Congrats to the Matrix team (mostly Matthew/Arathorn?) for this! This is a really cool proof of concept for making a native mobile client for Linux. One question, though: my understanding was that some of the work needed to use megolm/olm correctly and securely was in matrix-js-sdk (unless I read the audit wrong). That said, how much work would need to be done to current Qt/GTK SDKs to replicate this (I assume it's mostly key management stuff), and how would the team keep this in sync with any changes made to the JS SDK in the future? Alternatively, am I misunderstanding something fundamental?
I've already backed Purism's Librem 5 campaign, and I think everyone else should too, if they care about a fully free handset. It can be found at https://puri.sm/shop/librem-5/ if you were looking for it.
At the moment about 60% of the code required to do e2e encryption is in the main SDK layer (as it has to hook into all of the Matrix API stuff, client UI/UX and local storage), and 40% in libolm. This isn’t great as it makes porting the app code between platforms more work than it could be and risks bugs - but we have already ported it to iOS and Android, and kitsune is working at porting to libqmatrixclient and penguin42 is porting it to glib for use in libpurple. In future we’ll try to push more of this down into a cross-platform library on top of libolm (libolmmatrix?) which can then have a slightly hairy API to call back to the main SDK to do HTTP and storage operations etc - but for now we’re trying to get it out of beta in the current architecture before we then go and refactor it all.
So: in practice a native Librem client would use libqmatrixclient or something similar, with the application layer E2E functionality handled by that library - but in future that could be factored out to simplify life for everyone.
Another approach could be to use a sidecar process to proxy the traffic and offload all the E2E stuff (which we need for a shim for simple clients anyway - even curl etc). But nobody has yet stepped up to build this, plus integrating with UI is a bit of a pain (local popup notifs + local web interface for key management?). It would be a superfun project for someone wanting to play with E2E though!
Too bad that the Purism Librem 5 won’t qualify for FSF’s RYF¹ certification². I’m sorry, I really don’t mean to come off as snarkily dismissive as this might appear. Let me try again.
This project certainly seems to try to do their very best, and what they have achieved might be all that’s possible to achieve at the present time. I just wanted to, as politely as I might, note that there are those of us for whom this is a dealbreaker, and that we will rather go without than get the current good-enough product. (If there were none of us, there would be no commercial incentive for any company to keep improving in the right direction.)
I really don’t mean to dismiss anyone’s effort; honestly.
Considering how they phrased it and the fact that no phone has the FSF's RYF certification I would tend to think it's because it's currently impossible.
That they took the time to add a note about RYF certification and that they will continue to keep the FSF up to date on this shows that they do care about this. I honestly don't think there's any more you could ask of them.
> it's currently impossible. […] I honestly don't think there's any more you could ask of them.
I don’t dispute that. I have no ill will towards them. I just, you know, won’t actually be buying the phone until one exists which is RYF-certified. I just felt it important that someone pointed this out – while surely their effort towards RYF compliance counts for much, it won’t get me all the way towards actually buying it. I’ll wish them all the luck in actually achieving it, but I (at least) won’t be buying anything until they actually get there.
I suppose I can understand this reasoning a bit, but it seems a little counterintuitive to me. There is literally no alternative. And without efforts like this it's unlikely there would ever be something that is RYF compliant. Accomplishing something like RYF certification requires work, money, and someone willing to try to accomplish it. There is someone that is willing to invest work to at least attempt to accomplish it, but they need money. Why not support them in their quest for this?
Suppose that I’m a vegetarian, but I really like sausage (maybe I acquired the taste before becoming vegetarian), but there are, for some reason, no makers of vegetarian sausages. Should I then accept whatever sausage is available which has the least amount of meat in it? Of course not; I’ll simply go without sausage.
Even if a sausage maker came along and tried to attract the vegetarian buyers with a new kind of sausage which had no meat in it, just a little bit of gelatin in it. They say they can’t currently make vegetarian sausage without any gelatin in it, but they’re working on it. Should I “support” them and buy the sausage with gelatin in it anyway? Of course not; I’m a vegetarian; gelatin means it’s off the table.
(I’m not necessarily really a vegetarian, of course; it’s just an analogy.)
I don't think that analogy is a fair comparison to make because it doesn't fairly portray that Purism doesn't have a choice in this. It is the upstream manufacturers who control this area, and they will have no reason at all to make something which is RYF approved unless someone big enough is pushing for it.
So to make this comparison more apt, it's more like a sausage maker who is focused on making vegetarian sausage. Now, it just so happens that they'd also love to make these sausages vegan sausages, but the suppliers of the contents of the sausage just don't make a "meat" which is vegan because literally no one with any power has asked for it before. If no one buys their sausages there is literally no chance of a vegan sausage being produced because there is just no reason for it.
Even that isn't really an apt comparison because it doesn't correctly portray the ubiquity of cell phones. I guess instead of a sausage maker it would be something more like "a producer of food", where there is literally no vegan food anywhere. So what I don't understand in all this is why someone who wants an RYF certified cell phone would choose not to support the one group even attempting such a thing. You don't even need to eat the sausage or use the phone in this case either, they just need the support.
This analogy is not good, because for a vegetarian there are other easily obtainable things to eat. On the other side, in the case of handheld portals into the digital world, we do not have easily obtainable alternatives.
Besides this weakness, the analogy relies on fanaticism. One can easily become nearly vegan and have virtually all of the benefits while not needing to be totalitarian nor fanatic.
(I’ll answer with what my thoughts and opinions are instead of what I am actually using.) I would not be averse to using a “feature phone” – i.e. a non-updateable non-smartphone. It’s hard coded; no one can affect the software in it, so it would be OK if I can’t either. Of course a free (RYF-certified) phone would have much better features (including inspectable privacy guarantees), which is why I’m considering such a thing.
I can’t know that, which is why I wrote “Of course a free (RYF-certified) phone would have much better features (including inspectable privacy guarantees), which is why I’m considering such a thing.”
If they manage to launch Librem 5, the future iterations may fix this shortcoming. If Librem 5 fails, we are stuck with Android & iPhone, which have much bigger problems.
> we will rather go without than get the current good-enough product
What are you using now?
> If there were none of us, there would be no commercial incentive for any company to keep improving in the right direction
Well, no, the current Librem5 campaign shows there are folks who are willing to shell out money for something drastically better than any other solutions out there today. It's not perfect, but I would rather encourage companies who are striving towards perfection even if they are not perfect today.
I think Purism understands that there are still gaps in coverage; they even admit it on the campaign page. If they no longer make progress towards closing those gaps in future products, then I'm right there with you... they should be dropped.
My philosophy aligns more with the FSFE than the FSF.
Oh, sorry - missed it in the FAQ. My understanding (which isn’t particularly well researched) is that any 3G or 4G packet data requires implementing algorithms (compression and error correction stuff) which are unfortunately encumbered with software patents, and cannot be implemented in a FOSS manner unless someone paid the licensing fees for everyone (similar to Cisco paying the H.264 patent fees for OpenH264), or the patent pool gets bored and relinquishes their patents.
Unsure - https://en.wikipedia.org/wiki/LTE_(telecommunication)#Patent... is pretty depressing, if 3-5% of handset manufacturer revenue goes on paying off the patents :( Separate to patents, I suspect there are also 'secret' constants (lookup tables for compression codes etc) which folks may attempt to copyright, a bit like the DVD CSS secrets...
I really hope the Librem 5 meets its target (I'm a backer). I'd also hope that the fundraising deadline could be extended if it only needs a few more days to complete. Having a FLOSS phone platform, especially with a strong communication platform like Matrix at its core, is something that should ultimately do a lot of good for the continued growth of open source/free software.
Fundraising campaigns are rarely linear and often see an upsurge at the end, but it's still clear that the fundraising trajectory is slightly behind the $1,500,000 target at the moment.
> TL;DR: If you love FOSS-friendly hardware and if you love Matrix, please preorder a Purism Librem5 Matrix-native smartphone, so we can fully bring native Matrix communication to both phones and desktop!
Something about this header rubs me the wrong way. This is not "hey, throw us 10 bucks because $reason" (The Librem 5 seems to be 599$ and it's not from a company I moderately trust to ship a good product, on time)
Call me cheap, but I've never bought a smart phone for more than 300 EUR, and they've all worked fine at the time (HTC Click, HTC Vision, (ok, the Kingzone wasn't great) and Nexus 5X (still 100% fine with it, right now)).
I am very excited for this. I will buy a free software phone with Matrix as a first-class citizen in a heartbeat. Matrix and Purism seem to be putting a lot of effort into paving the way for truly free phones.