"Librem 5 & PureOS ridiculously insecure"

and that should be in the constitution for the XXI-st century revision :sweat_smile:

I believe the question that we should ALL ask ourselves is:

“how do we create AWARENESS and easily-accessible OPPORTUNITIES (or why not ? a REWARD system) for ALL people that use NETWORKED technology or feel FORCED to use it in order to have access to HUMANITY ? for the purpose of strengthening the weakest links while simultaneously NOT weakening the hardest links in the human gene pool.”

No name, no date, no footnotes – except for some links back to other pages on the same site with all the same defects. Useless.

I always find it interesting to see/hear things from different and unexpected angles. It shines light - even if partly flawed - on areas that may have weaknesses to address. Even if they are possible only in special circumstances, it’s good for the user to be aware so they can manage them with their behavior (instead of the system making the decision for them). And it makes sure @Kyle_Rankin does not run out of things to do (coding or writing) :sweat_smile:

Now for some “TL DR” stuff…

I think the main thing is - as has been said here a couple of times - that the base assumptions (call it security model for now) are different and in that, the Android/iOS model and the L5 model (I’m not attaching Linux to this since it doesn’t include hardware) are answers to different questions, to different needs and goals. And I’d like to remember that there are other things at play here than “only” security (including privacy in this) as there is the business model and the ecosystem of selling information (and most of it is rather general, although the personal info section is more important). The latter is so ubiquitous that Android/iOS are more or less just support platforms to enable it (among other things) and make the user feel like they are getting something in return (like security against some things or usability etc.).

I’ve been working on this idea for some time, based partly on complex network theory (and I can only hope I can translate it here), that there is kind of a built in “tug-of-war” in every network service connection where you have the individual user and the system negotiating/struggling to set the limits which each needs to achieve and maintain their respective security/safety/privacy. Both want to ensure their continued existence and neither wants to be used in a manner they do not condone. It’s a balancing act that may not have a stable equilibrium, as the needs shift slightly constantly (sometimes in obvious ways like when there is a threat or attack). It’s about whose security/safety/privacy is more important and to what level that/those need to be ensured. The individual gives more value to privacy but the system needs information to trust you to let you in and make sure you are behaving acceptably. This can be applied to governments and such social systems as well. Some choices are easy, as an individual can choose not to use a system or service, but the real problem lies in the ones which are huge de facto standards - almost mandatory to use if you want to be part of the world around you (or just services that keep you alive) - with which the system(s) can be made to demand a lot. All in the name of security.

But my point is not about that well known model, as it’s about understanding that system(s) and individual(s) have different needs that are in flux and they are rarely (if ever) compatible for long periods - unless one rules over the other dominantly. Once the individual gives something away, its control is lost forever, as they cannot change and rebuild and patch like the system(s). System(s) as such are not (mostly) evil, they just are. But they can be repurposed to do nasty things and complex systems have a lot of unintended consequences (on top of the intended ones that haven’t always been well thought out) - on both points, I suggest some light reading in the form of “Weapons of Math Destruction”. The scale can be big or small.

Soooo… Having the L5 model is a step towards gaining control in this “tug-of-war” but there are more ways that we are connected to various systems that we do not (yet) have control over. That is not a reason not to try to plug these holes in the dam - it’s still less water taken in, even if there still are other holes (the pumps have a better chance of keeping us afloat longer - to strain the analogy). The fact that it’s difficult to do it this way and the road is long is not a reason not to do it. And I don’t believe it’s possible to be without being connected to system(s) - it’s about finding ways to make sure both the individual and the system(s’) owner/admin can feel safe and secure.

3 Likes

This may seem blindingly obvious and/or I may have missed it but @Kyle_Rankin, has this difference in approaches between closed systems (A and i) and L5 been laid out? It might be an assumption to think that people understand it fully - what it means, what it requires from user behavior, what it doesn’t do etc. - and having that baseline stated clearly might be needed. I know it’s been talked about in bits here and there. Maybe a topic for a blog post and/or FAQ and/or About?

I think for the average customer it is completely unnecessary. In fact it would just scare off people who would have otherwise bought a Librem 5.

Have it in some deep dive material sure, but don’t plaster it on the main page for it. I don’t believe this is unethical either as Purism has every intention of helping their customers position their devices to be secure and private.

I have seen this article pop up from time to time, in xmpp chat rooms, reddit and now here. I just wish the webpage where it is posted had a comment box, so that the article could be debated there, and not having to repeat the same arguments every time it pops up in some online space.

And I saw how horrible (as in personal insults and bashing of people) the debate of this article was in some spaces, like it was already mentioned above.

This is one of those moments in which I take my “Purism hat off”, so do not quote what I am about to say as a response from Purism.

Like said above there is not one Android kernel, there are several and the state of their updates depends on many things. With a GNU/Linux distribution that supports mainline kernel you can get lifelong updates.

This article like already said above, corresponds to a world view (that several people working on Android, Whonix, and a part of the Qubes folks share) on security in which you “need” to protect the user from himself, because he is downloading and installing applications from repositories/websites with millions of not properly vetted applications, and a ton of malware applications to add to the equation. So in essence (in this world view) you need a read only file system, and permit nothing to the user.

That is the Android and Windows model.

Like already said above, we try to balance security with the user still having power over their machine.

Basing your repositories on Debian like PureOS does, while not a 100% safe silver bullet, already does a lot to address those concerns and establish trust.
More and more applications and packages in Debian are reproducible builds, which allow one to confirm that the distributed binary packages correspond to the published source code that can be audited.
Also, not everyone can publish a package to the Debian repositories. Becoming a Debian Developer is a very long process that establishes who the person is and the quality of his/her work and intent.

Again, while not a silver bullet, this alone makes an application that comes from a Debian repo more trustworthy than one from the Google Play store.

I imagine that Flatpak applications get flak in this article because it is the model most similar to an Android app model, and they base their review of Flatpak applications on a comparison to an Android application.

Yes, the permission model in Flatpak needs improvement, especially being able to allow a user to set the permissions before the app is installed. But in my opinion application permission management is not a silver bullet (either in Flatpak or Android and its derivatives) as long as applications, in the name of user experience, get designed as Swiss army knives full of features that, for all of them to work properly, need most permissions on the system. For example, an Android XMPP chat application being able to make video and pictures directly and send your location to the friend who is going to meet you, and with that your chat application having access to the camera and GPS.
Application permission in this model is not enough to preserve user privacy and needs to be combined with apps that either do less, or that come from trustworthy sources like a trusted repository with only open source applications whose code can be audited. This we are trying to address with the PureOS store.

At this moment in Flatpak you have Flatseal, which allows you to set permissions post install. While not perfect, as you set the permissions post install, it is progress. And software evolves. Flatpak has been evolving.

The part of software evolving brings me to one of the points that irritates me most about this article. It treats PureOS as it currently is, as an already finished product. And that is far from being the case. It is constantly improving.
For example, we want to work on a chain of trust by securing the boot process.

The Android operating system (AOSP) is 12 years old; the system GrapheneOS is based on a distro that has 12 years of being built. PureOS for mobile is at its start. While we will not take 12 years to get where we want, making an analysis of PureOS for mobile as an already finished product instead of trying to figure out where they want to go and what they want to reach, and basing it on that, seems to me a limited analysis at best.

As for nitpicks about the article itself:

That is supposed to be an article about “Linux phones”. There are currently around 18 GNU/Linux distributions for mobile devices with mainline kernel support (or working on it), and they have different models. Some like UBports even use a read only file system, as many people around Whonix and GrapheneOS advocate (with some parallels to Android). Some have already implemented Full Disk Encryption, like postmarketOS. Some are based on Debian (or Ubuntu), others on Fedora, others on Alpine Linux. And all these are evolving quite fast with rapid development.

And yet this article, instead of making an assessment of the general state of GNU/Linux distros for mobile with mainline kernel support and their models in comparison to AOSP for example, focuses on only one: PureOS.

Which, for me, means either the author did not research anything else, or I have to question his reasons.

The whole modem isolation critique in the article, and stating that IOMMU to prevent DMA is the same as physical separation? It links to a page about the Linux kernel to say the USB stack is not so secure in modem separation without having an explicit reference to it in the Linux kernel page.
So the USB stack is insecure because “the whole Linux kernel is insecure”…
It also links to a page about FireWire and DMA access, when FireWire is unrelated to the USB stack.

The part about the Librem 5 not allowing firmware updates. To support this claim, the article links to one post we made about the memory training binary.

1 - That is not the only firmware in the Librem 5 and PureOS.
2 - We intend that in case we can liberate other pieces of firmware, we bring that firmware to users.
3 - The article makes it seem like firmware updates are common and constant in Android (AOSP); just FYI, they are not.

Again do not take this as a response from Purism, others have already replied better than me. This is just a semi rant post due to:

  • Being hard to maintain a cool head about this article after seeing how the debate about this article went on other spaces with personal insults
  • Having to read this article time and time again on different spaces being presented as new and having to post the same arguments again and again.

PS: That article should really have a comment section, that way the arguments would all go in one place and people that read it for the first time would read the arguments there.
(this is not a critique to the Original Poster)

18 Likes
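The post above argues that Flatpak permissions should be reviewable before an app is installed, and that Flatseal only lets you tighten them afterwards. As an added example (not code from Purism, Flatpak, Flatseal or the post), the script below reads the `[Context]` and `[Session Bus Policy]` sections of a Flatpak `metadata` keyfile (the format `flatpak info --show-metadata` prints), flags the broad grants a reviewer would want to see up front, and builds the matching `flatpak override --user` command to revoke them. The sample metadata and the app id `org.example.ChatApp` are constructed for illustration; the override options used (`--nodevice`, `--nofilesystem`, `--nosocket`, `--no-talk-name`) are real flatpak options.

```python
"""Audit the sandbox permissions a Flatpak app declares, before you install it.

Added example (not code from Purism, Flatpak, Flatseal or the forum post).
It parses the [Context] and [Session Bus Policy] sections of a Flatpak
'metadata' keyfile and flags the broad grants discussed above. The sample
metadata and the app id org.example.ChatApp are constructed for illustration.
"""
import configparser

# Constructed sample: a chat app that wants every device, the whole home
# directory, the X11 socket and talk access to the Flatpak service.
SAMPLE_METADATA = """\
[Application]
name=org.example.ChatApp
runtime=org.gnome.Platform/aarch64/3.38

[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;all;
filesystems=home;xdg-download;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
"""

# (key, value) grants that hand the app far more than a sandboxed app needs.
BROAD_GRANTS = {
    ("devices", "all"): ("high", "unrestricted /dev access (camera, USB, ...)"),
    ("filesystems", "host"): ("high", "read/write access to the whole host filesystem"),
    ("filesystems", "home"): ("medium", "read/write access to the entire home directory"),
    ("sockets", "x11"): ("medium", "X11 socket: other X clients' input/output can be observed"),
    ("sockets", "session-bus"): ("high", "unfiltered session D-Bus"),
    ("sockets", "system-bus"): ("high", "unfiltered system D-Bus"),
}
# flatpak override option that revokes each kind of grant (real flatpak options).
OVERRIDE_FLAG = {"devices": "--nodevice", "filesystems": "--nofilesystem",
                 "sockets": "--nosocket", "Session Bus Policy": "--no-talk-name"}


def _keyfile(text):
    """Parse Flatpak's GKeyFile-style metadata; keys keep their case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def parse_context(text):
    """Return {key: [values]} for [Context]; Flatpak list values end with ';'."""
    cp = _keyfile(text)
    if not cp.has_section("Context"):
        return {}
    return {k: [v for v in val.split(";") if v] for k, val in cp.items("Context")}


def audit(text):
    """Return [(severity, section_or_key, value, why)] for every broad grant found."""
    findings = []
    for key, values in parse_context(text).items():
        for v in values:
            hit = BROAD_GRANTS.get((key, v))
            if hit:
                findings.append((hit[0], key, v, hit[1]))
    cp = _keyfile(text)
    if cp.has_section("Session Bus Policy"):
        for name, policy in cp.items("Session Bus Policy"):
            # talk/own on the Flatpak service lets the app spawn commands on the host.
            if name == "org.freedesktop.Flatpak" and policy in ("talk", "own"):
                findings.append(("high", "Session Bus Policy", name,
                                 "can run commands outside the sandbox via the Flatpak service"))
    return findings


def suggest_overrides(findings, app_id):
    """Build the `flatpak override --user ...` command that revokes the flagged grants."""
    flags = [f"{OVERRIDE_FLAG[key]}={value}" for _sev, key, value, _why in findings
             if key in OVERRIDE_FLAG]
    return f"flatpak override --user {' '.join(flags)} {app_id}"


if __name__ == "__main__":
    found = audit(SAMPLE_METADATA)
    for sev, key, value, why in found:
        print(f"[{sev:6}] {key}={value}: {why}")
    print(suggest_overrides(found, "org.example.ChatApp"))
```

Run it against the metadata of an app you are considering (replace `SAMPLE_METADATA` with the output of `flatpak info --show-metadata`) and you get the review the post asks for before the install, plus the override command that Flatseal would otherwise apply by hand afterwards. Note that overrides only narrow what the sandbox exposes; an app that genuinely needs the camera to function will simply fail once `--nodevice=all` is applied, which is the "apps that do less" point the post makes.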

Yes, I noticed that too. It doesn’t make sense. Could be poorly maintained web site (e.g. the page did at one time contain the information but no longer does) or the second article could just be poorly put together.

At a certain point … haters gonna hate.

USB security problems are real, but I do not expect that PureOS can handle them in its infancy at all.

https://blog.invisiblethings.org/2011/05/31/usb-security-challenges.html

1 Like

"If you need to disable network access, you can use airplane mode. "

LOL

7 Likes

Securing the USB system is something that was brought up back in 2018 (by me). There is a project that adds device pairing for USB similar to the way it works for bluetooth, but it has two major drawbacks preventing its widespread adoption. First is it doesn’t protect the BIOS or bootloader, as it hooks into the Linux kernel. Second is few users have PS/2 or serial keyboards, which means you have to register your I/O devices before enabling the whitelisting, or you can’t whitelist your I/O devices.

Still, once I get my hands on an L5, I intend to set it up, and will post here how to do it.

7 Likes
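The post above describes USB device pairing (whitelisting) and its second drawback: if you enforce the allowlist before registering your keyboard, and you have no PS/2 or serial keyboard, you lock yourself out. The following is an added example, not code from the post or from the pairing project it refers to (USBGuard does this kind of allowlisting; that it is the project meant is my assumption). It models the policy in-process on constructed device records: pairing remembers a device's vendor/product/serial and the interfaces it enumerated with, enforcement refuses to start while no keyboard could get through, and a paired identity that later shows up with a different set of interfaces is blocked.

```python
"""USB device allowlist with a 'register before you enforce' lockout check.

Added example, not code from the forum post or from any USB pairing project.
Everything runs in-process on constructed device records; nothing touches
the real USB bus, and all vendor/product ids and serials are made up.
"""
from dataclasses import dataclass

# USB interface descriptor triples (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol).
HID_KEYBOARD = (0x03, 0x01, 0x01)   # boot-protocol keyboard
MASS_STORAGE = (0x08, 0x06, 0x50)   # SCSI bulk-only storage


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    serial: str
    interfaces: tuple               # interface triples the device enumerates with

    def key(self):
        """Identity used for pairing: vendor, product and serial together."""
        return (self.vendor_id, self.product_id, self.serial)


class LockoutError(RuntimeError):
    """Enforcing now would leave the user without any allowed keyboard."""


class UsbAllowlist:
    def __init__(self):
        self.allowed = {}           # device key -> interface tuple seen at pairing time
        self.enforcing = False      # until enabled, behave like a stock kernel: allow all

    def register(self, dev):
        """Pair a device: remember its identity and the interfaces it exposed."""
        self.allowed[dev.key()] = dev.interfaces

    def enable(self, have_non_usb_keyboard=False):
        """Start enforcing. Refuses if no input path would survive (the drawback above)."""
        keyboard_paired = any(HID_KEYBOARD in ifs for ifs in self.allowed.values())
        if not (keyboard_paired or have_non_usb_keyboard):
            raise LockoutError("pair a USB keyboard (or have a PS/2 or serial one) first")
        self.enforcing = True

    def decide(self, dev):
        """Return 'allow' or 'block' for a device that just enumerated."""
        if not self.enforcing:
            return "allow"
        registered = self.allowed.get(dev.key())
        if registered is None:
            return "block"          # never paired
        if registered != dev.interfaces:
            return "block"          # same identity, different functions than when paired
        return "allow"


def process_events(policy, devices):
    """Apply the policy to a sequence of enumerated devices; returns (serial, decision)."""
    return [(d.serial, policy.decide(d)) for d in devices]


if __name__ == "__main__":
    # Constructed devices; ids and serials are placeholders.
    keyboard = UsbDevice(0xAAAA, 0x0001, "KB-CONSTRUCTED-1", (HID_KEYBOARD,))
    stick = UsbDevice(0xBBBB, 0x0002, "MS-CONSTRUCTED-2", (MASS_STORAGE,))
    policy = UsbAllowlist()
    try:
        policy.enable()             # nothing paired yet: refused
    except LockoutError as e:
        print("refused:", e)
    policy.register(keyboard)
    policy.enable()
    for serial, decision in process_events(policy, [keyboard, stick]):
        print(serial, decision)
```

The first drawback in the post still applies to any model like this: a policy hooked into the kernel only starts deciding once the kernel is up, so whatever the firmware and bootloader accept over USB before that point is outside its reach.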

Well, if you buy a house the first thing you do is change the locks anyway, that the prior owner/renter may have the key to.

I think it would be great if the L5 can get a good review from Bruce Schneier, if anybody.

if you have “nothing to hide” the first thing you do in order to prove your innocence to the prior owner/renter is you completely remove all doors/windows (pun intended :joy: ) to your house. that way, no back-doors need to be installed by the prior owner/renter in order to maintain “compliance” … :upside_down_face: :sweat_smile:

Two real-world examples that I’ve been through:

a) Killswitch
Received an exceptionally well made malware email. Thousands have been disregarded before, but that one directly got my attention. It said something like someone had hacked my computer and observed me for months via camera, mic and the like.
The email was that well made… nevertheless, it took me max 3 seconds to disregard it as fake. My Librem 13’s mic/cam killswitch is always off. So observing me this way for months was plain impossible. Had it not been my Librem, it would have cost me much more thought and sweat…

b) Android and profiling
I took a reset Android phone of a mate living 600km away and officially not connected to me in any way. Combined that with a never used secondary SIM card of my mother in law. Avoided WiFi, WhatsApp and the like.
Nevertheless, it took only some days till I was asked by certain apps/webpages whether it’s me. It took a week till that phone and the logic making use of it and its sensors certainly talked to me as me. They had associated me with my formerly known profile using a totally unknown device and some precautions within just a week.

Those two experiences are enough for me to know that Purism’s ideas and the ways those have been realized were the right choice for me and are well worth my support.

Thank you, Purism

PS: If you care about a solid base first and stabilize it later to be absolutely top-notch, you’ve got me in your boat.

10 Likes

No computer is absolutely secure. Forget that, at your peril.

Look at Spectre, Meltdown, and a bunch of new similar hardware attack vectors. Our illusion of security was broken in a heartbeat on billions of CPUs globally.

If you want security, don’t put it on a computer, not on Linux, nor iOS, or any other OS.

I am not buying a Librem 5 for its better security, rather I’m buying it because I believe in the ideas behind FLOSS (Free/Libre and Open Source Software, https://www.gnu.org/philosophy/floss-and-foss.en.html).

I run Linux every day and I very much appreciated this article on Linux’s insecurity. It’s a good reminder that there is still much security work ahead. Almost every day, one or more serious Debian security bugs are fixed, as reported by the Debian Security Advisories.

On a personal level, my Thunderbird now won’t open links to my Firefox because of AppArmor. It’s a pain. But I get why we need AppArmor. I can disable AppArmor for now till I find the better way to protect it. It’s a process of locking down better, little at a time.

Security involves the product of two fundamental variables:

  1. The value of what is protected, and
  2. The difficulty in stealing that value.

The point is you don’t need to make things absolutely secure.

All you need to do is to make your own place more secure than your neighbor, i.e. make your own fence higher, and add a dog, and the crooks will likely go next door for the easier time stealing what they want. There is no surety here of course, only reasonable probability.

Looking forward to Evergreen. It’s been a long wait, but worth it.

2 Likes

There is some truth to that, but that just means you’re lower down the list. To actually be reasonably secure, the goal is to make the estimated cost of attacking exceed the expected return if the attack is successful. Against a wise opponent, it’s expected cost times expected chance of success vs expected return, but you have to figure some people will be bad at cost analysis and may try anyway. Of course, this doesn’t save you when a new lower-cost attack vector shows up, but that’s the reason for defence-in-depth.

1 Like

I think: expected cost vs expected return times expected chance of success

would be closer to the mark.

Took the time to read the full article about the Linux phones, Linux in general and Android. Besides a lot of facts shown, the author on first look appears very biased - the same way I might be biased towards something like the opposite. He’s got a lot of true points and security knowledge. But what does it help?

It’s beautiful that Android’s a very secure system with an amazing amount of precautions taken. But what does it help, if the base is secure, but all the apples within that bowl are grinning and spying at me?

Since Android 6, location service is mandatory if you want to connect via Bluetooth, app xy tells me. And as soon as I switch on location services, a little sat icon pops up and my firewall tells me that this app - not having done anything like that in the last minutes - wants to call home.

The author disregards the Librem’s switches as a pure marketing gamble. For me those little switches psychologically give back those little pieces of control over my system to me. Whether someone that infiltrated my system can send his data once I switch the network on again is a totally different story and requires a lot more brains and thought on any system - no matter how well secured by default. But in that particular moment when I switch off the sensors, it’s MY DECISION to do so - and perhaps to keep it this way once I got suspicious.

Each coin has two different sides and flipping it over might show a different perspective. The technical side is just one and can be improved over time. The other side is psychological/mental and it has slowly degraded over the last decades. To improve that one again, to bring the user back in control and conscious about it, some little physical switches can be of great help.

And libre plus open-source - faith - is the foundation. The first step to be taken. Everything on top can be improved over time.

3 Likes

And if the crook is a serial burglar, then your house next to the neighbor, yours is next on the list no matter what. Depends if he’s going by street number or on the same block. If the former he’ll be on the other side of the street next time.

And how come the pinephone has six kill switches instead of Librem’s four? What did Librem forget to kill? (Not that I have either yet, just based on what I read here.)