned. Projects expect that the new stable releases are shipped at some reasonable pace, not years with the version frozen. Projects with LTS versions also usually don't do it for years.
       
 (DIR) Post #AzXGCwaI0A4sSTeLfk by GrapheneOS@grapheneos.social
       2025-10-24T13:26:50Z
       
       0 likes, 1 repeats
       
       @jeffcliff @gcvsa They're not shipping most of the security patches. They're only shipping a subset of the security patches with CVE assignments. Most open source projects that are used do not actively seek out CVE assignments. CVE assignments tend to mean issues were found by external security researchers or were very blatant. There are a huge number of memory corruption fixes and other fixes not getting CVE assignments, so they aren't backported as part of this model. It doesn't work well.
       
 (DIR) Post #AzXGWR84f0sIh4kO2q by jeffcliff@shitposter.world
       2025-10-24T13:31:32.956067Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa OK I'm going to dig up the last thread, where you ran away from.  https://snac.lx.oliva.nom.br/lxo/p/1750293340.123326
       This is what you want them to do: to plug proprietary firmware blobs.
       >e end-of-life components and lack of OS updates for it
       There is no 'lack of OS updates' since they are still deploying OS updates.
       >Not updating it doesn't mean there isn't proprietary firmware. It's still there.
       The hardware is still there, yes.
       
 (DIR) Post #AzXGmqtkcUINFRsK3M by jeffcliff@shitposter.world
       2025-10-24T13:34:30.982864Z
       
       1 likes, 1 repeats
       
       @GrapheneOS @gcvsa
       >What we're going to do is respond to your massive flood of false claims to promote these insecure products by making a long form post and sharing it across platforms.
       You're the one who has been flooding our feed with false claims
       > It's a waste of time responding to you pushing false claims about it, so we won't keep doing it.
       PLEASE stop doing it.  You are a complete and utter waste of time and every time you get into one of these threads you wind up wasting everyone's time with your false claims.
       
 (DIR) Post #AzXGuIaE5NBp8gIFlI by jeffcliff@shitposter.world
       2025-10-24T13:35:51.668748Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
       >PureOS and Debian do not have modern exploit mitigations.
       This is 100% bullshit.  Debian is the gold standard of modern software, period.
       > Having a proper permission model would require using sandboxing
       Again, what you seem to be including as your 'modern security mitigations' is 'stuff designed so proprietary software is easier to run'
       
 (DIR) Post #AzXH0YXpedokNc9otk by lonelyowl13@detroitriotcity.com
       2025-10-24T13:36:59.623581Z
       
       0 likes, 0 repeats
       
       @jeffcliff @GrapheneOS @gcvsa This is the official account of grapheneos as far as i understand, apparently they hired a gnu/jihadist community manager
       
 (DIR) Post #AzXH4eGELOezGZsLj6 by GrapheneOS@grapheneos.social
       2025-10-24T13:19:20Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa They don't have full system MAC/MLS policies, they don't use sandboxing throughout the base OS or for apps in general beyond certain partial opt-in sandboxing, etc. They don't have verified boot but at most a useless incomplete desktop Windows Secure Boot approach. They do have software with versions frozen for years with very incomplete backports and many misguided downstream changes to configurations and code. An enormous number of additional people are trusted as part of it.
       
 (DIR) Post #AzXH4evLsVYNK77Bp2 by jeffcliff@shitposter.world
       2025-10-24T13:37:42.991658Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
       > they don't have sandboxing...for apps in general
       they have the ability to run software and 'apps in general' means 'proprietary software apps'
       > They don't have verified boot
       that's a good thing - drm locked bootloaders are not a good thing
       > They do have software with versions frozen for years with very incomplete backports and many misguided
       oh now they are misguided too?  Talk about FUD
       > An enormous number of additional people are trusted as part of it.
       Not really - you can build the images yourself, you can audit the code yourself - the hardware is of course still trusted but since it's auditable...
       
 (DIR) Post #AzXH8C33BCpyvPOvj6 by jeffcliff@shitposter.world
       2025-10-24T13:38:21.533333Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa you keep responding with this response over and over despite the fact that in the last thread these claims were proven wrong.
       
 (DIR) Post #AzXHJaINMyabJO08dE by jeffcliff@shitposter.world
       2025-10-24T13:40:25.058094Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa The hardware isn't 'low security' -- hell it has features like hardware switches which is unique on the market
       > ones which weren't ever going to provide proper long term support
       And yet they are providing long term support
       >They're not shipping patches for known, verifiable vulnerabilities
       Again the patches YOU want are the proprietary ones, which aren't 'security' but "exploits"
       > but they chose components which aren't getting proper updates.
       Again the only "proper updates" they aren't getting are the binary blob firmware updates that you demand.  They *are* getting and continue to get and developing OS updates
       
 (DIR) Post #AzXHPFrGGg3JfE1SEq by jeffcliff@shitposter.world
       2025-10-24T13:41:27.405466Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa If you're going to just repeat the same post over and over again you are just going to get the same response over and over again.
       
 (DIR) Post #AzXHbnMfW7r53dh0ZE by jeffcliff@shitposter.world
       2025-10-24T13:43:43.400610Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
       >Contrary to what you're saying, they do have serious issues with how the OS software is updated.
       No, they don't.  YOU claim there are, and when called on it it always turns out to be bullshit.  You just don't like debian's development model.  That's fine.  That doesn't make debian stable-like distributions not the proper foundation for free software development
       > The model of backporting only a small number of fixes to patch issues with known CVEs isn't one that works well.
       Debian has decades of experience showing you are wrong
       > Most security issues in the open source projects which are used do not get CVE assigned
       red herring -- security updates are still deployed without them (i've deployed more than a few to debian stable personally)
       >. Projects expect that the new stable releases are shipped at some reasonable pace
       Oh now they aren't developing at a 'reasonable' pace well guess what?  Maybe people would 'deploy faster' IF THEY WEREN'T WASTING TIME ARGUING WITH YOU ALL THE TIME
       
 (DIR) Post #AzXHjUvDyDvCAwWq9Y by jeffcliff@shitposter.world
       2025-10-24T13:45:06.774159Z
       
       2 likes, 1 repeats
       
       @lonelyowl13 @GrapheneOS @gcvsa no they aren't a gnu/jihadist -- they are allah forgive me, an open source supporter.
       
 (DIR) Post #AzXI1BKzWVkyeF0tTk by WeissenSocken88@poa.st
       2025-10-24T13:48:19.130229Z
       
       2 likes, 0 repeats
       
       @jeffcliff @lonelyowl13 @GrapheneOS @gcvsa Allah will punish these Sunni dogs Jeff Cliff
       
 (DIR) Post #AzXIfVmOwJ8ddD45I0 by lonelyowl13@detroitriotcity.com
       2025-10-24T13:55:35.250362Z
       
       1 likes, 0 repeats
       
       @Dudebro @GrapheneOS @gcvsa @WeissenSocken88 @jeffcliff He will explode
       
 (DIR) Post #AzXJT6R7RIE3Vfl0XA by GrapheneOS@grapheneos.social
       2025-10-24T13:49:02Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa Purism's hardware and firmware is extraordinarily insecure with severe known vulnerabilities and lack of important basic privacy and security protections.
       Kill switches are a last resort when a device is compromised and taken over by an attacker, which is far more likely for the Librem 5 and other Purism hardware. These switches do not protect user data and only stop using the components they turn off when the user has them off. Several are implemented incorrectly too.
       
 (DIR) Post #AzXJT7NFx8jKPyxR9U by jeffcliff@shitposter.world
       2025-10-24T14:04:32.791856Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
       > Purism's hardware and firmware is extraordinarily insecure with severe known vulnerabilities and lack of important basic privacy and security protections.
       1.  the hardware is not 'extraordinarily insecure' it even has security functionality built in that most handheld devices do not.  You just don't like the fact that it doesn't get 'microsoft-like'(from last thread [1]) firmware updates
       [1] here's a reply from the last thread ( https://snac.lx.oliva.nom.br/lxo/p/1750295940.933767 )
       >> Many of the firmware vulnerabilities are found by security researchers publishing information on them.
       > publishing...where?  To who?  And now we have to trust not just the manufacturer of the firmware but some rando 'researchers' with no vetting?  "just trust me" code is not security, it is the opposite of security.  "just trust some rando" is even worse.
       >> Taking away choices from users and hiding important information from them is not protecting their freedom.
       > The ones "hiding important information" are those who manufacture proprietary firmware updates.
       >> Assuring people's insecurity is not managing the complexity of the devices.
       > Sure it is.  There is a fixed amount of complexity in any physical device.  Once you start adding to it you're increasing that complexity
       >> You don't like the way it works in practice so you'd rather force them to be terrible and will mislead people into it.
       > "the way it works in practice" to who?  Microsoft??  To my devices it doesn't work that way, and for anyone who listens to me.
       
 (DIR) Post #AzXJTBsxBESgPRoo76 by GrapheneOS@grapheneos.social
       2025-10-24T13:50:37Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa Purism is not providing actual long term support but rather ignores the unpatched vulnerabilities and leaves users insecure. They've chosen components which are particularly low security, filled with known vulnerabilities and not getting patched. It's verifiable that there are unpatched security vulnerabilities which can be replicated. Contrary to your claims, it can be verified that they exist and are being fixed by firmware updates. Closed source also doesn't mean black box.
       
 (DIR) Post #AzXJTHdvm00gGaptWy by GrapheneOS@grapheneos.social
       2025-10-24T13:51:46Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa Purism's closed source, proprietary hardware is essentially a black box like other proprietary hardware. However, the same thing doesn't apply to all closed source firmware, which can often still be inspected/audited. The same thing applies to software. Not having access to source code doesn't mean it can't be inspected. Purism's approach makes the firmware much harder to inspect/audit and leaves known, verifiable vulnerabilities unpatched including very severe ones.
       
 (DIR) Post #AzXJlEO8c3hbNv0UwC by jeffcliff@shitposter.world
       2025-10-24T14:07:50.153677Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
       > Purism is not providing actual long term support
       This is a complete and utter lie.  There's both paid and free long term support for their devices and they have been around for years providing it now.
       > but rather ignores the unpatched vulnerabilities and leaves users insecure.
       They don't ignore them -- they work with their users to resolve them.  You are spreading FUD
       > They've chosen components which are particularly low security,
       As pointed out over and over again their components are chosen because there they *can* provide security
       > filled with known vulnerabilities and not getting patched.
       Again, the "patches" you keep demanding over and over are proprietary blob "patches", which should be viewed as exploits.  So yeah no kidding they aren't letting you exploit their users.
       > It's verifiable that there are unpatched security vulnerabilities which can be replicated.
       On their bug tracker?
       > Contrary to your claims, it can be verified that they exist and are being fixed by firmware updates.
       Ah there it is. the demand for proprietary firmware updates that you know full well are not appropriate to free software projects
       > Closed source also doesn't mean black box.
       LOLOLOLOL
       yes it does
       
 (DIR) Post #AzXMaQcv4PXK1DSg08 by jeffcliff@shitposter.world
       2025-10-24T14:39:29.934959Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
       > They're not shipping most of the security patches. They're only shipping a subset of the security patches with CVE assignments.
       This, again, sounds like you're talking about the stable OS release -- but looks like you're (probably intentionally) confusing byzantium & byzantium-updates &  byzantium-security & crimson releases.  Pretty sure byzantium-updates gets more than just "CVEs" and google suggests that there's a bunch of such non-CVE updates that have come in.  Can you be more specific about what 'shipping' means in this context?  Do you mean they aren't shipping crimson/that non-CVE security patches don't come in byzantium-updates/byzantium-security?
       > Most open source projects that are used do not actively seek out CVE assignments.
       red herring
       > CVE assignments tend to mean issues were found by external security researchers or were very blatant.
       red herring but there's your 'external security researchers' again that you like to cite
       > There are a huge number of memory corruption fixes and other fixes not getting CVE assignments, so they aren't backported as part of this model.
       This sounds like mostly FUD - those are the kinds of updates that sound more appropriate to new version of the OS (ie crimson) which are being developed and are increasingly available for deploying.
       > It doesn't work well.
       "it" works well enough.
       
 (DIR) Post #AzXN35O972a6XzDTBQ by GrapheneOS@grapheneos.social
       2025-10-24T13:36:31Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa It's you who is repeatedly making false claims and promoting scam products with false marketing. It's you who is wasting everyone's time. We'll be writing at least one in-depth article in response, which will reach at least 10000x more people than this thread even if we don't do more to spread it than a single post across our social media accounts. We're uninterested in spending unlimited time dealing with you repeatedly making the same false claims, we'll just make an article.
       
 (DIR) Post #AzXN35sHJ0gU3RJX9M by jeffcliff@shitposter.world
       2025-10-24T14:44:39.336082Z
       
       1 likes, 2 repeats
       
       @GrapheneOS @gcvsa Purism is not a 'scam product'.  It's not 'false marketing' to point out that they aren't "outdated" for not allowing their users to be exploited by proprietary binary blob updates that you want to push on them.
       > It's you who is wasting everyone's time
       Let's review the last 2 threads, shall we? in BOTH cases I recommended someone use @GrapheneOS and in BOTH cases YOU jumped on me with false claims about purism's security or lack thereof.  And in the last thread we went through, point by point, post by post about how you were mistaken, which you were.  And then you completely ignored the last thread as if it never happened, just like you did in the *last* thread the way you were utterly trounced by @mangeurdenuage @Suiseiseki and @lxo in the first one.
       > We'll be writing at least one in-depth article in response, which will reach at least 10000x more people than this thread even if we don't do more to spread it than a single post across our social media accounts.
       "we have a big audience so even though we're wrong, we'll be wrong louder"
       > We're uninterested in spending unlimited time dealing with you repeatedly making the same false claims, we'll just make an article.
       And I've told you multiple times now that you are completely ridiculous in that you are wasting the time dicking around spreading falsehoods on the fediverse when you could be *actually improving your OS*.
       
 (DIR) Post #AzXNJeRWY4VbtrhAX2 by GrapheneOS@grapheneos.social
       2025-10-24T13:53:31Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa You're misinterpreting what we said. Purism's devices have closed source, proprietary hardware with closed source, proprietary firmware. The firmware is stored on the hardware components and loaded each boot from that storage. The OS not being involved in loading it doesn't make it somehow not exist. It doesn't make it any less important. It does mean the closed source firmware on Purism's devices is harder to inspect and the approach has lower security than the OS loading it.
       
 (DIR) Post #AzXNJfBFo35YBh5goK by GrapheneOS@grapheneos.social
       2025-10-24T13:54:54Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa We're using the term end-of-life to refer to components no longer receiving firmware updates including for serious vulnerabilities either known to the company or publicly known. Purism does still have the closed source firmware on their devices. It's stored on the hardware components such as the SoC, cellular radio, Wi-Fi radio, etc. and gets loaded from there. This is a much less transparent approach than not having firmware storage in components and the OS having to load it.
       
 (DIR) Post #AzXNJfjzissTvRLQxc by jeffcliff@shitposter.world
       2025-10-24T14:47:38.634729Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
       > We're using the term end-of-life to refer to components no longer receiving firmware updates
       and you're accusing *us* of redefining terms????
       Not receiving proprietary firmware "updates"(ie proprietary blob exploits) is a good thing - it means the system has a fixed level of complexity and can be reasoned about.
       > It's stored on  the hardware components such as the SoC, cellular radio, Wi-Fi radio, etc. and gets loaded from there.
       ie they have hardware
       > This is a much less transparent approach
       No, it's not.  What's 'less transparent' is the use of proprietary blob firmware updates from "external researchers" in a neverending mess of irreducible complexity
       > than not having firmware storage in components and the OS having to load it.
       Again; this is what you want.  You want purism to load proprietary firmware blobs, which of course they take issue with.
       
 (DIR) Post #AzXNp0XQRuJvP7PKcq by Suiseiseki@freesoftwareextremist.com
       2025-10-24T14:53:19.686132Z
       
       2 likes, 0 repeats
       
       @jeffcliff @GrapheneOS @gcvsa There is nothing firm about the software - it is in fact proprietary malware.
       grapheneos takes offense when proprietary malware isn't loaded huh?
       Of course the modem is insecure - all of them are backdoored - but at least if it's usb attached, you can secure the usb stack to stop it from attacking the main processor - unlike a device where the modem has DMA and decides to turn on IOMMU during the boot process.
       
 (DIR) Post #AzXNwnkvrB7A4sRREe by GrapheneOS@grapheneos.social
       2025-10-24T13:57:52Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa What we've said about it is completely correct. Librem 5 has closed source hardware with closed source firmware. It doesn't avoid the closed source firmware, they just chose components with it stored within the components to avoid the OS loading it. For the SoC, they locked it in place to prevent users changing or updating it. It's users they prevented doing that for their own devices. Users don't get a choice or the option to set up verified boot with their own keys.
       
 (DIR) Post #AzXNwp2L5wdI39ar0S by jeffcliff@shitposter.world
       2025-10-24T14:54:43.892246Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa No, it isn't.  You have claimed multiple times that pureos isn't getting updates, which it is.  You have claimed that they use 'insecure hardware' but your definition of 'insecure hardware' is meant in 'doesn't get proprietary firmware updates'.  You have claimed that purism is a scam, when they have for years now been deploying free software and hardware, improving the state of the art of both, being willing to work with their users in the long-term to improve both.  You continue to demand that they facilitate the rolling out of proprietary apps (sandboxes) and blobs( firmware updates) from "external security" sources (that when pressed in previous threads, you admit that other people should have "just trust us" as their security guarantee).
       > Users don't get a choice or the option to set up verified boot with their own keys.
       This is a good thing.  'Verified boot' means 'DRM-locked bootloader' and is exactly the kind of antifeature that the GPL3 was intended to stifle.
       
 (DIR) Post #AzXONUcJ7iaUXO8Q40 by Suiseiseki@freesoftwareextremist.com
       2025-10-24T14:59:34.264008Z
       
       1 likes, 0 repeats
       
       @jeffcliff @GrapheneOS @gcvsa Yeah, I actually looked at the purism website and they do implement and recommend restricted boot and proprietary software updates;
       https://docs.puri.sm/Software/PureBoot/Overview/Restricted.html
       https://docs.puri.sm/Hardware/Librem_5/advanced/firmware.html
       The user is just given the choice whether they would like to update the proprietary software or use the existing version - rather than it being updated without asking.
       
 (DIR) Post #AzXOgfUGvpdvkmWI76 by GrapheneOS@grapheneos.social
       2025-10-24T13:28:07Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa The user does not have control over Purism's hardware. It's also still closed source hardware and firmware. Not providing updates for the firmware does not change that it's closed source hardware with closed source firmware. They haven't blocked updating all of the firmware, only some of it, but either way it's there and not something the user controls. The user doesn't get to choose how the hardware or firmware works, and they don't get to modify and replace the firmware.
       
 (DIR) Post #AzXOgg30qfQrUWm2GO by jeffcliff@shitposter.world
       2025-10-24T15:03:01.294327Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
       > The user does not have control over Purism's hardware.
       They certainly would not if we listened to you and allowed proprietary firmware to be installed on it.
       > It's also still closed source hardware and firmware.
       Two claims here: there's you confusing 'closed source firmware' (which it ceases to be if it's hardware), and 'closed source hardware'.  The latter are minimized by design https://forums.puri.sm/t/librem-5-is-a-highly-insecure-device/23247/2?u=librem5user1o1
       > Not providing updates for the firmware does not change that it's closed source hardware with closed source firmware.
       We've been through this before.
       > The user doesn't get to choose how the hardware or firmware works,
       That's a truism generally.  Changing hardware is very hard for end-users.  How much can the end-user change the google hardware you run on btw?
       > and they don't get to modify and replace the firmware.
       Again, not with proprietary blob firmware no.
       
 (DIR) Post #AzXPCcbBCtFC3rzHPc by jeffcliff@shitposter.world
       2025-10-24T15:08:48.703289Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa https://forums.puri.sm/t/byzantine-updates-vs-byzantine-security-updates-vs-security-policy/29863/2?u=librem5user1o1
       So there's an update on 'updates' on the forums -- which proves conclusively that the 'they only get CVE updates' is total horseshit.  Debian doesn't just get CVE updates -- they get security updates generally, and those work their way to byzantium, nevermind crimson.
       
 (DIR) Post #AzXPW83KUB7z7HSKdk by jeffcliff@shitposter.world
       2025-10-24T15:12:20.262607Z
       
       0 likes, 1 repeats
       
       @Suiseiseki @GrapheneOS @gcvsa that's a pity, but not surprised @GrapheneOS is wrong about this also.  Though that sounds like it's mostly for the laptops
       
 (DIR) Post #AzXQPGKBQtWchLd3Ro by GrapheneOS@grapheneos.social
       2025-10-24T13:29:04Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa
       > you should read every line of code in your project and verify what it does
       Even if you read every line of code in every project you used, you would still be trusting the developers. Reading every line of code does not mean you find every vulnerability. It's clearly not the case and fully contradicted by how finding vulnerabilities in open source actually happens. The Linux kernel has many severe vulnerabilities not caught for years or decades with many people reading it.
       
 (DIR) Post #AzXQPHLdcyHbs9JjM0 by jeffcliff@shitposter.world
       2025-10-24T15:22:17.044191Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
       > Even if you read every line of code in every project you used, you would still be trusting the developers. Reading every line of code does not mean you find every vulnerability
       It does if you understand it enough, but the point is that with the source code you can verify what the system itself is doing - at the end of the day you don't *need* to trust debian/pureos if you can compile and test the source code yourself.  Of course it's easier *to* trust to some extent debian/pureos...but you don't *have* to
       > It's clearly not the case and fully contradicted by how finding vulnerabilities in open source actually happens.
       Again, you with the 'open source'.  But no, how vulnerabilities 'actually happens' are by people looking for and finding them.  Which the first step of addressing them comes from is having a fixed system to work with and analyze (ie a stable system like debian stable/ byzantium pureos) and reason about.
       > The Linux kernel has many severe vulnerabilities not caught for years or decades with many people reading it.
       This is like saying "people lived for centuries without knowing that e=mc^2" yes there are things about the software we don't yet fully understand, bugs are in any nontrivial codebase.   The process for finding them involves having access to the source code, having eyes on that code, reasoning about it and working together to find them -- there is no 'alternative' to this that magically makes bugs appear faster.  And certainly not importing binary blobs from "just trust me bro" sources doesn't make this situation any better.
       
 (DIR) Post #AzXQPMHDIqiN9sHleS by GrapheneOS@grapheneos.social
       2025-10-24T13:30:46Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa
       > Well no shit. But we have processes for dealing with them.
       In this case, not backporting most of it.
       > No, it's not. Just checked and system binaries support PIE for example.
       PIE is for full ASLR. It's an early 2000s mitigation. It's the opposite of the modern mitigations being talked about. Debian taking 2 decades to start getting close to fully deploying the early 2000s mitigations while not providing modern exploit mitigations is the whole point of what we said.
       
 (DIR) Post #AzXQPT0oGEki31fGYS by GrapheneOS@grapheneos.social
       2025-10-24T13:32:06Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa
       > Again this is you confusing 'open source' with 'free software' which you continually do.
       The ideology is different, but the requirements for both are the same. Actual open source software is free software too.
       > it gives you the power as a community to resolve them
       Other people cannot resolve the hardware and firmware issues in the Librem 5 because it's closed source hardware with closed source firmware. Not updating the firmware doesn't make it not exist, sorry.
       
 (DIR) Post #AzXQoi33UfRbvBkepc by jeffcliff@shitposter.world
       2025-10-24T15:26:54.145573Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa > It's an early 2000s mitigation. You said no modern mitigations, i provided an example that they have.   Now we're splitting hairs and saying that early 2000s isn't modern??  Debian stable is to me pretty close to the definition of 'modern'.   If it's not in debian stable it's not stable and reliable enough for end-users yet.  You want *experimental* mitigation features, seemingly based on your desire to get proprietary apps (sandboxes) and blobs( firmware ) into the devices of pureos users.  And sure there's probably some futuristic technology that could be deployed yet that we don't have any reason to believe works right now at the level and scale of debian.  But that is not somehow the fault of pureos for not having.
       
 (DIR) Post #AzXRIJVBJxGeTo1Wvw by jeffcliff@shitposter.world
       2025-10-24T15:32:14.965020Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
       > The ideology is different, but the requirements for both are the same.
       No, as this thread and the previous ones demonstrate, there's a fundamental disconnect when dealing with *what hardware does and how it behaves*
       > Actual open source software is free software too.
       sometimes
       > Other people cannot resolve the hardware and firmware issues in the Librem 5
       Most people can't resolve hardware problems at all.  Hardware, once baked, has fixed properties.  There may be 'firmware issues' in librem5 but they aren't the ones you have (ie people not being able to load proprietary firmware).  If you *do* find any "firmware issues" you should report them as bugs to purism, or at least document them somewhere so someone else can *rather than wasting the time of individual pureos users when they try to promote the use of grapheneos to third parties*
       > because it's closed source hardware with closed source firmware.
       Again, you are misrepresenting hardware as firmware, and the design of pureos is specifically to limit the number of such hardware components to a minimal subset
       > Not updating the firmware doesn't make it not exist, sorry.
       And you continually insisting that hardware needs to be updated with proprietary firmware blobs isn't valid, sorry
       
 (DIR) Post #AzXRjwhpfYDnt67Jya by GrapheneOS@grapheneos.social
       2025-10-24T13:33:33Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa Not continuing to engage with people engaging in serial fabrications and manipulation is not running away. There's a limit to how much time we'll allow people like yourself to waste. As we said earlier, the fact that you're repeatedly doing this means we'll be writing a post debunking the highly insecure and non-private Librem 5 and other Purism hardware. You've pushed us to do that by continuing to come to threads about GrapheneOS to try to mislead people. That's on you.
       
 (DIR) Post #AzXRjx98243XFkt7WS by jeffcliff@shitposter.world
       2025-10-24T15:37:13.702541Z
       
       1 likes, 2 repeats
       
       @GrapheneOS @gcvsa
       > Not continuing to engage with people engaging in serial fabrications and manipulation is not running away.
       When your bullshit is thoroughly called and your response was to block and run away from people who were pointing out how you were mistaken, yeah, it is.
       > There's a limit to how much time we'll allow people like yourself to waste.
       Again let's review this thread
       I responded to someone who was expressing a desire to switch to GrapheneOS with an encouragement to do so.  You then wasted my time for 50+ posts talking shit about purism. As a free software project, instead of working on your open issues...choosing instead to crapflood the feed of an individual user of a competing project.  Not dealing with the competing project itself, or having dialogue with anyone involved with its development beyond being an end user...just an end user.
       > As we said earlier, the fact that you're repeatedly doing this means we'll be writing a post debunking the highly insecure and non-private Librem 5
       I look forward to purism's response to this once written, but generally: shit or get off the pot.
       > You've pushed us to do that by continuing to come to threads about GrapheneOS to try to mislead people.
       Again: I was in a thread about grapheneos to *encourage people to use grapheneos*.  That's what I was doing.  Obviously a mistake, if this is how you treat prospective users.
       
 (DIR) Post #AzXRk2gdQupSR7bRwW by GrapheneOS@grapheneos.social
       2025-10-24T13:34:58Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa Purism sells proprietary hardware with proprietary firmware, which they falsely claim is open and free. They're scamming people.
       Contrary to your claims, Purism does not provide proper OS updates but rather uses a model of freezing software for years with only a small subset of security patches backported. Only patching a subset of issues with CVEs assigned while letting software get years out of date is not a good approach, regardless of whether it's IBM or Purism doing it.
       
 (DIR) Post #AzXSDJYZn1p99in8ro by jeffcliff@shitposter.world
       2025-10-24T15:42:33.041574Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa They are not scamming people.  They have built a product that minimizes the number of proprietary hardware components, and takes steps in the hardware to contain any problems from them.  It's an open issue in the hardware world right now to do better and they are open about their progress
       > Purism does not provide proper OS updates but rather uses a model of freezing software for years with only a small subset of security patches backported
       The heavy lifting here is done by 'proper'.  The model of freezing software is how free software projects have worked for decades, and will continue to long into the future as it allows for software to be built upon in a predictable and understandable way.    They *do* provide OS updates - crimson development might be slow for your liking but it *is* happening.  And sure, a subset of security patches are backported -- the ones that affect their users that they know about.  If you are aware of any that they are missing that they should have you should note them instead of vagueposting about it so that the system can be improved.
       
 (DIR) Post #AzXUP0cMEKhpniGSHI by GrapheneOS@grapheneos.social
       2025-10-24T13:37:39Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa
       > This is 100% bullshit. Debian is the gold standard of modern software, period.
       It's the direct opposite of that and objectively doesn't ship modern exploit mitigations. They haven't even started deploying type-based CFI or other basic protections. They're 20 years behind on it. You brought up them finally deploying full ASLR in an era where ASLR is an incredibly weak mitigation that's used because it's near free and trivial to deploy.
       
 (DIR) Post #AzXUP28Ib3qmV4DThg by jeffcliff@shitposter.world
       2025-10-24T16:07:03.388320Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
       > It's the direct opposite of that
       So far we have disagreed on a couple of fundamental things, and this is one of them.  Debian is not the 'direct opposite' of modern software -- it is an intelligible  baseline from which the modern era can be demarcated.  Unless something better comes along and replaces the multi-decade pattern of success at doing so debian has exhibited, and this could happen someday.  But as of yet it has not that I've seen.
       > and objectively doesn't ship modern exploit mitigations.
       I already pointed out a counterexample, and you claimed it wasn't modern enough, but I pointed out in response to that that there's 2 reasons for believing otherwise: the 'not stable enough to be in debian' mitigations are still de facto experimental  (see above) and 'you just want them to install proprietary software anyway' (which you don't seem to dispute)
       > They haven't even started deploying type-based CFI
       Now we're getting somewhere at least.  let's see what grapheneOS says about it on their webpage (can't see *anyone* discussing this in the debian context:)
       > Type-based CFI uncovers type mismatches which block deploying it but rarely have any direct security impact. These are major ongoing areas of work as software changes,
       in other words
       * it's experimental / not ready for debian yet (ongoing area of work)
       * "rarely" has any direct security impact according to your own website.
       Now I'm willing to believe otherwise, but it sounds like a "feature" that is unique to the android stack that does make sense that it could help with non-android/LLVM/clang stacks.  Looking through gcc's mailing list it looks like there's some support for it in gcc and looking through debian's security documentation it looks like they recommend enabling it on hardened debian systems.  Maybe that's not good enough for you, and that's fine -- if there's some reason why that's not good enough you should publish this somewhere.
       But if your issue with pureos is "some experimental, rarely security-related change that is recommended by debian but isn't on by default for everyone should be more universally used" that's perhaps a  valid issue--- but not one you should be wasting the time of individual downstream pureos users who were trying to recommend people use grapheneOS on a fediverse thread.  To suggest otherwise is absurd.
       > full ASLR
       This one is a little more complex.  It's clear there's some ASLR in debian going on, though.   Again though, if "there's some debian(and pureos) package without enough ASLR hardening for my liking" ...then where is that?   It sounds like yet another case where something that makes sense in the android context is not available in debian somewhere.  If you can be more specific about where debian is lacking ASLR that would be useful perhaps to remedy.
       
 (DIR) Post #AzXUP6ql3hn38732Ya by GrapheneOS@grapheneos.social
       2025-10-24T13:38:35Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa
       > Again, what you seem to be including as your 'modern security mitigations' is 'stuff designed so proprietary software is easier to run'
       Allocator hardening, type-based control flow integrity, hardware memory tagging and many other modern exploit protections have nothing to do with making proprietary software easier to run. App sandboxing and a proper modern permission model with case-by-case control don't have to do with it either. You're just making absurd claims now.
       
 (DIR) Post #AzXUcTzGLYAceYP2PI by jeffcliff@shitposter.world
       2025-10-24T16:09:30.550158Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa This is of course the first you've brought up "Allocator hardening" and "hardware memory tagging", so excuse me for not knowing you were referring to them.
       > App sandboxing and a proper modern permission model with case-by-case control don't have to do with it either.
       yeah it kind of does.
       'Case by case' micromanagement control sounds to me like you're talking about letting people have proprietary apps, with access permissions like android does which is mostly about letting proprietary software have access to things
       
 (DIR) Post #AzXVD5UwMKi3PrfsIa by jeffcliff@shitposter.world
       2025-10-24T16:16:07.575040Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa ""Hardware memory tagging support" is a very powerful security feature that was introduced with the Pixel 8" oohhh that's why you're bragging about it.  Because it's a google chinesium thing mostly.  https://www.anarsec.guide/posts/grapheneos/
       
 (DIR) Post #AzXWAsviDTl7oNi6Bk by GrapheneOS@grapheneos.social
       2025-10-24T13:40:13Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa It's completely true and you haven't proven anything wrong either here or elsewhere. You repeat the same false claims over and over again to market highly insecure and non-private proprietary hardware/firmware products from Purism.
       
 (DIR) Post #AzXWAu2q4T3PGm3Iw4 by jeffcliff@shitposter.world
       2025-10-24T16:26:55.198784Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa And now it's non-private? You keep adding things. What part of it is non-private? It's specifically designed for privacy and with privacy in mind. They go to great lengths to describe their design decisions and 'privacy' is constantly their justification for why they are doing the things they are doing, along with 'the best effort to remove proprietary components'
Here's what they actually say in their marketing
> We are “as close to free software foundations respects your freedom as possible with current Intel CPUs” but are investing heavily to advance that toward complete binary freedom.
https://docs.puri.sm/Hardware.html
...
> (with a heavy emphasis and best effort towards maximum software freedom
https://puri.sm/learn/freedom-roadmap/
> proprietary hardware/firmware products from Purism.
And your solution over and over again is to 'use proprietary firmware' rather than the hardware as is (ie with proprietary bits of the hardware locked down and minimized as much as possible)
       
 (DIR) Post #AzXWTStlE0hEZveo5I by GrapheneOS@grapheneos.social
       2025-10-24T13:41:27Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa
> they have the ability to run software and 'apps in general' means 'proprietary software apps'
You can run proprietary software on that insecure OS without modern privacy and security protections too. Providing modern privacy and security protections is not enabling running proprietary software more than not doing it.
> that's a good thing - drm locked bootloaders are not a good thing
They have a proprietary, locked firmware early boot chain. Not updating != not existing.
       
 (DIR) Post #AzXWTTX6riAiXy4EPw by jeffcliff@shitposter.world
       2025-10-24T16:30:16.675886Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
>You can run proprietary software on that insecure OS without modern privacy and security protections too.
I'm sure you can, but don't expect me to help you with that
> Providing modern privacy and security protections is not enabling running proprietary software more than not doing it.
Of course not. Of course purism has 'modern privacy and security protections' which we've discussed elsewhere in this thread, but is missing a couple of things that you find desirable (memory tagging, type CFI enforcement, full aslr) but which might have performance consequences.
> They have a proprietary, locked firmware early boot chain. Not updating != not existing.
'locked firmware' ie they have hardware yes, kind of hard to have a device without hardware. 'proprietary' as mentioned elsewhere in the thread -- there is a minimal set of proprietary hardware bits, that they have been working on removing and have taken great care to minimize https://puri.sm/learn/freedom-roadmap/
       
 (DIR) Post #AzXWTYhvcunSayARTU by GrapheneOS@grapheneos.social
       2025-10-24T13:42:40Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa
> oh now they are misguided too? Talk about FUD
It's the truth, not FUD. Backporting a subset of patches with CVEs assigned for the vulnerabilities is only a small portion of overall privacy and security patches. Freezing the software versions for years is highly problematic. It's better when projects provide LTS releases with a much higher portion of backports but Debian usually ignores LTS versions other than specific cases where they can't keep up with CVEs otherwise.
       
 (DIR) Post #AzXWTezsF6iU6MbrHM by GrapheneOS@grapheneos.social
       2025-10-24T13:43:49Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa
> Not really - you can build the images yourself, you can audit the code yourself - the hardware is of course still trusted but since it's auditable...
Having the code and being able to audit it at a source code level does NOT mean you aren't trusting the developers and people making downstream changes to it. Reading all of the code does not mean you find all the vulnerabilities. In practice, only a small subset will be found. See how it actually works for the Linux kernel.
       
 (DIR) Post #AzXWrQmMkvjixJcsro by jeffcliff@shitposter.world
       2025-10-24T16:34:37.415826Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa I meant that saying they were 'misguided' is FUD
> Backporting a subset of patches with CVEs assigned for the vulnerabilities is only a small portion of overall privacy and security patches.
Yes, and that's a red herring since they do more than that.
> Freezing the software versions for years is highly problematic.
No, it's not problematic at all -- what would be problematic is *not* having some stable subset of a known good OS to reason about and build on top of.
> It's better when projects provide LTS releases with a much higher portion of backports but Debian usually ignores LTS versions other than specific cases where they can't keep up with CVEs otherwise.
Debian is the epitome of LTSs. Debian imports software if it is useful and free. If your problem is 'debian uses versions of software that don't match with what I feel like each individual package maintainer chooses' then you are taking issue with the choices made by thousands of volunteers requiring information you cannot possibly have. And that is your prerogative, of course -- but don't expect anyone to take your doing so seriously as any kind of criticism and *certainly* don't expect anyone to interpret your attempting to use it as criticism as *anything* remotely approaching a reasonable thing to bring up to a user of a competitor's product who just happened to make the mistake of recommending someone else use grapheneos. That is ridiculous.
       
 (DIR) Post #AzXXE3VBSwd9QJNTN2 by jeffcliff@shitposter.world
       2025-10-24T16:38:42.689017Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
>Having the code and being able to audit it at a source code level does NOT mean you aren't trusting the developers and people making downstream changes to it.
It does if you compile it yourself, and run it on your own device. If you have the software, and compile yourself you are fundamentally responsible for what happens on your device. You are 'trusting' people only insofar as you aren't bothering to check the functionality of said source code.
> Reading all of the code does not mean you find all the vulnerabilities.
And no one is claiming otherwise -- there are going to be bugs in any non-trivial software project. Hell *beep* had a CVE bug in it and was only like maybe, what 20 lines of code? But this, like as in any other science, is as good as we can do -- working together with other developers, publishing our results. Generally you seem to be expecting some kind of miracle process that finds bugs faster than science[1] can. ie *the best you can do* is have access to the source code, read it, attempt to understand it, and work with the developers of the rest of the world who are doing the same. There is no 'do better than that'
[1] https://www.lesswrong.com/posts/vNBxmcHpnozjrJnJP/no-one-knows-what-science-doesn-t-know
       
 (DIR) Post #AzXY07eRLGhMBycwWe by GrapheneOS@grapheneos.social
       2025-10-24T13:44:57Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa Freezing software versions for years while backporting a small subset of privacy/security patches is not somehow the one true model for proper free software developers. It's an outrageously baseless and ridiculous claim. Free software is not at odds with providing recent stable releases of software or recent LTS releases.
> Debian has decades of experience showing you are wrong
Quite the opposite, they've proven their approach is highly insecure and that it doesn't work well.
       
 (DIR) Post #AzXY08VGAswupnL7r6 by jeffcliff@shitposter.world
       2025-10-24T16:47:23.061636Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
>Freezing software versions for years while backporting a small subset of privacy/security patches is not somehow the one true model for proper free software developers.
No, but it represents a gold standard of what should be considered modern functionality.
> Free software is not at odds with providing recent stable
'recent' and 'stable', however *are* at odds with each other. Generally: you can have 'more recent' or you can have 'more stable' -- there is a tradeoff there. Debian trades off for stability.
> Quite the opposite, they've proven their approach is highly insecure and that it doesn't work well.
Obviously we disagree not just on whether or not debian *should* work but whether it *does*. I think you will find that this is a much harder ground for me to be standing on, too -- millions of debian users will disagree that debian is "highly insecure" but it's good to know that when you call pureos "highly insecure" your level of what "highly insecure" encompasses not just pureos, but the entirety of debian and presumably all of its descendant OSs such as ubuntu. What a world we are living in, when the probably billion+ devices are all "highly insecure" according to you, who, I'm sure are not insecure at all given you're running on blessed chinesium google hardware.
       
 (DIR) Post #AzXY0DNe2cpRxcocBE by GrapheneOS@grapheneos.social
       2025-10-24T13:46:00Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa
> red herring -- security updates are still deployed without them (i've deployed more than a few to debian stable personally)
Debian's approach is tracking and backporting patches for vulnerabilities with CVEs assigned. Their policy is obtaining a CVE if they want to backport other security patches, which is very rare and an extremely tiny subset of the actual security fixes being done upstream. In most cases they don't even ship LTS releases such as for nginx.
       
 (DIR) Post #AzXY0JoS7rpzuVP6nY by GrapheneOS@grapheneos.social
       2025-10-24T13:47:19Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa
> This is mostly FUD. Security vulnerabilities get rolled out. LTS means that the project can be more predictable, and can be built upon by third parties
Debian mostly doesn't use the LTS releases of upstream projects. Instead, they backport a much smaller subset of security fixes. It's a far smaller subset of the security patches than what gets backported by upstream projects providing LTS releases. CVE assignments are not actually done for all security vulnerabilities.
       
 (DIR) Post #AzXY9yPgXkwQR9QHr6 by GrapheneOS@grapheneos.social
       2025-10-24T15:11:09Z
       
       0 likes, 1 repeats
       
       @jeffcliff @gcvsa Debian backports a subset of security patches which get a CVE assigned and barely anything else. There are no substantial backports of security patches beyond that. Most security patches to most projects do not get a CVE assigned and do not get backported. You haven't disproven any of this, you're just linking to irrelevant information while misrepresenting what we've said. What we've said about their approach is fully accurate. The approach is to give the semblance of security.
       
 (DIR) Post #AzXYA5RMPvROENGDwG by GrapheneOS@grapheneos.social
       2025-10-24T15:11:56Z
       
       1 likes, 1 repeats
       
       @jeffcliff @gcvsa You can read our detailed article about the Librem 5 and Purism's products more broadly once we post it, since you've successfully convinced us to make it and keep it updated.
       
 (DIR) Post #AzXYTYkZfSzKdUX6xc by jeffcliff@shitposter.world
       2025-10-24T16:52:43.066748Z
       
       1 likes, 1 repeats
       
       @GrapheneOS @gcvsa
>Debian's approach is tracking and backporting patches for vulnerabilities with CVEs assigned.
but not just CVEs
> Their policy is obtaining a CVE if they want to backport other security patches, which is very rare and an extremely tiny subset of the actual security fixes being done upstream.
ie if there's something without a CVE they obtain one so the CVE thing is a red herring as I've been saying
>tiny subset of the actual security fixes being done upstream.
...to their stable distribution, while pulling in changes so other people can work on testing them. ie they have a process to ensure that "fixes" don't break more than they fix.
> In most cases they don't even ship LTS releases such as for nginx.
So now because you personally disapprove of the version available for a *webserver* and think that there's too much vetting on debian's side for including particular versions of it in debian, somehow my *handheld purism device* is insecure or not private or something??????????
       
 (DIR) Post #AzXa11TC0f3DDcvJ8C by vikingkong@misskey.vikingkong.xyz
       2025-10-24T17:09:43.327Z
       
       0 likes, 0 repeats
       
       @jeffcliff@shitposter.world @GrapheneOS@grapheneos.social
> And the prices aren't that outrageous if your carrier isn't subsidizing it - it's comparable with other devices on the market.
Come on, man, $800 for this? The reasonable price here is $200 at most.
       
 (DIR) Post #AzXdozGGnJbUi9OZ8q by jeffcliff@shitposter.world
       2025-10-24T17:52:37.136018Z
       
       0 likes, 1 repeats
       
       @vikingkong @GrapheneOS then why don't you start building it (both in and outside of the US) and competing with them if you think it's so cheap to do so??
turns out the 'reasonable' price includes a bunch of things that you're probably not thinking are important (ie work on coreboot/libreboot)
       
 (DIR) Post #AzXeYd3LhGnx9b7Cu8 by jeffcliff@shitposter.world
       2025-10-24T18:00:51.812564Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
>Purism's closed source, proprietary hardware is essentially a black box like other proprietary hardware.
But it's also kept isolated to some extent, minimizing its possible impact on the rest of the system.
> However, the same thing doesn't apply to all closed source firmware,
Yes it does
> which can often still be inspected/audited.
This is where we're disagreeing here -- you think that it's at all reasonable to have to inspect binary "just trust us" blobs from experts. I don't think this is at all legitimate in practice.
> Not having access to source code doesn't mean it can't be inspected.
You can try to inspect binaries, sure...but the complexity of doing so is prohibitively high - this is where the difference between open source and software freedom comes in. You don't functionally have software freedom if you don't have the source code. Every additional proprietary bit doubles the state space of complexity of the system in question -- so firmware updates makes a system EXPSPACE worse to analyze.
> Purism's approach makes the firmware much harder to inspect/audit and leaves known, verifiable vulnerabilities unpatched including very severe ones.
Again when you say 'unpatched' you mean 'by unverifiable binary blob exploits from our "experts"'. ie they aren't 'unpatched' they simply are.
       
 (DIR) Post #AzXexIFy9eP9tVmNM0 by jeffcliff@shitposter.world
       2025-10-24T18:05:19.332495Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa this has been addressed elsewhere in the thread ( see summary https://shitposter.world/notice/AzXYTSTMCgorgcFVRI )
       
 (DIR) Post #AzXfM5jtpYbYJQbTtY by jeffcliff@shitposter.world
       2025-10-24T18:09:48.344141Z
       
       1 likes, 1 repeats
       
       @GrapheneOS @gcvsa
>You're misinterpreting what we said. Purism's devices have closed source, proprietary hardware with closed source, proprietary firmware.
No, I'm not.
>with closed source, proprietary firmware.
What you are calling 'proprietary firmware' is part of the hardware, and as mentioned multiple times in this thread, purism makes a point to both minimizing the amount of proprietary hardware used and as much as possible isolates it from the rest of the system.
> The OS not being involved in loading it doesn't make it somehow not exist
it makes it part of the hardware subsystem
> It doesn't make it any less important. It does mean the closed source firmware on Purism's devices is harder to inspect
again what you're calling 'firmware' is 'how the hardware works' and it's no 'harder to inspect' than any other hardware functionality
> the approach has lower security than the OS loading it.
Says the guy that thinks that all of debian is "highly insecure", of course. No, it's not 'lower security' again see https://blog.lx.oliva.nom.br/draft/blob-fallacy -- reducing the binary to *only* hardware minimizes complexity allowing *for* security to be meaningfully defined around it.
       
 (DIR) Post #AzXfYEm444kvoCPLJQ by vikingkong@misskey.vikingkong.xyz
       2025-10-24T18:10:43.739Z
       
       0 likes, 0 repeats
       
       @jeffcliff@shitposter.world @GrapheneOS@grapheneos.social
> then why don't you start building it (both in and outside of the US) and competing with them if you think it's so cheap to do so??
Why should I? I'm not a phone manufacturer 😉
> turns out the 'reasonable' price includes a bunch of things that you're probably not thinking are important (ie work on coreboot/libreboot)
I don't think it's not important. But buying low end hardware for the price of high end phones is just ridiculous.
       
 (DIR) Post #AzXftxUwyeQibBlC9A by GrapheneOS@grapheneos.social
       2025-10-24T13:56:07Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa No, it doesn't. It's closed source hardware that's still a black box with closed source firmware stored on the hardware. Components having their own flash memory to store their firmware is much less transparent than the OS having to load it each boot. Users are much less aware of the firmware, but it's still there, and it's not any less privileged. A cellular radio could update itself remotely... but it's a whole lot more reasonable if the OS is responsible for updating it.
       
 (DIR) Post #AzXftyeYgPi4BHGNlI by jeffcliff@shitposter.world
       2025-10-24T18:15:54.718703Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
>No, it doesn't.
Yes it does. It means there's a finite, limited bound of complexity involved in the hardware, that can be analyzed and understood as any other hardware device is.
> It's closed source hardware
A minimal amount, with a minimal state space that purism takes best effort to minimize
>with closed source firmware
ie reminder that what you call 'closed source firmware' is actually part of the hardware in the design of the purism device.
> Components having their own flash memory to store their firmware is much less transparent than the OS having to load it each boot.
So is your issue that you don't have access to internal hardware state?
> Users are much less aware of the firmware, but it's still there, and it's not any less privileged.
red herring -- there is no 'binary blob firmware' users need to be aware of beyond the hardware
> A cellular radio could update itself remotely... but it's a whole lot more reasonable if the OS is responsible for updating it.
What are we talking about updating here? Are you suggesting that purism hardware self-modifies using foreign firmware via some cellular sidechannel?
       
 (DIR) Post #AzXgQeffzqPxlRMsme by GrapheneOS@grapheneos.social
       2025-10-24T14:00:25Z
       
       0 likes, 0 repeats
       
       @jeffcliff You came to a thread mentioning GrapheneOS making inaccurate claims about it to promote insecure products. That's why we're responding here and it's why we're going to make a detailed article about it on our website or forum. We're not limited to replying in a place hardly anyone is going to read it. You chose to go out of the way to try to discourage someone using GrapheneOS and that's the only reason we're posting about this, which we're doing by posting accurate information.
       
 (DIR) Post #AzXgQg36sCky2PL6wq by jeffcliff@shitposter.world
       2025-10-24T18:21:47.688988Z
       
       0 likes, 1 repeats
       
       @GrapheneOS
> You came to a thread mentioning GrapheneOS making inaccurate claims about it to promote insecure products.
I claim that *google* will eventually lock you out just like it's locking out fdroid now. Which it almost certainly will. It is a claim about the future and about the behaviour about NSA/alphabet google, and I stand by that claim. Maybe I'll be wrong about it - I certainly hope so. But obviously your calling purism "insecure" must be taken with a LARGE grain of salt since you also call debian based OS's "highly insecure"
> We're not limited to replying in a place hardly anyone is going to read it. You chose to go out of the way to try to discourage someone using GrapheneOS
no i went out of my way to ENCOURAGE someone to use grapheneOS
just like I did in the last thread when I tried to encourage @risperdoll to use it (and you were just as hostile to me for doing so, then, before you tucked your tail between your legs on that thread).
       
 (DIR) Post #AzXgw3KONDGXDFNsQ4 by GrapheneOS@grapheneos.social
       2025-10-24T14:02:06Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa Losing interest in talking to people repeatedly making the same false claims is not "losing". We're not making false accusations.
There's nothing false about the fact that Purism is selling closed source, proprietary hardware with closed source, proprietary firmware but is calling it open and free because the OS they ship on top of the closed source product is open and free. Not updating the proprietary firmware doesn't make it not exist or any less relevant.
       
 (DIR) Post #AzXgw4ArE9EVpxvmCG by jeffcliff@shitposter.world
       2025-10-24T18:27:29.716909Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
>Losing interest in talking to people repeatedly making the same false claims is not "losing". We're not making false accusations.
Accusing debian of being "highly insecure" is a false accusation. Refer to the summary for a list of accusations that are likely false https://shitposter.world/notice/AzXYTSTMCgorgcFVRI
> There's nothing false about the fact that Purism is selling closed source, proprietary hardware with closed source, proprietary firmware
Again, what you are calling 'proprietary firmware' is hardware.
> but is calling it open and free because the OS they ship on top of the closed source product is open and free.
The OS is free, the hardware is, and I'll quote for you once more, "as close to free software foundations respects your freedom as possible with current Intel CPUs but are investing heavily to advance that toward complete binary freedom." ie still a work in progress.
> Not updating the proprietary firmware doesn't make it not exist or any less relevant.
It makes the hardware have a fixed, linear bound level of complexity
       
 (DIR) Post #AzXhMw9NATxAlo37BI by GrapheneOS@grapheneos.social
       2025-10-24T14:03:59Z
       
       0 likes, 0 repeats
       
       @jeffcliff
> They are 'safe' against their threat model as it comes
It's proprietary hardware and proprietary firmware with atrocious privacy and security. Redefining words and making convoluted rules for what's okay and what isn't based on ideology does not have to do with a threat model.
> They ship hardware and software - they aren't a scam.
It's a scam because they sell it by making many objectively false claims about what it provides.
> proven wrong
No such thing has happened.
       
 (DIR) Post #AzXhMxCFHHqU10OvIW by jeffcliff@shitposter.world
       2025-10-24T18:32:21.145006Z
       
       0 likes, 1 repeats
       
       @GrapheneOS
> It's proprietary hardware and proprietary firmware with atrocious privacy and security.
Again, this is coming from someone who calls debian "highly insecure"[1], but I see you're adding "atrocious" as an accusation. You're not adding anything by saying this new word beyond what was covered in [1]
> Redefining words and making convoluted rules for what's okay and what isn't based on ideology does not have to do with a threat model.
Whether or not hardware has a fixed level of complexity isn't "ideology". The facts of what purism is and is trying to do isn't "ideology". I guess you could mean here that not wanting to install binary blob firmware updates is "ideology", rather than a means of reducing complexity of the system to the point where it can be understood and where it can give the user freedom and agency over said system.
> It's a scam because they sell it by making many objectively false claims about what it provides.
So in addition to "atrocious privacy and security" there's now "false claims about what it provides" with ...no details.
> No such thing has happened.
You clearly don't remember the previous 2 threads very well.
[1] summary https://shitposter.world/notice/AzXYTSTMCgorgcFVRI
       
 (DIR) Post #AzXhN2PXtGSIBhf7Ds by GrapheneOS@grapheneos.social
       2025-10-24T14:05:26Z
       
       0 likes, 0 repeats
       
       @jeffcliff The prices have nothing to do with carriers subsidizing it. Purism is selling hardware which would be in the $100 and below range for unlocked, non-carrier device for the price of a high end flagship phone. They're selling it for that high price based on falsely claiming that their closed source, proprietary hardware and closed source, proprietary firmware are open/free which they're not. They're misleading people by claiming a closed source hardware product is open. It's wrong.
       
 (DIR) Post #AzXi7ikApYWInjZSAC by jeffcliff@shitposter.world
       2025-10-24T18:40:49.212400Z
       
       0 likes, 1 repeats
       
       @GrapheneOS
>The prices have nothing to do with carriers subsidizing it.
For most people owning a "phone" the carrier subsidized price is their experience of what the hardware costs. ie near gratis and sometimes even gratis for a 1200$ iphone/android device. Most people don't realize that hardware devices *do* have a cost but that when they "buy a phone" from their carrier, they are de facto subsidizing the cost of that phone through their carrier subscription. Along with probably other side deals (similar to how nvidia is bribing their customers to buy their GPUs - i would not put it past apple to provide similar liquidity for large scale purchases of iphones from them by large-scale carriers like verizon / AT&T). But purism benefits from virtually none of that -- when you buy a purism device, you are paying the whole cost of producing that device, with a profit for purism itself to survive on. There is an option now to pay for a subscription service to make the ecosystem better -- but there doesn't seem to be any reciprocal benefits beyond this expected by those who subscribe. That's not really a 'scam' -- since to this past week or so OS and hardware development updates continue to roll in (despite your repeated claims to the contrary)
> Purism is selling hardware which would be in the $100 and below range for unlocked, non-carrier device for the price of a high end flagship phone.
Making a global distribution system work for the kind of free software / best-effort hardware turns out to be more expensive than mere components alone. Are the components, individually, summed together probably just on that order? Probably. Software development, infrastructure, administration, and legal probably eat into their profits substantially even at their pricepoint.
This 'it should be 100$' is pretty much what you would see if you didn't see the push for expanding the scope of freedom that they are engaged in -- that's expensive, hard work and it's costing them to do so. Even the new FSF LibrePhone project ( https://librephone.fsf.org/FAQ.html ) is not tackling the problems purism is making good progress on -- ie the hardware level.
> They're selling it for that high price based on falsely claiming that their closed source, proprietary hardware
No, they aren't. They are open and honest about the limited amount of proprietary hardware they are deploying, in their goal of working towards a fully free system. https://puri.sm/learn/freedom-roadmap/
> and closed source, proprietary firmware
Again, what you are referring to 'proprietary firmware' is hardware.
> They're misleading people by claiming a closed source hardware product is open. It's wrong.
See above.
       
 (DIR) Post #AzXj7DAYK8e0pRELWC by GrapheneOS@grapheneos.social
       2025-10-24T14:07:37Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa Librem 5 hardware is extraordinarily insecure. Each of the major components including the CPU, Wi-Fi radio, Bluetooth radio and cellular radio is very outdated and lacks basic security features. Features like pointer authentication have nothing to do with supporting proprietary software. Having components like radios using isolated processes and basic exploit mitigations including early 2000s ones internally is not that either. What they do instead doesn't make up for it.
       
 (DIR) Post #AzXj7DXawT4lyu0kQy by jeffcliff@shitposter.world
       2025-10-24T18:51:55.173981Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
> Librem 5 hardware is extraordinarily insecure.
Oh a new term "extraordinarily insecure". Like "atrocious security" it's yet another epithet that ...almost certainly means that purism doesn't allow the binary firmware "just trust us" blobs to be used.
> Each of the major components including the CPU, Wi-Fi radio, Bluetooth radio and cellular radio is very outdated and lacks basic security features.
Not really. they have a CPU that works with their platform, and wifi is standard and can be used with most wifi networks in the world (ie it's standard, not outdated), as far as i'm aware bluetooth works with most other bluetooth devices (ie it's standard, not outdated). Are there faster, better CPUs out there?? maybe. Is this one particularly suited to their use-case, in that they are able to turn off EME/etc and have it be a CPU that is the best option for actually running a free system?? Maybe. Maybe there's better cpus out there -- but that doesn't make current running ones 'outdated' per se for this use case.
> lacks basic security features.
This is of course, a complete lie. There's a hardware switch for all of the above sans cpu and for the subsystems with proprietary hardware (eg probably bluetooth) there's security features to address that.
> Features like pointer authentication have nothing to do with supporting proprietary software.
Of course, this is the first you've brought up 'pointer authentication' and 'radios using isolated processes' so far. The former is relatively newly available (2023) in debian https://wiki.debian.org/ToolChain/PACBTI -- again this isn't 'modern' this is 'bleeding edge' stuff, and over time as it matures as a technology purism will doubtless benefit from debian's making it default.
The latter is specific to radio hardware devices and is probably a limitation of the hardware in question and there may very well be performance reasons for not doing so at this time otherwise.
> What they do instead doesn't make up for it.
Says you.
       
 (DIR) Post #AzXj7JJHUbBvsFMOxM by GrapheneOS@grapheneos.social
       2025-10-24T14:08:33Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa Kill switches are a last resort after a device gets compromised by an attacker which do not stop them getting all the user's data including login sessions, passwords, photos, videos, documents, etc. The switches only stop them using specific hardware when the user has it off. Any time a user makes a call, records a video, etc. they still get that. Purism also improperly implements the microphone switch which does NOT stop audio recording despite the implication it does.
       
 (DIR) Post #AzXj7PtJ1ZZaHiGFwO by GrapheneOS@grapheneos.social
       2025-10-24T14:09:39Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa
       > And now we have to trust not just the manufacturer of the firmware but some rando 'researchers' with no vetting?
       This is what you're relying on for FOSS too, because it does not inherently get thoroughly reviewed through being open source, and reading/reviewing all of the code does NOT mean you're going to find all the vulnerabilities. That's clearly and provably not the case, and a subtle hidden vulnerability would be harder to find than the regular accidental ones.
       
 (DIR) Post #AzXjQZNpxKI1E8ftpI by jeffcliff@shitposter.world
       2025-10-24T18:55:25.988974Z
       
       0 likes, 1 repeats
       
       @vikingkong @GrapheneOS
       > Why should I? I'm not a phone manufacturer 😉
       because funnily enough, no other manufacturer is doing the same as they are doing that cheap. they could of course use competition but if you're not willing to step up to the plate i guess we'll have to wait for someone else who thinks they can do it cheaper . . .
       > But buying low end hardware for the price of high end phones is just ridiculous.
       Either you understand why it's important and why it's worth that cost or you don't. Sure seems like you don't. An iphone is about 1000$USD right now at verizon or free if you sign up to a plan. This gives a good idea of what the pricepoint is for a handheld free-as-possible equivalent -- about 1000$usd. But of course apple also profits by its app store, which purism does not so we should expect whatever they provide, it's going to be higher than 1000$usd.
       
 (DIR) Post #AzXjoXbMEU3meOQgD2 by jeffcliff@shitposter.world
       2025-10-24T18:59:45.809759Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
       > Kill switches are a last resort after a device gets compromised by an attacker
       Honestly not how I use them. I keep most of them off unless I'm specifically using some device (eg wifi).
       > The switches only stop them using specific hardware when the user has it off.
       sure. and if your problem is the specific hardware, then that's at least giving the user direct control over it
       > Any time a user makes a call, records a video, etc. they still get that.
       sure
       > Purism also improperly implements the microphone switch which does NOT stop audio recording despite the implication it does.
       I'm guessing you mean https://forums.puri.sm/t/trying-to-understand-what-the-kill-switches-really-accomplish/16268/3 ? ie 'audio recording' via gyroscope or something?? ie 'they kill the microphone but you can record audio by other means than the microphone' is i guess in principle an issue but a minor one.
       
 (DIR) Post #AzXkVoSFRtxtN5nn0K by jeffcliff@shitposter.world
       2025-10-24T19:07:35.188385Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa ?
       > This is what you're relying on for FOSS too,
       No, I'm not because, again, I can read the source code for myself and verify what it's doing [and often do.]
       > because it does not inherently get thoroughly reviewed through being open source,
       No, but it means *I* have the ability (and responsibility) to do so myself
       > and reading/reviewing all of the code does NOT mean you're going to find all the vulnerabilities.
       Again -- this is you suggesting that there is some way of knowing these vulnerabilities beyond what science knows[1] -- ie people using the code, reading the code, analyzing it to the best of their ability, sharing their results -- all of which requires software freedom to do. Which, I will remind you, instead of spending your time making your own OS more secure and finding bugs in it you are wasting your time, and mine on this thread. All because I tried to encourage someone to use grapheneOS
       > subtle hidden vulnerability would be harder to find than the regular accidental ones.
       no shit.
       [1] https://www.lesswrong.com/posts/vNBxmcHpnozjrJnJP/no-one-knows-what-science-doesn-t-know
       
 (DIR) Post #AzXkmL6joUnPHCcaHY by GrapheneOS@grapheneos.social
       2025-10-24T14:11:22Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa
       > This is a complete and utter lie.
       No, you're doing that. Purism isn't providing updates for all the components, meaning they aren't providing proper support from day 1. Using already end-of-life components not having vulnerabilities patched isn't made any better by not shipping the updates.
       > they work with their users to resolve them
       No, they leave many vulnerabilities unpatched both in firmware (no updates) and software (multiple years of frozen versions).
       
 (DIR) Post #AzXkmMSOnRiVSflOgS by jeffcliff@shitposter.world
       2025-10-24T19:10:33.373475Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
       > No, you're doing that. Purism isn't providing updates for all the components, meaning they aren't providing proper support from day 1.
       They are providing *software* updates ie for things that they can update, ie the *software*. You want them to update the hardware with firmware, which is obviously not going to happen.
       > Using already end-of-life components
       Again, they aren't end-of-life components if they are using them.
       > not having vulnerabilities patched
       Of course what you mean here is 'patched with proprietary blob "just trust us" firmware'
       > isn't made any better by not shipping the updates.
       But it's also not making it any worse, which is what you are calling for
       > No, they leave many vulnerabilities unpatched both in firmware (no updates)
       Again: yes they don't provide their users with proprietary binary blob firmware (which is what your issue with them really is)
       > and software (multiple years of frozen versions).
       This is however bullshit. They have continued to update byzantium and crimson with time. The 'frozen versions' you are referring to is the debian model of development which other posts in this thread have addressed
       
 (DIR) Post #AzXkmQx25Ub7Oq7uzI by GrapheneOS@grapheneos.social
       2025-10-24T14:12:26Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa
       > As pointed out over and over again their components are chosen because there they *can* provide security
       No, they chose the components because they have their proprietary, closed source firmware stored on the components. They do not block updating the firmware for most of the non-SoC components, there are just mostly no updates available due to the age and low quality of the components combined with them not shipping it. The components also had far worse security to start.
       
 (DIR) Post #AzXkmXkAphTGSzAFPs by GrapheneOS@grapheneos.social
       2025-10-24T14:13:37Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa Since they aren't going to ship firmware updates for the components, it makes it far more important that they chose components without proper protections. Radios not even using early 2000s mitigations such as stack canaries and ASLR for their code makes it that much worse that they're not having vulnerabilities patched. Similarly, the fact that the components are less isolated from the main processor and OS rather than more isolated is very relevant. USB is high attack surface.
       
 (DIR) Post #AzXkme6NC4nGBZb3qq by GrapheneOS@grapheneos.social
       2025-10-24T14:15:15Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa You portray it as if Purism chose components which avoid proprietary firmware, but they didn't do that. They used components which have the proprietary firmware stored on internal memory so Purism can pretend it doesn't exist. It still exists, and it's no less relevant. Persistent firmware stored on components is in fact less secure than the approach of those components requiring the OS to load it, and it's less transparent rather than more. It's harder to inspect, not easier.
       
 (DIR) Post #AzXkml2NPKkvhCmT5s by GrapheneOS@grapheneos.social
       2025-10-24T14:18:23Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa We're moving on to writing an article about it instead of responding here.
       
 (DIR) Post #AzXlA8xYdCSwY9g5tQ by jeffcliff@shitposter.world
       2025-10-24T19:14:52.514161Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
       > No, they chose the components because they have their proprietary, closed source firmware stored on the components. They do not block updating the firmware for most of the non-SoC components, there are just mostly no updates available due to the age and low quality of the components combined with them not shipping it.
       This doesn't even make sense. Components they aren't shipping? They are not shipping components that are in their devices that they are shipping? If they aren't blocking the firmware for non-soc components then that firmware is going to be not binary blobs...key difference there
       
 (DIR) Post #AzXlp7x3HgsZIPz4Ns by jeffcliff@shitposter.world
       2025-10-24T19:22:16.995664Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
       > Since they aren't going to ship firmware updates for the components, it makes it far more important that they chose components without proper protections.
       I think your negative tense is backward here but ...they chose components that could get them closer to *freedom*. That's the best the market had. Maybe there's better now and they could do better in their next version but that was what the market had to work with. Remember the original thread started because of problems with the supply chain generally -- we should expect if we're avoiding hardware problems of the kind this thread started with that it won't have recent advances which is almost certainly what you're referring to here
       In the meanwhile... are you complaining that they don't have ASLR and stack canaries in their hardware??
       > for their code makes it that much worse that they're not having vulnerabilities patched.
       of course they are having vulnerabilities patched, mentioned many times in this thread by now
       > Similarly, the fact that the components are less isolated from the main processor and OS rather than more isolated is very relevant.
       Would it be nice if there was more hardware isolation? Sure. I'd love another switch for bluetooth, specifically. But "hardware subsystems could be more isolated from each other" (on a system specifically designed to isolate hardware subsystems) is ...again you are wasting my time with this sort of design minutiae of a hardware company, because I, someone who is not a hardware engineer...just some rando purism user ...decided to try to encourage someone to use grapheneOS.
       > USB is high attack surface.
       USB is always an attack surface, the only way to prevent that is to not have USB :eyeroll:
       
 (DIR) Post #AzXmHxaAumyhXF22xk by GrapheneOS@grapheneos.social
       2025-10-24T15:04:15Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa
       > They certainly would not if we listened to you and allowed proprietary firmware to be installed on it.
       Their products ship with a whole lot of proprietary firmware, some of which can be updated and other parts of which cannot be updated.
       > minimized by design
       Purism doesn't minimize it at all. The hardware is nearly completely closed source. There's nothing open source about the SoC, Wi-Fi, Bluetooth, cellular, memory, touchscreen, battery, etc.
       
 (DIR) Post #AzXmHxwrYR7sfbeAKG by jeffcliff@shitposter.world
       2025-10-24T19:27:28.652055Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
       > Their products ship with a whole lot of proprietary firmware, some of which can be updated and other parts of which cannot be updated.
       ie the hardware cannot be updated and your earlier complaining about not being able to update firmware was for moot.
       > Purism doesn't minimize it at all. The hardware is nearly completely closed source. There's nothing open source about the SoC, Wi-Fi, Bluetooth, cellular, memory, touchscreen, battery, etc.
       https://puri.sm/learn/freedom-roadmap/ shows that this is inaccurate -- there's a bunch of the system that has been freed
       
 (DIR) Post #AzXmI3r3aw2yzKyc6q by GrapheneOS@grapheneos.social
       2025-10-24T15:06:09Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa It has the regular closed source firmware, not minimized in any way. Not updating it does not make it not exist. The very deliberate attempt at hiding it and misleading people is scamming them. Covering up serious security weaknesses and vulnerabilities makes it objectively a backdoored device. You make unsubstantiated claims about others doing that while promoting a device doing it.
       > you run on btw?
       It's not claiming to be open and free.
       
 (DIR) Post #AzXmI9waxG2fsFc7Zg by GrapheneOS@grapheneos.social
       2025-10-24T15:07:48Z
       
       1 likes, 0 repeats
       
       @jeffcliff @gcvsa GrapheneOS is not at all inherently specific to Pixels, those are just the current devices meeting the requirements listed at https://grapheneos.org/faq#future-devices. We're actively working with a major OEM on at least one of their next generation meeting these requirements so we can officially support it. The devices are being brought up to meet these standards rather than lowering our standards. A partnership with us does not provide an exception from any of our standard requirements.
       
 (DIR) Post #AzXmIGdi3s5wdhpdbs by GrapheneOS@grapheneos.social
       2025-10-24T15:09:02Z
       
       0 likes, 0 repeats
       
       @jeffcliff @gcvsa We deliberately made our requirements so that other devices can meet all of the standards without anything exotic. All of the requirements are for standard updates and security protections. Purism's devices are far further from meeting these requirements than most devices. Some companies would just need to open up their devices by allowing using an arbitrary OS while permitting it to use the full functionality.
       
 (DIR) Post #AzXmOQjbRPmpgbWjpY by jeffcliff@shitposter.world
       2025-10-24T19:28:39.831296Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
       > The devices are being brought up to meet these standards rather than lowering our standards.
       Good for you. focus on that instead of wasting random purism users' time
       
 (DIR) Post #AzXmVRk067Zepo3hLM by jeffcliff@shitposter.world
       2025-10-24T19:29:55.902627Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa
       > Purism's devices are far further from meeting these requirements than most devices.
       shots fired
       Come back when you've accomplished what they've accomplished
       
 (DIR) Post #AzXmo534gw71xQrjvc by jeffcliff@shitposter.world
       2025-10-24T19:33:17.720220Z
       
       0 likes, 2 repeats
       
       @GrapheneOS @gcvsa
       > Debian backports a subset of security patches which gets CVE assigned and barely anything else.
       > There are no substantial backports of security patches beyond that.
       > Most security patches to most projects do not get a CVE assigned and do not get backported.
       We've addressed this elsewhere in this thread
       > You haven't disproven any of this, you're just linking to irrelevant information while misrepresenting what we've said. What we've said about their approach is fully accurate.
       No, it's not. You've said that it's "incredibly insecure", which is laughable.
       > The approach is to give the semblance of security.
       No, it's to actually deal with the massive amount of complexity at the scale that debian operates in a sane way
       
 (DIR) Post #AzXmpMDmKUcBVVTu52 by jeffcliff@shitposter.world
       2025-10-24T19:33:31.957327Z
       
       0 likes, 1 repeats
       
       @GrapheneOS @gcvsa Will do, make sure to tag me so I see it