@cyberlyra @GrapheneOS @fabio echoing the building everyone up part, those gorillas will tear us apart if given half a chance.

@joshua @cyberlyra @fabio Jolla is a for-profit company misleading people about what they're providing. Their OS has extraordinarily poor privacy and security compared to the Android Open Source Project or iOS. Their own OS code is mostly closed source and there isn't an open source subset that's usable. Jolla has spent years falsely claiming the Android Open Source Project isn't Linux and misleading people into believing a largely closed source distribution is more open than an open source one.

@joshua @cyberlyra @fabio They've misled people about privacy and security to an extreme, convincing people that a device lacking a proper sandbox, permission model, exploit protections, widespread use of memory safe language and many modern security features is more private and secure. They have their own invasive services too.

Informing people about the reality of their products is our response to years of misinformation about the GrapheneOS project from their team and community.

@joshua @cyberlyra @fabio

> We should be building each other up, not tearing each other down.

Companies selling phony privacy products which do not provide basic privacy or security patches, do not have a modern privacy/security model and do not have modern exploit or privacy protections aren't above being criticized due to portraying themselves as part of open source. They've put massive effort into misleading people about the Android Open Source Project and OSes like GrapheneOS based on it.

@GrapheneOS @joshua @cyberlyra @fabio huh, you're being pretty bloody aggressive. What exactly is your major beef?

Jolla is a for-profit company. I would expect most companies to be for-profit so as to continue operating. When has Jolla stated AOSP isn't Linux?

The OS has sandboxing and a permission model. What invasive services?

Personally I'm most interested in whether an OS can offer a beneficial experience. Given your tact against a small company, I would now rate you lower.

@Setok @joshua @cyberlyra @fabio

> aggressive

We're responding with factual information to a thread with misinformation about GrapheneOS promoting an unsafe product as a better long term alternative.

> for-profit so as to continue operating.

Organizations don't need to be run primarily based on earning profits for shareholders to continue operating. An organization doing that is not putting their users first.

> When has Jolla stated AOSP isn't Linux?

It's a core part of their marketing.

@Setok @joshua @cyberlyra @fabio

> The OS has sandboxing and a permission model. What invasive services?

It has incomplete optional sandboxing and a very legacy approach to a permission model.

It doesn't provide proper privacy or security patches, doesn't have modern exploit protections, doesn't have full system MAC/MLS policies, lacks verified boot, lacks secure element integration needed for working encryption for most users and more, lacks broad use of memory safe languages and much more.

@Setok @joshua @cyberlyra @fabio SailfishOS has been marketed through pretending AOSP and operating systems based on it aren't Linux. They've misrepresented what they offer as more open when their code is largely closed source. We have every right to address inaccurate claims about GrapheneOS from a company and their supporters. If people claim GrapheneOS is a dead end and worthless to promote products, why shouldn't we be welcome to respond to that with factual information about both OSes?

@Setok @joshua @cyberlyra @fabio If only these companies and their supporters were capable of marketing their products without putting down GrapheneOS, we wouldn't be talking about it in the first place. If it's happening enough then we'll make an article about it which can be improved over time and shared instead of mostly writing case-by-case responses.

@GrapheneOS @joshua @cyberlyra @fabio please point to where Jolla has made any claims about GrapheneOS.

@GrapheneOS @joshua @cyberlyra @fabio we can quibble the details, and it's up to users if those details are important. I'm sure your product is particularly safe on privacy. Second to none, in fact (it is, after all, your core value prop). But I hope you can thus admit that it is not factually correct to state unequivocally that they don't have sandboxing or a permission model (as you did).

@GrapheneOS

"We're responding with factual information"
+
"It has incomplete optional sandboxing"

vs

"Every application, irrespective of its origin, is run in a Sailjail sandbox with an explicitly assigned set of application permissions to limit the scope of malicious activity achievable by exploiting a possible vulnerability in the application."

https://docs.sailfishos.org/Reference/Security/

@Setok @joshua @cyberlyra @fabio

@GrapheneOS

"We're responding with factual information"
+
"lacks secure element integration"

vs

"Sailfish OS includes a system service (extensible via vendor-specific plugins) which offers secure storage of data on behalf of client applications. [...]
Data storage is provided by vendor-specific plugins, and may include value-encrypted databases, block-encrypted databases, or hardware-backed secure storage."

This does read quite similar to "secure element integration" to me.

https://sailfishos.org/develop/docs/sailfish-secrets/

@Setok @joshua @cyberlyra @fabio

@troed @Setok @joshua @cyberlyra @fabio Providing very limited support for apps using a hardware keystore is not providing secure element integration in the OS. That's not providing working disk encryption for the majority of users not using a strong passphrase via secure element throttling. It's not providing verified boot or attestation for the OS. Hardware keystore also does not mean secure element. Most hardware keystores on mobile are implemented via TrustZone which is a CPU execution mode.

@troed @Setok @joshua @cyberlyra @fabio This is an optional sandbox implementation with incomplete containment of applications and an incredibly legacy approach to granting access to those. It's not a mandatory sandbox for applications, is not a modern sandbox actually properly containing those and does not provide a proper permission model. You're only proving our point by linking to these primitive and incomplete implementations of things which are playing catch-up to Android 4.4 from 2013.

@GrapheneOS

How is "Every application, irrespective of its origin" optional?

@Setok @joshua @cyberlyra @fabio

@troed @Setok @joshua @cyberlyra @fabio You should do basic research on how it's actually implemented. The containment is incomplete and optional.

@GrapheneOS

You're the one claiming to only post facts saying it's optional. Thus it is you who should explain how that is since the Sailfish documentation I have cited seems to disagree.

@Setok @joshua @cyberlyra @fabio

@GrapheneOS @joshua @cyberlyra @fabio you were responding to someone who wasn't even talking about your product, and with a highly negative tone. Definitely looks aggressive.

Jolla has very obviously other goals than 'pure profit at any cost'.

I've been tracking Jolla since Day -1. Can't remember them ever talking about AOSP publicly. I'm sure I might've missed something. Their website doesn't mention AOSP anywhere. So hardly 'core'.

I feel you're merely shining a bad light on yourself here.

@GrapheneOS @Setok @joshua @cyberlyra @fabio graphene account posters please hear me: I am one of your full-throated fans... But why the HECK are you coming out of the gate all aggro?

I agree with many of your points, but have we not seen how fast attitude and arrogance can scare people off?

C'mon let's start out civil OK?

@john @Setok @joshua @cyberlyra @fabio There's nothing civil about the personal attacks being made towards our team by multiple people in this thread participating in Kiwi Farms harassment claiming one of us is insane, delusional, paranoid and more. That's ongoing on the SailfishOS forum which is linking here where people are referencing harassment content.

Jolla should do something about their forum being used to direct hate towards us with false claims and personal attacks towards our team.

@GrapheneOS @Setok @joshua @cyberlyra @fabio did any of the people in this thread do those things?

Post a link here if they did, I want to know!

If not, don't alienate more folks OK?

@john @Setok @joshua @cyberlyra @fabio

> did any of the people in this thread do those things?

Yes, our statements have been repeatedly misrepresented and lied about here. Our team has repeatedly been personally attacked, including references to ongoing harassment. Here's the SailfishOS forum thread directing people here:

https://forum.sailfishos.org/t/sailfish-os-clarifying-claims-about-open-closed-source-security-and-privacy/25933

There are multiple posts there making personal attacks with libel/bullying using one of our real names and referencing harassment content.
