Thanks, that looks a little better, but still missing things like sending keystrokes to non-active windows. (Also, I’m on Mate desktop on most my computers.)

I just need xdotool. ydotool is missing almost everything. I don’t need programs sandboxed from each other. I don’t need that multi-DPI stuff (200% scaling works fine in X). Wayland doesn’t provide any features I’m missing.

In the garden, there are two chickens.

It would be a more meaningful discussion if the government wasn’t controlled so much by large corporations and oligarchs.

Maybe it was a phishing scheme to identify people’s IP addresses based on where they loaded the image from. In that case, each person would only receive one message. Fortunately I use a proxy, so they got nothing.

Usually it’s this, but sometimes the Recaptcha doesn’t even load (looks like an IP ban). I just submit the form, and then get an error message saying I must complete a Recaptcha, but there’s no evidence in the page of any Recaptcha to fill out.

I’m on a residential ISP. I’ve checked every IP address reputation system I can find, and see no problems (except from “Clean Talk”, but they’re so small that I doubt Google uses them).

Also, I hate knowing that I’m doing unpaid labor to help train an AI that will make the world a worse place.

I can’t make an account, because I can’t complete a Recaptcha. Google Recaptcha is used on every ubuntu.com signin page. (This means I also can’t submit bug reports.)

I have self hosted my email since 2006. I gave up on self hosting outgoing mail in 2021, but I still keep the server up for incoming mail, and still set up throwaway accounts on there.

The hard part of hosting email is getting Google and Microsoft to accept outgoing mail. Tons of businesses that do not have visibly outlook .com or gmail .com addresses are still hosted by those servers.

I had SPF, DKIM, and a static datacenter IP address with no reputation problems. I still couldn’t get through to Microsoft, not even in people’s junk mail directory, until they manually whitelisted my address. Microsoft didn’t allow them to whitelist a whole domain. Google was a little easier, but they added new demands monthly.

In 2025, I can’t get reliable delivery to gmail .com addresses even sending from a hotmail .com address in the outlook .com web interface.

I got GOG Galaxy working in Steam, through Proton, as an “Add a non-Steam Game”. I’ll have to try Heroic Launcher.

Not sure how much you’re paying for your VPN, but a virtual private server can be had for about $5 per month. You’ll get a real IPv4 address just for you, so you won’t have to use non-standard port numbers. (You can also use the VPS as a self-hosted VPN or proxy.)

$5 per month doesn’t get you much processing power, but it gets you plenty of bandwidth. You could self-host your server on your home computer, and reverse-proxy through your NAT using the VPS.

Even if you can buy it, you can’t file a warranty return if you are outside Fairphone’s small support area.

Fairphone has guaranteed 0 years of support in my country.

The point of the blockchain is to achieve distributed consensus of what’s in the database. That way, one entity can’t unilaterally change what the database says.

If you have a public non-profit institution maintaining the database, obligated to serve all legal customers, with serious consequences for tampering with it, you can get pretty much everything blockchain can do, for a billionth of the computing power.

But with that system, you would lose these features:

• partially-anonymous participants
• service of all customers, even illegal ones
• immunity to court orders

Swapping out random parts of the OS will certainly lead to breakage and dependency hell in your package manager (unless you just replace files without using the package manager, which might make all of this even worse).

I’ve done it, and it works. I’ve built packages of libraries and binaries before, at higher version numbers than Debian had, and deployed them to multiple Debian sid systems. They worked. When Debian caught up, I seamlessly upgraded all 3 systems with no problems.

Even in the worst case scenario of dependency hell, you would be able to downgrade to the Debian supported version. But I never had to do anything like that.

I’m not going to respond to all the rest of your post, because I don’t think it will help with anything. It seems that we have very different ideas about device ownership.

Some apps resist being backed up. “android:allowBackup=false” was one way. Apparently that can be overridden, but there are other ways apps can resist backup that can’t be overridden. It’s not clear what those are, but some of my apps definitely aren’t being backed up by Seedvault, even though they aren’t using keystore.

The apps using keystore can only ever be backed up by installing a backdoor in the TEE.

They do provide instructions for compiling from source, they just don’t support you at all afterwards. If you compile GrapheneOS and put it on your phone, they say “you are not running GrapheneOS” at that point. Unlike Debian or Ubuntu, where every package can be replaced by a hand-compiled version, and it’s still Debian or Ubuntu.

need to charge it in a public space? You better hope no one had modified the charger with something like an RPI to silently exploit your phone

Any secure Android device should be starting each USB session in device mode, set to charge only. It is usually not possible to change this mode without unlocking the screen. I don’t know what this has to do with sandboxing or unlocked bootloaders.

Crossing a border into a country and they suspect you’re some sort of threat?

How does this attack work? Are you saying they’d replace the operating system by using the unlocked bootloader? There are plenty of ways to prevent this with full disk encryption. Of course you need to check for modifications when you get it back, but that’s true even if you have a locked bootloader, because of hardware modifications and leaked keys.

Not running software that updates the hardware’s proprietary software drivers? One text message and you’ve got a rootkit.

In any of the open source Android distros, like LineageOS or GrapheneOS, those updates come as part of the operating system. The updater is open source, and doesn’t care whether your bootloader is locked. I assume a Linux Mobile system would be closer to Debian’s Apt system, which is also an open source updater than can install proprietary drivers, and also doesn’t care if your bootloader is locked.

didn’t really need an “um ackshually” about people who don’t want a secure os

This is pointlessly condescending.

Comprehensive backups, which can only be done after rooting. You can do this, but only after disabling verified boot.

They literally have a whole instruction page for it on their official website: https://grapheneos.org/build

I’ve asked, and they don’t support you at all after you build it. You can’t get updates or packages from GrapheneOS. Compare to Debian, Ubuntu, RHEL, etc., where you can compile your own newer package, install it, even replace core operating system components, and then seamlessly upgrade to the OS vendor’s version when they catch up.

What they don’t support is making modifications to GrapheneOS, compiling it, and then still calling it GrapheneOS. It’s not. You changed it, so it’s something else. It’s your own fork of GrapheneOS, so you should name it accordingly.

Even if you don’t modify it, they tell you not to call it GrapheneOS, and don’t offer any way to install patches, besides building it again.

Uh that’s by design? Do you even understand the purpose of a secure element and trusted execution environment, and how they work?

Yes, I understand it. I’ve opposed TPM from the start, and this is just TPM for Android. I don’t want a device that keeps secrets from me. I do want comprehensive backups, including all cryptographic keys. I should be able to access the TEE from my authenticated PC over SSH.

I’m fully aware that Widevine won’t run on a device where the owner has control over the whole device.

The code is open source, you can freely modify the OS, compile it, sign it with your own keys…

I don’t have the resources to do this (PC nor effort). They recommend 100GB+ storage and 32GB RAM for building it, and you seemingly can’t do it incrementally, since you have to flash an entire operating system at a time. I want to modify one file, like the call recording xml file. (That file is from a previous operating system I had, but I can’t provide an example of niche cases like that for GrapheneOS, because I only ever used GrapheneOS for a few days, so I don’t know what kind of small modifications I would want to make.)

Can you please explain how rooting adb only, not any apps, makes it less secure? Use concrete examples, not abstract.