1. 11

  2. 6

    A cool thing about CopperheadOS that I didn’t see mentioned in the article is that many of the security and vulnerability fixes that they implement eventually make their way upstream into stock Android. It was easy for them to make the decision to switch from Marshmallow to Nougat, for example, because much of the work they had done hardening their Marshmallow ROM was already integrated into Nougat for them. So even if you don’t use CopperheadOS you are still benefiting from their work.

    1. 4

      Browser-Custom version of Chromium: interface is pretty standard. I was disappointed in the privacy and security setting defaults.

      I believe this is due to differing priorities, the team chose chromium for it’s sandboxing cababilities, not for privacy reasons, and would thus not necessarily want to touch the default setttings.

      The calendar app requires you to add an account to use. So far I’ve been unable to do that. Nothing happens when I press the add account button. This has made the calendar completely useless.

      I was able to add an account by using davdroid and my fastmail caldav.

      As for the lack of google apps, I’ve found that most mainstream apps can be replaced by fdroid apps or just using a website instead. The only problem with the silence (Which used to be called textsecure) app is that not many people use it.

      1. 3

        I still can’t get Signal to work (which I believe is because it relies on certain software in the Google Play Services app which is blocked by the OS).

        At this point I wonder why people still care about Signal. It has the same stupid policy as Whatsapp (requiring a phone number, leaking contact list, no custom apps on the official server) with no apparent will to change things. Even Whatsapp itself doesn’t require Google Play!

        For that, I rather use the Telegram with its memecrypto (unproved and full of snake oil crap that Moxie itself debunked in his blog) than Signal. (Right now I don’t get a choice anyway)

        1. 10

          with no apparent will to change things

          Moxie has been asking for contributions from people who care about some of these things for years. He’s made lists of what would be required for them to distribute outside the Play store, and to not use GCM on devices which don’t have Google services, but no one has written the code, just blog posts. They were doing blinded contact discovery but had to stop as it didn’t scale as they gained more users, they asked for ideas for alternatives and so far no one has come up with a solution that works.

          1. 2

            wait, what? I was using an actively developed FOSS Android Signal client and they banned it from the server side. Moxie then posted in the associated github thread saying that they would never support alternative clients. the 3rd party dev in question was perhaps being a bit entitled, but the response was very anti FOSS. the official app is clearly open source purely for auditing purposes and advertising purposes. someone out there wants signal very tightly tied to your phone number and passing everything through GCM.


            1. 2

              I never said anything about third-party clients. I don’t know how they could support them without them breaking every time a new feature gets added or the server changes. This already happened several times with Cyanogen’s WhisperPush client, and LibreSignal also had issues. This wouldn’t be a problem if it only effected the people using these clients but it also effects people using the official client that try to message these people.

              The way LibreSignal did websocket support wasn’t good enough to be included in Signal. Like I said, Moxie has posted the requirements for what a patch to make Signal work without GCM would need to do (it’s even in a comment in the discussion you linked to), but no one has written it. IMO “if you want us to support your niche use case; patches welcome” is the epitome of FOSS.

              Also, nothing gets passed through GCM, it only sends a wakeup event to the phone to tell it to poll the server.

          2. 8

            I actually like the phone number ID system, since it makes it much easier for me to get non-tech-savvy people on it. My parents have never signed up for an instant messaging system account in their lives, but they do send text messages, so the fact that Signal works “like texting, but over data instead of SMS, and encrypted” made it easy to get them to switch to it. All they had to do was install it and start using it. If they would’ve needed to create an account with a username and password, and then add people by username to a friends list, etc., they would never have done so, but the fact that they can keep “texting” my same number as before, just in a different app, made onboarding easy.

            1. 1

              I understand that it makes it incredibly easy to get into the service from a app perspective but it’s awful for privacy AND it cuts people like me off from ever being able to use it at all (not owning an android or iOS device).

              1. 2

                So use something else and quit complaining about people who do use it. You’re clearly a minority for Signal’s use case.

            2. 2

              Signal is really nice because it manages to be both OSS/publicly auditable (unlike whatsapp) and very easy to setup for laymen (unlike the majority of open-source projects). Some things, like the phone number-tagging you mentioned, are necessary to fulfill the latter purpose.