[HN Gopher] Purism Librem 14 review (part 1): The ethical flagship
___________________________________________________________________
Purism Librem 14 review (part 1): The ethical flagship
Author : fsflover
Score : 116 points
Date : 2022-05-03 11:44 UTC (11 hours ago)
(HTM) web link (tuxphones.com)
(TXT) w3m dump (tuxphones.com)
| eptcyka wrote:
| Given my previous, ongoing experience with receiving a product
| from Librem, will this also take years to be shipped after taking
| payment?
| jvanveen wrote:
| Still waiting on a Librem 5 from 2019, while the Puri.sm site
| claims it takes 52 weeks to deliver new orders. Draw your own
| conclusions.
| eptcyka wrote:
| To be fair, I put down the money knowing that I might lose it
| and not receive anything. I ordered mine at the start of
| 2019, I do not have my hopes up.
| fsflover wrote:
| Did you hear about the global supply chain problems? Even
| Apple suffers from that:
| https://www.theguardian.com/technology/2021/oct/28/apple-
| ear....
|
| (I am waiting for my Librem 5 too by the way!)
|
| Edit: Their estimate for the new orders comes from the
| information from the CPU suppliers, which say the same thing.
| Every time they can get the CPUs, they ship another bunch of
| phones. See also: https://forums.puri.sm/t/estimate-your-
| librem-5-shipping/112....
| [deleted]
| wander_homer wrote:
| Purism's shipping claims and estimates have been way way
| off even before there were any supply chain issues. At one
| point they even lied about shipping devices, with pictures
| of the devices "in the wild", when it later turned out to
| be prototypes given to some employees.
| fsflover wrote:
| > Purism's shipping claims and estimates have been way
| way off even before there were any supply chain issues
|
| This is true, and they had good reasons for that in my
| opinion: https://source.puri.sm/Librem5/community-
| wiki/-/wikis/Freque....
|
| > At one point they even lied about shipping devices
|
| Yes, it did happen:
| https://source.puri.sm/Librem5/community-
| wiki/-/wikis/Freque....
| fsflover wrote:
| For a few months now they have had laptops in stock, so shipping
| occurs within 10 days.
| throwlllllllll wrote:
| I opened mine and found the headset jack firmware had not been
| written yet. Does the headphone jack work yet?
| author-of-post wrote:
| Author here. Works for me (Ubuntu 22.04), although I hear a
| high-pitched interference when using low-impedance IEMs.
| ineedasername wrote:
| _> Intel Core i7-10710U Comet Lake processor (RRP $443), which
| was, apparently, the most powerful laptop-oriented Intels at the
| time._
|
| No, that would be the i7-10870H, which has a higher base & max
| frequency, and on high performance settings will support
| sustained workloads much better before throttling down. Intel's
| "U" chips are one of the low-power flavors. Not horrible for
| very short bursts but pretty bad for sustained loads.
|
| I'm using the equivalent H from Gen 9. Work initially "upgraded"
| me from an 8+ year old Xeon to a Gen 9 i7 "U" processor, and it
| was like stepping into molasses so I insisted on the H. Battery
| life is significantly worse but I can actually get work done on
| it, and switch to low power mode if I need to stretch things.
| (Even then it doesn't last as long as a U, but it's a good
| compromise for me)
| smoldesu wrote:
| Those U-series chips are a bit of a nerd novelty in my book.
| I've had some kicks and giggles getting my 6600U to run at
| absurdly low clock speeds (~400 MHz) to see how far I could
| stretch the battery and how usable it was. Pretty much anything
| under 800 MHz is unusable for desktop purposes, but it was a lot
| of fun playing around with that level of power tuning. Those
| clocks are much lower than the reported TDP-down stats, so I'm
| assuming it's only possible to reach those speeds courtesy of
| the funky sleep states Intel used to put in their Ultrabook
| CPUs. I don't think you can do similar tricks on new machines.
|
| Definitely not the sort of chip you'd want to do anything
| besides text editing and video streaming on though.
| happycube wrote:
| And gen8+ U's are _much_ better than previous dual-core chips,
| which were basically all i3's.
| mr337 wrote:
| Exciting to see more Linux options including System76, Framework,
| etc. I'm still really salty about the XPS13 not having proper
| sleep [1] and looking for other options.
|
| [1] - https://www.dell.com/community/XPS/XPS-13-9310-Ubuntu-
| deep-s...
| alias_neo wrote:
| How does it differ from the sleep/hibernate I'm currently using
| in Ubuntu?
|
| My XPS 13 has hardly ever been off since I bought it (2018
| model), I enabled sleep/hibernate with a tweak, and it'll last
| weeks just sitting there "sleeping" if I don't use it.
| simonh wrote:
| I'd be interested in seeing an analysis of the hardware, firmware
| and driver security on this thing. From what I can ascertain the
| security implementation on some of their phones is horrifying. It
| brings a different dimension to the reviewer's comment they are a
| 'known brand among enthusiasts especially in the fields of
| privacy and information security'.
|
| https://news.ycombinator.com/item?id=30761886
| Elyra wrote:
| I completely agree with that comment you linked, Purism is
| either deliberately selling snake oil or are completely
| clueless.
|
| Here's another example of this with them bashing Android/iOS
| security:
|
| > _One of the problems with the security measures implemented
| in Android and iOS is that they restrict the user as much, if
| not more, than they restrict an attacker._ [1]
|
| When Android actually has pretty decent sandboxing [2] which
| I've never felt restricted me as a user, and can actually
| protect you from malware, unlike their recommendation which is
| just security theater without a sandbox when it comes to
| malware.
|
| Unless you don't plan on ever installing any apps and
| personally audit every update yourself (since it's unlikely
| someone else will audit every single one thoroughly enough),
| malware and malicious third parties are a much greater threat
| than Google who is actually pretty transparent about what data
| they collect and handle it securely and responsibly.
|
| [1] https://puri.sm/posts/snitching-on-phones-that-snitch-on-
| you...
|
| [2] https://source.android.com/security/app-sandbox
| yjftsjthsd-h wrote:
| > When Android actually has pretty decent sandboxing [2]
| which I've never felt restricted me as a user, and can
| actually protect you from malware, unlike their
| recommendation which is just security theater without a
| sandbox when it comes to malware.
|
| Congrats on not hitting it, I guess? Android is absolutely
| painful if you try to do anything interesting, and it's
| becoming annoying even for trivial stuff - it was annoying
| but understandable when they started killing API surface for
| tasker and termux to use, it was annoying but understandable
| when they almost broke termux outright, but it moved beyond
| being understandable when they restricted file access so much
| that a third-party app can't _move_ files between directories
| without the OS prompting you to allow the "delete".
| Elyra wrote:
| > restricted file access so much that a third-party app
| can't move files between directories without the OS
| prompting you to allow the "delete"
|
| What use case do you have where you have an app that you
| want to be able to move files but you don't trust it with
| the "delete" permission?
| yjftsjthsd-h wrote:
| I _do_ trust it. The OS, however, "helpfully" insists on
| "protecting" me and prompts every single time with no way
| to save the permission.
| Elyra wrote:
| Which app and Android version is it? I've never had that
| issue where it prompts me every time without letting me
| save the permission, although if I recall requesting one
| time access is different than requesting permanent access
| for some permissions that an app has to declare, so maybe
| the app never declared the latter. (I admit, this is sort
| of silly)
| yjftsjthsd-h wrote:
| This is https://f-droid.org/en/packages/com.simplemobiletools.galler...
| on Android 11 (LineageOS 18.1).
|
| And yes, it may be a localized bug, but it's a localized
| bug that wouldn't occur on a nice normal GNU/Linux
| desktop without all of this, bringing us back to me
| agreeing with
|
| >> One of the problems with the security measures
| implemented in Android and iOS is that they restrict the
| user as much, if not more, than they restrict an
| attacker.
| Elyra wrote:
| In order to argue that, you have to list your goals, what
| you want to do with your phone, and the goals of an
| attacker. On Android, other than a few minor
| inconveniences, I can still achieve everything I want to
| with my phone, where an attacker will have a difficult
| time achieving their goal, of presumably stealing some
| data from another app.
|
| This is compared to PureOS where you may have free rein,
| but so would an attacker if you install their app on your
| device. If you used QubesOS I'd argue that restricts the
| user a similar amount as Android does, not to mention
| missing out on a number of mobile friendly apps.
| bo1024 wrote:
| An analysis of those things would be very interesting. At a
| basic level, I appreciate the neutered ME and the killswitches,
| which already put the laptop at the front of the pack.
| fsflover wrote:
| The laptop also uses Heads, which is indeed known among
| security experts:
| https://docs.puri.sm/PureBoot/Heads/User_Manual.html.
| megous wrote:
| Only security thing they point out is USB access for the modem,
| and you can fix that quite easily with a bunch of udev rules, I
| guess. Disable device auto-probing on the USB port the modem is
| connected to, and bind the proper modem/ACM driver to the
| device manually via udev rule. Then there will be no exposure
| to "all Linux USB drivers" and you'll avoid modem exposing
| itself as a keyboard and typing things into your console, or
| whatever.
|
| It's the same thing you should be doing on the desktop if you
| fear untrusted USB devices.
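The udev approach described in the comment above, as an added example (this is not code from the thread, from Purism or from PureOS). It generates two rules: the first turns off `interface_authorized_default` on the modem's root hub, so the USB core still enumerates whatever interfaces the modem exposes but probes no class driver for any of them; the second re-authorizes only the modem's CDC ACM control interface and asks the USB core to probe it, so `cdc_acm` binds while a HID interface on the same device never reaches `usbhid`. The port path `1-1`, vendor ID `1234` and product ID `5678` are hypothetical placeholders; read the real ones from `lsusb -t` and `lsusb -v`. Two caveats: interfaces that were already probed keep their drivers, so the modem has to re-enumerate (re-plug or power-cycle it) after the rules are installed, and on a board whose modem enumerates before udev starts, the root-hub rule needs to be in the initramfs for it to apply at boot.

```shell
#!/bin/sh
# Added example, not code from the thread, from Purism or from PureOS: generate
# udev rules that stop the kernel from auto-probing a class driver for every
# interface an internal modem exposes, then authorize and hand-probe only its
# CDC ACM interface. Port path and IDs below are hypothetical placeholders.
set -eu

MODEM_PORT="${MODEM_PORT:-1-1}"    # hypothetical: kernel name of the modem's USB port
MODEM_VID="${MODEM_VID:-1234}"     # hypothetical idVendor (four hex digits)
MODEM_PID="${MODEM_PID:-5678}"     # hypothetical idProduct
ROOT_HUB="usb${MODEM_PORT%%-*}"    # port "1-1" hangs off root hub "usb1"

# Print the rules on stdout.
# Rule 1: the root hub's interface_authorized_default (USB core, kernel 4.4+)
#   is cleared, so new interfaces are enumerated but no driver is probed.
# Rule 2: the modem's CDC ACM control interface (bInterfaceClass 02,
#   bInterfaceSubClass 02) is re-authorized and a probe is requested through
#   /sys/bus/usb/drivers_probe; cdc_acm's id table matches it. A HID interface
#   on the same device stays unauthorized, so usbhid never binds to it.
emit_rules() {
    cat <<EOF
# Generated by the example script; see comments there.
ACTION=="add", SUBSYSTEM=="usb", KERNEL=="$ROOT_HUB", ATTR{interface_authorized_default}="0"
ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_interface", KERNELS=="$MODEM_PORT", ATTRS{idVendor}=="$MODEM_VID", ATTRS{idProduct}=="$MODEM_PID", ATTR{bInterfaceClass}=="02", ATTR{bInterfaceSubClass}=="02", ATTR{authorized}="1", RUN+="/bin/sh -c 'echo %k > /sys/bus/usb/drivers_probe'"
EOF
}

# Write the rules into a rules directory (default /etc/udev/rules.d) and print
# the path; pass another directory to stage them without touching the system.
install_rules() {
    dir="${1:-/etc/udev/rules.d}"
    out="$dir/70-modem-interface-allowlist.rules"
    emit_rules > "$out"
    printf '%s\n' "$out"
}

# Usage: MODEM_PORT=1-1 MODEM_VID=1234 MODEM_PID=5678 ./modem-udev.sh install
#        then: udevadm control --reload-rules, and re-enumerate the modem.
if [ "${1:-}" = "install" ]; then
    install_rules "${2:-}"
fi
```

After installing, `udevadm info -a -p /sys/bus/usb/devices/<port>` shows the attributes the second rule matches on, and `ls -l /sys/bus/usb/devices/<port>:1.*/driver` confirms that only the ACM interface has a driver symlink.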
| simonh wrote:
| >Only security thing they point out is USB access for the
| modem..
|
| And the pointless supply chain vulnerability, introduced in
| order to game the FSF certification process, and lying about
| security features in their competitors, and accusing them of
| using binary blobs which they actually do as well while doing
| so with a worse security implementation.
|
| >you can fix that quite easily with a bunch of udev rules, I
| guess
|
| Exactly, why didn't they? I would understand if some of those
| were just teething troubles but that phone came out well over
| a year ago and bear in mind this analysis and criticism comes
| from within the OSS community trying to help them get this
| fixed, and hitting a brick wall.
| fsflover wrote:
| Or just use Qubes OS with a dedicated VM for usb devices:
| https://qubes-os.org.
| megous wrote:
| That will still allow execution of kernel code you may not
| want executed (even though in a VM), and is thus strictly
| worse. Especially for the modem, which you need to run and
| interact with all the time on a phone, this sounds like
| overkill.
| rank0 wrote:
| Not sure I understand your comment. Of course kernel code
| is executed in the guest VM...what's the problem with
| that? An adversary would have to break Xen security
| controls to gain access to your other domains.
| megous wrote:
| VM has to have some communication bridge to the host, for
| all the features of the modem. That's still quite a lot
| of attack surface, once guest VM is compromised.
|
| It's better to not expose the needless attack surface
| rather than just attempting to isolate the attack into a
| leaky VM.
| rank0 wrote:
| My understanding is that the paravirtualization provided
| by Xen is an effective control. The guest shouldn't have
| direct access to the hardware device io right?
|
| What is the alternative? If you don't use a VM you have
| to expose dom0 directly to device io.
|
| EDIT: ah I see we're talking about a Linux phone! I agree
| with your point I'm not sure mobile devices have the
| resources to isolate every component into a VM. Overkill
| indeed!
| bpye wrote:
| Mobile devices could, if the SoC allowed every device to
| be isolated with an IOMMU. Apple does this, Nvidia too
| (though some SoCs are broken) and I think Qualcomm might
| as well. A lot of the other ARM SoCs seem to have just
| one or maybe two domains (GPU and everything else), and a
| non standard IOMMU for even that too.
|
| I've looked a few times for an ARM SBC with a nice
| architecture to play with this stuff, Nvidia seemed to be
| the only option but they are also unobtanium right now.
| fsflover wrote:
| > From what I can ascertain the security implementation on some
| of their phones is horrifying.
|
| Their phones run desktop GNU/Linux. Their security is then the
| same. It's probably not enough for a phone, if you run a lot of
| untrusted apps, but it's a start. Also, the app store only
| consists of FLOSS apps.
|
| See also: https://source.puri.sm/Librem5/community-
| wiki/-/wikis/Freque....
| tomxor wrote:
| The parent is referring to the replacement firmware not the
| OS and above. This is different from running the same FOSS
| software on other more closed hardware.
|
| It's a valid concern: On the one hand Purism is gradually
| achieving their intermediate ideal of providing machines with
| open firmware for all the hardware; On the other hand, if the
| real life security of that open firmware is poor, it
| undermines their underlying principle of privacy - To
| complicate matters it may not be technically worse than the
| proprietary blobs it replaced, but it's open for all to see.
|
| In other words, to achieve real world privacy, it's not
| enough for the firmware to be open, it must also be secure.
| daenney wrote:
| I'm a bit puzzled by the 'ethical' in the title. It only appears
| in the title, there's no explanation of what makes this laptop
| ethical and by which measures.
|
| The Librem is probably the most available laptop with recent-gen
| hardware that is the most Free (i.e. controllable down to the
| firmware through Free Software components, and sometimes puts
| proprietary components behind libre daughter cards). That's a
| laudable and an impressive achievement all by itself.
|
| But when we say ethical, for me that would mean many other things
| too. Being very repairable and ideally modular so that the user
| can maintain the device for a long time. Selecting materials that
| ensure the device is very recyclable and sourcing those materials
| and the labour needed to assemble them from places that mine them
| in environmentally conscious ways, that don't employ child labour
| and pay workers fairly. Purism might be doing some or even all of
| that, but that information doesn't appear to be available from
| Purism itself and doesn't look like it's something TuxPhones
| intends to dig into.
|
| Based on the next installments they do at least intend to look at
| the repairability of the device. Purism itself states:
|
| > By removing just a few screws, you can easily replace the
| battery, wifi module, RAM, or the M.2 ssd.
| ineedasername wrote:
| _> there's no explanation of what makes this laptop ethical and
| by which measures._
|
| Well, they didn't say "no animals were harmed in the making of
| this laptop" so I'm going to assume that's not what they meant
| & therefore probably slaughtered countless puppies in the
| process.
| fsflover wrote:
| > there's no explanation of what makes this laptop ethical and
| by which measures.
|
| They probably mean this: https://www.fsf.org/news/fsf-adds-
| pureos-to-list-of-endorsed....
|
| See also: https://news.ycombinator.com/item?id=25504641.
|
| It's repairable and upgradable, too:
| https://puri.sm/posts/beyond-right-to-repair/.
| daenney wrote:
| > They probably mean this: https://www.fsf.org/news/fsf-adds-
| pureos-to-list-of-endorsed....
|
| Possibly, yes. But if that's the case then I'd argue the
| author didn't understand the announcement. It covers PureOS
| the Debian-derivative published by Purism, not Purism's line
| of hardware. Purism does some stuff with hardware that the
| FSF considers "unethical", like the daughter card setup for
| components where they can't control the firmware.
|
| The FSF explicitly states on that page:
|
| > It is not a certification of any particular hardware
| shipping with PureOS.
|
| No Purism hardware is "Respects Your Freedom" certified.
| fsflover wrote:
| > It covers PureOS the Debian-derivative published by
| Purism, not Purism's line of hardware.
|
| No, it's not just software. You can only run an FSF-
| endorsed distro if you have no proprietary blobs in the
| OS. You can do this on Librem 14, because it uses Atheros
| (replaceable) WiFi module working with free software _and_
| firmware.
|
| > No Purism hardware is "Respects Your Freedom" certified.
|
| This is true, but they are trying to get this certification
| for their Librem Key and Librem 5.
| daenney wrote:
| It is just software. The only thing PureOS does is not
| ship with the firmware necessary to make those
| proprietary hardware components work out of the box. It's
| essentially Debian but without the non-free repo. Nothing
| stops you from making PureOS work on hardware with
| proprietary firmware if you want to. It isn't locked to
| only work on libre hardware, it's just a bit more
| tedious.
| hiq wrote:
| > They probably mean this: https://www.fsf.org/news/fsf-adds-
| pureos-to-list-of-endorsed....
|
| There are already many FSF-approved Linux distributions which
| you can install on most laptops, many of which existed before
| PureOS.
| fsflover wrote:
| > which you can install on most laptops
|
| But your WiFi card will not work on those laptops, except
| for Lenovo ones from 2008 and earlier.
| author-of-post wrote:
| Author here (thanks for posting!) - I went much deeper on
| that in the 2nd part, which was released some hours ago
| (https://tuxphones.com/purism-librem-14-ethical-linux-
| privacy...), not sure if before or after this first bit was
| shared here.
| als0 wrote:
| > Thanks to Pureboot, the Intel Management Engine (ME) on the
| processor is disabled: this controversial microcode component,
| supposed to optimize x86 machine code inside the CPU
|
| The author has confused two things here, which are not related.
| The ME is not microcode; it is a special processor inside the
| PCH, and is supposed to provide remote management services.
| Whereas the Intel microcode is a totally different thing - it is
| an updatable part of the main CPU itself and is used for fixing
| performance issues, errata, or security issues like Spectre.
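The distinction drawn in the comment above shows up in where each thing is checked on a running system, so here is an added example (not code from the thread or from Purism). The microcode revision the kernel loaded is reported per CPU in `/proc/cpuinfo`, and the CPU's family/model/stepping signature names the update file staged under `/lib/firmware/intel-ucode/`; the script parses the one and reads the revision field of the other to tell whether a newer update is staged. The ME is a separate processor in the PCH, and nothing in `/proc/cpuinfo` says anything about it (its host side is the MEI/HECI PCI device, queried with tools such as `intelmetool`, which this script deliberately does not touch). The cpuinfo text embedded below is a constructed sample; the stepping and revision values are illustrative, and `od` is assumed to run on a little-endian host.

```shell
#!/bin/sh
# Added example, not code from the thread or from Purism: check the CPU
# microcode revision (a property of the CPU core) against the update file
# staged on disk. This says nothing about the Intel ME, which is a separate
# processor in the PCH and is not visible in /proc/cpuinfo at all.
set -eu

# Constructed sample in the shape of /proc/cpuinfo (one logical CPU of a
# Comet Lake part; the stepping and revision values are illustrative).
SAMPLE_CPUINFO='processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 166
model name : Intel(R) Core(TM) i7-10710U CPU @ 1.10GHz
stepping : 0
microcode : 0xf0
'

# Read cpuinfo text on stdin; print "<family>-<model>-<stepping> <revision>"
# for the first CPU, with the signature in the zero-padded hex form used for
# file names under /lib/firmware/intel-ucode/ (e.g. 06-a6-00).
microcode_summary() {
    awk -F': *' '
        $1 ~ /^cpu family/     { fam = $2 + 0 }
        $1 ~ /^model[ \t]*$/   { mod = $2 + 0 }
        $1 ~ /^stepping/       { step = $2 + 0 }
        $1 ~ /^microcode/      { rev = $2 }
        /^$/ && rev != ""      { exit }
        END { printf "%02x-%02x-%02x %s\n", fam, mod, step, rev }'
}

# Revision stored in an Intel microcode update file: the 48-byte header starts
# with the header version (4 bytes) followed by the update revision (4 bytes,
# little-endian). Printed as 8 hex digits; assumes a little-endian host for od.
staged_revision() {
    od -An -tx4 -j 4 -N 4 "$1" | tr -d ' \n'
}

# Exit 0 if the staged file ($2) carries a newer revision than the one the
# CPU is running ($1, as printed in /proc/cpuinfo, e.g. 0xf0).
update_available() {
    staged="0x$(staged_revision "$2")"
    [ "$((staged))" -gt "$(($1))" ]
}

# Usage on a live system (the signature picks the intel-ucode file to compare):
#   sig_rev="$(microcode_summary < /proc/cpuinfo)"        # e.g. "06-a6-00 0xf0"
#   update_available "${sig_rev#* }" "/lib/firmware/intel-ucode/${sig_rev%% *}" \
#       && echo "newer microcode staged; reboot (or late-load) to apply"
```

A staged revision newer than the running one usually means the early-load path did not pick the file up (no initramfs rebuild after the package update); a running revision newer than anything on disk means the BIOS/firmware image, not the OS, supplied it, which is a separate update channel from the ME firmware.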
| myself248 wrote:
| Are they not both types of microcode?
|
| Just one referred to as Intel Microcode(tm) which is what they
| want you to think of as microcode, and the other _also_ being
| code that executes within the chip outside the user's view,
| which Intel doesn't refer to as Intel Microcode(tm) but which
| still meets the dictionary definition thereof?
| h-w wrote:
| The Star Labs StarBook MK V has coreboot and Intel ME turned off
| and is one generation newer CPU (11th gen).
| xanaxagoras wrote:
| Seems like all of these not-Dell Linux laptops have awful
| speakers, how are they in this?
| amachefe wrote:
| It looks like Lenovo ThinkPad T Series. Solid Linux machines.
| Brian_K_White wrote:
| I do value the Purism goal of eradicating all the blobs from the
| hardware, but reading this I don't feel any envy compared to my
| Framework which is almost a year old already.
|
| I don't have fixed standard ports, but I do have 4 full
| thunderbolt 4 ports, supporting power/charging on all, and
| displayport on all, and the modules convert those into whatever
| combination of dongle-less ports I want. Even though I would like
| a dongleless ethernet and there is no module for that yet, I
| still feel like I have way better io than this because what I do
| have is configurable and way more powerful.
|
| Framework's special aim is more about hardware freedom and
| reusability/repairability, but software freedom is a very close
| second and they are not exactly slouching on that job.
|
| Of course the machine is fully supported under Linux for all
| hardware, and beyond that, they have fwupd support in beta, and
| most impressively they open-sourced the BIOS a few months ago.
|
| Between the open-source BIOS and the ability to install whatever
| wifi card and storage you want, and the ability to disable the
| management engine in the CPU yourself by a hack essentially, you
| get pretty close to eradicating all the blobs.
|
| And it's cheaper, even more repairable, and has better io (in a
| sense).
|
| It has hardware camera & mic kills but not hardware RF kill. The
| screen is 3:2.
|
| I routinely run 2 portable external thunderbolt/dp displays.
| Single usbc/tb3 cable to each display, power and data.
|
| I'm not a gamer but other people have used external gpus on it so
| the ports support that.
|
| I also routinely use a tb3 dock on my desktop for gigabit and two
| monitors and power on a single cable.
|
| The plugin modules also means that the usbc ports are also all
| essentially prophylactic. If you break a usbc port, all you
| really broke is a $9 passthrough module which you can replace in
| 2 seconds like swapping a thumb drive. You can even keep using
| the real usbc port while the replacement module ships, if you
| didn't already have a spare.
|
| 64 GB removable DDR4, 2 TB removable NVMe, 11th-gen i9. I don't
| suffer for power.
|
| Battery life could be better. After tuning I get 6 or 7 hours.
| Not really up to par for today, although my machine is maxed out
| in cpu, disk, and ram which is on me. There is a known issue that
| some of the plugin usbc modules draw power at all times even when
| not in use and even when the machine is powered off. So, I happen
| to use a thunderbolt dock on my desk, and my portable monitors
| are usbc, so I don't happen to ever actually use the hdmi or dp
| modules I got, so I don't happen to suffer that power drain
| because the usbc modules have no electronics.
|
| I'd be interested in hearing more about the touchpad and
| keyboard. The Framework keyboard feels fine and is backlit, but I
| don't love the layout. And I really don't like the apple-style
| huge glass touchpad with no buttons. At least the pad is
| clickable so I can at least still disable taps. And at least it
| does work well when I must use it. Mostly I use an mx keys
| keyboard and mx anywhere 3 mouse.
|
| I really like the keyboard and touchpad on my x1 carbon 5th gen
| (2017/2018).
| rank0 wrote:
| I just got a framework last week, and I was quite disappointed
| with the supposed "Linux support". It's absolutely not "out of
| the box support" as they claim on their marketing material. I
| had to do a number of tweaks to get into a usable state using
| Fedora 35, their recommended Linux distro.
|
| I love the company's mission, so I'll cut them some slack on v1
| but it feels dishonest. They should really iron out all their
| problems with BIOS, audio jack, suspend/hibernation, grub
| before selling the idea that fedora 35 is fully functional.
| Just be honest!
|
| EDIT: I'm looking for a reasonable dock/KVM switch lmk if you
| have any recommendations!
| Brian_K_White wrote:
| I'm using xubuntu and the mainline kernel and the only thing
| I'd have to do special at all would be to make the
| fingerprint reader work. Everything else has just worked.
|
| The suspend thing I think has to do with the BIOS not Linux.
| It's a bug but not a linux support bug, I think.
|
| I'm currently using a fairly old HP tb3 dock that was really
| only intended for use with a few laptops of theirs. I like it
| for its form factor, and it does function, but there are a
| couple annoyances that have me looking for an update.
|
| The tb3 cord is removable but so special that it might as
| well be hardwired. The dock end has a big plug with both a
| usbc and barrel connectors in one big chonk. The usbc part is
| normal so you _could_ replace that cable with another, but
| you'd lose power delivery.
|
| The video outs seem to be a bit marginal. They work but they
| seem to be easily disturbed, like they are right on the edge
| of not working. The screens lose sync and reconnect once in a
| while. Once in a while is not multiple times per day, but
| probably at least a once or twice most weeks, but also some
| multiple weeks with no glitch. My magnetic usbc adapter
| surely contributes.
|
| Somewhere between half the time and all the time, the
| external monitors do not wake when the laptop wakes from
| sleep, and by sleep I mean just the first level like just
| blanking the screens. I don't have any swap or hibernate
| configured. But all I have to do to restore both screens is
| just rock the magnetic usbc connector 90 degrees to break the
| connection, wait 2 seconds or so, and let it snap back, and
| both monitors come back on and the xubuntu xrandr tool
| automatically restores the profile that uses them positioned
| the way I had them.
|
| If I'm lucky, maybe even most of my ssh sessions survive the
| temporary loss of ethernet. oh-well-emoji haha
|
| I got the same model of dock for my gf and she has an LG Gram
| and only one external monitor, and she's running Windows, and
| her monitor loses connection all by itself even when not
| idle/blanked, sometimes multiple times in a day, sometimes a
| couple weeks with no problem.
|
| I have gone through a few different attempts at getting new
| higher quality cables and shorter runs etc.
|
| So I think the display flakiness is in the docks and not in
| the laptops or the OS's or the monitors.
|
| But it is suuuuch a sweet little unit, and it does work so
| 99% well. Everything else are these big ugly boxes that are
| big enough that they might as well just be mini pc's and skip
| the laptop. Or they are nice looking small but junk guts.
|
| HP Elite ZBook TB3 dock 1DT93AA#ABA
| hansel_der wrote:
| > I had to do a number of tweaks to get into a usable state
| using Fedora 35
|
| might be worth the effort of testing other distros (I hear
| Arch has the bleeding edge)
___________________________________________________________________
(page generated 2022-05-03 23:01 UTC)