[matheusmoreira]

He's not wrong from a computer freedom perspective. GrapheneOS is actively hostile to things like complete root access. It blows a hole in the security model. It's also very much enabled by the exact same sort of user hostile cryptography that corporations use to lock down their devices. Things like hardware attestation which protects apps from us. We can't easily do things like MITM an app to reverse engineer it.

I still it's superior to any stock Android OS but the risks associated with giving up freedom for security must be considered. The ideal is to have security while simultaneously maintaining our power as the owners of the machine.

[strcat]

GrapheneOS only supports devices where users can have full control over the OS and replace it. Choosing to use GrapheneOS is fully optional and people who don't want a strong security model can use something else. Not clear how GrapheneOS in any way hurts people's freedom by giving them a highly private and secure OS option for devices which meet our requirements. We're working with an OEM on towards more devices meeting our requirements which will support using other operating systems too. If you want another OS, you can use one. If you want to modify GrapheneOS in any way you want, that's fully supported. We provide easy to follow build instructions. You can make a userdebug build with ro.adb.secure=1 if you want root access at the cost of security.

[fsflover]

> people who don't want a strong security model can use something else

You have a very special threat model, which you for some reason always call the best or the only one reasonable. In reality, depending on the user's threat model, your approach can fail miserably. For example, if my threat model includes that Google can utilize their control over the hardware to undermine my security, then your approach fails [0]. And this is a real-world example.

Don't get me wrong, I still agree that your approach is very secure, it should exist, and you're doing an amazing job for the Community. Just that you shouldn't behave as it's the only viable one.

[0] https://news.ycombinator.com/item?id=45208925

[matheusmoreira]

> Not clear how GrapheneOS in any way hurts people's freedom

It's not GrapheneOS itself that's doing this. It's technology like hardware attestation. Stock Android is rapidly becoming just as bad as iOS in this regard.

Remote attestation is a technology that enables discrimination against us. By using it, corporations can tell we've "tampered with" our own phones by doing things such as installing GrapheneOS. That's simply not a power I want them to ever have. They should be none the wiser.

The problem is they will abuse that power to deny service to anyone who isn't using a phone owned by corporations. GrapheneOS itself will probably be among the casualties. Bank apps work on it for now but there's no guarantee at all that they'll keep working in the future. Banks can just flip a switch and the apps simply stop working. No valid attestation that a corporation such as Samsung owns your phone? No service. Discrimination.

For corporations, device security means their app is secure from us. They should never be safe from us. That is my ideological point. We should be able to do anything we want, and they should be able to do nothing we don't allow.

I understand that you're doing your best to use this cryptography to protect us. I really respect the work that's being put into GrapheneOS. In fact I'd be using it right now if I could get my hands on a Pixel.

I'm just saying this hardware attestation technology enables discrimination against us.