You're bringing it up at the same time as Pine64 which has similar technical issues but without nonsense from the company / leadership including lots of harm. It's also a bad target, with no sign of ever wanting to make a good one, but at least they don't lie and cause harm.
IMO Librem5 has better hardware but the marketing and misrepresentation of it is a black eye to be sure.
Still if forced to pick between them or Google right -now- while we spend a few years making long-term sustainable/secure hardware I take Purism.
You can't make a device with decent security based on it and it's far from being able to run a fully functional AOSP particularly with the security features supported (but far beyond that) so not sure what you plan on doing with it.
At least Pine64 doesn't have deliberate anti-security measures and anti-security policies / ideology. It's just not technically advanced in that regard so it's far behind the status quo / industry standards (applies to both) but the reasons are better (lack of resources).
Anyway, if you want to support charlatans it doesn't just mean definitely not having my support, but I'll actively oppose it.
Really not interested in building something offering trash tier security and robustness along with even worse usability.
Not a long-term path either.
Again. I just need something maintainable I can run in my pocket today at least as secure as my laptop.
Pixels are a dead end.
Long term I want exactly what you describe but until that project actually breaks ground I have to hack together the least bad of terrible options.
What you're talking about is already dead on arrival: remotely exploitable over the air via known vulnerabilities without being able to provide over-the-air patches for the issues.
What's not terrible about rolling back security so much + not having updates?
Explain how a Librem5 or Pinephone running Debian with just a browser with the GSM disabled except for emergencies is any worse security than my laptop running Linux.
It is just a Linux laptop with a smaller screen to me until I can someday get something I can trust to do more.
If your laptop was purchased recently from a decent company, it will at least have firmware updates for all of the major components including Wi-Fi and Bluetooth, and you can apply those by keeping the OS up-to-date as long as it's decent. Of course, you did say *Debian* so...
Also, your laptop probably has a modern CPU with modern exploit mitigations. Regardless of all the issues with Intel and AMD, they aren't as much of a disaster as stuff like a Mediatek SoC. Maybe your laptop has a modern ARM SoC since it's 2020. Maybe you run another...
distribution on a converted Samsung Chromebook or something similar, where you actually get a modern security architecture, etc. and just aren't using an OS on it with an application security model and modern mitigations but hardware underneath it is fully capable of all that.
My laptop is Intel with semi-neutered ME with coreboot-heads which is better than the Librem5. Point taken.
Still. If there are known vulns for the Librem5 SoC I need to know that, else I have to assume my limited use cases don't warrant use of a 0day.
Google ships cubic shit tons of blobs that no one has time to fully sift through even though many of them are open source.
That is a big risk too.
The reality is all options are terrible atm and it boils down to which unaddressed risks I think are more likely.