On Tue, 2016-06-28 at 12:11 -0400, Greg Troxel wrote:
> I see that there is some joint Guardian/CopperheadOS/F-droid notion,
> which makes sense. I don't see any lists for CopperheadOS, although I
> have seen some tweets about making CopperheadOS more accessible to
> those wanting to get involved in development, but I'm finding it a
> little hard to follow as a user. So I am sending comments here. Much
> of this is really a request to add answers in the docs.
>
> * device support
>
> I think it's unfortunate that the Nexus 7 (2013) is not supported. I
> realize there are perhaps technical reasons and definitely there is
> limited effort available, but it seems like there are a lot of them
> out there. I bought one to use for testing before upgrading my phone;
> this made it more comfortable to move from Google-provided ROMs to
> CyanogenMod. (Perhaps I just need to get used to buying new hardware
> every few years even though the old hardware is ok; I realize that's
> an issue far bigger than CopperheadOS.)
>
> The Nexus 5 is marked deprecated at
> https://copperhead.co/android/docs/install
> but it doesn't say why. I tend to use old computers, so the Nexus 5
> seems fairly recent to me.

The Nexus 5 and Nexus 7 are both 32-bit and lack verified boot. They also aren't going to be getting Android N from Google, which means it will no longer be possible to provide proper support after October. There's no scenario in which CopperheadOS gains Nexus 7 support, and the only way Nexus 5 support would continue is via a separate legacy branch following Google's security updates as long as they provide them. It would be a poor use of the extremely limited resources.

> It might be nice to give advice about buying a phone specifically to
> run Open source/hardened AOSP; it seems like 5X or 6P is the right
> answer, with 6P costing more and likely to last a year more than the
> 5X before being desupported.

The 5X and 6P were released at the same time, and there's no reason to think that one would be supported longer than the other.

> * AOSP base
>
> At
>
> https://copperhead.co/android/docs/technical_overview
>
> it is not clear which versions of AOSP are in use, and what the plan
> is for the future. I realize I may not understand AOSP versioning as
> well as I should, but it would be good to aim things at someone who
> is a CyanogenMod user, at most.
>
> I think the situation is that CopperheadOS is based on Android
> 6/Marshmallow. But the mr/dr split is unclear to me.

The CopperheadOS releases match the stock releases. It's based on the latest stable tags. AOSP uses different branches for some devices, and CopperheadOS follows those branches. The devices supported upon the release of Marshmallow began on the mr1 branch, which then became mr2. The Pixel C was released after Marshmallow, so it uses device-specific branches adding support for it. The 5X and 6P moved to dr1.5 from mr1 and then to dr1.6 at the same time as the mr1 to mr2 migration. If you want details on why, you'll need to ask Google. The dr1.5/dr1.6 branch brought a bunch of performance improvements and some other changes not present in mr1/mr2.

> * stable/development branches
>
> I see there is a stable branch and development branches (separately
> for dr/mr). There's the notion that the OS is basically stable except
> for obscure features, but presumably that applies to the stable
> branch. Does that imply that installing it on a phone (e.g. Nexus 5)
> and expecting to actually use the phone normally is a sane idea?

There are no stable/development branches. There's a single branch based on an AOSP stable branch, and then releases are tagged on it. Features are generally developed in feature branches and pushed when ready, but not so much for small changes.

The OS is definitely stable enough to use it as a daily driver. There are some rough edges, but they're caused by bugs from upstream Android. There are some issues in AOSP code that's not used by stock Android, and then there are also some bugs uncovered by CopperheadOS hardening features like many latent memory corruption bugs.

> Can one move from stable to development and back without a full
> reinstall (and data wipe)?

There's no stable/development distinction. You can update to builds with the same signing keys that are more recent (in terms of the date it was built, the version is irrelevant) without wiping.

> * future
>
> Are there plans for when 7/N is released? Will 7 be declared stable
> and 6 be desupported at the same time, or two versions, or?

The plan is to migrate to N within a month, with the M branches being discontinued. Devices not receiving official N support (Nexus 5) will have to be dropped. If there aren't enough resources to migrate to N, then the project isn't going to continue.

> * Google services vs open-source code
>
> CyanogenMod comes without Google's location service and without
> google play services. What about CopperheadOS? Can one install them
> separately? Is there some fused location service, or should one
> install unifiednlp like one does on CyanogenMod?

Google Play Services is not integrated and will receive no official support. Support for UnifiedNlp is desired, but likely not out-of-the-box since it's a security liability.

> * root, XPrivacy
>
> Is one able to grant root to apps like in CyanogenMod?
>
> Can one run XPrivacy?

Neither will be integrated or officially supported. Features need to be properly integrated into the OS via sane code. There will be no support for hacks breaking the security model, or security theater like much of the XPrivacy featureset. There's already robust support for dynamic permission control in Android and it can be extended as needed. Other features that people lean on root support to provide can be similarly properly integrated, not done via hacks.

> * app compatibility
>
> Does pretty much everything in f-droid work as well as it works on
> cyanogenmod?

Sure.

> * privacy
>
> The focus seems to be mostly about exploit mitigation, but also
> privacy (mac randomization, geotagging defaults). Has there been an
> effort to remove all code that exfiltrates data in terms of phoning
> home (other than CopperheadOS update servers)? Or, is it at least
> stated that any data being sent without explicit user request is a
> bug?

I haven't seen any evidence of code that exfiltrates data. There is code that makes a no-op HTTP request to a Google server to check if there's internet connectivity. It could be changed to another URL but it wouldn't really accomplish anything.

> In particular, what about AGPS loading? I have heard that on some
> systems that sends location and a unique ID.

Network-based location services aren't part of AOSP, and CopperheadOS doesn't add this.

> * camera geotagging
>
> It's nice not to ask people to turn it on, but arguably that's most
> important in the phones of people not running ParanoidOS :-)
>
> It would be nice to be able to safely use geotagging. Basically I
> would like to geotag at limited times, especially when taking
> tourist-type photos in public places. So I wonder if there is an easy
> toggle and visual indication in the camera, and some sort of enable
> that would time out after 1h or so, so that when you've forgotten it
> is on it will be off again.

There isn't a toggle outside of the advanced Camera settings. Maybe it would make sense as a feature, but it's not going to be implemented by us.

_______________________________________________
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
To unsubscribe, email: [email protected]
