this post was submitted on 22 Feb 2024
1112 points (96.1% liked)

linuxmemes

21378 readers
2077 users here now

Hint: :q!


Sister communities:


Community rules (click to expand)

1. Follow the site-wide rules

2. Be civil
  • Understand the difference between a joke and an insult.
  • Do not harrass or attack members of the community for any reason.
  • Leave remarks of "peasantry" to the PCMR community. If you dislike an OS/service/application, attack the thing you dislike, not the individuals who use it. Some people may not have a choice.
  • Bigotry will not be tolerated.
  • These rules are somewhat loosened when the subject is a public figure. Still, do not attack their person or incite harrassment.
  • 3. Post Linux-related content
  • Including Unix and BSD.
  • Non-Linux content is acceptable as long as it makes a reference to Linux. For example, the poorly made mockery of sudo in Windows.
  • No porn. Even if you watch it on a Linux machine.
  • 4. No recent reposts
  • Everybody uses Arch btw, can't quit Vim, and wants to interject for a moment. You can stop now.
  •  

    Please report posts and comments that break these rules!


    Important: never execute code or follow advice that you don't understand or can't verify, especially here. The word of the day is credibility. This is a meme community -- even the most helpful comments might just be shitposts that can damage your system. Be aware, be smart, don't fork-bomb your computer.

    founded 1 year ago
    MODERATORS
     
    you are viewing a single comment's thread
    view the rest of the comments
    [–] pkill@programming.dev 1 points 9 months ago* (last edited 9 months ago) (1 children)

    AOSP is not proprietary. Also security is not achieved merely by the merit of being libre, see CVEs for sudo, glibc or Apache HTTP server or even the Linux kernel itself.

    And when it comes to proprietary firmware updates, in case of x86 one such notable example is the microcode which is pretty important to keep updated for security.

    [–] lemmeee@sh.itjust.works 0 points 8 months ago (1 children)

    AOSP is not proprietary.

    I never said that it was.

    Also security is not achieved merely by the merit of being libre, see CVEs for sudo, glibc or Apache HTTP server or even the Linux kernel itself.

    Being libre is the basic requirement to even being considering something as secure, but it is not enough by itself. I agree.

    And when it comes to proprietary firmware updates, in case of x86 one such notable example is the microcode which is pretty important to keep updated for security.

    Generally that's what people say, but is it really that simple? A new firmware version might fix some known vulnerability, but its developers might have also introduced a new one on purpose. So a known vulnerability might have been fixed, but you might have gotten a new one that isn't yet known. So I don't know if that's really so much better. Also I assume that the only way to exploit those vulnerabilities is through malware? But if you only run free software, the risk of getting malware is very small.

    [–] pkill@programming.dev 1 points 8 months ago* (last edited 8 months ago) (1 children)

    I agree with you that every proprietary software must be presumed to be a trojan with a backdoor but still some critical, low level free software being decades old C codebases with oftentimes millions of LoC has proven to be a double-edged sword where on one hand most of it is super optimized (just compare launch times of lightdm or GDM to e.g. regreet) but on the other hand by pure probabilistics it's more likely to contain some vulnerabilities accumulated over the years of imperfect code reviews.

    Sure I believe it's worth hoping and supporting initiatives that might one day bring us to something like RISC-V smartphone with high level of hardware security that'd run something like Alpine (a minimalist distro) but based on Redox OS. Maybe that'll come true in a couple of years.

    But right now GrapheneOS even despite proprietary hardware is the best option security-wise, unless you're willing to tinker with hacking together some RISC-V SBC-based device (which might even have better battery life than most smartphones by up to 60%!), but the optimization of basically any software is going to suck so badly. And forget compiling any Rust code on the currently available RISC-V CPUs. want memory safety? pick something with a VM/GC instead.

    [–] lemmeee@sh.itjust.works 0 points 8 months ago (1 children)

    You are right that some projects are more likely to have vulnerabilities than others. But at least with libre software any expert can look into it, fix it and distribute the patch to others.

    I don't have much hope for RISC-V, since most SBCs that use it seem to require a custom Linux kernel, so it's the same problem that we have with ARM. Maybe things will get better at some point, but unfortunately most people don't seem to care. I haven't heard of Redox before. It looks interesting, but it's a shame that it's not under a GPL license.

    But right now GrapheneOS even despite proprietary hardware is the best option security-wise

    Maybe you are right and Graphene with F-Droid is the most secure option. I don't think it's necessary to have all of its features, since we don't have them on desktop either, but it would be nice to have them on mobile for sure.

    unless you’re willing to tinker with hacking together some RISC-V SBC-based device (which might even have better battery life than most smartphones by up to 60%!)

    That's crazy! Is RISC-V so much more efficient than ARM?

    And forget compiling any Rust code on the currently available RISC-V CPUs

    Is that not possible?

    [–] pkill@programming.dev 1 points 8 months ago* (last edited 8 months ago) (1 children)

    Apparently there are multiple crates but no official toolchain so unsure how that works in practice. You're still limited to either waiting for hours or cross-compiling though since currently the best available RISC-V CPU is quad-core 2.5 GHz (which still looks hella promising, 2 years ago best we had was 1.5 GHz dual-core). This blog post by Drew DeVault goes into detail of how daily driving RISC-V looked like 2 years ago. I suppose these days it looks noticeably better, especially since Samsung and Apple have been eyeing RISC-V adoption due to ARM consortium doing some monopolistic shit with their licensing. But eventually, so far, not enough critical mass was attained and afaik the whole drama mellowed out a bit.

    Regarding the energy efficiency, some experimental units managed to even be manifold better at this:

    https://arstechnica.com/gadgets/2020/12/new-risc-v-cpu-claims-recordbreaking-performance-per-watt/

    But on the other hand, studies involving some RISC-V models show quite the contrary when it comes to energy efficiency, although the thermal performance is much better:

    https://link.springer.com/article/10.1007/s11227-024-05946-9

    And below is a screenshot from a comparison by Gary Explains using more microcontroller models. So it really depends on the specific model, but it seems like the design of RISC-V has some solid potential to beat ARM in terms of energy and thermal efficiency.

    [–] lemmeee@sh.itjust.works 1 points 8 months ago

    I didn't know there was no RISC-V toolchain for Rust, that's kinda weird!

    You’re still limited to either waiting for hours or cross-compiling though since currently the best available RISC-V CPU is quad-core 2.5 GHz (which still looks hella promising, 2 years ago best we had was 1.5 GHz dual-core).

    Compiling anything on PinePhone is also painful :D. But I suspect there is probably a lot more ARM packages available in distros and some app developers release ARM builds.

    Those energy efficiency comparisons are pretty interesting! x86 is also improving, so I'm curious if there will ever be x86 phones.