When comparing against something like a Pixel running GrapheneOS, it's honestly a bit more puzzling to me. Granted, I'm definitely not the audience for this, but with G_OS you can do most things that a regular phone can do, without taking several minutes to install Firefox.
As much as I love privacy (going as far as having a semi-random username), this phone is a bit puzzling. I hope someone can throw more light on this.
I'm not familiar with GrapheneOS but I assume it follows the usual model when repurposing Android devices of taking various closed source blobs (i.e. drivers etc) and rebuilding the open source bits around them? If so, this approach usually locks you into a Linux kernel version to remain compatible with the blobs which limits you on kernel features and fixes as well as who knows what exposure the blobs have to offer, which also will likely never get updates.
Sticking to an LTS kernel branch for the lifetime of the device isn't due to anything closed source. GrapheneOS only supports devices with proper security support for all the firmware, drivers, etc. and again there are no closed source kernel drivers. We can support pretty much any mobile device with alternate OS support since any serious one will have AOSP support. Most devices have lackluster security and don't meet our requirements. We're working with a hardware vendor to get a non-Pixel phone actually meeting reasonable security requirements.
Librem 5 has a bunch of components where they are not shipping updates. You have things very much backwards on that front. The Librem 5 does not come close to meeting the security requirements to run GrapheneOS. It has a bunch of poorly secured and insecurely configured legacy hardware often without proper updates available, components that are not properly isolated via IOMMU, no secure element or all the stuff that comes along with that (HSM keystore with a nice API used by apps, Weaver to make disk encryption work for users without a high entropy passphrase like 7 diceware words, insider attack resistance, working attestation not depending on hard-wiring hashes and a lot more) and many other things. The OS they use has a near total lack of any systemic overall privacy/security work or privacy/security model and only falls further and further behind. The most exciting feature for securing devices right now is hardware memory tagging support in ARMv9, but there are years and years of tons of important privacy/security work done in a systemic way across hardware/firmware/software which are missing there before worrying about stuff like that.
Marketing something as private/secure and spreading tons of misinformation and outright lies about the mainstream options doesn't make it secure or more secure than those. It's actually pretty funny that they mislead people about the isolation of hardware components like the cellular baseband in other devices when the vast majority of mainstream phones (iPhone, Pixel, Qualcomm SoC devices, Exynos SoC devices) have it done quite well when they don't. Strange that they get away with these games of misrepresenting things, hiding the fact that they still have entirely proprietary hardware and near entirely proprietary firmware for the SoC and other hardware components, etc. Hiding proprietary stuff doesn't make it go away. Not updating it doesn't make it go away and simply ensures a highly insecure device.
I ran AOSP builds for years and that's a half-truth at best. Sure for the kernel proper, you have the source. However, there are a fair number of closed source drivers for the GPU, modem, wifi etc. From the GrapheneOS Wikipedia page[1] it sure looks like they're following this model.
If I am mistaken and there is a miraculous state-of-the-art SoC with completely open source drivers being used by a major handset maker, do tell. You'll be a hero in the open source world for pointing out something everyone else has overlooked.
> Sticking to an LTS kernel branch for the lifetime of the device isn't due to anything closed source.
It has everything to do with things being closed source. Try doing a Linux kernel major version upgrade with binary-only drivers for key components sometime. It sounds like the only reason GrapheneOS works is because they're 'drafting' off of the kernel and driver work done by Google, not that they've cracked that particular nut themselves. Nothing wrong with that, but it does limit the useful life of a device to the first major security issue they can't fix due to a lack of source code.
Regarding the rest of your response, you're assuming that I was speaking to the Librem 5 specifically, I was not. Notice that I was only speaking about the goal of a 'pure' Linux phone since that was what seemed to be being asked about. Personally, I have a PinePhone[2] and wasn't interested in rehashing the various issues with the Librem 5.
[1] https://en.wikipedia.org/wiki/GrapheneOS
[2] which itself is far from perfect, but comes a lot closer to being a 'pure' Linux phone.
As stated earlier, there are no closed source kernel drivers for AOSP, GrapheneOS or even most mainstream Android devices running the stock OS.
The reason for using an LTS kernel branch with 6 years of support from kernel.org is stability. Porting forward the drivers to each new kernel release is entirely possible and isn't a lot of work when it's done incrementally. Not that many changes are even required. The issue is that there are substantial regressions in each Linux kernel release and it takes at least 4 months or more to get a production quality kernel for a specific hardware target with nothing break, the massive CTS/ITS/VTS passing, etc. Pixel 6 uses the Linux 5.10 kernel branch which was the latest at the time, and those LTS branches have 6 years of support from kernel.org and expanded support with more bug fixes / security enhancements / other improvements via the AOSP common/generic kernel. It's entirely possible to move to a newer LTS branch. There are no closed source kernel drivers. Is it worth the time, when newer LTS branches have substantially more attack surface and tons of regressions that are going to need to be detected/fixed? Bear in mind it would not expand the lifetime of devices at the moment, time several hardware components won't receive more than 6 years of firmware support.
There are already people who have gotten the mainline 5.15 kernel working with the Pixel 6, but from 5.10 to 5.15 there are a lot of regressions, and there's a lot of new attack surface. There's a reason that ONLY the Pixel 6 among the Pixel family has been vulnerable to several serious core Linux kernel vulnerabilities disclosed in the past few months including the branded dirty pipe vulnerability. There are both advantages and disadvantages to using a newer LTS branch. Unfortunately, one of the disadvantages is that there are more bugs overall, including more vulnerabilities overall. Many software projects mature over time and the rate of finding vulnerabilities goes down. That's not the case for the Linux kernel. It's having vulnerabilities introduced at a faster pace than they're fixed. It isn't better from a security perspective to use the 5.15 LTS rather than the 5.10 LTS, especially with the additional changes backported by AOSP including security enhancements like mitigations, not just bug fixes. It may be a good idea to move to the new LTS branch once it has matured for 1-2 years, but definitely not months after release.