The solution, I think, would be a regulation that forbids manufacturers of any chip or device CPU from making obstacles to reprogramming the device (using fuses, digital signatures, encryption etc). So if you buy a device with a CPU and writable memory, you should be able to load your own program and the manufacturer may not use technical measures to stop you. The goal of the regulation would be to prevent the creation of digital waste and vendor locks, and to allow reusing the hardware.
Of course, features like theft prevention won't work, so the user should be able to waive this right.
Regulation should prevent Google from subsidising manufacturers to use Android. Arguably the recent antitrust legislation [2] applies in this case because they're effectively paying manufacturers to place that horrendous and impossible to remove search bar on the home screen.
[1] https://www.androidauthority.com/graphene-os-major-android-o...
[2] https://www.justice.gov/opa/pr/department-justice-wins-signi...
I get that this is in the name of security hardening. And you can make a build that has limited root access and is officially supported. But GrapheneOS isn't the end-all solution to computing freedom. Although hopefully on those devices you will be able to install custom OSes (root capable build of Graphene or otherwise).
Devices built to officially support GrapheneOS MUST include first class support for using an alternate OS that's not the official GrapheneOS, which is part of our requirements at https://grapheneos.org/faq#future-devices. These requirements apply to official GrapheneOS devices in the same way as devices using a Google Mobile Services stock OS. Combined with the OS being open source, that's what gives people the freedom to legally and practically use/make forks of it with arbitrary changes.
Userdebug builds of GrapheneOS are officially supported, although we don't recommend using them on a production device. Setting ro.adb.secure=1 for a userdebug build does preserve most of the security as long as ADB isn't used, but not all of it. It still downgrades security when ADB isn't used since the changes to accommodate having root access and other debug features via ADB have an impact beyond when it's actually used. It doesn't destroy the overall security model in the way people typically integrate root access where a huge portion of the OS has it and it's accessible to apps in a persistent way.
GrapheneOS doesn't make any connections to Google or Qualcomm by default, unlike all the other Android-based systems. https://grapheneos.org/faq#default-connections
See https://eylenburg.github.io/android_comparison.htm
As previously mentioned, GrapheneOS hosts a proxy for the Qualcomm SUPL service. In addition, it removes unique device identifiers from the requests that would normally be present.
GrapheneOS supports the Pixel tool for provisioning eSIMs, but it's fully sandboxed and doesn't share any data with Google.
Modifying the official builds by replacing part of the core OS with Magisk and then using that to modify the rest of the OS dynamically is what's not officially supported and strongly discouraged. That doesn't mean there isn't official support for root, which is available in userdebug builds without the same massive negative impact to the security model of the OS.
Implementing a more flexible permission model + sandbox would probably involve too much work for them.
Hopefully AVF might make things a little better if we'd be able to run Android VMs on Android - so you'd be able to run a rooted VM inside GrapheneOS.. but this depends on Google keeping Android open source, yet QPR1 was not released.
I'm secretly hoping that this will be Framework or Nothing.
https://wiki.lineageos.org/devices/#motorola
For family, I just got a used Edge 30 Neo for ~100$ and put LineageOS on it, and it works like a charm. Phones like the Moto g84 go for even less and still can be bought new for a decent price.
Xiaomi would be even cheaper, but I would highly discourage getting one because the unlock process is plain ridiculous nowadays.
And as others have already noted, if you don't mind getting a phone that's a few years old, a used Pixel 5 is not expensive (still happily using a Pixel 4a and don't see why I would need to upgrade).
You will lose DRM-based apps (e.g. Netflix), Payment apps, and bank apps though.
There are societies today (I live in one) where some businesses are starting to accept payment only through a banking or payment app, no cash, no card, nothing else. And these apps will only function in the very narrow circumstances of "I bought a device which runs software from one of two American tech monopolies and follow all their frequently changing rules for using various software that's unrelated to the payment I need to make." This limitation is mostly in place due to the banks believing it will make things more secure. Security is important, but not important enough that you get to start denying innocent people the ability to make payments or exile them from the banking system because they had some kind of dispute with Apple or Google. Governments need to step in with access mandates here, otherwise this problem WILL come to a jurisdiction near you sooner or later.
The argument that this is actually a security benefit is a farce. It doesn't do anything. If the device is compromised then it's going to capture your password and send it to the attacker without attempting any attestation. So the only time the attestation is attempted is when the device isn't compromised.
It's clearly not about real security. It is about control. You follow the rules and get Google's blessing or no SafetyNet for you. These rules include things like ensuring that the user can't access their own data without the controlling app's permission.
The new attestation system Google introduced recently (which I think also more strongly forces hardware-based attestation for phones that support it and is therefore more difficult to bypass) actually does that – the very highest attestation level requires running a security update not older than one year if I remember correctly.
What remains to be seen is how much that'll get used in practice – users with rooted phones or custom ROMs are rare enough that a lot of vendors seemingly have no qualms excluding them, whereas users with outdated phones are probably a somewhat more sizeable number.
Let me offer another perspective. The OS vendor actually has significant control over your device. They could plant backdoors in different layers of the OS.
Therefore, in their defense, if the OS doesn't come from a trusted source (in the bank's or Google's point of view), your bank's credentials are essentially compromised.
You could argue that there are backdoors either way. They are just controlling which party gets to plant the backdoors, after all.
"Compromised" means that someone has them who will use them for unauthorized activity. When your device is infected with malware because it's running the same version of Android it came with that hasn't received a security update in several years, entering your credentials into that device will cause them to be compromised. When your device has a custom ROM that isn't sending your credentials to anyone it isn't supposed to, they are not compromised.
But the first device passes attestation and the second one doesn't. Moreover, that is the common case -- the version of Android that came with the device is likely to be older and have more vulnerabilities than a custom version installed later. Which means that passing attestation isn't just uncorrelated with uncompromised devices, it's actually anti-correlated with them. Requiring it is forcing users to keep and use the older OS with known vulnerabilities on that device.
I managed to get a US refurbished Pixel 2 somehow with a fuselocked bootloader here in Ireland. I bought it second hand but I've no idea how it got that way. But I'm stuck on the Pixel image and I wanted to use it for ROM testing etc.
The reality is however that if you look at active current projects being able to use digital IDs to access fundamental freedoms like communication without child safety rails in Europe is going to require Apple or Google's permission because politicians like it that way.
You can think things should happen in a way all you like, but they are not going to, because governments have vested interests in the opposite direction.
Other manufacturers do the same, where you have to wait a period of like 45 days before being able to unlock, and then have to ask permission on their website to unlock your bootloader.
Wandering the web to find an exploit is way beyond my spare time.
Yes, some banks still allow classic clunky 2FA (SMS, card readers, sometimes SIM generators) but it'll all eventually go away in favor of "locked and favored" OS unless legislation fights against it.
Fortunately, they backed off and decided to abandon the proposal after massive backlash. But we don't know when we will see a 2.0 version of that.
For example, you can't relock the bootloader on any device except Pixels. Why? No reason. Just fuck you, I guess.
That's a huge security hole that they're creating, intentionally.
What's going on is they are hoping that if you do use other software that you get malware or get scammed. They are literally, actually, undermining their own device's security just to send a message.
These people are psychotic.
> as well as those now using push MFA with their apps for every large purchase.
Our banks use SMS OTP (not required for mobile app) for all operations - I assume otherwise the amount of fraud would be exorbitant.
> Recently I needed to install an app from the UK government to prove my identity via camera to renew my driving license, and that doesn't work in GrapheneOS either. I can do it in person (for now) but there is an extra fee.
Interesting that the government relies on a proprietary, foreign platform.
Except regulations are now moving in the opposite direction: to mandate device locking.
You can buy a refurbished Pixel 5 for less than 200$. Great screen, great camera, 5G, the works. It's definitely not an "outdated" device, and it runs Graphene or Lineage with minimal hassle.
The Pixel 8 and 8a aren't that expensive either. And keep in mind that they are supported until 2030 and 2031 respectively. [1] They not only receive security updates for 7 years, instead of the 5 years for previous Pixel generations, but also have stronger hardware security, by implementing the ARM memory tagging extension. [2]
More seriously: I believe many refurbished resellers do swap a new battery on the higher quality tiers.
Also, the basic premise is that you can buy a decent Pixel phone for an affordable price, not that it has the very best price/value out of any device. I would also wager that the Pixel 8 has massively better cameras than a Samsung A16, so not apples to oranges.
You can also use 2 SIMs on a Pixel by using an eSIM.
[0] https://droidian.org/
[1] https://www.notebookcheck.net/Lenovo-ThinkPhone-by-Motorola-...
No contention that Graphene is safe, but categorizing other OSes as "pretty bad when it comes to security" because they don't copy Graphene is a bit of a stretch.
Operating systems lagging far behind on privacy and security patches are definitely quite bad when it comes to security. For example, the official releases of /e/ for the Pixel 7 are still based on Android 13 and do not include any of the Pixel kernel, driver or firmware patches released from October 2023 and later. Eylenburg's table doesn't put much emphasis on this since it's contained within a couple rows which do not adequately communicate how delayed the updates are and how much that matters.
In addition to the official Android and OEM privacy/security patches, there are also major privacy and security improvements in each major Android release. Android also doesn't backport most Moderate and Low severity patches which are no longer given CVE assignments. Most privacy patches are considered Moderate or Low severity if at all. Many privacy improvements also aren't considered to be bug fixes since they're improvements to the intended design of the system. Only bug fixes considered to have a High or Critical severity security impact are backported. The comparison table could cover a bunch of standard Android privacy/security improvements to emphasize the importance of keeping up with the only actual LTS branch.
Interesting position. It is a valid criticism but brings its own problems.
For the Android comparison, GrapheneOS is the only privacy and security hardened OS included in the comparison. DivestOS used to be included before it was discontinued. An OS not including Google Mobile Services and branding itself as private based on that is a much different thing than a privacy and security hardened OS. Which other Android-based hardened OS could be included in the comparison?
None of the operating systems listed in the comparison include app accessible root access. Giving unconstrained root access to a huge portion of the OS including the application layer including a GUI application for managing firewall rules is not a well secured approach to implementing it. Managing firewall rules is entirely possible to implement while following the principle of least privilege and not substantially reducing OS security. In fact, Android has standard support for it and all of the operating systems included in his comparison rely on it if you want to do fine-grained traffic filtering.
RethinkDNS is a good example of an app providing support for local filtering via the VPN service app feature without losing the ability to use a VPN. RethinkDNS supports using a WireGuard VPN or even multiple chained WireGuard VPNs while doing local filtering of both DNS and arbitrary connections. It can filter connections based on the results of filtered DNS resolution. That's the approach that's used by Android so that's inherited by every OS in the comparison.
GrapheneOS is the only OS that's listed fixing all of the leaks for the standard VPN lockdown feature which is needed to prevent leaks for firewall apps including RethinkDNS based on the VPN service app feature. That's not listed by the table, although it could be and it would make sense for someone to file an issue proposing listing it. Many GrapheneOS privacy and features are not listed by Eylenburg's comparison and a lot of what's listed are under huge categories such as "Hardened system components".
I was arguing on the other axis. It's got good coverage of OS options, but the list of features is indistinguishable from someone saying "okay, this is what GOS does; how do others compare to each of its selling points?"
> None of the operating systems listed in the comparison include app accessible root access.
There is a difference between not shipping something by default, and being actively hostile to it.
> Giving unconstrained root access to a huge portion of the OS including the application layer including a GUI application for managing firewall rules is not a well secured approach to implementing it.
Agreed, that would be foolish. Thankfully, nobody is suggesting that. Just use a permission prompt, like every Android root solution has for... over a decade? I don't think I've ever seen anyone not putting root behind a permission prompt, actually.
> RethinkDNS is a good example of an app providing support for local filtering via the VPN service app feature without losing the ability to use a VPN. RethinkDNS supports using a WireGuard VPN or even multiple chained WireGuard VPNs while doing local filtering of both DNS and arbitrary connections.
AFAICT, RethinkDNS demonstrates the problem quite nicely. On, say, my laptop, I can configure arbitrary VPNs and firewall rules, and I can configure them independently. Android conflates them such that - if not using root to work around the official way - your firewall app and your VPN app must be the same app. It's nice that RethinkDNS has specifically added WireGuard support to its firewall app, but the fact that they needed to is a symptom of a poor design.
great for playing around with or if you want to install something like GrapheneOS.
Why would you make essential security features illegal? Do you want to fly on a plane where the flight control software was maybe overwritten?
>So if you buy a device with CPU and writable memory, you should be able to load your own program and manufacturer may not use technical measures to stop you.
The problem is Google and Apple locking down their Operating System, this is not a technical limitation on hardware.
I don't understand it. Whoever owns the plane can replace any part of it, including computers. So being able to overwrite software doesn't change it. Furthermore, plane computers are not consumer hardware.
You could make a better example with patched car software.
> The problem is Google and Apple locking down their Operating System, this is not a technical limitation on hardware.
The initial ROM bootloader contains a hard-coded signature which prevents you from replacing Apple/Google software.
No need to strip out every wall, we just have to think about the problem and put doors at necessary places so we can enjoy both freedom AND security.
But long-term, Android is such a massive code base, and was designed more for surveillance and consumption, than for privacy&security and the user's interests.
I think getting mainline Linux viable and sustainable on multiple hardware devices is a warmer, fuzzier foundation. (Sort of a cross between Purism's work on the Librem 5, and PostmarketOS's work on trying to get mainline Linux viable on something else.)
You just have to somehow speedrun the decades of development that went into Android to make it decently run on mobile hardware.. never really understood this "throwing out the baby" direction - the UNIX userspace model simply doesn't work on mobile (I would wager it also doesn't work on desktop anymore), has no security (everything runs as your user which made sense when you ran some batch job on a terminal with multiple other users, but nowadays when a single user has as many processes as all the users had back then it effectively means no security between any of those programs), there is no real resource control, no lifecycles, so the device will burn scorching hot and have terrible battery life.
On Android (and iOS) apps were always living in a world with lifecycles so if they wanted to operate correctly, they had to become decent citizens (save state when asked, so they can be stopped and resumed at any moment). This also fits nicely with sandboxes and user permissions, etc.
So without developing an alternative user-space for "GNU-Linux", it's simply not competing with android in any form or shape.
And even if you do, now every GNU app has to somehow be ported to that userspace API (you can't just kill GIMP or whatever Linux process)
Isn't this mainly due to proprietary drivers and firmware?
Android devs actually backported a bunch of work to the mainline kernel with regards to low-level energy management, but that's only one half of the story. The other is your phone stopping unused apps gracefully, and being able to go back to sleep regularly.
I switched from Windows to Linux, it's been 2 years. One of the few things I missed on Windows was the native WhatsApp app, as the Web WhatsApp is horrible. Then a few months Meta killed the native app and made it into a webview-app :)
e.g. HellDivers 2 didn't work well until recently on Linux. If you are playing certain factions it is a very fast paced game and I would frequently experience slow downs on Linux.
So if I wanted to play HellDivers 2, I would have to reboot into Windows. Since running kernel 6.16 and updates to proton it now runs better.
And the latest gen fingerprint scanner only works between 10-50% of the time depending on the day, humidity, etc., no matter how often you re-enroll a fingerprint, enroll a fingerprint multiple times, etc.
And the battery drains in 3-4 hours. Unless you let powertop enable all USB/Bluetooth autosuspend, etc. But then you have to write your own udev rules to disable autosuspend when connected to power, because otherwise there is a large wakeup latency when you use your Bluetooth trackball again after not touching it for one or two seconds.
And if you use GNOME (yes, I know use KDE or whatever), you have to use extensions to get system tray icons back. But since the last few releases some icons randomly don't work (e.g. Dropbox) when you click on it.
And there are connectivity issues with Bluetooth headphones all the time plus no effortless switching between devices. (Any larger video/audio meeting, you can always find the Linux user, because they will need five minutes to get working audio.)
As long as desktop/laptop Linux is still death by a thousand paper cuts, Linux on the desktop is not going to happen.
I really wish it was seamless and good, but it just isn't (and frankly it's a bit embarrassing it isn't given desktop environments for GNU Linux have been in development for 20+ years).
For example the laptop I had from my previous employer (a pretty beefy Dell) was failing to go to sleep, I had to unplug the charger and the HDMI cable on my desk each night, otherwise every second night it was keeping my monitor lit on the lock screen; when low on battery it clocked the CPU down so much that the whole system froze to a grinding stop not even the mouse pointer was moving, and even after putting it back on the charger it remained similarly unusable for a good 10 mins..
Like I have been using Linux since the Xorg config days when you could easily get a black screen if you misconfigured something, but at least those issues are deterministic and once you get to a working state, it usually stays there. Also, Linux has made very good progress in the last decade and it has hands down the best hardware support nowadays (makes sense given that the vast vast majority of servers run Linux, so hardware companies employ a bunch of kernel devs to make their hardware decently supported).
This doesn't happen on my ThinkPad but does on my MacBook. If anyone else faces these kernel panics on their Mac, you have to set your monitor to a hard 120hz rather than a variable rate on the macOS display settings. KDE handles the variable rate just fine on the ThinkPad for me.
I moved to Mint almost 4 years ago at this point, running it on a now fairly old Dell G5 from 2019. Runs as smoothly as ever.
I had one problem during this 4 year run (botched update and OS wouldn't start). Logging to terminal and getting Timeshift to go back to before the update did the trick. Quick and painless. I could even run all the updates (just had to be careful to apply one of those after a reboot).
I have no idea what you are talking about. Maybe I am just very lucky with Linux.
I think desktop Linux will not improve until people start acknowledging the issues and work on it. It's the same as the claim that Linux is very secure (which Linux fans will often repeat), while it has virtually no layered security, and a fairly large part of the community is actively hostile towards such improvements (e.g. fully verified boot).
I have both Linux machines and Macs and Linux has always been objectively worse when it comes to driver and software issues. It just has a large number of paper cuts.
I use both Linux machines and Macs (at work) and Macs have always been objectively worse when it comes to usability and development. It just has a large number of paper cuts.
Well, show me that magic OS that works on "just about any computer", because I am sure Windows ain't that. OSX only works on their select devices, and Windows has its own way of sucking. Let's be honest, there is shitty hardware out there and nothing will work decently on top. People just try to save these by putting Linux on top and then the software gets the blame.
IME a lot of developers don't even use Linux on their desktop machine. I've met three developers that use Linux professionally IRL. A lot of devs have a hard time even using git bash on Windows.
I am always called up by people at work because I am "the Linux guy" when they have a problem with Linux or Bash.
Sure, there are a lot of people that use Linux indirectly e.g. deploy to a Linux box, use Docker or a VM. But if someone isn't running Windows, 9 times out of 10 they are running a Mac.
More generally the thing that has paid the bills for me is always these huge proprietary tech stacks I've had to deal with. Whether it be Microsoft's old ASP.NET tech stack with SQL Server, AWS, Azure, GCP, what pays the bills is proprietary shite. I hate working with this stuff, but that's what you gotta do to pay the bills.
In corpo-world. Everyone is using Windows. If they are using Linux it would be through a VM or WSL. I guarantee none of those people are using Linux at home.
So for every developer you know that is using Linux, there are many more people using Windows supplied by their IT department.
And I guarantee that you're wrong, because I work a corporate job where I have to put up with Windows and am 99% Linux at home. (The other 1% is *BSD and illumos.)
The vast majority of developers I have worked with (and I've contracted a lot of places) know next to nothing about Linux. They can barely use a terminal (Powershell, CMD, Bash/Zsh) and often can't do anything outside of the IDE.
If they do use Linux, it'll be on a Raspberry Pi that gets stuck in a drawer after a few months.
To those that keep voting me down on this. The teams and environments you work in are the outliers. I've had to accept that I am in the minority as a Linux user even amongst software professionals.
[...]
> I never said that nobody uses Linux.
I'm willing to believe that this is just a misunderstanding resulting from nonliteral exaggerated language for effect, but ... yes, you did.
That was my original comment. It is pretty easy to assume that when someone says "none" in a subsequent comment they mean "almost none" following that statement.
I think what it fundamentally comes down to is that for consumer-oriented Linux to see widespread adoption, it needs to succeed on its own merits. Right now, and since forever, Linux exists in a space for the majority of consumers who consider it where they think "I might use it, because at least it's not the other guy". A real contender would instead make the general public think "I'll use this because it's genuinely great and a pleasure to experience in its own right". And that's why I have absolutely zero faith in Linux becoming a viable smartphone ecosystem. If it were truly viable, it would have been built out already regardless of what Android was doing. "Sheltering Android refugees" is not a sustainable path to growth any more than "sheltering Windows refugees" is.
I have zero faith in a Linux smartphone. What will happen is that there will be some GNU/FSF thing with specs that are 15 years out of date and you will have to install Linux via a serial console using Trisquel and the only applications available will be Mahjong (yes I am being hyperbolic).
I realised a few years ago when one of my friends didn't know what the browser was on her phone, that any notion of people caring about the OS outside of branding is pretty much non-existent.
Many developers would need some help to get offline functionality and updates right though.. And it would be really nice if these apps didn't require parsing megabytes of JavaScript libraries on startup.
One can dream! :-)
Making a guess: nope. Same underpowered SoC, in order to save $5.
Differentiation, that is what all OEMs care about, netbooks already showed us that.
Another tailwind might be in the gaming scene. I have the general sense that SteamOS has been an interesting gateway for technically-minded folks to be impressed by this Linux thing. A similar model for mobile phones might be a tailwind (like a SteamOS for ARM?) The reason why that's perfect is because it undermines the Google monopoly and creates an app ecosystem that people will absolutely flock to, at least for games ($$).
We'll finally get our ecosystem diversity back when the next geopolitical happening happens and Google bans Chinese android apps on bullshit pretexts.
Wait a few years more.
The Chinese will eventually find it easier to sell their Chinese ecosystem devices to the world instead of catering to Google and American three-letter agencies.
Sure some apps won't work for whatever reason & HN commenters will have incredibly scathing things to say about that, but I bet there's a lot of folks who'd be cool with missing an app here or there.
It sucks to be losing Android, but IMO it's an ecosystem in free-fall. Bootloaders are locked more and more, there's literally zero AOSP hardware buyable now, and the roms scene has diminished not grown over time.
I totally think there's a Steam Deck moment waiting around a corner, where what seemed impossible a year ago shows up and is dead obvious & direct, and we all wonder why there were so many doubts before.
IMO, I think Microsoft gave up on running Android apps on Windows because they read the writing on the wall: Google will use Play Integrity/Protect to ensure Android apps only run on Google-approved devices/operating systems and nothing else.
I think this is the ultimate fate for Waydroid, as well.
I disagree. I have been using de-googled / de-spywared Android for a decade now and I really love it. Once you remove google mobile services and rely on open source applications Android feels really good.
Also it's questionable if projects such as Purism or even the PinePhone will ever offer such good security and privacy as a de-googled Pixel with GrapheneOS will.
Google began shipping Google builds of the APEX modules via the Play Store to work around non-Pixel devices not shipping the latest monthly, quarterly and yearly OS releases. For Google Mobile Services devices, many of the APEX modules are required to be the official Google builds from the Play Store. The changes to APEX modules are released as part of the quarterly and yearly AOSP releases.
GrapheneOS has APEX modules disabled and never had the need for that.
So is it stuck in Java 12?
I disagree. The Android security model is better than the Linux one. I am very happy with GrapheneOS, I don't have much to complain about.
The problem is that Google sucks and nobody enforces antitrust laws. But it's not just Google: how many Android manufacturers don't suck, really? Do they contribute to AOSP at all? Probably not. Do they build reasonable devices that could run something like GrapheneOS? Nope. Just relocking the bootloader is often a problem.
In some ways it probably is, but it still isn't that good in my opinion (although some of the problems have to do with the way the settings and controls are working rather than the security model itself, there are also problems with the security model itself too). (I think there are other problems with Android (and other operating systems) too.)
I was talking about the security model.
It felt at the time like there was positive progress, more bits getting mainlined at a trickle but at least steady trickle rate. But it feels dark now. At least the GPU drivers everywhere have been getting much better, but I get the impression Qualcomm couldn't even ship a desktop/laptop after years of delay, is barely getting that in order now. It feels impossible to hope for the mobile chips anywhere to find religion & get even basic drivers mainlined.
Even if that was true, AOSP is better for privacy and security than any other Linux distro.
https://source.puri.sm/Librem5/docs/community-wiki/-/wikis/F...
That's definitely not the case. There have been repeated cases of developers shipping malicious code which ended up in distribution package repositories. Defining malicious is difficult and incredibly privacy invasive behavior is often not considered to be malicious. That software is also generally being used without a mandatory app sandbox with a proper permission model, so it can access whatever it wants for the most part beyond self-imposed restrictions.
There are similarly maintained package repositories for Android such as F-Droid. It adds the people doing packaging as trusted parties. Contrary to common misconceptions, Linux distributions and F-Droid are not meaningfully auditing/reviewing the upstream code and therefore not actually significantly reducing trust in the upstream projects. There are substantial delays for updates with how most are maintained, so that gives time for external parties to find issues but doesn't mean it won't be packaged and shipped anyway.
This is not true for Debian, which is the upstream of PureOS.
> therefore not actually significantly reducing trust in the upstream projects
And yet, it has a practically negligible number of malicious apps, especially compared with Google Play. It's far from perfect, and you are right that the sandboxing should be further improved. Nevertheless, it is a security model working in practice for a large userbase of Debian. It works especially well for technical users.
That's like saying using a hole in a wall is a different approach to security than putting a lockable door in a wall. Sure no security is a different approach to security, but it's not an effective one.
>There are no malicious apps in GNU/Linux repositories
Maybe not intentionally malicious, but there have been bugs that can cause applications to act maliciously such as deleting users' files. If an application gets exploited it could also do malicious things. Just because you trust the author of a program, that doesn't mean that sandboxing is pointless. Additionally programs like the terminal are free for the user to run things like curl | sh which can run malware infecting the system and run wild since there is no security to stop it from doing almost anything.
>Purism
The wiki page pretty much says that they don't have privacy or security and don't have the resources to implement such features unlike Google or Apple. They also make some claims to try and pretend their platform is secure and private in order to help sell the Librem 5, a product they made with inferior privacy and security compared to Android.
That is a feature of Play Services and not a part of AOSP which is what we are talking about.
>Or Google delaying security patches
Like it or not coordinated vulnerability disclosure is a thing in the industry and is done by other Linux distros too.
Australian users of alternative app stores should make a complaint to the ACCC: https://www.accc.gov.au/about-us/contact-us-or-report-an-iss...
In the past, they forced Steam to implement proper refund policies, and they are currently suing Microsoft about the way subscribers were duped into paying more for "AI features" they didn't want.
Tell them to lodge a designated complaint to the Australian Competition & Consumer Commission (ACCC).
ACCC complaints are designed for individual grievances while a designated complaint from a designated complainer is supposed to address "significant or systemic market issues that affect consumers in Australia".
If you're in the US, UK or EU, please contact your government.
This is why I switched to Android, just for Google now to pull the rug from under my feet again ...
Like most coders, I also prefer the permissive MIT/Apache/BSD licensing for most software projects but incidents like these make me question the direction we are heading towards. They raise fundamental questions about freedom itself - looking at the broader picture, is having a restrictive kind of freedom (GPL) often more beneficial than having full permissive freedom (MIT/Apache)?
What leverage does a community of engineers have to insist on anything? Android could be entirely closed source. So could Chrome.
It would be naive to assume that the power dynamics in our society can be fundamentally altered by a 10 line software license.
You're right that broadly speaking, there is very little that could be done to stop this but having a culture of "everything GPL" in an organization definitely helps. For example, Sun was farsighted enough, though they couldn't stop Oracle from acquiring MySql, Oracle was still forced to keep MySql under GPL and they were able to salvage MariaDB too.
Similar was the case with Java. Oracle tried everything in its power to control its use and direction including legal means, it's only thanks to GPL that alternative implementations like OpenJDK and Amazon Corretto still exist. We can't even imagine the state of these software today if Sun hadn't licensed them under GPL originally but used some other permissive license instead!
I don't know much about Android's history but if Dalvik was created exclusively by Google and they had no intention of open sourcing it fully... it'd be akin to a closed source Java app on top of the open source OpenJDK... which would be allowed.
The era when people paid an affordable fee for software they could use however they wanted was much better. But it got squeezed out by free software on the one side and serf-ware on the other.
The proof is in the pudding and the pudding is rotten.
Edit: then again maybe it's unfair of me to blame the decline in paid for software on open source.
Charging for free and open-source software is not only possible, but encouraged by Stallman himself.
You see the same effect mirrored in illicit distribution of copyrighted works. Sharing movies increases box office revenue. Sharing albums increases music sales.
The people who get a copy for no charge weren't going to buy a copy in the first place. When you expose them to the product, some percent go on to become fans, advertising the work, and perhaps giving money to support it.
Read through my past comments from last year to find more info.
Thanks for your work! I have enjoyed RCU and now use it regularly for backups, file transfer, etc. I'm glad to hear that it seems to be sustainable.
And it's not a service, it's a copy. Customers are explicitly allowed to resell it, and they have. And I still earn enough cash to continue developing it.
And I have the search engine top hits. And I have thousands of social media comments linking to my website. Copying a business isn't just about copying the product. They have to copy my reputation, too. And my sales channels.
Stop being so afraid. Selling free software is good, and sustainable, and those who think otherwise are extremely naive, ignorant, or with ulterior motives.
There's no doubt putting up your source code makes your business much easier to copy. If I spent a year building something sophisticated with the intent of selling it, why would I give someone else, with possibly more resources to market, a free competition? It may have worked out for you, but I think so nonchalantly saying "it's not a problem ever" is rather bold.
This is a known problem even in the hardware space, where Chinese companies will copy an existing problem 1:1 and flood the Amazon market with 20 different listings.
No, it's not. Under capitalism, if Amazon could just take your book and start selling it without paying you a cent then nobody would be incentivized to write books anymore. That's the entire point of copyright.
I don't know what your business is, maybe you really carved out a niche that works for you, but it's not built on top of solid principles. I think you've just been lucky enough not to catch the wrong kind of attention because the more successful you are, the more economical it is for someone to invest resources into stealing your lunch.
If you deal with the typical consumer base then the single most important thing is always going to be the price and that's the one thing you'll never be able to compete on.
> Copying a business isn't just about copying the product.
You're really getting your wires crossed here. This "wisdom" is used to show that you can't win by simply copying someone else's winning idea. A reseller isn't copying your business, they're just reselling your product.
And the entire point of copy/left/ is to make the code a public good, a commodity. Everyone owns the code I write, and everyone is entitled to make a business from it.
If they have better marketing than me, earning a lot more money than me with the verbatim program, that sounds like my software was priced wrong and I should set the price higher. How high -- $50,000/copy? Who knows. If someone wants to make themselves my distributor, they /should/ get paid for that.
That kind of competition -- yes, it is competition -- would inspire /cooperation/. That would give both of us, the distributor and myself, incentive to work together to maximize both of our profits.
Another example is with my program itself. It's a desktop application, a local management client for a tablet that otherwise must use its manufacturer's cloud service. I am directly competing with the manufacturer. When I receive money for my program, $12/year, they lose a customer of their service, -$36/year. BUT -- many, and I mean MANY of my customers told me they would have returned their $500 tablet were it not for my software, after using which, made them keep the hardware. I estimate that my software has saved the manufacturer over $500,000 in returns.
That means: my software has /increased/ the total value of my competitor, and we are /both/ making profit. My software literally expanded their market.
And if a distributor of the verbatim program wants to expand /my/ market, I'm all for that. But I don't think they will, because /they know/ that anyone else can do exactly what they're doing. They need to add something of value. Sometimes, marketing can be value, sure. More value is derived from the program itself -- that's why people buy it in the first place. Not because of its marketing, but because of its function.
And if they improve my program, the function, they MUST release the complete corresponding source code, and they MUST do so granting forwards the same copyleft privileges I gave them. And that means I can, and will, take their improvements and merge them back into my original product. And since I have the first mover advantage, the reputation, the search engine hits, the community engagement, I will probably win.
And if I don't win, the user /does/. They get a better product at a better price. That's the WHOLE POINT of free software, that it's good for the user, not for the developer. It's the kind of software I use myself, so I elect to write it, too. It's the world I want to live in.
You have an obsolete understanding of the world, a misunderstanding of the motivations of free software, and are totally wrong about the dynamics of selling free software.
> If someone wants to make themselves my distributor, they /should/ get paid for that.
I have to admit you're the first person I've ever talked to who would be happy to let others commercially exploit the fruits of their labor without any sort of compensation, while actively trying to make a living from that labor yourself, fascinating!
> That kind of competition -- yes, it is competition -- would inspire /cooperation/. That would give both of us, the distributor and myself, incentive to work together to maximize both of our profits.
If you really want to call that "competition" it's unfair competition, more specifically free riding. You make the software, they sell it for cheaper and keep all the money, that's the premise of my concern because your license allows it. They don't really have an incentive to work with you because their goal is rapid exploitation of their victims.
> When I receive money for my program, $12/year, they lose a customer of their service, -$36/year.
Categorical error. You didn't make that money by exploiting their labor, you made that money by making a better product with your own labor. That is real competition unlike the scenario we're discussing.
> That means: my software has /increased/ the total value of my competitor, and we are /both/ making profit. My software literally expanded their market.
Sure, the OEM makes the tablet and you make the software which is an obvious symbiotic relationship. It's also a categorical error because it's not comparable to the scenario we're talking about.
> But I don't think they will, because /they know/ that anyone else can do exactly what they're doing.
Why would they care? It's not like they're investing any real effort into it. They just need to make a few sales to offset the ~30min cost of setting up a cron job and creating a listing.
> And if they improve my program
They won't, that's not the type of actor I'm concerned about.
> And if I don't win, the user /does/. They get a better product at a better price. That's the WHOLE POINT of free software, that it's good for the user, not for the developer.
That's a really weird take on the free-riding problem. Yes the user wins for a few months before you go out of business - that is generally bad for users because it means the end of support.
> You have an obsolete understanding of the world
Yes, clearly. This is the first time I've read about a story like yours and I've read a dozen stories about high profile projects being forced to relicense from AGPL to BSL/SSPL or another non-free license, stories of people having their projects cloned and having their lunch stolen overnight.
People would rather watch ads than spend $1 to remove them, they'll visit a small business to get extensive advice and then buy from Amazon because it's 10% cheaper, they'll buy a terrible quality $2 gadget from Temu over a locally manufactured, high quality gadget for $10, but you want me to believe that given the choice, most people wouldn't take a "75% off" deal in a heartbeat...
What's fascinating is that you just described every employee, ever. At this point, I'm giving up on you. Consumers are price sensitive? Please, they buy Funko Pops and Frappuccinos by the millions. It's not about cost, it's about convenience and authenticity. People will pay for convenience, for software that does what they want, from its official source.
It's cheap to sling bullshit like yours and costly to refute it. It's costlier to build a cash-positive business selling copies of free software, in the face of that code, and binary builds, being available -- by others, for no cost -- in various package managers and popular source repositories.
You're just wrong, dude. You don't know what you're talking about. I'm tired, and done, arguing with you.
Really, employees do work "without any sort of compensation"? Are you even listening to yourself?
Stop projecting, if you don't want your arguments to be scrutinized then don't engage in debate.
But that wouldn't hold up if games were released under a FOSS license. There would be nothing stopping me (maybe trademark law? I'm sure there are workarounds) from setting up "SteamForFree", rehosting every game with the same user experience as Steam, and offering access for a small monthly fee to cover hosting costs and make a tidy profit.
I'd like to offer source code, allow modifications for personal use, while prohibiting redistribution and certain types of commercial use (e.g. companies over $x million in revenue). That's a pretty fundamental mismatch between what I feel comfortable with in order to protect my income and what FOSS licenses allow.
I do think though that disallowing "certain types of commercial use" is a poison pill that would prevent your project from getting any significant adoption.
I think a better option would be something like GPL but with the "you can redistribute copies of this to anyone you like without paying me" part stripped out. (Maybe replaced with a provision that allows transferring your license to someone else, but then you're not allowed to use it afterwards.) The goal being to protect consumer freedom to exercise ownership rights over their software (including the ability to modify it) without simultaneously trying to abolish the copyright system and killing your own funding mechanism in the process.
Remember that people regularly walk into small businesses and spend 15 minutes talking to an expert asking questions about the products they sell. As soon as they get quoted a price of $120 they scoff and order it from Amazon because it's $20 cheaper. Consumer price sensitivity is... extreme.
Every open source product that takes in real money sells services and support, or they sell closed "premium" features. Oh, and the third bucket, philanthropy.
More generally, they want to have a contract for services with someone. That's what's really meant by "support". Not merely being able to call tech support, but having people backing their services. The really big places have their own engineers, and the really small places can't afford it, but the middle-sized places would rather pay you to support them as needed, than hire someone on their side dedicated to managing your product.
The illusion of support can also sell just as well as actual support. Just see Oracle vs Postgres...
We need a non corporate model of software development, something like worker owned coops.
I think without open source something similar might have happened to a lot of software, but instead of becoming Open, they'd become gratis (free/zero cost), or almost so. The heart of the matter is that software has near-0 cost of distribution, so making 1 trillion is basically the same cost (to the developer) as making 1 unit. So since developers have free economies of scale, they are highly incentivized to lower the price to capture most of the market, I think. Software also requires relatively little maintenance, it doesn't rot[1] -- good software basically lasts forever with some minor up-keeping. Add in competition, and the tendency is for cost to go to near 0, at least for relatively popular software. But then there are two problems:
(1) If the company goes under, the software is lost, or rather it could be reverse engineered with huge difficulty and some information loss about the actual code.
(2) The incentives are still not well aligned with users. The makers are incentivized to rely on advertisements, get (and sell) user data, make their software addictive, and more.
On (1), FOSS software guarantees the source will be available and can be ported to new systems, basically becoming a common good. On (2), the incentives are very well aligned for FOSS, development can become a community effort, and in the rare case a developer would turn to collecting and selling user data or dark patterns, the software can be forked for example. In particular Open source funded by grants, donations and community/voluntary work is very aligned with public interest.
I get the downside that it could be unfair that developers aren't being paid as much, but I believe it wouldn't be much of a difference in income (for those kinds of software), and we can and should as a community donate to open source efforts (and since it's clearly in the public benefit I think governments, companies and all sorts of organizations would be wise to do so).
Finally, you're basically still free to create and sell closed source software, you just have to compete with community and volunteer efforts. I think it's well within your right (and it might make sense in some cases, say niche software). But I think it's worth considering carefully whether it's best for the product, for you and for the community to have it closed or open.
(also, indeed you can sell FOSS, but to be honest I don't know of many success stories in this regard (anyone share some examples?); I know Arduino which is open software/hardware was very successful selling their genuine boards/having a pay request on download that you can dismiss. On Linux package managers make this difficult, although Flathub recently added donation buttons!).
[1] There are some issues popularly called "software rot", but it's basically some relatively minor (compared to the rot of many physical goods) compatibility issues when interacting systems change.
The trap was there all along and developers fell right into it.
Of course, Stallman strongly eschews the ambiguity and misdirection inherent in the phrase open source, and in this particular instance the considered use of 'free' or 'freedom' is precisely what we're now all upset about the impending loss of.
Anyone who is already running a rooted Android or otherwise customized OS isn't affected by this, only developers who want to distribute their app to users.
Unless, maybe the EU, enforces a right to repair and tinker we'll be at the mercy of these companies with their walled gardens.
And we would have been in a better position to lobby for this if unions were widespread in the tech industry, which they are not.
Freedom cannot exist without discernment.
If you have a free and open society but allow Nazis, because you allow everyone, how long will you be free? Not long. The Nazis will use their freedom to take everyone else's.
Freedom demands a simple rule. We accept everyone who accepts everyone.
Fundamentally, GPL shares this rule. That is the point of it. Our labor, when shared, should be shared just the same when used.
If we were to accept and enforce this rule, billions of followers of some major religions would not be eligible to be part of a free and open society.
The actual power-wielder who regulates these things is a government (or rather its justice system), a warlord, nowadays maybe an AGI, but definitely not society and not "We, users of orange social media". These mechanisms work for thousands of years, paradoxes gonna paradox.
He's right that freedom requires restriction. The problem with the paradox of tolerance is that it masquerades as a meaningful principle while leaving the actual restrictions unnamed.
P.S. it also is worth noting that, to the extent that the GPL works, it's precisely because it doesn't rely on vague principles. It's specific about what's restricted, when, and how.
If there is anything prescriptive to it, it's the implication that no principles will ever suffice. In which case you need to find a way to reframe the problem.
It's of course not a perfect analogy since the original Free Software still exists, but since in practice the dependency was from free towards non-free, like in this instance, it still works. Google and its anti-freedom practices are still in effective control of the Android ecosystem even though it's still technically free by way of AOSP.
And just as how some people argue that intolerance of the intolerant by a tolerant society is bad, so do some people argue that things like the GPL are bad because it prevents downstream modifications etc. going from free to non-free. Maybe this will help re-evaluate the culture around this stuff.
I’ve always thought this was hand wavy nonsense. Tolerance and tolerating is so ill defined in these discussions that they end up pointless.
I’m also not sure game theory supports that intolerance wins out if you view it as repeated instances of the prisoner’s dilemma.
What you describe sounds like the paradox of intolerance but I fail to see how that can be applied to free software.
Freedom in general: You can't have absolute freedom because that includes the freedom to take the freedom from others.
In software: You can't have absolutely free software because ... ? I fail to see how free software might infringe on the freedom of others.
People are not stupid.
People aren't stupid, but the fact that Google is in this situation proves that we should have been less naive.
Best example of how the communist/fascist/liberal democracy triad completely falls is looking at China, which has facets of all three and none at the same time.
This makes it difficult nigh on impossible to have a real political discussion, as they fail to amount to more than connotative terms to be applied to outgroups, and do not map to political reality in any meaningful sense. Anyone can turn into the fuzzy outline of a nazi if you squint really hard.
Nuances needed to make any sort of sense of 21st century politics, especially its newer entries, are the tensions between cosmopolitanism vs communitarianism and technocracy vs populism.
The problem with using such an outdated political map is that many of our contemporary problems are missing from it, and go unresolved until enough frustration builds that there is an ill-conceived popular upheaval that forces the issue. Rather than addressing the technocratic European Union's lack of accountability to its citizens, we get Brexit instead, which could likely have been avoided if the political map wasn't so out of touch.
Which becomes self-reinforcing: attempting to save yourself is perceived by the other as oppression.
I don't mean to simply blame all sides here. Facts on the ground do exist. I think I can justify how some players are worse than others, and that there might be a way out of the vicious cycle when some individuals say "no, that assertion no longer seems reasonable."
But given that it's gotten monotonically worse for decades, I don't see that happening any time soon.
I'm pretty sure they're not the same.
There are plenty of stupid people around.
We interact with them every day.
American education isn't great, but it's not radically worse than many other rich nations. The difference doesn't seem sufficient to justify the extreme separation of ideologies. (That is, I'm not arguing in favor of one or the other, but the level of hatred between the two implies that at least one is wildly off base.)
Most people, might not be 'stupid'; but complacency in the population is enough to drop the guard down.
In the case of the nazis, the population might even support them.
You can see it again and again in the success of voter suppression acts and the deceitful tactics played by authoritarians.
Arguments only work when both actors respect good arguments.
I'd argue what you describe as "half-hearted" is actually more true to open source and libre software than restrictive licensing.
Seeing him walk my steps 15 years later has been eye opening for the brutal cultural change.
They’re socially conditioned to assume that anything free is a scam or illegal, that every tool is associated with a corporation, and that learning itself is going through certain hoops (by the uni, the certificator or whatever) so that you get permission to earn money a certain way.
As more doors get closed, I fear this process will solidify.
To be fair, there are also legit reasons for why it evolved this way. It's mainly for quality and reliability. There is so much crappy sloppy work from unqualified workers, and it used to be even worse. The easy available free knowledge really helped to raise the standard even for people without proper education in an area.
There's the obvious fact that tech has become the new path to high salaries, and culture changes when people are pursuing the money rather than the trade.
There's the centralisation and capture of resources - app stores in mobile, message boards moving to reddit then being astroturfed, hardware closing to repairs for water resistance/ form factor reasons...
There's also the death of piracy limiting access to resources. Apps, courses and books were files pirated massively, online services kinda stopped that.
I don't think free/open source resources failed to catch up in quality, but I do think they failed to soften friction and remove the barrier of access. Consider mastodon vs twitter, creating a website vs a facebook page, sideloading an app vs app stores, reading a manual vs an influencer course.
It always is.
> There's the obvious fact that tech has become the new path to high salaries, and culture changes when people are pursuing the money rather than the trade.
There is nothing new about this. Education and skills have always been a path to salaries. Even a thousand years ago, craftsmen and artisans had a better career than any random farmer. And with education, there will always follow standardization and certification at some point, because where money flows, scam grows, and societies have to protect their interests.
This is all nothing new, or harmful by itself. The problem is that all those legit interests, can also be too overprotective or even abused for someone's greed. It's always a balanced battle between legit interests and someone's greed. But many countries seem far too much leaning to the greedy and abusive side at the moment.
> There's also the death of piracy limiting access to resources. Apps, courses and books were files pirated massively, online services kinda stopped that.
Piracy is not dead. It's always been a battle of life and death of individual sources.
And yet, it continues to decline year over year.
Piracy is technically illegal, but that didn’t stop us.
My hope is that LLMs will help open source developers provide reasonable alternatives to the gatekeeping and spyware that corporations are now making their bread and butter. Example: Recently tried to use Unity LTS for a small project - the software is a joke now, basic functionality is broken out of the box. A couple of hours with an LLM and I had all the features I needed using a more lightweight library, MonoGame. Not an operating system, but I'm hoping the pattern will continue as LLMs get more proficient at code - the moat of "this is hard and laborious to do" will be drained.
For example, try to learn from an online resource and you’ll see that the most popular sources (YouTubers, twitchers, etc) are all preparing a rug pull to a non free resource, slipping undisclosed ads as content or straight up selling snake oil.
I grew up assuming that a random guy on the internet had always genuine intentions, even those who were assholes. Now the default is either a paid account, a bot, or someone trying to grind for personal gain. Everything’s adversarial.
I’m not necessarily advocating for this approach, just explaining why they do it.
Doesn’t the Play Store also charge a fee? It’s smaller from memory but it isn’t free.
Also, I am highly suspicious that they check every app submitted to the app store with a human.
Made sense to me at the time and they were really into "Android should be open source" vibe, so I supported it.
10 years later, I'm also rugpulled. Their vision has dramatically shifted into trying to build a walled garden on top of Android, but now they are haunted by their open source roots, and the walled garden is just a really tall pile of bricks laid around it.
So many times we've been promised things, only for them to be delivered in a half-baked state with half of the parts open source while other parts were closed only to Google and Google approved apps.
So many times the issue trackers for different parts of the platform ecosystem have changed, that some issues are impossible to debug without using web archive. And just as many times, they have been closed, ignored for years or unnoticed, being ping-ponged among team members until they forget about it.
Yet, even with all of the closed and privatized parts of the ecosystem, they are still not able to deliver on an ecosystem promise.
They control my email, my photos, my cloud, my browser, my phone - yet cannot keep a single thing properly in sync. Still, I download something and I do not know where it went. Still, I cannot Airdrop things without a 3rd party service. Still, I take a photo only for it to appear on the cloud 5 minutes later. Still, I cannot have a "sandbox" account for testing that just works, but have to juggle multiple accounts, causing their auth system to break 80% of the time when testing.
As a developer, I do not plan to support Android anymore. I recently got an iPhone, and am now fully switching to it. Even tho I am long on $GOOG stock, because the money printer go brrr, I will be spending that money in the Apple's ecosystem from now on.
Aside from that, the masses don't care or know about any of this. A couple of HN users don't make a dent in the revenue of any large company. What we can do is work on alternative ecosystems or at least support the small companies and organizations who do with our wallets.
If you don't want to be bitten, get out of the snake pit.
Abrupt abandoning of their Nexus line for overpriced Pixel hardware was the watershed moment. The exact moment when their executives decided to ride free on open source labor.
Well, it hardly works between Apple devices themselves to begin with (sending a bunch of pictures over to a 4-year-old iPhone works like 1 time out of 10 trials..). At least I can use regular old Bluetooth to send stuff to any kind of device from Android without the cruel gatekeeping of only Apple devices.
So yeah, both platforms have their own ways they suck in.
One of the things it works on is the PinePhone, so there's _some_ hope of at least one viable alternative happening:
https://archive.fosdem.org/2024/schedule/event/fosdem-2024-3...
Ofc, being evil is subjective. But also this is the first excuse of evil players!
Doesn't seem like something they consider a positive though.
On Google Play I never, ever had any app be anything close to as successful as on iOS. I think I probably made less than 1/100th the amount I did on iOS back in the day.
IIUC, you can still load apps directly via adb. Is that not correct?
I can't entirely understand Google's announcement, but it almost sounded to me like they will forbid sideloading if you're not an "official" dev (gone through their hoops). I also saw something in their statement about wanting to support hobbyists. It sounded like an afterthought.
Paid provisioning: If you have paid the developer fee, a build will expire based on the amount of time left before that payment renews, so if you build and install an app a month before your developer fee renews, that build of the app (that you installed via Xcode) will stop working in 1 month.
In any case, to say you can't put your own apps on your phone without paying a fee is incorrect, which is the comment I was responding to.
At best you can install a demo.
I'm immortal because except for the few ways I can die, like old age, I'll live forever.
The Tesla car is a vehicle traveling through space, technically a spacecraft; it's just literally not what anyone thinks of when they mean spacecraft.
The prisoner reference is an allusion to the usual philosophical debate on how small man-made borders need to be to be considered a prison; here's a nice blog post on some parallel thoughts about it[1]. The main point being most people don't believe the borders of a country a prison or if they were stuck in a state, or smaller country, a district, a building, a room. If it's only a building then what of prison camps? Refugee camps? A city with its one road washed out? Australia's a fine island to be stuck on but marooned on a desert island and suddenly people are saying they're trapped.
You are literally saying a 7 day limit on a piece of software working still makes it count as what people consider an app and have been arguing that people are wrong for calling Apple out on not letting you install your own apps for free. You're as technically correct as saying you can use a Tesla car as a spacecraft.
[1] https://philosophersmag.com/philosophical-conversations-in-p...
edit: just remembered the immortal thing, fair enough, but then again highlanders are considered immortal even though chopping off their heads kills them.
It’s not worth any more of my time to debate with this level of irrationality.
I have no problem with a store having a small admission fee - that's perfectly reasonable and they do have operational costs. It would be nice if they had some way to waive the fee for popular OSS to garner some goodwill with the devs.
Taking a 30% cut of revenue on the other hand ... both platforms are guilty of this
For someone who is making money from it, sure, but that's exactly who this isn't about. The way they get screwed is by the 30%.
A fixed fee -- in any amount -- is screwing the people who aren't in it for the money. Because to begin with, it's not just the fee, it's the bureaucracy that comes with the fee.
You're a kid and you want to make your first app, but you don't have a credit card.
You live in a poor country and maybe the amount you can lose without noticing when you're rich isn't the same there. Or even if you can get the money, you may not have a first world bank account and the conglomerate isn't set up to take the local currency.
You're a desktop developer and you're willing to make a simple mobile app and give it away for free as long as it's not a bother. The money is nothing but the paperwork is a bother so you don't do it, and now the million people who would have used that app don't have it and have to suffer the spam-laden trash alternative from someone who is only in it for the money.
And suppose the amount is as trivial as you propose. Then why does a multi-trillion dollar conglomerate need that pittance from a million ordinary people?
Reminds me how in the 1970s and 1980s there used to be these ads in the back of magazines in which a person who supposedly became a millionaire sold pamphlets for $5 telling his secrets to success. The obvious question was why such a successful person would need $5 from poor people (unless that was one of his secrets to success, I suppose).
But I can also see the clutter argument. Windows app store has been and still is a nightmare to use.
It feels like we had a good system, but then lost it. I have no idea what it takes to get it back.
I don't understand the "clutter" argument at all. What does it matter if there are a billion apps? You already need a functioning system to show the better ones at the top whether the worse ones are 50% of the total or 99%.
On top of that, this isn't about their store anyway. They're charging this fee to the people not using their store.
> Windows app store has been and still is a nightmare to use.
The big problem with all of these is that they're charging too much. Apple takes 30% because they ban the alternatives. People only use Windows because they have dependencies on legacy software distributed outside the store, so Microsoft can't ban that or there would be no reason to use Windows. And when you don't have to use the vendor's store, they can't even get away with charging 15%, because it turns out platform stores are actually worthless.
Because people want platforms to provide both of two separate things. First, they want the long tail. They're a chemist or a mechanic or a photographer or a farmer and they want that half-finished app some grad student in Minsk wrote ten years ago that does the thing only people in their specific sub-specialty care about. And second, they want a curated list of apps so that when they're looking for a messaging app or a finance app it only shows the ones that don't steal their contacts and sell their financial records to data brokers.
The problem with platform stores is that they try to do both things at once, which isn't possible. Either the store has everything or it doesn't.
What you actually want is for there to be stores that only contain the curated stuff and simultaneously a reasonable means for ordinary people to install things from the long tail. Because sometimes you don't know which one to trust, which is when you want the store, and other times you know exactly what you want to install because this time it's your field and you and your colleagues are the experts, even though the store has no means to vet an app their reviewers don't understand and only 100 people in the world are using.
You can have a platform that gives you each one via different but each widely used paths. What you can't have is a store that curates the long tail.
Because the store gets spammed by millions of bot applications? Having a small fee for store review is probably a decent noise floor.
You can still develop apps on your devices without a dev license - the week long cert is annoying, they probably want to avoid people side-loading via this mechanism (which I am against FWIW).
But you can develop on your devices without paying $100/year.
They're a search engine company. They can't figure out how to put real apps on page 1 and spam apps on page 500?
Also, then why are they charging the fee if you use someone else's store?
> the week long cert is annoying, they probably want to avoid people side-loading via this mechanism
It seems like you understand their underlying motives, so then why are you defending them?
Okay, just so we're all on the same page: that 100 dollar fee IS NOT for publishing your app. That's not what that is. That's a separate thing with its own costs.
That 100 dollars is just the fee to even make an app. Even if your iPhone never has an Internet connection. And even if you literally load the app via USB to your iPhone only.
It's just extortion. It cannot be justified. Apple does it because they can - there are zero technical reasons behind it.
This is incorrect.
You make it sound like you cannot even get started unless you pay a $100 fee. You do not need to pay Apple any fees to make an app and put it on your own device. You have to pay the fee once you want to distribute it on the App Store.
If you want to load the app on your own phone WITHOUT the app store, you MUST pay Apple 100 dollars.
Unless you want to rebuild the app every 7 days, which any reasonable human will conclude is a stupid ass arbitrary limitation.
Again, it cannot be justified with any technical means. Please, don't even bother trying.
Trying to get me on an "erm well akshually" level semantic argument means you're wrong, you know you're wrong, and now you're just being annoying.
Both of us can agree that the 7 day limitation is far too stringent to be a legitimate solution. So we will go ahead and pretend it does not exist, because for all intents and purposes, it doesn't.
> That 100 dollars is just the fee to even make an app. Even if your iPhone never has an Internet connection. And even if you literally load the app via USB to your iPhone only.
Someone reading this would get completely the wrong information.
Because I can still see the words on my screen. To reiterate, semantic arguments are meaningless and do nothing to serve you. If anything, with each passing comment, I am doubting your human-ness, because I don't believe human brains typically act this way.
It is very unreasonable.
You need to pay $100 to execute code on a device that you own. Without a 7 day time limit. And only if you have the technical expertise to do so. This is not a fee for distribution/integration. This is feudal rent.
Yes, a world where you can sideload an app on an iOS device, without time limits, but you still have to pay $100 to put it on the app store, is a much less shitty world, indeed.
1) You can continue to install unsigned APKs via adb with the upcoming update.
2) Signing APKs for sideloading requires a Google development account which is a one time fee of $25, no yearly fees.
So still a free sideloading option available, and if you want to avoid adb it is a one time cost that is 1/4 the annual rate on Apple.
If you want to send your app to a friend to download and install it directly on their phone (without using a computer with ADB), you need to be Google-approved and register your app first.
2) Unless they decide to ban you (they can if you don't show any activity in the developer account for X months) and of course because you were verified you can't simply apply again and pay again, because you were banned!!!!
2) In regards to inactive accounts, from Google's policy page:
>If you have never submitted an app for review and the account is more than one year old, it’s considered inactive.
>If you have apps, the account is considered inactive if it is more than one year old, all published apps have fewer than 1,000 combined lifetime installs, the required contact details are not verified, and you have not used Play Console in the last 180 days.
>Google sends warning emails at 60, 30, and 7 days before actual closure, allowing time to take corrective actions.
While you are correct that this would lose you access to the developer account, inactivity for a year and ignoring multiple warning messages over a 2 month period gives you an opportunity to weigh your options. It doesn't even require app updates, just activity in the Play console.
But only once the company is powerful enough. We don't call Google a monopoly, because there is Apple, but taken together they certainly behave as one. Both create expectations, create expected momentum in a certain direction, people build (companies, lives) on those assumptions and boom, you can't get out and now the company changes the deal.
Is it just our assumptions that get us in trouble? Or do we need to do more?
I'm not sure how to regulate this, other than to stimulate open source, as the "for the people by the people" solution. But also that will just lead to poor expensive solutions (the market created some nice FOSS though). So the law it should be... And we're back to the problem of lobbying...
Perhaps there should be contracts: Google advertises Android as open: They should sign a contract: For how long will Android be open? Define "Open". The contract can be enforced. Or perhaps we, the people, sue now, for false advertising, although that will just make them flex their legal and lobbying muscles... And they didn't sign any contracts.
- Many APIs have been moved to Google Play Services (which is not open source), and many apps have come to rely on them. You can emulate it partially but not fully, see second point below.
- Some features like device attestation / SafetyNet fail on non-"official" devices; for example, many banking or government ID apps refuse to work on an open source OS like GrapheneOS.
It's a bit of a pain because Google just does that for me normally, but we _can_ support it. It's probably only a sprint of effort give or take. But we're deeply undermanned so it's hard to get done.
Play Store Attestation makes it all a lot simpler to use as a developer as it handles all the fiddly bits of cert attestation and also does PlayStore based app integrity checks.
Not using attestation isn't an option: we've seen in-the-wild attacks on our service using rooted devices and modified APKs.
We've implemented the lowest LOE attestation, but the more I'm learning about the AOSP standard the more I'm interested in pivoting, at least for Graphene support.
Why do we have to beg Google to keep Android open? Seriously. So many open source projects have risen out of real and concrete needs and successfully made their way into our every day lives.
A new platform needs to rise that breaks out completely from Google. I've given PostmarketOS a go (with a PinePhone) and while today I can't say it isn't a daily driver for everyone it is certainly the route that needs to be taken.
I'm still unable to use it because it is not easy to break away from Android, but it is a platform that I think about almost every day, because I do not want to use Android anymore and I'm willing to sacrifice certain aspects to have an open and friendly platform on my hands. And if it is not PostmarketOS then let it be another project.
We need these kinds of projects, not kneeling down to a company like Google and begging for Android to be open. Effort needs to be put elsewhere. That's how major projects like Linux, BSDs and open source projects have flourished and taken the world.
Those are the players that demand excessive control over end-user devices, and thus the ultimate driver behind the problem we're discussing.
It's not that a new mobile platform couldn't possibly succeed. It's an open platform that cannot, because aforementioned players don't want it, and without them, mobile devices lose 90%+ of their usefulness, dooming them to become mere gadgets instead of (crappy, toylike) tools for everyday use.
I have a Motorola Edge 2024 that I'll load whatever open source phone OS will work well enough to place calls and browse the web. I'll keep another phone for the rare times some corporate/government overlord requires it. Many folks who refuse to use smartphones similarly own a smartphone they rarely use for systems that require them.
My recommendation is to put as little time and energy into closed, locked down platforms as you can. Feel free to complain, but don't forget you can make choices.
You can still run a version of Word from 2004. It's fine, if all you need is to write some thoughts down for yourself. But the moment you need to collaborate with other people via a Word document, you'll find it difficult without the modern version with all its user-hostile aspects - and more importantly, other people will find you difficult to work with.
Same applies to other software, web and smartphones, and to everything else in life - the further you deviate from the mainstream, the costlier it is for you. Deviate too much, and you just become a social outcast.
I've used it in the last three years to automate document generation in an enterprise because the latest versions of Word:
1). Randomly break during automatic updates you can't really turn off.
2). Automatically upload everything to the cloud even when you tell them no.
This isn't the 90s when closed software was better. We are firmly in the enshittification stage of Windows and Office. Open source is better and is the only sane choice for enterprise.
Those are not words I thought I'd ever write in 2005 or 2015, but here we are.
Even the healthcare, which everyone thinks of as a "benefit" of the progress, only resulted in having a lopsided demographic pyramid with countries full of old people. I can't think of a single scientific result benefiting the human race in its evolutionary goals.
If half your children didn't die by age 20 (or 5), it was possible to have much smaller families. Industrialisation and urbanisation made children net liabilities rather than household assets (providing labour even at a very young age). Financialisation of real estate along with the rest of the economy made earning and saving money critical, and made non-cash or low-cash lifestyles highly marginal (self-sufficient existence or providing many goods and services through the home directly). All that in combination with improved adult lifespans meant that the demographic pyramid consolidated at the bottom and expanded at the top. There are still countries where this isn't the case, most notably now in sub-Saharan Africa, particularly where HIV/AIDS remains endemic:
Contrast Tanzania and Italy, for example:
It's a lot harder to make an insular society which is self sufficient just to the degree necessary to create an open source smartphone :-p
Technology brings tradeoffs. Conformity in some regards, but it also opens up many new and varied ways of living.
I personally find that hard to believe and they don't explain their methodology to arrive at that number (presumably they looked at the downloads and picked a number of users based on feelings).
But, if that number is true, then I suppose you're not only right, but LibreOffice is already near 5% market share.
This is the Hacker News bubble in action. Most of the world, most of America, most of China, India, etc. haven't even heard of it. They ignore it and they thrive. Maybe you need to pay attention if you're dealing with certain European governments these days - I'm not sure because I completely ignore it and haven't paid attention since there was just OpenOffice and LibreOffice didn't even exist yet.
Open document formats have been the UK standard for things like .gov.uk for many years. About a decade IIRC. Ignored by some people (notably the Office of National Statistics, or whatever it's called these days).
> Most of the world, most of America, most of China, India, etc. haven't even heard of it.
I have come across quite a few non-tech people who use Libre Office.
It has great (some people say better than MS Word with itself between versions) compatibility with MS Office formats.
https://finance.yahoo.com/news/chinas-microsoft-office-rival...
So if China has heard of LibreOffice, they clearly didn't like what they've heard...
Moreover, what you write is monitored, and you may lose documents based on what you write [1].
[1] https://www.wsj.com/articles/a-frozen-document-in-china-unle...
So just like MS Word then
Of course. I can make a choice. When the choice is between being able to login to secure services with my SIM embedded e-signature, use mobile banking and conduct official business and not being able to do any of these things, making choices is easy.
Running Linux on desktop is easy mode when compared to phones, and yes, I started using Linux on desktop in 1999 too with SuSE 6.0. Phones are way more interconnected and central to our lives now when compared to a general purpose computer running your $FAVORITE_OS.
Look, I get it, even back then, most folks felt Windows was the obvious choice (and still do) for their jobs and so on. Sometimes you have to make do with the unappealing choice in front of you.
For a little more context, my cracked screen iPhone can still do banking or whatever, but I chose not to pony up $800-$1200 for a new iPhone and bought the cheaper $350 Motorola. It works for me and I think I'm not entirely alone. There are probably some cracked phones, some hand-me-down phones that folks could use for those situations where you really need to use the closed platform, but otherwise are free to use something more open.
I support FOSS wholeheartedly, and believe that it's possible to have a device which is completely Free (not Open but, Free) from hardware design to firmware and software.
On the other hand, there are some nasty realities which bring hard questions.
For example, radios. Radio firmware is something nasty. Give people freedom and you can't believe what you can do with it (Flipper Zero is revolutionary, but even that's a tongue in cheek device). Muck with your airspace and you create a lot of problems. The problem is not technology, but physics. So, unless you prevent things from happening, you can't keep that airspace fair to everybody.
Similar problems are present in pipelines where you need to carry information in a trusted way. In some cases open technology can guarantee this up to a certain point. To cross that point, you need to give your back to hardware. I don't believe there are many hardware security devices with open firmware.
I use MacBooks and iPhones mostly because of the hardware they bring to the table. I got into these ecosystems knowing what I'm buying into, but I have my personal fleet of Linux desktops and servers, and all the things I develop and publish are Free Software.
I also use Apple devices because I don't want to manage another server esp. in my pocket (because I also manage lots of servers at work, so I want some peace of mind), yet using these devices doesn't change my mind into not supporting Free Software.
At the end, as I commented down there the problem is not the technology itself, but the mindset behind these. We need to change the minds and requirements. The technical changes will follow.
It seems like a hardware security device could act similarly to the radio in that the general OS can ask for service (e.g. a signature), but not have access to the internals of the MCU. I don't see why these systems need to be opaque either, in fact it'd be nice to know what is running on the security enclave or LTE radio, even if folks aren't generally meant to access/modify the internals.
It'll be interesting to see how things develop. In my case, I am looking for more experimentation with the smartphone form factor. I'd like to see better options in the market.
IMO, if the radio chip just acts as a radio, and passes packets as requested, and any needed firmware blobs are freely distributable, it's fine. It's not ideal, but it's good enough to make a libre-phone.
We all know the network is spying on us anyway, and the radio should be treated as being part of the network, on the other side of the security boundary from the main processor - and since we don't trust it, we don't have to demand that it helps us verify our trust in it!
We're headed down a very slippery slope and the destination is a very dystopian reality where those in power can prevent someone from participating in society on a whim. I believe the destination has previously been described as the beast system or New World Order.
We are all definitely going to have to make a choice. That much is certain.
In some cases, it already is.
We're already far on the path you described, and there is no choice to make on it, not for individuals. To stop this, we need to somehow make these technologies socially unacceptable. We need to walk back on cybersecurity quite a bit, and it starts with population-wide understanding that there is such a thing as too much security, especially when the questions of who is being secured and who is the threat remain conveniently unanswered.
That's good to hear.
I'm entirely on F-Droid, with no Google account.
I've been aware of this slippery slope for a very long time, esp. with AI (check my comments if you prefer). On the other hand, I believe that we need to choose our battles wisely.
We believe that technology is the cause of these things, it's not. Remember:
    Necessity is the mother of invention.
The same dystopian digital ID allows me to verify my identity to my bank while I'm having my breakfast saving everyone time. That e-sig allows me to have a practical PKI based security in my phone for sensitive things.
Nothing prevents these things from turning against me, except the ideas and beliefs of the people managing these things.
We need to change minds. Not the technology.
I totally agree that changing the hivemind's mind is the only way to preserve these freedoms.
Is anyone making any progress on this? Beyond the FSF, noyb, and hn lurkers?
Thinking about that now... That's not great.
I do have one credit card that requires an app if you want to do things online - otherwise it's paper statements only. I use it a lot less as a result.
Except, this is not really a choice or a reasonable workaround.
Phones are still somewhat expensive, not to mention a time-sink to maintain. Try explaining to your parents or even close relatives that they need to abandon the phone they either spent $$$($) on or spend $$ monthly on, that they should really buy another $$$($) phone and use their "official" device like a company card.
Once certain thresholds are reached, little can be done even for the committed outcast.
Another use case which Linux has a lot of trouble with is operating as a replacement for a pen-and-paper notepad. When I set a computer down for a day, I should be able to turn it on instantly and see the notes that I wrote 3 weeks ago. There are a variety of reasons this doesn't work on Linux. You say "that's an inconvenience" but there are circumstances in which being able to read those notes without needing to wait 30 minutes for the laptop to get enough charge and boot up could be a matter of life or death.
If these kinds of issues are mere inconveniences, that means the computer is a toy rather than a tool.
Not having to do that is the whole point (especially as those are not rare to most of us).
This reminds me of a Woz interview in the early days of the iphone, and his solution to it not supporting multitask was also to run two phones.
It didn't run on the computers of people that wanted Excel/Word/PowerPoint or most games. I don't think the market of people wanting to use their phone only as a server is big enough for a competitive OS to arise, but I may be mistaken.
It still doesn't btw.
https://www.microsoft.com/en-us/microsoft-365/free-office-on...
Although the only problem with this strategy is that Linux got that way because of a lot of private companies that actually wanted that. Valve didn’t want to be locked in with Microsoft. Many of Microsoft’s direct competitors also don’t want to be locked in. IBM famously switched to Mac, Google has been using Mac and Linux workstations for a long time as well.
Also, web technologies like Electron made porting applications to small user bases like Linux easier. If that never happened, I wouldn’t be able to use my commercial apps on Linux. This concept might be a little more of a challenge for the mobile app ecosystem, which is a mix of native wrappers like React Native and native apps, and there is a high amount of dependency on native APIs for the extra sensors and hardware features phones have that laptops and desktops don’t have.
E.g., for Linux on mobile to work, React Native can’t be an incomplete implementation like the status quo.
If you need a locked down phone that passes remote attestation to authenticate yourself to a remote service, then whatever you use to access the service UI doesn't really matter: the only device that's necessary to have to use the service is the one you don't fully control, and which gets to control your patterns of use.
An intuition pump I like: imagine you want to put a widget on your desktop that always shows you the current balance of your bank account. You want it to just work ~forever after initial authentication (or at least a couple weeks between any reauth), and otherwise not require any manual interaction. See how hard it is (if it's even possible), and you'll know how badly you're being disempowered already.
Yes, I can come up with scenarios where this gives an attacker exactly what they need to time some scam (or mugging) perfectly. I can just as easily come up with scenarios where the same attacker uses already available (or inferrable) information for the same purpose.
Look, many banks are perfectly fine with letting you opt into showing the account balance on their app before log-in step[0]. So why not let someone opt-in to direct access to that information? Or even opt-in to allow the app to expose this information somehow. Even in a body of a goddamn notification[1] (not disabling screenshots is too much to ask, I know, surely everyone will get hacked if this is enabled).
Paranoid mentality about cybersec is a big part of the problem - in itself, but also because it legitimizes the excuses app vendors provide to force users into their monetization funnels.
--
[0] - It's not a very useful feature, since you still need to open the app - and at that point, it's faster to log in via PIN or biometrics than to "swipe down to reveal account balance" or whatever bullshit interaction they gate access through in lieu of just showing the damn thing.
[1] - The increasingly common pattern of "let's notify user that something happened, but do not say what happened in the body of the notification" is getting infuriating. It's another way to force users to "engage" with the app, and it happens to also deny one of the few remaining ways of getting useful data from the app for purposes of end-user automation.
There’s good reasons you can’t do this, and sure, maybe you don’t care about those reasons, but you’d be in the minority.
Most services offer simple SMS two factor, and then if they offer an upgrade to Authenticator or passkey then I have no iOS/Android dependency.
My bank’s website works almost the same as the phone app, I think the only difference is the lack of mobile check deposit (but nobody’s writing checks anymore).
Some services like Venmo are most popular on apps but still have a website.
My remaining hooks are:
- iCloud shared photo libraries with my family. I can use those on iCloud.com but it’s a bit more of a pain. My paid iCloud storage has been migrated to more open alternatives.
- AirTags and Find My. There just isn’t a competitor that’s anywhere near as good. It’s thankfully not a very necessary product.
- Apple Watch. (AirPods actually work great on Linux, btw, even if they are missing some functionality)
- Apple Home. I could migrate this to Home Assistant.
- Apple Wallet. This is mostly convenience. Most things that use it have some kind of alternative, like printed boarding passes. But there’s…
- Ticketmaster. The mobile website tells me I must download the app or add to mobile wallet. Barcodes are dynamic and screenshots don't work. I think the only alternative is to go to the box office before the event which can be very annoying.
2FA is either a standard TOTP generator or an SMS.
Now I do have a smart phone, because I'm not a complete luddite, but I can't think of anything other than perhaps some forms of entertainment (apple tv, paramount, disney perhaps) which might not work on my laptop. I shun things like notifications of my bank balance, is that an essential thing? How did people in the 90s cope without a per-minute balance?
> 2FA is either a standard TOTP generator or an SMS.
For now. Be grateful while you have it. Most banks everywhere are moving to 2FA through push notifications to their proprietary app, and are deprecating other channels. TOTP is becoming unusual in a bank; where I live, I haven't seen it in use in banking in over a decade (though I'm not counting SMS here; they're technically kind of like TOTP, but they're generated by the service, not on your end).
Between that and a web-wide push for passkeys, having a locked down smartphone is already becoming a soft requirement for doing anything on the web.
It is a constant trope in technical forums.
We are a minority. Solutions which might be "inconveniences" for you, might be unsolvable issues for the rest of the planet.
Most of us do not want to carry two phones around. The reality is that there is strong utility for those non-open apps and they will never be replaced by open ones.
In some parts of the world, WhatsApp is as necessary as the phone itself. Official business is conducted via it.
The rest is a personal choice, I'm happy to have a bit higher friction to check my bank's balance for example. Maps is an issue but it can be overcome.
I find this to actually be a great litmus test for the overall problem. Bank account balance is a basic piece of information that's about me, and that I need to keep track of to effectively live in our modern times. I should be able to access that information non-interactively at any time. But I can't.
Ask many banks, you'll get as many reasons for why they can't just allow me to cURL this number off an endpoint with some pre-shared credentials. Most of those reasons are bogus[0]. Now, it's not hard to identify several points where I could observe that information in-flight. There's an API that powers the app. The app itself has UI that could be queried or scraped; some apps will even communicate this data to other apps when requested.
But good luck getting access to any of that non-interactively.
This is what all those technologies add up to. The bank says I can't have this information unless my eyeballs are physically looking at the screen displaying it - and the whole tech stack conspires to make sure I can't get it otherwise.
It's a trivial and non-critical need, but it's also exemplifying the basic user freedoms being denied to us: the ability to freely process information on my own device.
EDIT: Accessibility tools are often the only remaining workaround here, because those are uniquely hard for services to close. And as expected, accessibility became its special privilege category on modern devices, and is increasingly heavily scrutinized and limited by device vendors.
--
[0] - They're usually some kind of security or stability point, that's just a fig leaf to cover the actual reason: this is the way they can force you to interact with their app or website daily, creating an extremely valuable marketing channel for their financial products.
I hate to risk sounding like I'm beating a dead horse, but when I hear this I flash back to Attack Surface by Cory Doctorow. I interpreted his message in that book as something approximately like "you can't out-tech the bad guys", where "bad guys" can mean government surveillance agencies (probably more what he had in mind) OR "big corporations trying to control your life" (this may be me extrapolating). But even if I'm over-generalizing a bit, I think the point still stands.
"We" (open source advocates / hackers / hobbyists / makers / whatever) can't win on just tech alone. We have to use the legislative process, political pressure, social pressure, whatever, to achieve our goals. And so we should use our superior knowledge of technology to support doing that. So don't just think "how can I hack my phone to use an open source OS" but think "How can I help use technology to influence the outcome of the next election, and elect candidates who really represent the things I care about?" or "How can I help use technology to stir up enough activists making enough noise to persuade my bank to let me access my account using a non-proprietary OS", etc.
Now I'm not saying any of this is easy. By no means. Just suggesting that we need to at least approach things with that mindset in view to some extent.
Companies are moved by money, if your tech is popular enough companies will dance to your tune.
Say that you get to a point where 90% of desktop users are on linux. Is there any doubt that banks, messaging platforms and the like would have their own linux apps? no matter how many hoops you make them pass through, they won't let that piece of the cake go.
The problem is that the current way of doing things will never reach those numbers, because we give up on the tools that companies use. UX, user research, graphic design, marketing and similar roles are pretty absent from these communities; I think changing that is the missing piece.
Here's the thing: we had that already. It was called Android.
> Companies are moved by money, if your tech is popular enough companies will dance to your tune.
We're having this discussion precisely because this is not true. If your tech is popular enough, companies will use their money and influence to subvert it so it serves their bidding.
I don't disagree, and I guess I'd say that I think that is all part of the larger point. Eg, "getting more people to use (Linux|BSD|Minix|Mach|Whatever)" is part of the larger idea of "social pressure" to convince companies to behave in ways that we find desirable. So the question then is, as far as I can tell, what more can use techies do - leveraging out existing mastery of technology - to promote "(Linux|BSD|Minix|Mach|Whatever)" to people who don't currently understand the importance of these issues?
And I don't mean to claim that "using our tech knowledge" is the only kind of activism that matters. Maybe for some people it's just "donate money to the EFF every month" or whatever. But to me, that's all still part of the same general initiative.
Damn typo. And missed the edit window. Sorry. :-(
Some of the bigger open source communities, like GNOME, do some amount of these things. But I think very few people are excited enough about user studies or marketing to do them as a hobby, unlike writing code. It's hard to see how you could beat Google/Apple/Microsoft at their own game like this without a lot of money. Red Hat is probably the biggest company that might be interested in this, but still about 2 orders of magnitude smaller than the giants.
There are hobbyists and people trying to get experience everywhere, but there’s a fundamental disconnect between communities.
Linux based phone, running Anbox to support Android apps running within containers. Effort would then have to be put into supporting Play APIs within Anbox. Not a small amount of work, but I compare it to the state of Linux 20 years ago and how well Linux is doing today.
The integration isn't perfect (some important things like forwarding notifications to the host system are still missing) but it's already further along than you might have imagined.
The bottom line is, the only way to ensure user freedom here is by regulation/legislation.
I've used Linux for a loong time before some business-critical software ran on it. I had to have a Windows VM for years for netbanking, or before that, dual-boot for gaming.
If we're all too spoiled to give a free alternative a chance because it might be slightly inconvenient, we don't deserve the free alternative.
Not nearly enough. Not by three orders of magnitude for the market to care.
This isn't the 1990s. Computers are now mainstream.
The parties I accuse of driving this problem didn't suddenly go rogue when smartphones happened. They always wanted this level of control (and much more) - they just couldn't get it until relevant technologies matured enough.
I'm not speculating here - we have actual empirical evidence to confirm this. A clear example is that there are several countries that, unlike the US and most of Europe, went all-in on Internet banking back before smartphones. Web limitations and conventions didn't stop them from doing the same thing everyone is doing with the phones now - the banks there just force customers to install malware on their computers, so they can do some remote attestation and KYC (and totally no marketing data collection) on their PCs.
Most of the West never had this because of the inverse of leapfrogging phenomenon - big, developed economies had too fast progress and at the same time too much inertia to fully adopt a pre-smartphone solution nation-wide.
Be grateful while it lasts.
I think the government and large businesses like it that way, as it makes the mobile network providers a sort of credit check (or “are you worth dealing with”) mechanism.
If yours doesn't, pick one that does.
The whole point of 2FA was to have two devices that you own. Now the bank is forcing your login and 2FA to be on the same device. Which is the easiest device to steal.
What about SMS is somehow worse than that?
It is extremely common for people's phone numbers to be stolen (even if temporarily), and then their bank accounts drained.
What scenario does a kiosk at the mall get control of my phone number but not control of my phone? I don't see how remote attestation solves anything here. Does the bank suddenly know a stranger is holding my phone?
We go from me needing to open a web browser on my computer and getting verified on my phone, to now my most important operations have to be from my phone. That's worse.
> The scam begins with a fraudster gathering personal details about the victim .... the fraudster contacts the victim's mobile telephone provider. The fraudster uses social engineering techniques to convince the telephone company to port the victim's phone number to the fraudster's SIM. This is done, for example, by impersonating the victim using personal details to appear authentic and claiming that they have lost their phone.
SMS 2FA should simply not be used if one cares about security.
You can e.g. smooth-talk the customer service at a kiosk to give you replacement SIM card for the one you've "lost".
This is why banks increasingly don't trust your phone number, and their apps tie themselves to the phone itself, i.e. to hardware and OS IDs. But to trust those IDs, they need the phone to pass remote attestation.
> several countries
Doesn't name a single one
...
Brazil is another example - ironically, the software suite that's commonly required for banking is named after the capital of the country I live in :).
Some quick searching now also flags Slovenia and Serbia as places where some banks require custom desktop (or even Windows-specific) software to access banking services.
I'm not sure if physical tokens are being used anywhere but if they are, that's rather rare nowadays. It may be an option reserved in bigger banks or for business customers - I can see one of the banks in my country offers it on request and not by default.
Edit: it seems it's a feature for business indeed and banks opted for Cronto system - https://www.onespan.com/products/transaction-signing/cronto
Two phones is such an unsatisfactory solution because it will be too impractical, too expensive, or both, for the vast majority of people.
On the flip side of the coin, some places are locked to web apps because Google & Apple won't allow them to exist. e.g. OnlyFans and Playboy can't get in the app stores, but OnlyFans still manages to make several billion dollars a year, most of which is almost certainly mobile.
There’s no financial, political, or mass market incentive for browser APIs to have feature parity with mobile OS APIs. Approximately nobody wants to do what you’re asking for. If anything, there are incentives against doing this.
* Netflix does not load in a mobile browser, it directs you to download their app.
* web.telegram.org sends a 2FA push notification to their app
* Apple wallet/ Android wallet do not have web apps
* Popular dating apps, e.g. Hinge do not have web apps
* Some social network apps, e.g. BeReal do not have web apps. Many others have reduced features.
* I have never seen a keyless entry app that supports the web, at least not from a mainstream manufacturer.
Can you name a single browser app that can do NFC payments in the US?
I can choose to use a bank that allows me to access all of their online banking features via the browser. I can choose to work for a company that doesn't want to surveil my personal device. I can deal with the government via snail mail, or in the browser. I can use third-party YouTube clients and torrent movies and games, or simply don't engage with DRM'd media because there's plenty of entertainment out there.
Count the percentage of software you use that are open-source compared to 10 years ago. I bet it's more. It's only a matter of time before we make hardware open-source, too.
When the mainstream is evil, being an outcast is the right thing to do. Every big change begins as a small movement.
Lucky you. There are fewer and fewer such banks out there. The trend is to route login and consequential interactions on the web through 2FA on a phone - and not TOTP, but push notifications sent to the bank's app, that only runs on devices that pass remote attestation checks.
> I can choose to work for a company that doesn't want to surveil my personal device.
Again, lucky you. Most people don't really get many options for employment at any given moment, and the issue of corporate phones is usually at the bottom of the list of criteria when one is looking for a job. I.e. not a real choice for most people.
> I can deal with the government via snail mail
At a snail pace.
> or in the browser.
Modern government systems around the world tend to require some sort of identification that usually gets tied to your smartphone, either directly or via your bank.
> I can use third-party YouTube clients and torrent movies and games, or simply don't engage with DRM'd media because there's plenty of entertainment out there.
Torrents aside, that's not the case. Entertainment isn't fungible. Disney can release all Star Wars media DRM-free for everyone to download, and it means exactly zero to someone who wants to watch Star Trek, but Paramount/CBS decided to go all Ferengi on the franchise. Can't substitute one for the other. This is why the market supports so many streaming services these days - they exploit this very fact.
> Count the percentage of software you use that are open-source compared to 10 years ago. I bet it's more.
Open Source software stopped mattering once the world embraced Software as a Service model. Source code on Github means nothing if the code is actually executed on servers you don't control and have no visibility into.
That covers end-user OSS. The larger space of OSS building blocks are... building blocks. OSS libraries matter to users just as much as standard Phillips screws used inside an appliance, when they're beneath layers of glue and permanently soldered elements and join together elements explicitly labeled as "not end-user serviceable".
> It's only a matter of time before we make hardware open-source, too.
That time will come around when we build a Star Trek-style replicator (and then have a successful revolution to seize this new means to production, because no way the first company to build a universal manufacturing device is going to just let people use it). Open Source Software succeeded only because software development has near-zero natural barrier to entry, so there was a large supply of bored high-schoolers and students, hobbyists, academics and other do-gooders with enough time and will to just build stuff and give it away for free. This isn't true for hardware.
Now, circling back to the main point:
> Whether we can move to open platforms depends on the choices people make.
No, it does not. On consumer side, the market is driven by supply, not demand. I.e. you only get to choose from what the vendors decide to make available to you, and they know perfectly well you have to choose something, so your voice doesn't matter.
If it did, we wouldn't be having this whole thread in the first place.
There will be fewer and fewer such banks out there if people choose to not use them, among other short-sighted decisions which produce such trends. You need to give the banks a reason to care.
> Again, lucky you. Most people don't really get many options for employment at any given moment, and the issue of corporate phones is usually at the bottom of the list of criteria when one is looking for a job. I.e. not a real choice for most people.
The first part is not true. You have plenty of options, they're just not equally good. It depends on what you're willing to give up in exchange. And you can push for change within your org.
> Modern government systems around the world tend to require some sort of identification that usually gets tied to your smartphone, either directly or via your bank.
They can have some sort of identification, but it shouldn't involve surveillance spyware on my device. If a government needs that then they're part of the problem. People form governments, you can push back against those people. Don't bend the knee to tyrants.
> Torrents aside, that's not the case. Entertainment isn't fungible. Disney can release all Star Wars media DRM-free for everyone to download, and it means exactly zero to someone who wants to watch Star Trek, but Paramount/CBS decided to go all Ferengi on the franchise. Can't substitute one for the other. This is why the market supports so many streaming services these days - they exploit this very fact.
Entertainment can be fungible if you decide that it is. I can live without watching a DRM-protected show. Watch something else. Do something else. They exploit the people who have decided for themselves that they must be loyal to certain franchises.
> Open Source software stopped mattering once the world embraced Software as a Service model. Source code on Github means nothing if the code is actually executed on servers you don't control and have no visibility into.
You can choose to not use SaaS. Host your own stuff. Give your money to ISPs that allow you to host stuff. Pressure your government to regulate ISPs. And there's plenty of offline software that doesn't need Internet connectivity. Not everything needs to be artificially-scarce cloud-slop, unless we want it to be.
> Open Source Software succeeded only because software development has near-zero natural barrier to entry, so there was a large supply of bored high-schoolers and students, hobbyists, academics and other do-gooders with enough time and will to just build stuff and give it away for free. This isn't true for hardware.
FOSS succeeded because there's a base production rate for software, software (as it gets further from the metal) doesn't need monetary incentives. When I said open-source hardware, I meant the IP. Obviously making the physical thing isn't free. But the IP doesn't need to be as scarce as it is now. Schematics will be harder than firmware will be harder than software to open-source because they're close to the hardware (which is naturally scarce), but it's possible, and will be done, and we don't need to invoke movie magic.
> No, it does not. On consumer side, the market is driven by supply, not demand. I.e. you only get to choose from what the vendors decide to make available to you, and they know perfectly well you have to choose something, so your voice doesn't matter. If it did, we wouldn't be having this whole thread in the first place.
Consumers and suppliers don't exist in perfectly separated vacuums. You can influence suppliers. There are plenty of side channels.
Here's what separates chance and choice:
If we assume that our decisions don't matter, then we're definitely screwed. If we assume that our decisions matter, then we're only probably screwed. It's up to each and every one of us to make the latter assumption.
This isn't solvable through individual choice. It's a coordination problem - and coordination problems are what underlies every actually hard problem that humanity is struggling with. War, poverty, authoritarian regimes, corporate overreach, environmental destruction, climate change - all could be solvable through choices like you describe, but in practice are not, because humans can't coordinate at scale.
Relevant search term: "meditations on Moloch".
My government, Denmark, is one of the most digitized societies in the world. While the government has allocated money to a committee to investigate how the country can become less dependent on American big tech corporations, at the same time they are planning on launching a mandatory age verification solution in 2026 where the only possibly anonymous way of verifying your age to access e.g. social media will be through a smartphone app running on either Google Android or Apple iOS. These nincompoops do not realize that this move will effectively put every open source alternative at a permanent and severe disadvantage, thus handing Apple and Google, which are already duopolies in the smartphone market, a huge moat that will lock out all future competitors from entering the market.
I have written to the relevant government agencies, and while they are nice enough to actually answer questions, their answers reveal that they act as if they are a commercial business and not a government agency that is supposed to act in the interest of the people and preserve their freedom. They argue that they are releasing a solution that will work for the vast majority of platforms and that they are continuously monitoring the market to assess whether they need to add support for other platforms. This is a cost-cutting measure which is maybe okay for a commercial entity targeting a specific market demographic, but it is an absurd way for a government to think.
Before the upcoming age verification we already had a national digital identity solution, MitID, which also comes as an app running on Android and iOS, and which is locked down to require strong integrity using Google Play Integrity. But at least here they also offer hardware tokens so people can use their digital identity without owning a smartphone and running an open source OS like Linux on their desktops. But with age verification this is apparently over, all the while the government is lying about actually making an effort to free us from American big tech - they are instead basically forcing us to be their customers now.
Governments say they want sovereignty but not if they have to pay anything for it. They also like the fact that forcing everyone to do everything through a few big businesses makes surveillance and censorship easy. No need to pass laws, just do deals with a few companies. Governments are all about central control, and it's more important to them than what they see as obsolete nonsense about sovereignty.
Instead of mandating google/apple signed applications, they could instead implement some specification for a secure enclave (or whatever fits their needs - I doubt they need control over the entire OS meaning there is plenty of space for pushback for people that want to retain their rights and freedoms for their devices). If you add some sort of certification based on an open standard that would allow any manufacturer interested in the market to be verified that the "attestation" for specific apps or secrets works, then it would no longer enshrine the current winners (apple/google) and instead allow for a healthier market.
This would only be a good thing because it places power with the government and not a third party (something surely the government would prefer), and allows things to be more in the open.
And in an ideal world the specific locked down portion would not need to be active or interfere with the rest of the operating system to some extent, so people would not be reliant on the manufacturers for their applications and would have the freedom of installing whatever they want and using the rest of their device however they wish.
It would also open up for some interesting and innovative competition in personal hardware security devices.
The only real issue here is banks that don't offer an equivalent website or require the "app" as authentication factor. I couldn't care less about copyrighted media. It's only fair that I source my media from the high seas when the only options that respect their "rights" infringe my own right to run free software on my devices.
It's not about security. It's about them wanting people to use the apps. Forcing everyone to use an app streamlines the vendors' operations, reduces the state space of possible user interactions down to small number of flows they control directly, and also provides them a direct channel (communications or upsell, where applicable) to the user.
This is not a fluke or a conspiracy of small number of influential players. It's an emergent alignment of incentives across pretty much the whole supply side of digital aspect of human civilization (not "just" the market, because it's also happening in political and social spheres).
Need security before doing a $1000 transaction because everything so far was $10? Sure, ask for a physical token 2FA, NOT a YubiKey implementation.
Obviously though if I was working at Google or Apple and paid for the success of my company via incentives, e.g. stock, I would fight tooth and nail to let banks know that only MY solution is secure.
In the meantime probably the best that can be done is having a regular phone and a banking phone.
Personally, I have found smartwatches fairly useless (I do enjoy the activity tracking and notifications but that's not much really) so freeing my phone from bullshit by moving some functions to a watch could increase the value/utility of some sort of smartwatch. Ultimately, it doesn't need to be that "smart" even.
It's not just one tiny use case that's pushing us down the road of increasingly locked down devices. It's most use cases - because no matter the service, it's more profitable for the provider to control what you can and cannot do.
And that's to say nothing of the environmental impact.
Here we are talking about installing PostmarketOS/Linux on a smartphone. The next milestone is not to get everyone on it. First we need a base of early adopters that are willing to use it despite the drawbacks. The more users those alternatives will get, the more they will be developed, the better it will get.
Sure, for the next years, it will be way behind Android or iOS in terms of ease of use, but that's the price to pay to get back control on the device you own that is probably the main computer you use everyday.
For me that's not worse than using Linux in the early 2000s, and like Linux in the early 2000s, it may even be _fun_ to be an early adopter of Linux on the smartphone.
Now we don't need to migrate everyone to PostmarketOS, we _just_ need an alternative OS for at least the ones who are willing to play with it.
That didn't work that well for Linux, though. It's still a very niche OS even on desktop.
Also, please stop with security nihilism, https://news.ycombinator.com/item?id=27897975
And good luck spoofing it these days cause they are usually backed by hardware backed tpm encryption. Which is why windows 11 only installs if there's a tpm 2.0 device detected.
It's become super dystopian in the past 10 years and I don't see it changing.
Always thankful that I got to live through the wild West days because that's going away.
The overwhelming majority of users call it "Linux" and don't care what the operating system's pronouns are.
Many Linux systems are running today without GNU coreutils or userland.
It's time to stop posting this flame bait.
It is the best answer at the moment. You can keep an absolute basic phone with all the banking and such apps loaded and nothing else. You treat it like an appliance. Your daily driver will be separate and can be running PostmarketOS or LineageOS etc.
There are several benefits off the top of my head:
1. Since you only install banking/govt type apps on your "important" phone, it stays more secure vs. putting your random game app along with the banking app on the same phone.
2. When you upgrade your daily driver, you don't need to deal with tons of re-auth steps for banking/govt apps.
3. Your daily driver can be customized to the nth degree because the pesky banking app won't be on it to refuse login because, say, you turned on developer options or rooted the phone.
4. You can even leave the basic phone at home for extra safety, if you wish, without affecting your daily driver.
5. You can root your daily driver and put as much adblocking setup as you want to boost your privacy. Your basic phone won't have enough activity outside banking/govt. to build much of a profile.
With this being the trend, you're already more likely to leave what you called "daily driver" phone home, and only take the "important" one with you.
All the Google stuff is disabled, open source Contacts app,^1 no Google Play Services, no access to remote DNS, Netguard for application firewall and port forwarding, with computer I control as gateway.
1. Have yet to find any other app that can access contacts when storing them this way, even the Meta's biggest Trojans
Meanwhile, new phone, "important phone", stays offline. Wifi off. Location off. path?.xtracloud.net blocked. Phone is used for texting and phone calls, no internet access
The "banking app" argument, i.e., either install a custom ROM or give up or submit to surveillance, is a false dichotomy. There are other options
I don't use a phone for internet banking, I use a computer I can control; there is no "banking app" (talk about high risk, geez)
The "banking app" problem is a common refrain on HN but in the real world I know many people who do not use a phone for internet banking
Mobile OS just suck. It's like being forced to use MS Windows
And for the rest, well, "just works" for what? With a little time and effort, it may even get to the case of the "just works" part is a siloed unit like a SIM card that is just installed to the device, making it opt-in and user owned...
Not that I want to kick the can down the road, but the ultimate solution (barring actually fighting for our privileges over the systems we buy) is to have that second phone, and control it either via VNC, or via a KVM which presents VNC. I know, it's really absurd, complexity wise, what with tunneling and figuring out where to house said setup. However, the latter is ultimately transparent to the phone, outside of allowing a second monitor/HID to be connected to it. You could, given a VNC client, then go ahead and control it via laptop or another phone.
Providers of all the service types aren't driving this because they believe locked down phones are a Good Thing. They're driving this because they explicitly don't want you to do the very things you'd want to do with your VNC idea.
Also: both banks and governments are pushing for 2FA with a mobile device being the primary, and in some cases the only, accepted second factor source.
Hopefully I'll never have to buy another closed phone.
It's important to have computing freedoms so that people who actually care end-to-end, and don't have financial incentives directed against patients' well-being, are able to build on top of products on the market, fix the enshittification, and improve functionality.
(We also need that to close the loop. It's a common story that meh products of today, which improve on bad products of yesterday, are just commercializing the fixes developed by people fed up with said bad products.)
But then, it became more and more annoying with apps blocking root access, features being unavailable to custom ROMs, etc... There are workarounds (is Magisk still a thing?), but I got tired of them.
So now, I just buy an entry level Samsung, which is well supported, runs all the apps I need (browser, financial, maps, chat, ...) and takes recognizable pictures. It is just a boring tool, like a credit card, I need one because that's the world we live in, but the object itself is of no importance.
If I want to play with a computer, I have a "real" computer. If, at some point, I get interested in smartphones as a platform, I will buy one just for this, in the same way that I have no intention of using the credit card I buy stuff with should I want to play with smartcards.
It has also killed my desire to spend money on a smartphone. What's the point of a $1000 device? What's the point of upgrading unless forced to by planned obsolescence? Why should I pay more than $200 every 5 years or so? They are all the same to me. They even all have the same form factor, besides overpriced and fragile foldables.
We should demand that they support every platform. Or at least every platform that adopts some sandboxing model.
But they don't demand the same control over laptops and desktops. Only phones. Why is that? Granted I can't deposit a check with my laptop but I can do any other banking I wish to do.
So to me it's more that they see the chance to gain this control where they didn't see it before. Phone providers are only too happy to get on that bandwagon because they get to deploy all kinds of surveillance capitalism in the name of security ("hey the banks want it!").
Granted these freedoms are slowly leaching away from laptops and desktop too with stuff like TPM, so I don't know. I've about had it though.
Oh, but they do. PCs (and Macbooks) are products of an earlier era, and the solutions of control evolved along; it looks chaotic, but that's because it's where the R&D happened over the past decades, which ultimately produced a cleaner - and more easily identifiable - mobile control ecosystem. But it's all there, if you look closely. To name a few major groups:
- Many generations of DRM plugins for games, then for streaming media
- Trusted computing hardware
- Intel Management Engine and other firmware backdoors routinely inserted into hardware
- Endpoint security software, deployed widely on corporate-owned machines
Mobile solutions are just version 2.0, built on top of all that R&D.
> Granted I can't deposit a check with my laptop but I can do any other banking I wish to do.
This is the insidious part: for many banks, this is only tolerated because they force you to use their proprietary app on a trusted mobile device as a second factor! At this point, it doesn't really matter how well-controlled your main browsing platform is, because you have to use your phone anyway, and there the control happens. And, "for your convenience", the mobile app isn't just a physical security token, but lets you do banking too, which allows them to gradually deprecate the web experience.
Hint: When Windows 12 comes out, everyone, or at least everyone with a newish PC, will have a TPM module that's capable of enforcing and attesting a signed-code boot path from power on all the way down to application-level code. Windows 12 will turn these machines into Xboxes that run Excel. Many computers will also have Pluton technology, which is an on-chip TPM implementation that cannot be tampered with or removed from the CPU, and which literally came from Microsoft's Xbox division.
General purpose computing isn't quite dead yet, but there's really nothing we can do for the patient. We're just waiting for it to flatline.
Aside from music/video there are no obstacles for other apps to exist in an open system.
In large parts of the world, the answer is usually "my unrooted, remotely attested smartphone". Increasingly, it's becoming the only supported method. When that's the case, what you use to load the banking UI doesn't matter anymore - the mobile device is the only actual requirement.
Those work perfectly via a browser, on any platform where the browser can run. As long as a hypothetical open OS has a browser capable with bog standard modern capabilities, it will be fine
It required me to install the application to sign in via web browser. There was no way, the web app wouldn't budge.
I did it, checked my $5 dollars balance and deleted the app again.
Totally disgusting behaviour.
People have genuine reasons to stay with the provider / platform and usually browser doesn't cover half of their use cases.
For example I have to use Revolut because it's one of the very few banks that allow me to use Garmin Pay and work (reluctantly) on my phone without Google rootkit. Can't use, say, Curve because their privacy policy is alarming (and I had a very very weird/disappointing interaction with their compliance team).
And you've already got a good example with Netflix.
You are technically right, we still have access to these services via a web browser today. It doesn't mean we'll have it forever.
With the advent of AI browsers and AI agents, it's not hard to think of a future where LLM chat interfaces and mobile apps are the future, and web apps start getting disregarded as legacy and eventually, discontinued.
Try ordering some food via mobile application and then again via web app. You'll instantly feel the downgrade on the web app. Bugs, glitches, slow experience.
The desktop web is already the 2nd-class citizen for modern startups.
And I guess people who downvoted my counterpoint thought that it means that all services on the planet have very well functioning browser version, judging by their comments. Some don't, some do. But no one of them "requires" excessive access a native app can provide.
Some may want to have it, for some browser version is simply not a priority. But nobody needs to have additional info for those services to function.
Because the market has failed, and we have a duopoly. There are many reasons for that, but, this is the exact sort of time a govt must step in - when something becomes a utility, it needs to be regulated as such.
I agree, I don't really want to enshrine Google/Apple into law, however if they are makers of an operating system that is used like a common utility, they should be regulated as such.
The only rational step for the EU is to support open everything: Open Software, Open Hardware, Open platforms, etc...
Beggars can't be choosers. Until they pony up the cash to fork Android, they're beholden to the US.
open hardware/platform is impossible if they mandate all chat is exported to gov anyway
Even govts that may be in some political climates authoritarian can and will want exceptions to this.
There is no world that I see where decisions being made by Google are a good or reasonable choice for all parties, even ones you might think would side with this decision.
Remember, this gives Google more control than an authoritarian govt. Sure, there may be a cost of doing business with some countries, however, even in those cases, this is bad for them - Google can just say "sucks to suck" and they either must use their product or develop their own, but if they use their product, *Google still has more control over that authoritarian govt than the people in it*
Put simply, now, Google Is Evil.
I think we're going the other way though.
For instance, this recently proposed bipartisan bill would force all (even locally installed) AI apps to repeatedly run age checks on end users, and also adds $100,000 penalties each time the AI screws up when a minor is involved, even for bugs. I don’t see any safe harbor provisions, or carve outs for locally installed / open source / open weight projects, so it’d end up handing a monopoly to ~ 1 provider that’s too big to prosecute:
https://news.ycombinator.com/item?id=45741862
The most important thing you can do right now is get the democrats to actually field a candidate in 2028 that will restore the rule of law and free markets in the US.
We don't! Instead, we go to regulators. Though I suspect your question really is "Why bother with salvaging Android at all?"
Mobile platforms are hard - famously, Microsoft failed to make Windows phone a viable platform, and John Carmack successfully argued that Meta didn't need a custom OS. Mozilla's Mobile OS that had OEM partners making real phones spluttered out, and not for the lack of trying. Both Firefox OS and Postmarket rely on an Android foundation for HAL/drivers, IIRC. Device bring-up is hard, and negotiating with OEMs is harder still, and that comes "free" with Android-supporting devices.
Logistically, the vast majority of people who install apps from non-Play-Store sources do so on their daily-driver phone, which is running the stock operating system. They are not tech savvy at all.
Firefox OS had serious issues.
* Web standards 2013-2017 weren't ready enough.
* 2013-2017 phones still weren't powerful enough for complex JS apps to feel fast.
* asm.js was de-facto proprietary (a new FFOS with wasm would be another story)
* The UI wasn't so great.
* Their launch devices were slow, cheap, and sucked.
* Their launch devices weren't readily available to developers.
* Their OS provided no real advantages over iOS or Android
The OS is still around as KaiOS (with a couple hundred million devices shipped IIRC) and I believe it still powers Panasonic TVs.
Interestingly, I think a FirefoxOS of today with good React Native and Flutter integration and cutting-edge WASM support could have a shot at success if not completely mis-managed.
Does there exist a company or project that has the resources to develop a smartphone with better performance, UI, and cost than Android or iOS devices? Microsoft couldn't pull it off, and I am skeptical that Meta would have been able to.
I can imagine an alternative smartphone carving out a niche audience like older users, FLOSS enthusiasts, digital minimalists, kids, gamers, privacy-focused users, etc. Perhaps over the span of decades such a project could iteratively improve while the incumbents enshittify and eventually surpass them in popularity.
But it seems more likely to me that Android and iOS will dominate consumer smartphones for as long as that form factor exists. When they are displaced, it'll probably be by some innovative non-smartphone computing device.
A new web-centric OS could fix those issues by doing a few things to reduce friction.
First, use an Android-compatible kernel version so drivers are easy to port. This gets manufacturers on board.
Second, make your App Store a non-profit that charges enough for ongoing store development and distribution. This gets devs on board.
Third, make sure you have decent third party framework support. Flutter, react native, and maybe even an Android runtime that legacy apps can integrate into their wasm binary. This helps kickstart your ecosystem.
Fourth, add better integration of webgpu and 2d canvas (which probably needs some extending). In addition, they need to add a low-level API to access DOM nodes from wasm. For security and ease of implementation (without stepping on the toes of the normal standardization stuff), this would probably be a virtual DOM with only a provably secure subset of the actual nodes being sent back and forth.
UI is an easier problem. The best design to date is still webOS. Copy their general design (maybe rip off some of their never-shipped mochi stuff).
The biggest issue as you said is financing. All these things turn into lots of developers and time. The best bet here would be replacing something like Tizen where a corporation is already investing.
And as you've pointed out, implementing support for third party frameworks and funding improvements to webGPU, wasm, etc is expensive. Even recreating the webOS UI would be a considerable undertaking.
> The biggest issue as you said is financing.
Exactly. I agree that it is technically feasible, my point is that it is economically challenging. Not impossible, just extremely unlikely.
> The best bet here would be replacing something like Tizen where a corporation is already investing.
It looks like the last Tizen phone was released eight years ago and the Tizen app store shut down four years ago. Like webOS, it lives on as an OS for TVs, but I am skeptical it can rebuild enough momentum to challenge Android or iOS.
You're hilariously underestimating the difficulty of getting the dev/user flywheel started: developers go where users are, and users won't adopt a platform without the apps they need. Microsoft was literally paying devs for submitting apps, and they mostly got variants of Flashlight apps, and none of the apps that matter. Look at the top 10 App Store/Play Store apps and ask yourself if the developers will bother with a hypothetical non-profit, upstart
As I recall, Microsoft wanted devs using their proprietary Silverlight and C# which required a complete rewrite from iOS or Android. Allowing existing apps to bundle their preferred Android runtime is a lot closer to something like containers or flatpak and is a proven way to reduce developer friction. Ironically, such an app running in wasm would be supported indefinitely while Android apps on Android eventually lose support.
However, if it's not inevitable, then those who cherish such freedoms should forcibly push back against the attempts to strip them away.
But just like with something like secure boot, they're missing the train and letting corpos dictate the implementation.
Because Google and Apple have put themselves between us and everything else.
Until we manage to replace them (by lobbying to everything including governments against them, and by working towards making the alternatives usable), we unfortunately have to resort to this. I'd even say we are entitled to this because we never asked for Google and Apple to become compulsory, they decided this.
I would personally be able to switch to Linux mobile today because I don't rely on anything proprietary (except the interrail app occasionally, damn them - but possibly waydroid would work for this)… if only there was usable and reliable hardware that could run the mainline kernel: decent battery life, decent picture quality, decent GPS, decent calls (especially emergency calls even if I haven't needed to actually make one so far, finger crossed, and Signal would do for most other situations actually).
I've daily-driven the PinePhone for a year. Call quality is awful and calls are awfully unreliable, and SMS are quite unreliable as well. Too bad for a phone. Unfortunately the phone took a big rain and now its modem is unreliable and doesn't come back up very often, but that's something a phone will likely endure in its life. Pictures are awful. GPS never worked well on my regular PinePhone. It somewhat worked on the Pinephone Pro until it died because it overheated. Linux hardware support is okayish, it was nice to run completely free software which was my main motivation for trying it but the hardware is crap to the point of being unusable serious.
The FP5 can apparently run PostmarketOS quite well. It would make an awesome Linux mobile. Camera and calls only partially work though [1]. And that's the main features of a phone.
Linux mobile itself is becoming quite decent (if one can do without the proprietary apps), what we really need is good hardware running it. Then we can begin to imagine a world with it having a decent usage share.
[1] https://wiki.postmarketos.org/wiki/Fairphone_5_(fairphone-fp...
> I've daily-driven the PinePhone for a year.
Which OS? Did you try SXMo?
I'm sure it's way better than the PinePhone, but the Librem 5 is definitely not suitable for the general public, even without considering the Linux mobile part.
> Which OS?
Mobian and postmarketOS
> Did you try SXMo?
Yes, not my cup of tea. I'm happy with a stable Plasma or Phosh; at this point, the GUI is not a concern at all for me. SXMO is a nice project but it will never target the general public, and I think we need to target the general public because I wish the general public's computing were free. It's nice that nerds can be free but it's also not good enough.
https://puri.sm/posts/the-danger-of-focusing-on-specs/
> doesn't have a good battery life
It's far from great but you can change the battery on the go. Look, you can't fight for anything without making any compromises.
I suppose you meant you "can't".
I know, my life is full of compromises because of my various political opinions.
> https://puri.sm/posts/the-danger-of-focusing-on-specs/
I agree and I intend to keep my current phone at least ten years (and I hope it will be able to run Linux at some point, it's very close!), but the Librem was released with outdated specs and that was 5 years ago. It was released with outdated specs because then current hardware was not free software friendly. However, producing outdated hardware today is a huge environmental concern for me.
That current hardware is non-free software friendly is a huge concern as well, and both concerns go hand in hand: we are absolutely building huge piles of e-waste just because of proprietary / closed hardware.
Anyway; the Librem 5 has been a fantastic thing for the development of Linux mobile. We also won't go anywhere with phones such as the Librem 5 to make Linux mobile a reality for the general public.
> I suppose you meant you "can't".
Thanks, yes, fixed.
Phones have become essential to daily lives and the catch-22 is: companies won't support niche platforms for their apps and users won't switch until the apps are there. Android happened to get adopted before everyone started relying on mobile devices as computer substitutes. Unless a major player pulls out a Valve move and does with waydroid what Valve did with wine, I can't imagine the market changing significantly.
Imho, this is where we should fight for regulation.
"All mobile apps must allow the user to acknowledge the risks of running on an unsecured platform, but then launch normally"
Couple it with a liability shield for user security issues, if the user acknowledges risk.
The real Android lock-in is the universe of essential apps that, through developer laziness, refuse to launch on alternative platforms.
You can never catch all "bad actors". Sure, you can make a best effort, but govts are not efficient/usually work better at doing one thing, not 100 - they should be regulating the common platform not all actors on it.
Anyways, that's just as bad as what Google's trying to do.
> that, through developer laziness, refuse to launch on alternative platforms.
Android Dev is (relatively) quite difficult. The code and UI elements do not translate easily to other platforms. If a solitary developer (keep in mind, they may be a volunteer doing things in their free time, or just someone scratching a personal itch) does not then go out, purchase multiple other pieces of hardware, and write the application on multiple other platforms, that is not "developer laziness", rather that is a high cost to entry creating practical hurdles.
I already lug a small backpack around most of the time, I can leave the tablet in the bag and use buds for conversations and when I need an actual computer it'll be way better.
(Asking because this idea sounds appealing to me as well.)
Sailfish sort of did.
Individuals should look for and support alternatives. I'm currently working on a desktop running Ubuntu because I want an alternative to the duopoly of Windows and macOS.
Additionally, we should support open-source alternatives with our donations. I personally donate money every year to Ubuntu, the Gnome foundation, and Tor.
Devuan is a good enough compromise for me. The OS is stable, and the only issues I’ve had involve hacking curl|bash scripts that fail to realize they should just install the debian version.
(Steam and docker run well.)
Debian’s debate page can be read at https://wiki.debian.org/Debate/initsystem/systemd
I see the convincing arguments against systemd, mostly wrt to the support of the FreeBSD kernel in Debian. I wasn't familiar with them, it's interesting, thanks.
Why not? The point is not to not have anything supplied by a business. The point is to avoid being controlled by a business.
Ubuntu does not have the same hold over your computer that Google has over your phone. The software is open source. You can switch distros easily as it does not have lock-in.
Also in PC OSs, there isn't a corporation dictating what programs you are allowed to install. In iOS there is, and soon in Android too.
IMO, these corporations have managed to amass an amount of power where there's no longer consumer freedom. Therefore, there's no free market. We have reached a point where the law must intervene to restore capitalism.
Phones are not like PCs, you can't "just install a different OS". You also can't just build a phone from parts like you can with a PC, it comes locked in with the OS, with proprietary drivers and advanced cryptographic DRM measures.
And even if we did get things to the level of desktop Linux, we can't run any of the apps we need for everyday life. Most of these things on desktop are web-based, so you can use them on Linux, but this isn't the case for mobile and many things only come in mobile. Bank apps, government services, digital identification, mandatory companion apps for other devices...
If nothing else, we need to keep Android as open as possible because it makes it easier to port those things to other platforms and maybe one day have a proper alternative.
Oh, and it's not like we have a good alternative. The current Linux stack is completely inadequate for mobile use. An average phone has something like 50 apps that need to be able to react to any of a few dozen different local or remote events at any moment, yet also need to use approximately zero CPU cycles to do that. We need a brand new app paradigm if we want mobile Linux to succeed and it's not looking like that's going to happen any time soon.
This right here is the root of the problem.
They should be. Mine is exactly like that.
The point we are all missing, Google is not going to pull back, they have already invested in this change, it's in rollout phase, infrastructure is in place. It's not going to be rolled back. The ship has sailed. Keep Android Open is unfortunately dead on arrival, IF we are going to depend on Google.
And, are we going to keep depending on a profit oriented company to follow our bid? If so, then, we very well have lost already.
Indeed.
> "Effort needs to be put elsewhere."
Also correct. Outside of offering (an) alternative product(s), one also needs to fight the inevitable pushback of industry dinosaurs and their political toadies.
In other words: One needs to invest in massive lobbying efforts on the same playing field of corporations as well, e. g. in the EU or the US. For without sound organizing all efforts will be relegated to hobbyist spaces with an assortment of "Are we there yet?" products.
Smartphones and function-alikes are an entirely different breed of device, or at least can be: the general-purpose computing platform for your pocket. In this market, "somewhat different" rules apply.
The very first step I believe needs to be taken is to pass strict laws to allow devices to be reflashed with whatever we want. Until we have that in place we will always be stuck like this. Once people can truly install from scratch whatever they want then the game should change completely.
So many good working devices go to waste because they are no longer supported by Google and the hardware manufacturers. They have good cameras, good wifi etc... we should be able to reflash them and install whatever OS we want on them.
It's becoming more and more difficult to install even Lineage on a lot of 6 or 7 year old hardware.
Popularity is important when we consider whole societies, but it's not particularly relevant for individuals. I don't need a buy in of Samsung to use GNU/Linux on my phone.
We should not be downloading executables and running them from random third parties in order to do mundane tasks. If they absolutely must have an app, it should be a web app, end of.
I don't think apps are going away so users need to have a switch that says, "I don't trust this company with anything". Extremely limited Internet access, no notifications, no background activity at all, nothing. It needs to be like apps for the 2nd gen iPhone: so completely neutered that webapps look like Star Trek level technology.
The reality is that both Google and Apple are not just in on this, they created this situation. They not only don't care if you download 1 million apps from the app store that may or may not be malware, they actually prefer that model. Going as far as to sabotage the web to maintain that model. Going as far as developing their own browser which is broken to maintain that model.
Which, relatedly, is why any type of argument of "safety" around the app store or play store is complete and utter bullshit. Apple and Google want you to download as much malware as possible. All their actions demonstrate that.
> but this would just hide the actual problem with interoperability and pass it down for the next underdog project to worry about.
Just consider how this wouldn't happen at all in an environment where no platform dominates in popularity (and it doesn't always happen today either, as lots of things like these are accessible via the Web from any platform regardless).
It's nearly impossible to live in the modern world without either an iphone or android without making some major sacrifices e.g. I'd love to not use whatsapp but it's not an option because all of my friends and family use it
Ironic because the foundation of Android itself is built on open source.
Right, the key point here is most of the fundamental projects were never commercial in origin and had grassroots community or academic roots. Android is built on top of a student's hobby Unix clone.
> The resources it takes to maintain something like Android far exceeds what can be funded solely by donations and volunteers.
Um, no duh a corporate project requires corporate funding. Android was never a grass roots community effort.
Perhaps this could be regulated by law or executive power, but considering that governments themselves have created apps that depend on proprietary software, I am not too hopeful. But as long as the same "app" is accessible through a browser, this remains a minor inconvenience.
That's great and all but it's just a drop in the bucket of the amount of work needed.
When it comes to consumer hardware or software targeted at end users? I think such cases are pretty rare and far in between. Firefox had a brief stint of being popular in the late 2000s, Valve is doing some cool stuff with SteamOS/Proton but I can't think of much else off the top of my head.
Otherwise it's usually companies like Google or Apple which use OSS as a base layer for their closed down and proprietary platforms.
PostmarketOS is cool but it's a product niche targeted at a very tiny subset of consumers (just like Linux on desktop for that matter).
In my grad school days in the mid-90s I set up Linux because it let me write programs in a modern way, accessing all the available memory without jumping through hoops, etc. I would still switch to Windows for playing games, using Quicken, checking Usenet and email and browsing the web.
AOL not even being available on Windows and modem drivers for cheap-er hardware being Windows-only meant I had to switch back and forth (download on Windows, copy to a floppy, reboot, etc.). This sounds crazy today, but it worked "somewhat OK" for me to keep experimenting.
If we could somehow provide a similar environment for the phone, even jumping through hoops, this will enable enthusiasts to start seriously tinkering with their devices. But this is not easy -- both the hardware and the Android today place way more restrictions than much-vilified Microsoft and Intel did 30 years ago. And Microsoft tried very hard to snuff Linux out, wiping boot sectors and partition tables given half a chance; Google will be much more successful killing any dual-boot attempts now. My 2c.
In short, Linux was possible because the underlying hardware was open and standard.
Also, none of this impacts Linux, beyond the fact that IBM clones were ubiquitous by the time Linus started writing the kernel. If IBM clones weren't around, Linux probably would have originally run on an Amiga. It was very much expected that personal computers would run anything compiled for the CPU, mainly because the companies making them shipped very little software. I guess you could say that Linux was possible because there were PCs to buy - otherwise we'd be stuck with BSD or GNU running on computers we had to rent. But even then, what IBM did here was not directly open the floodgates to a Free OS, they just accidentally opened the floodgates to a bunch of companies entering the PC market by blatantly and legally ripping them off.
[0] Kulak is a Russian word for owners of rural land that refused to join the Soviet collectivization regime, which was then later applied to basically anyone accused of not meeting the hilariously awful production quotas Stalin put on shit. Despite this awful history, I'm appropriating the term because A) it's a good pejorative for land-owning nobility and B) it almost rhymes with Cook.
After many many years and many forks, yes. This is still clearly the right answer. Google didn't succumb to Apple and just accept things, they acquired Android and invested heavily in it. We are all grateful for that. BUT, we must also acknowledge that the time of the two horse race is over. And while OpenAI and many others are attempting to do various things, we can continue to invest and back alternatives that create a more fragmented market. Maybe they will not replace Android, that's fine, but you're not going to fix Android's problems without suing Google, which people are doing, or actively working on alternatives, which again people are doing. Change is coming.
But, I think the giants already know and accept this. The moat now is compute. A centralization of power back to the server, the rise of thin clients, and fat services.
So, it is a revolution but there's also counterbalancing forces. Still, we should ride that wave :)
The current problem with "Linux on phones" is the locked down nature of the hardware. For example, looking at PostmarketOS's support device list [0], sensors, Wifi, even phone calls don't work. Would what you're saying enable faster implementation of those support modules? (This would be really cool if possible).
[0] https://en.wikipedia.org/wiki/PostmarketOS#Supported_device_...
In that case (ie, if in order to be free we need to free the hardware, too), we need to create a hardware company that builds a phone from the modem/radio on up and owns every layer.
Obviously non trivial hahahahaha :)
AI is letting the world of bits move faster than before by exponentially reducing rework and sharing around the benefit of network effects from collective human knowledge. It's not touching hardware in the same way, and doesn't give us the same superpower.
edit: I guess the "easier" play is to convince an existing full stack phone hardware company to make us an OpenPhone that we can hack on because they believe in the inevitabilities of trends and consequences from AI and want to invest in that future. That would be cool? Any takers? Reach out cris@dosaygo.com
If you want to sponsor Waydroid to help make that happen, you can do so right now: https://opencollective.com/Waydroid (I'm not affiliated, just a fan, and it's the only realistic route to this I see).
Look at email. It’s technically open, but in reality there are a few large players who control the majority of it.
The only way open source phone software succeeds is if there is real money behind it and there is an attractiveness to it that makes people pay for it.
It's far easier for everyone if Google plays nice than to put in the work to unseat them and still keep app devs and users happy.
For me mobile OS are a broken mess, irrespective of Apple or Google, so I would love to have an alternative. Mobile phones are powerful devices that are severely handicapped by bad software. Restrictions are sold as security and there are a lot of people that even buy into these crap arguments. So much so that even legislation has adopted them to some degree.
But for hardware vendors to jump on another train, a new OS must probably offer something shiny. And the average user has no idea how easy it could be to interface your smartphone with other devices without needing some ad riddled vendor specific apps. I mean you can install an ssh client on your phone, but meh... That is more or less the only app I install these days.
Google has been gradually becoming more restrictive on Android openness, slowly but surely strengthening the thumb screws.
On the long term, the best thing to happen is for them to bang make it proprietary [1] while it is still free and liberal. The shock effect will be big, and the initial changes big, too. Such will motivate the right people. Open source devs, governments, legislators, people with executive powers within other companies.
But Google is too sneakily clever for that. So they go slowly, gradually. There won't be a shock effect, or if it happens it'll be a done deal.
This is how you turn a country into fascism, too. Slowly but surely, and then bang. It is all the small steps beforehand which matter, and this is why the Execute Order 66 quote from Star Wars is such a beautiful example in popular movie SF.
You can see how failed efforts for coups in democracies have failed recently because of checks and balances. South Korea is a recent example, but looking at the details it was a close call. In my opinion, the same was true for USA, and I don't know enough about the Brazil example.
[1] Yes, I realize Android is proprietary and AOSP is FOSS.
If I'm really lucky one of the open source Android forks will support my device. But my current phone is not supported by postmarketOS or GrapheneOS.
I don't want a world where the market can only support a dozen devices across 4 or 5 manufacturers.
Even if you could get some traction, you're gonna have a bad time getting banks to support this OS, at which point it will be useless for most users, preventing you from ever becoming profitable.
This already happened. Banks here in Brazil like to require an invasive piece of software (a browser "plugin", though it installs system services) to access their online banking websites. For a long time, this invasive software was Windows-only, so those of us using Linux had to either beg the banks to enable a flag to bypass that "security software" for our accounts, or do without online banking. The same for the government-developed tax software, which was initially DOS-only and then became Windows-only.
But nowadays, there is a Linux variant of that invasive banking "security" software, and that tax software became Java-only (with Windows, Linux, and MacOS installers, plus a generic archive for other operating systems). So things can change.
You call it blackpilling, I call it facing reality.
The real problem was never solved to begin with: all mobile devices require proprietary drivers to function at all. Because these drivers are proprietary, the only people in a position to make them compatible with an OS are the manufacturer's dev team; and they are only interested in compatibility with Google's proprietary Android fork.
When Google starts to release versions of its proprietary Android fork, any open Android fork (or other alternative OS) will have to reverse engineer that proprietary Android fork in order to match its compatibility with proprietary firmware blobs. This will need to be done for every device.
Imagine trying to find your way through a building while wearing a blindfold. It's much easier if you are able to study the original floor plan that building was modeled after, even if the building itself has a modified design. Google is taking away that floor plan.
The situation is already medium-bad: it would be trivial to use an alternative OS if drivers and firmware were open source. It would be relatively easy if drivers and firmware had open specifications. It's difficult, but feasible in the current situation, where drivers and firmware are closed spec, but designed to be compatible with a close fork of an open source codebase. It will be extremely difficult (and technically illegal in the US) to do when drivers and firmware are closed spec, and designed to be compatible with a closed source codebase.
YOU CAN, AND SHOULD, DO BOTH.
Just use your phone as a hotspot with a real computer for computing that you can and do own.
Let's say we beg Google to keep it open now, and they acquiesce.
So what?
Do you think this same drama won't repeat in the future?
Maybe governments worldwide could all fund the same OSS OS which benefits everyone. But right now I see zero incentives for any government to do it.
Many people bought Android phones because of the open capability. Even if you don't use it, just knowing you have an out is important.
And now Google is "altering the terms".
I regret having wasted a good part of my career supporting Google with the Android enterprise. They had some very good (technically and intentionally) people there, but it all got thoroughly corrupted.
With hindsight the only thing that kept them remotely honest was the Andy Rubin vs Sundar Pichai turf war, which at the time manifested as Android vs Chrome. Once that had a decided winner it was a recipe for serious trouble.
The only viable way forward for an open mobile OS is to fork Android as is. This is the only way to carry over anything resembling existing app support or all the work that goes into making a mobile OS actually work up to the level users expect. i.e. cameras through to hardware media CODECs and total system stability.
With both Android and Chromium, we're ultimately at Google's mercy.
btw, does anyone know if Huawei is following along with this in their fork?
Now I hate Google as much as the next person, but I also hate all the other Android manufacturers who just don't do better.
Ideally, major manufacturers would all contribute to AOSP to make sure that it runs well with their devices. And then we could install the "AOSP distro" we want, be it GrapheneOS or LineageOS or whatever the fuck we want.
> does anyone know if Huawei is following along with this in their fork?
They suck like all the other manufacturers: they forked as a quick solution, and then decided to go with their own proprietary codebase. If nobody else contributes, why would they make it open source?
What I see from the Linux experience is that the only way it works is to have a copyleft licence and a multitude of contributors. That way it belongs to everybody, and it moves too fast for one single entity to write a proprietary competitor on their own. But AOSP is not that: first it's a permissive licence, and only Google meaningfully contributes to it.
I was under the impression that we got that with GSI, including that Google required a device to support GSIs in order to be certified or something like that. Am I misremembering?
They are moving to their own completely proprietary OS called HarmonyOS NEXT.
As an iPhone user, I find it frustrating that deploying my own app on my own device requires either reinstalling it every 7 days or paying $100 annually. Android doesn't have this limitation, which makes it simpler and more convenient for personal use.
However, when it comes to publishing apps to the store, I take a different view. In my opinion, stricter oversight is beneficial. To draw an analogy: NPM registry has experienced several supply chain attacks because anyone can easily publish a library. The Maven Central registry for Java libraries, by contrast, requires developers to own the DNS domain used as a namespace for their library. This additional requirement, along with a few extra security checks, has been largely effective in preventing—or at least significantly reducing—the supply chain attacks seen in the NPM ecosystem.
Given the growing threat of such attacks, we need to find ways to mitigate them. I hope that Google's new approach is motivated by security concerns rather than purely economic reasons.
Personally I feel much more safe and secure downloading a random app from F-Droid, than I do from Google, whose supposed watchful eyes have allowed genuine malware to be distributed unimpeded.
I agree; stricter oversight is beneficial for the official app store. It should not be necessary (and neither should Google's (or Apple's, or Microsoft's, or the government's, etc) verification be necessary) for stuff you install by yourself.
> The Maven Central registry for Java libraries, by contrast, requires developers to own the DNS domain used as a namespace for their library.
This means that you will need to have a domain name, and can verify it for this purpose. (It also has a problem if the domain name is later reassigned to someone else; including a timestamp would be one way to avoid that problem (there are other possibilities as well) but I think Java namespaces do not have timestamps.)
> I hope that Google's new approach is motivated by security concerns rather than purely economic reasons.
Maybe partially, but they would need to do it a better way.
Making this verification mandatory is an absolute non-starter, ridiculous overreach, and a spit in the face of regulators who are trying to break Google and Apple's monopoly on mobile app distribution.
> However, when it comes to publishing apps to the store,
This isn't about publishing apps to the Play Store. If that's all this was about, we wouldn't give a shit. The problem is that this applies to all stores, including third party stores like F-Droid, and any app that is installed independently of a store (as an apk file).
> Given the growing threat of such attacks, we need to find ways to mitigate them.
How about the growing threat of right-wing authoritarian control? How do we mitigate that when the only "free" platform is deciding the only way anybody can install any app on their phone is if that app's developer is officially and explicitly allowed by Google?
Hell, how long until those anti-porn groups turn their gaze from video games and Steam onto apps, then pressure MasterCard/Visa and in turn Google to revoke privileges from developers who make any app/game that's too "obscene" (according to completely arbitrary standards)?
There's such a massive tail of consequences that will follow and people are just "well, it's fine if it's about security". No. It's not. This is about arbitrary groups with whatever arbitrary bullshit ideology they might have being able to determine what apps are allowed to be made and installed on your phone. It's not fucking okay.
In reality, the phone had 24 GB of free space out of 64 GB total. I simply uninstalled the fake cleaner and the annoying notifications disappeared.
How such an app could reach the Play Store is beyond me. I can only imagine how many people that app must have deceived and how much money its creators likely made. I'm fairly certain the advertisement targets older people specifically—those most likely to be tricked.
For better or worse, I'm pretty sure that such an app would never land into the Apple App Store.
This is not about the Play Store. This is about the whole Android platform. It's about running what you want on your own machine.
What are the requirements around domain renewal?
https://contact-the-cma.service.gov.uk/wizard/classify
It's very simple to submit a complaint.
Stallman did not find an economic model that works within our business/legal environment.
Maybe his biggest contribution is that his extreme stance and ensuing visibility probably helped shift the Overton window.
To be clear: this does not diminish his contributions in the field of software! His ideas about Free Software have been visionary and are as important as ever. One can be brilliant in one field and a fool in another. This is actually very common among technical people ("engineer's disease"). We cannot expect someone to be right 100% of the time.
The F-droid article states: "You, the consumer, purchased your Android device believing in Google’s promise that it was an open computing platform and that you could run whatever software you choose on it. "
This is an actionable issue. I believe this is a legally reasonable issue. If you buy a car and then the car manufacturer changes the car so you can only buy gas from them, or parts, that is an offense.
If you accept that users are wronged by Google's action, the problem is what can be done about it?
Wrongs committed by companies like Google, Apple, Amazon are difficult to fix because of failures in our legal system. The typical legal action is a class action suit. These typically result in large "settlements" with little real effect. Users get a notice that they are entitled to $40 but only if they jump through seven hoops. Lawyers on both sides make out like bandits. The offenders have little incentive not to be repeat offenders, just not to get caught again. This is an acceptable risk for corporations and so does not act as a deterrent.
There are state Attorneys General who can file anti-trust actions. The US government (ha ha) could file an anti-trust action. In my opinion neither of these are likely. And even if it happens, it will take years. And years.
A problem with these two legal solutions is that they rely on someone else. The result is that users are victims. We are all used to that by now.
Since we, as Android users, are legally entitled to compensation - is there another way to take legal action?
In most states the limits on small claims actions is between $3000 and $10,000. Well above the cost of an android phone. If there is one class action legal suit against google they can easily spend the money to defend it. And the time. They have the resources to do this.
However, what would happen if 1000 people filed small claims action, asking for a refund for the cost of their phone? Google is declaring war on users. They have their big legal tanks. Small claims are the equivalent of drones in the legal world.
We have the internet. We have AI. Can we generate reasonable and fair legal small claims court filings for each of the 50 states and put them online to help people?
We, the people, have learned helplessness. We need to learn something else or resign ourselves to simply being fodder for predatory actions by corporations.
Google was found to have a monopoly on android with the play store (even though you can side load other stores), Apple was found to not have a monopoly with the app store.
OK. But that is not the really bad part, the really bad part came from the appellate court this past July. Google pointed out that the Apple app store was ruled not a monopoly, but somehow Google's more open system was..
The judge, I am not shitting you, said that because Apple doesn't allow competitors on their phones, they cannot be anti-competitive. Google lost the appeal.
So now, clear as day, Google needs to kick out competition to be competitive. Good job legal system.
>This site may be associated with malicious activity or malware. Access to this site has been blocked by the Protective DNS Service Site: keepandroidopen.org Please contact your local Network Administrator or IT support if you require further assistance
But many more gadgets, while not cloud dependent, depend on an app. Think about any number of remote-controlled toys where the remote control is a phone app. Think, for example, about very expensive bicycle derailleur systems that can only be configured via app.
Already I've found very neat objects whose app has long faded from the app stores, but for Android at least, you can usually find a .apk and even ancient ones often still load and run. A recent example was that for an ancient parrot ar.drone that I got at a garage sale.
Since these gadgets and their apps precede this attestation thing, newer Android devices will no longer be able to run them. Then what? Keep an old Android device around and hope that it stays working as long as your expensive gadget?
- AOSP is no longer developed in the open (if it ever was) – source releases & security patches have been severely delayed lately.
- Pixel devices will no longer be the reference devices for AOSP, and it seems Google will no longer release their device trees in the future. In addition, Google could also lock down the Pixel's boot loader and thereby prevent installation of custom ROMs.
¹) Of course focus is important, so I get why they kept the page short & sweet. Besides, while the side-loading topic is an issue that might be interpreted as anti-competitive and that institutions like the EU might be able to do something about, with the other issues it's not as clear-cut, I think.
Edit: Oh I get it, "develop for the platform" means develop and distribute. Maybe it's just me, but seems like an important difference.
Everyone is still free to develop and distribute source code.
Android (to a lesser extent iOS) has become deeply embedded in the infrastructure of modern society. It is essentially a public utility and should be managed as such.
We also have PostmarketOS (alpine base) and Mobian (debian base) as frontrunners. Supposedly Arch Linux for ARM and openSUSE Tumbleweed are also used by some on mobile.
At least with 3p app stores they could have Gpay if the app developer wanted to, but now they will be pissed and can't build a 3p app anyway since users can't install it via 3p app stores.
The whole concept is meant to poke fun at the idea of me "checking up on her" (I file her tax returns) and the entire theme is 80s pimp styled.
Every time she submits something, she'll get a random pimp remark, like "Go get that money for me, girl!". She just rolls her eyes and ignores it, but it's what made it fun for me to work on it.
Edgy stuff like that could jeopardize my account in the near future. It might just be security now, but an automated "naughty words detector" will be an obvious next step.
I doubt I will invest any more time in hobby app development if I have to deal with some humorless overbearing watchdog telling me what I can and cannot install on my own device. Very sad to see Android following Microsoft's anti power user direction.
If they don't, they can sideload, and use F-Droid, and etc.
And then we can debate whether it should be default on, or default off, and how hard it should be to turn off.
(I do not use iPhone nor Android and I won't, even if they do fix these problems.)
Exactly the same.
GAFAM are controlling what you can and cannot install on your computer.
It's time for a broader law that goes beyond what is in the DMA (bootloader, OS, etc...).
Manipulation and deception tactics are particularly relevant in the internet age and they are Big Tech's standard modus operandi because it's found them to be such financially successful business models. Laws need to be enacted to prevent such exploitation as it is unreasonable and unacceptable for the psyche/reasoning of ordinary citizens to be pitched against such psychological might.
As so often happens with such authoritarian and manipulative dictates, this Google edict comes wrapped in the usual paltry excuse of security. Even Blind Freddy knows this excuse to be bullshit and that the real beneficiary is Google. The time has come for Android to be decoupled completely from Google.
It's tragic that despite a monopolistic finding against Google the Law didn't recognize the fact.
But for iOS, that did not work well so far, as I have zero apps installed via AltStore PAL (iOS), yet some apps via F-Droid (Android).
"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
Volkswagen Your Face
Vincent Wants Yummy Fries
Viewing Worked Yesterday, Frank
Voyeur Whom You Fuck
Veiled Widows You Fancy
Vore Website? Yes, Free!
-Your Friend
Google wants my apartment lease to let me distribute free games, so I just won't support their platform.
This is not about security, it's about control.
Someone suggested (I lost the link) flipping the script with a GLiNet Mudi hotspot with SMS forwarding (to e-mail); I really like this idea. It would be suuuper neat to play around with the tethered model: make SIP calls with a hacked Switch with Android installed / dedicated ruggedized VoIP phone for emergencies, or justify making and carrying a cyberdeck.
Personally, I'm hoping to revive my 3DS because I fell in love with the darn thing again (and its near infinite battery life). I heard you can make calls on the original DS with SvSIP, so suuurely that can work on the 3DS too. As a fellow gamer and android dev I'm sure you'd appreciate the idea.
I don't want a phone owned and controlled and spied on by governments and mega corporations. I want a Gibson-Neuromancer style obelisk disk blob thing that does Internet, Telephony, and Computer stuff and uses whatever I tether it to as the human interface.
Of course we know, but they always spin it as being about security.
It's not a lie if it is to secure their cashflow.
Edit: and to be clear, I’m against this change by Google. I think there is value in protecting grandma from sideloaded apps (if that even happens in the real world) but this isn’t about protection of consumers, it’s about centralised control of what you can and can’t do, in preparation for handing over the reins to an authoritarian government. ‘Security’ either to protect you from scams, protecting YouTube from third party apps, or preventing nation state hacking or similar will inevitably be the driving narrative.
My Linux phone is a PinePhone pro, which I believe is no longer being sold. It's not great. Phosh could generously be described as "in progress" last time I used it. UIs for many applications aren't built for small touchscreens like that.
I'd have to review the hardware market again if I were going to make a fresh recommendation. Librem looks cool conceptually, but they're a bit pricey, and their framing of a "Made in USA" variant as a premium feature rather than a red flag, a reputation risk, and a supply chain risk make me skeptical of whether Librem is a trustworthy entity at all, or might just be controlled opposition. That could just be me erring on the side of paranoia, though.
Which you'd think would be the first thing you'd put on there since Bluetooth pairing is extremely difficult to get right when you're using custom operating systems.
China will never let that happen.
I mean, the actual implementation will be that CCP signs Google DragonFly Global Root CA cert, and Apple runs Google signed firmware, but those are just minor implementation details.
I'm looking for a new phone and it's tough with the current state of things.
Also about contacting your government, what's the best approach? I'm in EU.
Actually, better, dumbphone.org and dump all financial/auth/chat apps to an old Android phone that costs some $200.
And still.
Original comment:
I don't want this. The App Store on iOS has its flaws, but it's a curated system that has a lot of checks in place to prevent malware. I have never felt unsafe on iOS and it's the primary reason I've not joined Android and the Play Store's wild west.
This is about only allowing play verified apps. Play store will remain whatever you think of it regardless of this move.
Isn't iOS a pinnacle of UI/UX loaded with most innovative features in the world backed by the most genius CEOs of all times?
Locks down how? This is literally how it is from the start. Ignoring the fact that it is completely unrelated to the topic, this is just wrong regardless.
It reminds me a bit of the book "The Constant Soldier", depicting Auschwitz guards and staff enjoying their carefree holiday at a nearby lake resort, before going back to burning people. Might seem like hyperbole, but I think we're rushing towards an ugly plutocracy.
People working for Google are not Nazis and people using Android phones are not like Auschwitz prisoners. That's a really terrible analogy.
In the EU we can report this to: comp-market-information@ec.europa.eu
State that: Google is abusing its dominant position on the market for Android-app distribution by “denial of access to an essential facility”. Google is not complying with their "gatekeeper" DMA obligations (Article 5(4), Article 6(12), Article 11, Article 15)
Attach evidence.
Financial penalty is the only way to pressure this company to abide by the law.
> [...] the Digital Markets Act (‘DMA’) obliges gatekeepers like Google to effectively allow the distribution of apps on their operating system through third party app stores or the web. At the same time, the DMA also permits Google to introduce strictly necessary and proportionate measures to ensure that third-party software apps or app stores do not endanger the integrity of the hardware or operating system or to enable end users to effectively protect security. [...]
They seem to be on it, but no surprise: it's all about Google's claims for "security" and "ongoing dialogue gatekeepers".
Freedom to use own hardware or software, no.
The only remaining good thing about Google is their Project Zero. They have become the same shit as every greedy company.
Google & others have slowly turned down the freedom dial over the years and we let it happen. People working for Google let it happen. I'm not aware of any inside movement protesting this like they protested against various social issues.
Security that you can't turn off is basically a prison.
What's the point of those changes? Does Google want to maintain its revenue from Play Store? Feels like a bad long-term decision, especially when Apple is releasing excellent phones.
I received _the_ most boilerplate "Thanks, bog off" response imaginable, which I presume is a good thing...
  Dear $NAME, 
  
  Thank you for your correspondence.
  
  We value people contacting us with information. This helps us to tackle anti-competitive behaviour and protect people and businesses from being disadvantaged by unfair practices.  
  
  What happens now?
  
  Our Digital Markets Team will now analyse your enquiry using our published prioritisation principles (https://www.gov.uk/government/publications/cma-prioritisation-principles). The Digital Markets Unit (DMU) will oversee a new regulatory regime, promoting greater competition and innovation in digital markets and protecting consumers and businesses from unfair practices.
   
  The CMA will continue to use its existing powers, where appropriate, to investigate harm to competition in digital markets. Please be aware that the CMA has no powers to take action or open a case on behalf of an individual customer or business (for example; to pursue compensation, refunds, or to intervene or adjudicate in disputes).
  
  We prioritise the cases that are most likely to make a real difference for people and the UK economy based on our available resources and the likelihood of a successful outcome.
  
  Can I get an update on my enquiry? 
  
  We are unable to give you an update on your enquiry.
  
  We find all enquiries useful to inform our current and future work. However, we offer no guarantee as to where or how your enquiry may be used.
  
  We do publish details of our cases on our website. You can subscribe to email alerts which will inform you when new information has been added.
  
  Will the CMA investigate my enquiry?
  
  We review all the enquiries that we receive. This helps us to understand:
  whether different industries in the UK economy are competitive
  if competition law is being broken
  if shoppers or businesses are being disadvantaged.
  
  Even if we don’t immediately investigate your enquiry, it may lead to us taking further action in the future.
  
  Do I need to do anything else?
  
  You do not need to do anything. If we need further information, we will contact you.
  
  Thank you again for taking the time to contact us.
  
  Yours sincerely
   
  Carol Sampson (she/her) | Enquiries Admin Officer | Strategy, Communications and Advocacy | Competition and Markets Authority
  The Cabot | 25 Cabot Square | London | E14 4QZ
It's pretty clear to me that Google's direction won't be going down this route, and in many ways I wish I knew about these before submitting my complaint. If you're reading this in the UK, consider looking at those guidance points and hammering home explicitly how this move by Google breaks those points – which, frankly, it clearly does (it is going to reduce choice and variety; it is also explicitly restricting competition and harming consumers!)
Anything that reaches a certain threshold of value to society and requires enormous effort to build and maintain has to fall back to a capitalist, for-profit, closed-source structure. That's all that's happening here.
Of course, small stuff like a software library that doesn't require much effort to build and doesn't provide much value can remain open-source. I personally think this obsession with open-source software is simply an obsession with communism and getting things for free, and not wanting to get rewarded for the value of the stuff you build, etc.
Except that both platforms (iOS as well as Android) were either born out of OSS or are still reliant on active development in such projects. They created nothing, they took something from the commons, polished it and are now rent-seeking. It was tolerated till they threatened to choke all competition and trap and rent-seek the entire world with their duopoly.
They did so legally and didn't break any rules. This is the game of capitalism, and the fact is, iOS and Android are extremely well built and developed, and no open-source project would ever come close to the hundreds of thousands of paid engineers that built iOS and Android.
You can either have capitalism and iOS and Android, or you can have communism and a society that is 10+ years behind in development. Do you really want to give up iOS 26 for a BlackBerry?
Android on the other hand is developed by thousands of engineers and is a much larger project in terms of monetary investment than Linux. Linux was essentially built by a single guy. Android could never have been built by a single person or even an open-source project. It's too massive.
However complex you think Linux is, it's just a kernel and doesn't require a conglomerate to build and maintain for billions of users. Android does, and those developers need to get paid for the massive value they provide.
Linux doesn't need a for profit company gate keeping it to ensure it is safe and secure. And even Windows doesn't prevent you from running any executable you choose from the internet. Why are phones treated differently?
The developers need to get paid. And the developers only get paid if the system is closed-source such that the revenue can only flow back to Google which is where the developers are hired at. In other words, yes it needs to be centralized, and the reason is the money required to build Android is just too much and therefore needs to be developed under a for-profit capitalist organization like Google.
This platform has the EXACT same problem as Reddit. People can just silence you before you had a chance of discussion. What a waste of fucking time. Instead of improving our world models of reality by having discussions, you can just silence others because you disagree. Remove the fucking downvote button! Just remove it, jesus fucking christ. Who thought this button was a good fucking idea?
I'm nearly out of this garbage. The same way I left Reddit long ago. X is the only platform that allows free speech.
>will not pass integrity checks
Those apps can add support for other integrity APIs. Operating system owners can fund this work to help their operating system gain marketshare.
This is a step in the right direction to keep people safe in my opinion. Most people around the world don’t understand the risks.
The topic here is Google nuking F-Droid from orbit, probably because it has NewPipe.
99% of all car accidents with real world consequences are caused by licensed human drivers, ergo, all licensed human drivers should be removed from roads.
Same argument. It's true, and simultaneously, it skips right past all of the ramifications of the proposal, even when the ramifications conceivably result in more harm than the original problem did.
https://en.wikipedia.org/wiki/G._K._Chesterton#Chesterton's_...
You are restricting a fundamental digital right in exchange for a minuscule reduction in risk.
Before they are allowed to make any comment on scams, they should clean up their own store first.