Driver updates on librem 5

I am at the point where I need to replace my phone and I want to get a librem 5 but I’m concerned about driver updates. I’ve read that some important modules (such as wifi) don’t get updates (in particular security fixes) which is concerning; but also, there’s a lot of FUD about purism so I’m not sure if this claim is actually true.

Does anybody know of a reliable source I can use to check whether librem 5 gets driver updates? I don’t consider “it seems to be working on my device” to be a reliable source. I have a similar concern about firmware updates.

Thanks!

1 Like

For all default software and packages, see Repositories & Suites - PureOS Software (versions byzantium and byzantium-updates are current [based on Debian 10]; crimson is in the works).

Just to understand your question better, how well versed are you with Linux? Your concerns are warranted, but the operating system works in pretty different ways (not to mention the L5-specific technical structure regarding the wifi and modem cards), making the risks a bit different than with Windows, iOS and Android, to some extent. I’d also direct you towards the community wiki, which has some of the answers to pertinent questions: Frequently Asked Questions · Wiki · Librem5 / Librem 5 Community Wiki · GitLab

As I’ve said before, L5 is definitely an adventure, you will need to do and learn stuff yourself, and there is a distinct possibility that updates and improvements won’t materialize like you might expect from some global behemoth of a company. You are welcome to browse the forum - current and historical/developing topics to get more info.

2 Likes

Firmware updates are manual:

1 Like

The reliable source would be to ask Purism. Contact - Purism user documentation

2 Likes

I would say I’m an advanced Linux user but not a kernel or hardware developer. In a past life I had a job assessing the impact of security bugs on specific Linux machines.

Yeah, I’m fine with that. If I get a Librem 5 I see it as investing brainspace in the PureOS software stack, not just buying a product. I just want to make sure that CVEs get patched.

Which I am totally fine with as long as the firmware is getting security patches on a reasonable timeframe.

… fair

2 Likes

Anecdotally, Debian security fixes (and other fixes) do flow through. However that is much wider than just driver updates.

3 Likes

Well, my automatic reply says that there is a backlog and the threads on this forum about support delays are not encouraging. They are understandable - Purism is a relatively small company whose purchases scaled quickly - but my current phone recently broke so my purchasing decision became more urgent.

I think I can trust the Debian project. Not that they will always be perfect - nobody will - but that they will generally handle things responsibly and in a manner that is timely relative to the severity of the issue.

I’m a little more concerned about the hardware though. The tech specs state that the current WiFi chip comes from SparkLan and I don’t see any mention of this company in the CVE repository. I find it difficult to believe that their hardware has never had a single security issue worth mentioning, so I am left to assume that this manufacturer either lacks responsible security practices internally or is not transparent about their security issues. Neither possibility inspires confidence.

I did email their support team asking about their security policy, but I’m not optimistic about hearing back because their online form is only for business contact, not consumer contact.

1 Like

There is also the possibility that vulnerabilities have not been found - possibly because there hasn’t been any research at all, or enough of it, or nothing has been found, or nothing has been revealed.

As I wrote in the other thread about CVEs and BOMs, the various sub-parts need to be checked too. The card uses a Synaptics chip and apparently those do not show up in databases either. Same possibilities as with Sparklan there, though. However, their fingerprint readers are there.

It should be noted that CVEs are not limited to manufacturers. Other entities, even rival companies, may issue them - for instance, Google has made several for its competitors’ (and its own) products. So we should expect at least some CVEs, if there were any to be found. More likely, the software side gets more research and smaller products get less scrutiny, resulting in fewer CVEs. So, no proof either way - just observations.

3 Likes

This is fair, but doesn’t increase my confidence in the product. If the vulns aren’t disclosed just because nobody has paid enough attention, then I expect that there are a lot of shallow vulns that would be easy for an experienced researcher to find. And due to Purism’s focus on privacy and security - something that makes a certain type of influential and problematic person take notice - I would expect that certain reckless actors will be collecting vulns without disclosing them, putting me at risk if I use this device.

I want to use this device, but I have an urgent need to acquire a device which I can trust to be secure from knowledgeable adversaries, and I am poor enough/in enough debt that I can’t acquire multiple devices. Once I have money again this will be one of my first purchases, but ultimately I think that this project needs to be more mature before I can rely on it as my daily driver.

2 Likes

Replying to this thread so that I get notified of updates. I’m a bit curious if a sufficient answer to the original question is found. I have been using a Librem 5 as essentially my only phone for almost 1 year and 10 months. I have thrown money shamelessly at the device to solve all problems I encountered so that this could be my one true phone regardless of what the world had to say about it. But I still largely feel that I have no idea what CVEs are hiding in the shadows. I don’t know what I cannot see – of course that’s also why I like the Librem 5, because I can pop open a terminal and tcpdump the device on a whim. It’s a choice and I like being able to have this choice. But what if tcpdump was lying? The OS can’t tell me about packets that it itself never knew existed.

But once we create faith-based computer security – that is to say, “I want to have faith tcpdump is telling the truth” – we put ourselves completely at the mercy of people whose entire livelihood depends on hacking us. [Isn’t that what all the other devices were anyway, though?]

And, in truth, I’m nobody. I’m not worth hacking and so no one does. I walk the world with this thing in my pocket, idly happy at the thought that I am like a technological alien among the Androids, performing those few tasks that I desire to do with a handset, until among the people they tell me to use The App. When they tell me to use The App, I become the laughing stock of their group. The Amish among technologists – but strangely because I wanted better technology.

Is one of them living rent-free in my Sparklan chip for fun? Unless they told me, I wouldn’t even notice.

1 Like

This gets us to the part that makes L5 special (well, other than normal - mostly different). The separation of the cards (modem and wifi/BT) is supposed to be the protection against potentially exploitable hardware. Even if firmware wasn’t totally flawless. The separation is supposed to mitigate it, but is it “total”, “mostly” or “a bit, in some cases” - those, as I see it, haven’t been researched that much (which connects to CVEs and security research). Then again, it’s often impossible to prove a negative, an absence of any vulnerability… which is why occasional tcpdump (or other check) may be needed [by Purism, user personally and by other community members too, if not outside specialists as well].

2 Likes

I keep coming back to this statement and worrying about how Librem 5 will go for you in this case.

I just got into bed and I’m writing you from my Librem 5. It’s actually not my Librem 5, because after I initially used my Librem 5 at some point I made a choice that I wanted what this thing stands for at any cost. So I bought a “Liberty Phone” which is the bigger and better Librem 5 (in terms of specs and capabilities). Using these has been such a saga. There’s duct tape on my phone that I’m writing from right now. Do you want to know why?

To know whether a Librem 5 is right for you depends highly on your computer skillset and what you want the device to perform. I graduated at/near the top of my class in a computer software related bachelor’s degree half a dozen years ago. Smart phones were almost always a joke to me. I’m a computer user; the “smart” phones to me seemed simply like worse computers. I got my first one when I started my degree program, when someone else gave me a $100 junk Android based on the idea that I was “supposed” to have one of these. I’m the type of person that would turn off the autocorrect. I want it to do what I want. Within my first year of having one of those, I changed the notification sound to “HEY! LISTEN!” from that little fairy in the Zelda games when I was a kid. It was so hilariously annoying but epitomized my perspective on what these devices are and what they do.

What is your phone for? Can you give a specific answer to that question?

I used those old Androids as a way to have access to SMS, and to have convenient internet access from more locations. That’s about it. Its other uses were mostly stupid. In my last year at university, I changed phone plan providers and got a more powerful luxury Android phone. With my new provider, it’s been possible for me to text and call with a computer now for almost a decade. Last time I spoke with their customer support, they informed me that Librem 5 is not compatible with their cellular service, but what Big Brother doesn’t know won’t hurt him.

When my Liberty Phone arrived, my job “upgraded” that same weekend to a new system that required an Android or iOS app as the only way to “securely” log in to work. They forced me to get a past-end-of-life piece of junk with a busted screen out of a drawer to log in, because using my Made in America $2000 phone wasn’t good enough for their programmers. They use a software login constructed by Microsoft, so for some reason it wasn’t possible for their software to support operating systems like Microsoft Windows or Linux as a “secure” means to log in. Then, it was published in the news that this same login system had a vulnerability known internally to Microsoft for years, which Microsoft kept secret because fixing it would’ve cost too much money, resulting in the U.S. Department of Energy (nuclear weapons) and FBI/CIA/etc. all getting hacked by foreign adversaries because of what Microsoft knowingly sold to the government. And that same “secure” login is why I had to get my broken-screen, foreign-made, end-of-life Android out of the drawer to log into work.

And this is how I arrive at my sort of paranoid opinion that the purpose of “phones” appears to be to construct a global dominion over all the humans and not anything that I actually need. I generally prefer desktop computers.

So, I say that I have been using my Librem 5 for almost 1 year and 10 months. But when my phone rings, I find out 6 hours later when I check the call history in my service provider’s web portal on my Librem 14 laptop. If I need to call someone, I plug a headset into the Librem 14 and use it to make the call. In order to ensure their global dominion, the phone providers artificially throttle Librem 5s when calling, or something. But a Librem 14 has a big processor and mine has a lot of RAM, so the call goes through fine. In 2006 we were able to do 6-hour Skype calls on Pentium chips in large PC towers with half the RAM of a Liberty Phone today, and probably a lower clock speed. I don’t really know why the other side of my call would say my Librem 5 had bad audio quality if it wasn’t something they did intentionally. I can play music on my Librem 5 uninterrupted for hours, or record audio fine with the camera app, or stream 1080p video when docked to a monitor or TV to prove the internet works.

I stopped receiving texts on the Librem 5 a few months ago. I don’t care about that anymore, really. I open Firefox on my Librem 5 and check texts in the web portal of my provider. This also allows WiFi based texting, which is convenient and requires less battery, so that I can typically keep the modem physical switch off anyway. If I roam away from WiFi out and about, I kill the WiFi switch and engage the modem, usually using it for data only anyway and then just keeping that same Firefox window up.

I attended a seminar back in my days as a university student where a former NASA engineer explained the revolution in ARM processor battery optimizations utilized by iOS to achieve more or less the same function output but without requiring constant energy supply from the battery. I wish I had taken better notes. I’m guessing the Librem 5 compiled the desktop Linux kernel ported to ARM without these optimizations, whereas the Android fork of the Linux kernel most likely includes them. What this means is that the Librem 5 burns battery power up like a laptop, not like a phone. The Librem 5 battery lists its storage at around 4400 mA or some similar unit if I recall, whereas my previous busted Android had only 4000 of the same units when I looked it up. Despite this, the Librem 5 battery goes for 7ish hours without use, 4-5ish hours without use if the modem switch is on, and less if I’m actively doing stuff – but the old Android can stay powered on for 3 days in airplane mode. That’s been a big issue for a lot of people on this forum.

But I don’t have that problem anymore because I made it go away. As I was about to get into bed to write this post for you and share a brain dump to warn you about the choice to financially lock yourself into Librem 5, I picked up my Librem 5 and realized it had run out of battery idling today and shut off. But I wanted to sit with the phone in bed and write you this message.

So I opened my bag. Last night I got home from a 7 hour bus trip at 2 am. In my bag I had 4 Librem 5 phone batteries, and 2 chargers. I had forgotten to charge any of the batteries today, but I checked all four with the chargers and one of them still had a charge! So, using chargers lying around my messy room – I have about 8 of them, more chargers than batteries, because the chargers cost $8 on Amazon but seem to break apart easily – I loaded up the 3 dead batteries from last night and the dead battery from my phone, to each their own wall charger, then I slapped the good battery into my phone and hopped into bed.

Historically, ripping the back off of my Librem 5 twice daily to switch the battery – so that I could always have the phone at the ready, and never wait while I leave it plugged in – was a behavior that actually damaged the molded plastic backplates Purism ships with these devices. They kept ripping apart.

And so we circle back to understanding why there is duct tape on my phone. I asked an LLM to suggest a fabrication site to me, then paid the #1 suggestion to make me a replacement backplate for the Librem 5 with a 3D printer. This 3D printed nylon is more powerful and doesn’t rip even if I pop it off and on every day. But the downside is that the 3D printer was creating from the Purism STEP file they published (in the spirit of open source hardware), which was clearly originally designed for use in molding plastic. So on the fine details, the 3D print never quite fit right. But with duct tape to enlarge the physical tabs that attach – adhesive side down so it’s not adhering the backplate on, just making its tabs fatter basically – the 3D printed back stays on yet is more easily removable than the original Purism backplate.

It’s honestly been really great using the 3D printed one.

Anyway, ever-increasing use of GNU/Linux in my life made me a terminal junkie, and so I often whip out my phone and do stuff in the terminal emulator. I’m not sure what I would do without that and I’m dubious that I could ever stand to go back to Android.

So I am a Librem 5 user, but maybe this is a consequence of inputting a large supply of money to demand this luxury. If we understand that the purpose of phones is to build global dominion over all the humans, and if you try to fight that then you will be made to suffer by the system – and if you’re okay locking yourself into that suffering with the limited money you say you have, because it’s worth it to you to pursue freedom from undemocratic global dominion – then this might be the phone for you.

Edit:

I reviewed this message for spelling and made a few corrections. My Librem 5 has gone from around 70-80 percent or whatever when I got in bed to 25% now from all this constant typing. [As you may see, I also made some other forum posts before this one from bed on this charge.] So, I’m probably going to power it off and set it down and rest. I hope that I have helped you to make good choices.

If you, too, are only allowed to do your work by logging in with Android or iOS, I can tell you that it’s about $400 per year for a high end VPS running Android that is always on in the cloud waiting for when you need to pretend you have one of those.

Goodnight, and good luck with your mobile phone situation.

1 Like

I’ll post here if/when I hear back from Purism and/or SparkLAN.

I don’t think this is fair. There are people whose livelihoods depend on hacking random people (either for clearly nefarious or self-righteous, but possibly reckless, reasons), but most tools like tcpdump are made by people who are just trying to make their computers work right and are gracious enough to share their code.

I missed this before. Do you know of an official article explaining this in more detail? Internet searches didn’t find an authoritative source. If I can drop the trust level of my WiFi chip to the trust level of my router, that would be a HUGE win.

One of the important use-cases is for work. If I’m at risk of dropping text messages for hours or longer I can’t use this phone.

A use-case that I am concerned about for the future is sensitive political discussions, which is why I’m so concerned about CVE patching. That’s the kind of thing that would be worth investing resources to target me as an individual, rather than the dragnet surveillance that I’ve historically been concerned about on principle.

For sure. Maybe I did not describe well what I meant to say. On at least one occasion, I recall hearing in the news that Apple was monitoring the internet traffic of one of their cloud server clusters and discovered that the servers were sending out internet packets before booting. This led them to the realization that the hardware – manufactured in China – had Chinese government hardware surveillance built in secretly when the hardware was constructed, and it had been done so lazily that it was still calling home even when the server was “turned off” or something like this, so then Apple was able to find it. The implication was that the “surveillance chip” shoved secretly onto the servers Apple bought was doing its own computing and networking independently. I would imagine that if an Apple developer were to run tcpdump on one of those compromised servers, they would never see the packets in question, since tcpdump is an operating system program that looks at what packets the operating system is sending. If your operating system has compromised hardware sitting outside of it but on the same chip, you’re going to need some physical device capturing what crosses the wire, which, in the example I’m referring to, I recall hearing it sounded like Apple indeed had.

I live in the United States so I can type in here and say that it’s quite likely that Joe Biden, Kamala Harris, and Donald Trump are all three old and stupid compared to who should be running this country. I can say that I want different leadership that isn’t at retirement age. (Kamala was advertised as a “young” person because she is at the retirement age instead of past it.) And it’s really nice, I can even go so far as to say that maybe all these people have weird romances, and maybe the three of them are hugging in a bed together right now.

But from a technological standpoint, I’m posting on Purism forums without a VPN, so Purism can look up my IP address and geolocate that IP if the government asks them to, and even if they don’t the Dlonk account has shared enough random anecdotes about myself that a government operative could EASILY link the Dlonk account to a certain other online account of mine on another website, and then link that other account to my real life name using other publicly available information. Ergo, my first and last name, and address, will be associated with this post in the future if the United States is taken over by an AI dictator, and my accusation that all this country’s leaders are old people in bed with each other WILL be used against my social credit score if that AI dictator wants it to be.

There are obviously a huge number of things wrong in a country run by such old and stupid humans, but one of the things that we got right (at least for the time being) is that some of our “free speech” rights remain.

Realistically, even without knowing what CVEs are affecting you, I have a hard time imagining that using a “phone” of any nature is a good way to have “sensitive political discussion.” If I was going to do that – for example if I was going to visit China and then post accusations that a certain person resembles Winnie the Pooh – I think that I would probably use a VPN, then use the Tor network, then while using both of those at the same time I would probably create new accounts for any site where I was going to post. And most sites don’t even allow that anymore, so I fail to see where you’re even thinking you would post information at that point. Then, after I posted the memes insulting the glorious leader on a burner account made from behind the VPN+Tor – if I was going to do that – I would probably erase the hard drive of my local computer to try to dissociate myself from the record of what I had done. Then, I might consider fleeing the country calmly anyway. Isn’t that how it works over there? I’m a bit out of touch. To be honest, when I was a kid I really enjoyed watching Winnie the Pooh cartoons, so if I made the “mistake” of accusing someone of being similar to one of my nostalgic childhood experiences, it wouldn’t even feel like an insult to that person from my perspective. But it’s been a long time since I saw those cartoons. Maybe I’m missing why this is such a touchy subject for some people.

But, point is, I would do all of that stuff with a PC where it was easier to get it done. I’m not sure I want to bother with the VPN+Tor+possibly more stuff on a “phone.” I guess the Librem 5 could probably download a browser with Tor, but can you even do that on Android and iOS? I personally haven’t tried.

OK, let’s try. Many of the features kinda connect together. If you really want deep background on the design, I still recommend the former CTO’s presentation from 2019: A mobile phone that respects your freedom - media.ccc.de Her forum post is probably more to the point about the separation, however…

First I’d like to send you to read some background material on the phone’s structure, how the schematics and x-rays are available for you to check your own device for tampering, and how the hardware kill switches work (the former is for general security and the latter is connected to the separation). See 4.1 on Frequently Asked Questions · Wiki · Librem5 / Librem 5 Community Wiki · GitLab (and also: Librem 5 component list · Wiki · Librem5 / Librem 5 Community Wiki · GitLab). The announcement of these was in: Breaking Ground – Purism, and more about the features in How Librem 5 Solves NSA's Warning About Cellphone Location Data – Purism

Then, I’ll point to a long-ish article in the same wiki about the security comparison between Android and L5, which explains a few things that are not straightforwardly comparable, as a background. See 4.3 on Frequently Asked Questions · Wiki · Librem5 / Librem 5 Community Wiki · GitLab

Here are some quickly found mentions and links regarding firmware-jail (setting limits to card firmware and what they can do): Shipping new SparkLAN Wifi cards with Librem 5 – Purism and Privacy in Depth – Purism

For controlling what goes in and out of the cards, there is also the OpenSnitch article as a bonus (about what’s possible): Snitching on Phones That Snitch On You – Purism

I hope those have the info you seek. I know it’s a bit much, and now, after all these years, I see that Purism really should put together a concise whitepaper that - without any marketing blog wording - describes the security concept (what the whole system ended up being - positives, weaknesses and to-do list), and how L5 hardware and software create this combination/balance of freedom, security and privacy [all relative terms].