I was simply following the standard convention of saying "Linux" to mean the entire OS that is found in popular distros like Debian, Arch and Fedora, whereas people generally say "Linux kernel" to refer to just the kernel. Saying "GNU/Linux" is problematic because most distros contain software which isn't part of GNU and isn't approved by the FSF, but I will use that term for lack of a better one.
By the way, it is just as problematic to say that GrapheneOS is "Linux" because GrapheneOS is using a kernel which has been substantially modified by Google, and Qualcomm's drivers for the Snapdragon which GrapheneOS uses are only designed to support an Android kernel, not a mainline Linux kernel. GrapheneOS doesn't use mainline Linux kernels and it usually takes 3-4 years for the mainline kernel to fully support new Snapdragons after they are released, so I don't know why you are even bothering to make this argument.
> There's a far larger and better ecosystem of open source apps for Android than there is for the products that you're marketing...
Just to be clear, I'm simply a customer of Purism and PINE64 who owns the Librem 5 USA and PinePhone, so I don't represent these companies and I'm not marketing their products.
I'm not sure whether there is a larger ecosystem of open source apps for Android rather than the GNU/Linux distros that run on the Librem 5 and PinePhone. If we are talking about apps which are designed to run on mobile phones, then you have a point, since it will take a while to adapt all the desktop software to be mobile-friendly, but Kirigami or libhandy/libadwaita is getting added to a lot of GNU/Linux desktop software to make it adaptive. Google purposely does not label software with FOSS licenses in the Play Store, so it is hard to count the number of FOSS apps for Android. I count 4472 apps in F-Droid (https://f-droid.org/repo/index-v1.jar), whereas Debian 11 "bullseye" (which is what PureOS and Mobian are based on) has 59,551 packages. I know that not all FOSS apps make it into the F-Droid repo and the Debian repo includes the entire operating system and many of its applications use multiple packages, so we are comparing apples and oranges, but I don't see much evidence that the Android FOSS ecosystem is "larger and better" than the GNU/Linux ecosystem.
I often find that I need to install proprietary apps when using LineageOS because I can't find what I need in F-Droid, whereas I generally don't install proprietary apps in my GNU/Linux systems, so from that point of view, GNU/Linux is "better". Also a sizeable number of the FOSS apps that I encounter in F-Droid contain some code which was originally written for GNU/Linux, whereas I rarely find code in GNU/Linux which was originally written for Android.
> This is not accurate. It still has an SoC with a ton of components aside from the SoC despite your inaccurate claim that it doesn't, and those components still need to be isolated with an IOMMU.
I stated that "the Librem 5 doesn't need an IOMMU" to isolate the WiFi/BT, cellular modem, GNSS and USB controller, but in case you are worried, the i.MX 8M Quad SoC in the Librem 5 does have a Resource Domain Controller (RDC), Arm TrustZone and On-chip RAM (OCRAM) secure region protection, which does isolate the CPU, GPU and VPU. See section "3.2.2.4 Resource Domain Control and Security Considerations" in the "i.MX 8M Dual/8M QuadLite/8M Quad Applications Processors Reference Manual". (NXP requires registration to download the manual.)
> Those are minimum guarantees of full security updates, not end-of-life dates and the number of days you get those for the Librem 5 is ZERO. The only recommended devices for GrapheneOS are the Pixel 6 and Pixel 6 Pro, which means that there is at least 5 years of full security updates for the devices we support.
The GrapheneOS FAQ lists the Pixel 3a released in May 2019 as a "supported" device, but the Pixel 3 released in October 2018 is listed as "end-of-life" because it no longer gets full security updates, so that tells me that most people are using GrapheneOS on devices that have a 3 year lifespan.
I downloaded the Pixel 3a's "bonito" kernel (https://github.com/GrapheneOS/device_google_bonito-kernel) and I see that it is using kernel version 4.9.292. Mainline Linux 4.9.292 was released on 2021-12-08 and 4.9.0 was released on 2016-12-11. Call me crazy but I prefer to use an up-to-date mainline kernel rather than one that is over 5 years old and takes 3 months to get the latest security patches from kernel.org. (To be fair, I should mention that the Librem 5 isn't yet fully supported in mainline Linux, so you can't run the latest mainline kernel on day one of its release, but the Purism devs say that mainline support is coming.)
> Your claim of lifetime security updates is completely bogus and demonstrates the extreme lengths Purism goes to in order to mislead people and profit from it.
Purism says that it went way over-budget trying to develop the Librem 5 and its software, which is why it has been raising its prices. Considering the roughly 20 companies that lost their shirts in the past when trying to develop mobile Linux, it is unrealistic to think that Purism is doing this for profit. (See: https://amosbbatto.wordpress.com/2020/07/17/mobile-linux-tra...)
Granted that NXP will stop providing firmware updates for the i.MX 8M Quad in 2033, and I expect that the firmware updates will end much sooner than that for the RS9116 WiFi/BT, BM818 cellular modem, Tesio-Liv3 GNSS, etc, but there is no reason to not expect lifetime software updates, because the Librem 5 should soon have mainline Linux support. Purism has worked hard to upstream its code changes to parent projects (Linux, wlroots, geoclue, ModemManager, GTK, GNOME libraries, GNOME applications, etc.), so that future releases of these projects should run on the Librem 5 with minimal work. Phosh was designed as a thin overlay on top of standard GNOME libraries and applications (which have substantial support from IBM/Red Hat, SUSE, Canonical and Google) and roughly 176k of the roughly 250k lines of code that Purism has created for the Librem 5 are now incorporated as official GNOME projects. (see: https://amosbbatto.wordpress.com/2021/12/15/amount-code-libr... ) What this means is that it shouldn't cost Purism much to keep providing future software updates. In addition, postmarketOS and Mobian developers are now participating in the development of Phosh which has become the most popular interface among PinePhone users, so even if Purism dies as a company, it is likely that the community will maintain the interface. For more info, see: https://source.puri.sm/Librem5/community-wiki/-/wikis/Freque...
So then Alpine Linux isn't Linux either? That's not a standard convention at all. It's a way of misleading people, and you're doubling down on it.
> By the way, it is just as problematic to say that GrapheneOS is "Linux" because GrapheneOS is using a kernel which has been substantially modified by Google, and Qualcomm's drivers for the Snapdragon which GrapheneOS uses are only designed to support an Android kernel, not a mainline Linux kernel. GrapheneOS doesn't use mainline Linux kernels and it usually takes 3-4 years for the mainline kernel to fully support new Snapdragons after they are released, so I don't know why you are even bothering to make this argument.
Why are you specifically talking about Snapdragon when the current generation and only recommended devices use the Exynos-based Tensor SoC? Current generation devices are using Generic Kernel Images and DO NOT have substantial modifications to the kernel. It's entirely possible to use the kernel.org LTS releases.
GKIs have a stable ABI for kernel modules, and all of the kernel modules for all the generations of devices were already open source despite inaccurate claims to the contrary here.
> Just to be clear, I'm simply a customer of Purism and PINE64 who owns the Librem 5 USA and PinePhone, so I don't represent these companies and I'm not marketing their products.
You're marketing their products and are heavily involved in spreading misinformation about AOSP and GrapheneOS. We consider you to be malicious and you're now involved in spreading libel about our developers. There will be a response to that if you continue down that path. It's likely that you're financially tied to them.
Please stop contacting our project members and refrain from involvement in our community going forward. It will be considered harassment and will be responded to as such.
> I'm not sure whether there is a larger ecosystem of open source apps for Android rather than the GNU/Linux distros that run on the Librem 5 and PinePhone. If we are talking about apps which are designed to run on mobile phones, then you have a point, since it will take a while to adapt all the desktop software to be mobile-friendly, but Kirigami or libhandy/libadwaita is getting added to a lot of GNU/Linux desktop software to make it adaptive. Google purposely does not label software with FOSS licenses in the Play Store, so it is hard to count the number of FOSS apps for Android. I count 4472 apps in F-Droid (https://f-droid.org/repo/index-v1.jar), whereas Debian 11 "bullseye" (which is what PureOS and Mobian are based on) has 59,551 packages. I know that not all FOSS apps make it into the F-Droid repo and the Debian repo includes the entire operating system and many of its applications use multiple packages, so we are comparing apples and oranges, but I don't see much evidence that the Android FOSS ecosystem is "larger and better" than the GNU/Linux ecosystem.
This is another demonstration of how unserious you are about remotely sticking to the truth where you venture off into claims that aren't even remotely plausible. F-Droid is a tiny subset of the overall open source Android app ecosystem. Again, it doesn't even have Signal, Firefox, any Chromium-based browser or MANY other widely used open source apps, let alone non-widely-used ones. I have no clue why you're referring to the total number of packages in Debian as anything to do with the number of mobile applications. It's another completely, thoroughly dishonest misrepresentation of the truth.
> I stated that "the Librem 5 doesn't need an IOMMU" to isolate the WiFi/BT, cellular modem, GNSS and USB controller, but in case you are worried, the i.MX 8M Quad SoC in the Librem 5 does have a Resource Domain Controller (RDC), Arm TrustZone and On-chip RAM (OCRAM) secure region protection, which does isolate the CPU, GPU and VPU. See section "3.2.2.4 Resource Domain Control and Security Considerations" in the "i.MX 8M Dual/8M QuadLite/8M Quad Applications Processors Reference Manual". (NXP requires registration to download the manual.)
It does not isolate either the on-SoC or off-SoC components in a remotely comparable way to Snapdragon, Exynos or Tensor. It's also not configured for production use and security properties which could have been provided are far from all being provided.
> The GrapheneOS FAQ lists the Pixel 3a released in May 2019 as a "supported" device, but the Pixel 3 released in October 2018 is listed as "end-of-life" because it no longer gets full security updates, so that tells me that most people are using GrapheneOS on devices that have a 3 year lifespan.
The current generation devices have a minimum of 5 years of support, as has already been stated. The Pixel 3 still receives GrapheneOS updates. It's considered a legacy device as the Librem 5 would have to be considered a legacy device already due to inability to reach the current Android security patch level for many reasons. This was already stated multiple times, and you're once again doubling down on inaccurate claims.
> I downloaded the Pixel 3a's "bonito" kernel (https://github.com/GrapheneOS/device_google_bonito-kernel) and I see that it is using kernel version 4.9.292. Mainline Linux 4.9.292 was released on 2021-12-08 and 4.9.0 was released on 2016-12-11. Call me crazy but I prefer to use an up-to-date mainline kernel rather than one that is over 5 years old and takes 3 months to get the latest security patches from kernel.org. (To be fair, I should mention that the Librem 5 isn't yet fully supported in mainline Linux, so you can't run the latest mainline kernel on day one of its release, but the Purism devs say that mainline support is coming.)
The Pixel 3a / Pixel 3a XL are on the March 2022 Android security update including for the kernel and have additional patches backported to them. Their kernel is based on the Android Common Kernel, which is only indirectly based on the kernel.org releases. Ubuntu doesn't use the kernel.org releases in general at all and that does not mean their kernels are less secure, just because they do not update to newer kernel.org releases because there are none for their kernel branch, which they maintain themselves. This is how Linux works across distributions. Can you name one distribution directly shipping kernel.org releases without patches? Even Arch Linux doesn't do that.
A subset of the kernel.org changes is shipped by AOSP on a monthly basis with additional backports by GrapheneOS. The kernel.org releases are shipped by AOSP as part of the quarterly updates, they get shipped approximately every 3 months. GrapheneOS is fully capable of shipping the latest kernel.org releases but we found that there are too many regressions including security regressions and we stopped shipping them faster than AOSP for most devices. The current generation devices, which for some reason you feel like ignoring in favor of 3 year old ones use Generic Kernel Images and can be trivially updated to the latest kernel.org LTS without any changes since there are ZERO device-specific changes to the kernel. Maybe you should stop trying to make dishonest and misleading comparisons by comparing the latest generation of one device to 3 generations ago for another device, while adding in your own inaccurate claims to that.
For your information, the Pixel 3a has not been vulnerable to many of the most recent serious recent kernel vulnerabilities unlike the Pixel 6 because it's on the 4.9 branch instead of the 5.10 branch. The 5.10 branch has massively more complexity, attack surface and does not offer substantially improved security. The new mitigations in the Android 5.10 common kernel.
The Librem 5 is incredibly low-end hardware with many corners cut being sold for now 1299 USD. You go across platforms marketing their products with thoroughly dishonest claims and spin. It's highly likely that you have a financial stake in the company's products because nothing else would explain your devotion to so thoroughly misleading people and marketing their products across many platforms.
> Granted that NXP will stop providing firmware updates for the i.MX 8M Quad in 2033, and I expect that the firmware updates will end much sooner than that for the RS9116 WiFi/BT, BM818 cellular modem, Tesio-Liv3 GNSS, etc, but there is no reason to not expect lifetime software updates
It's a completely false and outrageous claim that it will receive 'lifetime' updates but I see now that you're narrowing it down to simply receiving INCOMPLETE support/updates for the software indefinitely which applies to anything where you can install another OS and you're simply admitting to your explicit attempt to mislead people.
Not receiving firmware updates for every component, which is already the case today, means it's end-of-life. The Librem 5 is already end-of-life by the definition implemented by GrapheneOS. It cannot reach the current Android security patch level. There is no Android security patch that it could reach, since even the earliest ones required avoiding security weaknesses which are unavoidable on that hardware. It's a highly insecure device and no amount of your / Purism (likely one and the same) dishonest marketing is going to change that.
Linux kernel updates in no way guarantee security support for all the drivers, etc. which are being used, and there is no such guarantee for any of the device support code in userspace or any of the userspace projects. Security updates are not provided for many Debian packages. Only a subset of the security fixes get backported in the first place to those that are supported. Using Debian in no way implies getting indefinite or even current security support.
Any further contact with the GrapheneOS project or project members on your part or any further attempts to spread misinformation about it will be considered harassment as I already said earlier. We aren't interested in communication with you. If you don't stop contacting us, spreading libel about our project members and misinformation about our project, we'll begin contacting organizations/projects where you're involved about the harassment and malicious behavior across platforms towards an open source project.
Anyone can look at https://news.ycombinator.com/threads?id=amosbatto and see that you're heavily involved in marketing and providing customer support for Purism, which unfortunately involves spreading a lot of misinformation about both Purism's products, the company and about other open source projects which you aim to steer people away from and towards buying their products. We've already requested that Purism avoids contacting us and trying to harm our product. That extends to you too. You need to stop. This is your final warning.
As I already stated earlier, if you continued to spread misinformation, an article will be posted on our site with all the information that I posted here and more. That's going to be happening now. If you continue, then there will be a response directed towards you personally too, because you have made it personal with the libel that you and other Purism employees/associates have regularly spread about us across platforms.
Let me state for the record that I have no financial stake in Purism, and I do not represent the company. I am simply a customer of the company who tries to correct the misinformation that I see being posted about the Librem 5 on public forums like this one, because I think that Purism is doing important development work for mobile Linux. I am using my real name "Amos Batto", and anyone who does a simple internet search can find my personal blog, my GitHub page, my Facebook page, etc. and verify who I am.
> If you don't stop contacting us, spreading libel about our project members and misinformation about our project, we'll begin contacting organizations/projects where you're involved about the harassment and malicious behavior across platforms towards an open source project.
This is ludicrous. You posted information which I consider to be incorrect about the Librem 5 on this forum and at r/Purism. When I responded to correct the record, you accused me of engaging in "harassment and malicious behavior across platforms towards an open source project".
Everyone can see your behavior and it fits a consistent pattern. You go out of your way to criticize other open source projects on public forums. Then, when people try to respond on the technical points, you accuse people of harassing you and trying to harm your project, which is simply not true. Responding to the technical points that you raised on a public forum is not an attempt to "contact" you or members of your project and it certainly is not "harassment" as you term it.