I just bought one of these and installed a GSI from phhusson
Unfortunately there are a few things that keep me from daily use with the GSI, notably the lid switch doesn't work without the stock firmware. Less importantly, the front screen also doesn't work, but I can deal with that.
WIP https://github.com/phhusson/treble_experimentations/issues/2...
There is no T9 keyboard on F-Droid that I can find, and everything on the Play store is adware.
Last complaint is that it's thick AF. Yes all the reviews mention it. But it's the same WxL as my iphone SE 2016, and TWICE the thickness.
When I contacted CAT to retrieve the original ROM so I could fix the lid switch issue, I was met with "we do not redistribute ROMs outside of the company". Aside from the usual "You are not GPL compliant if you don't release your kernel now!" style response, this is an asshole move.
I want to like it, I want to use it, we'll see how much resolve I have to fix the aforementioned issues. Does anyone want an unlocked CAT S22 with a GSI installed? ;)
I have an iphone SE 2016 because I too felt that new Androids were too big, switched in 2019. If too many people are upset at the price maybe you could have an Android Mini-a like the Pixel line.
I had the first Pebble and have fond memories. I have high hopes for this!!!! I also love hardware but I never made it stick for work. I was one of the first engineers at Mesur.io, but things didn't work out.
My other thought would be to make this highly configurable; there is a large cohort of HN crowd who also want an un-Googled Android phone, myself included. There are no un-Googled small android phones, however with Project Treble many of them can run GSIs such as this most popular one https://github.com/phhusson/treble_experimentations/releases . Of course Lineage OS deserves a mention, maybe you could ship with that, build on what the community already offers.
The Unihertz line of phones deserves mention, but also scorn; they do NOT support their old hardware at all. The Jelly had 1 update to Android 8.1 and was left for dead. Additionally the system updater software included in the stock ROM was spyware. So unfortunately they were written off in my book.
Finally, I would like to see band 71 LTE availability for T-Mobile in the US. It really makes a big difference in the sticks. Unihertz does not support that, and for that reason I am sticking with my iPhone SE 2016 for the moment (until I find a small Android phone....)
With regards to Unihertz, I'll add on top of what you said, that they are hiding behind ""crowdfunding"" to give non-existent customer support, while devices have already passed Google certifications months ahead (so my guess is that the device is actually already produced when they start the crowdfunding). In my case, the smartphone I ordered never arrived, and I never got any compensation for it, even though
However, hardware-wise, they aren't too bad, so once you managed to receive it, and you flashed a GSI on it, it's a rather acceptable experience. I know someone daily-driving a GSI (I think it's ProtonAOSP?) on Unihertz Jelly 2, and they are happy with it.
In my opinion, Unihertz small phones are fun, but /too/ small. As the article says, target would be 5-5.5" borderless, 4.5" in Jelly2's format, and I couldn't find any model that match. Closest is Xiaomi Qin 2 Pro (I have it, the form factor is really awesome), but it is too thin and thus its battery is abysmal. (If anyone is interested in Xiaomi Qin 2 Pro, yes it can run GSI just fine, but it requires a bit of work - feel free to send me an email for help)
I think in most (West-) European countries there are strict regulations/requirements that require ducts/pipes for any kind of power line. When my house was built (35 years ago) there were already regulations in place that required separate ducts for each group, separate groups for wet rooms (kitchen, bathroom) with grounding, etc.
Overall I found the standards of electrical work in Europe is significantly higher than US counterparts. In modern buildings every outlet and line has mandatory grounding, and GFCI is built into the fuse box on every power line for any building that's less than 30 years old. That really came in handy once when I accidentally hit a power line when drilling through the ceiling. I can't imagine doing any kind of renovation work without GFCI on everything.
I've seen none of the problems all these (presumably N American) commenters are reporting, but our power systems are famously much better in Europe. I'm from England but live in Czechia and apart from different plugs everything works the same.
I bought a rice cooker from a Taiwanese woman a couple of years ago and was shocked (fortunately, not literally) to discover that apparently Taiwan runs on American sockets and American (crappy) voltages. Luckily I had an adaptor plug and it seems to cope with 220V mains without releasing the magic smoke.
What's the proper course of action for folks like us? Report them to a GPL violations hotline?
I don't ask in jest, I just was arguing with CAT (yes the heavy equipment people) about getting ROM/sources for their Android ROM, which they've stated they won't even ship the .bin out of the company.
GPL works on the honor system because its not a life or death matter that necessitates external enforcement. There are lots of things we in society used to do simply because it was the right thing to do. Nowadays everything seems to need to be nailed down by the letter of the law in order for people to abide by them.
I think Element (https://element.io/) is worth looking at for anyone who wants something decentralized. Unfortunately I have exactly 1 contact who uses it, but that was true of Signal as well 8 years ago
For clarity, Element is merely a client (the main one) for Matrix.org. What matters is whether people are on Matrix rather than whether they use the Element client. But most Matrix users surely do use Element.
Maybe this was a case of user error but I know I was not the only person who had difficulty joining Mozilla's riot with their existing riot username when Mozilla first opened their server.
Personally, Spaces is one of the nicest chat-organization tools I've found in an app so far. I can finally group things how I like, have duplicates, and share groupings with other people. The fancier stuff with Spaces isn't super trivial, but the basics work by just tapping obvious buttons on screen.
Sub-folders would be even better for large-volume stuff like throwing multiple Discords worth of things into a Space, but I don't currently need that.
---
E2EE I have routine fights with, so yeah - Element is not great yet. But it's good enough that my siblings and I are seriously considering converting us + my non-technical parents over, now that Hangouts is horrible and we all hate how flaky it is. And it's a much, much better experience than Signal. The only other contender at the moment for that migration is Telegram (which is absolutely stellar, they're doing an amazing job).
Element isn't terrible, it's just more like Slack than Signal or WhatsApp (and I like that, different use cases). Other clients, as you mentioned, provide the latter. There's space for everyone.
Do you have any alternatives? IRC? I use Matrix to communicate with friends so I'm stuck on it for now; I too am very unhappy with the overall UX and find it painful to use.
As mentioned in the comment you're replying to, Element is just one client for Matrix, and there are others like Fluffy Chat that might suit your tastes better. Try some other clients before giving up on Matrix.
I have tried a few others, but from further investigation the issue seems to be due in large part to Synapse being incredibly slow. If you watch /sync a few times in Element (initial syncs are even worse), the TTFB for /sync is incredible. On top of this, you have Element taking up gigabytes of RAM for seemingly nothing at all, so my laptop regularly kills it due to OOM (This could also be in part due to Flatpak shared libraries / sandbox bloat).
I'm very much hoping they will hurry up with Sync v3, which would make this protocol a hell of a lot easier to use (for me, and a lot of other people). Right now booting up Element (or any other Matrix client, this is really a protocol issue) feels like a major chore, and it's something I prefer to avoid if I can. This is also why I keep Telegram installed on both my mobile, desktop and laptop.
Aside from Element, there isn't really much choice on Linux anyway. Fractal is ancient and gets stuck at "Syncing", Nheko takes up gigabytes of memory on initial sync until OOM'd, FluffyChat doesn't really work on my desktop (neither does NeoChat, Quaternion, Spectral), etc. etc. If you name a Matrix client, I have most likely tried it before and it didn't work (aside from Fractal Next, which doesn't have a release yet FWICS).
I've also considered hosting some sort of XMPP service, then bridging my Matrix account to said service so I don't have to endure the poor UX of various Matrix clients. Then again I'm not sure how the end-to-end encryption would work with that, and I would like to keep that if possible.
I have never experienced (or had to endure) an app with such poor UX as Element. Nothing seems to work quite as it should, sometimes it just plainly refuses to work, and other times you get issues which have been reported multiple years ago to the Matrix team (and still have yet to be fixed).
At this point I am very worn out of having to use Matrix, however due to my moderational duties I have no other choice.
The Matrix team had already confirmed that e2ee with XMPP is a 'contradiction in terms'. That's one of the reasons why I believe working on improving existing Internet Standards is better than switching to another trendy, non-standard protocol.
> The Matrix team had already confirmed that e2ee with XMPP is a 'contradiction in terms'.
Ahh, thank you telling me. I guess that's off the cards then.
> That's one of the reasons why I believe working on improving existing Internet Standards is better than switching to another trendy, non-standard protocol.
As much as I hate to admit it, I totally agree with you. While I personally quite like the API's and SDK's (although the JS SDK is pants, I've worked with it before), the UX of the client(s) just don't feel there yet, compared to what alternatives are offering.
I love XMPP, but UX is a client-side concern, not a protocol problem (although some protocols make it easier/harder to have good UX). Both XMPP and Matrix could have great clients, although i personally find most Matrix clients to be more polished than XMPP clients (at the price of much higher resource usage for Element due to Javascript crap).
Some polished XMPP clients include dino/gajim (desktop) and conversations/siskin (android/iOS). If you're looking for a unified-brand client/server distribution, snikket.im is a pretty cool project and could use help and funding.
It has improved tremendously, but it's still nowhere on par with solutions such as Telegram or Discord. As much as I like Matrix, the clients (which I think is where the UX lies for me, as I think it's expected that it takes effort to set up a homeserver), are horrible.
Have you seen Cinny?[1]
It's a very Discord-like client that I'd honestly the best I've used thus far. I instantly switched to it as mt daily driver on the computer and even made a donation to help out the maintainers.
The thing I miss the most is localization, but I get it's not a big priority. I just like translating things, seeing how that can help people.
I'm using it right now and it's the best on I've found. But it doesn't support the up-arrow-to-edit feature, which drives me crazy. There's an open issue for it, so I'm hoping it gets resolved (or I might try to do it myself somehow).
Other than that, Cinny doesn't address the problem of Element on mobile not working very well. FluffyChat's UI isn't very nice either.
> There's an open issue for it, so I'm hoping it gets resolved (or I might try to do it myself somehow).
Hehe, I hopened with the inte tion to do it myself too, but never got around to doing it. It would require me to learn a bit of react and I don't have the time for it atm :/
The one thing I would like to see fixed is better cross-device verification. Discord solves this in an elegant and painless way with QR codes. Element has users manually compare emoji or codes and perform steps. Anecdotal: my last experience was less than good. For some reason it tried to verify twice, but even after I verified both times, it was still showing device listings as unverified.
I don't know what went wrong, but it still needs work. I'm glad to see that it's easier than last time I tried that.
Verifying is only part of the promised solution. Assuming you've verified your own or someone else's device, Element still marks some messages as untrusted/unverifiable. Especially ugly if you get a new device or want to deprecate an old one.
The promised functionality doesn't really work reliably enough to protect against MITM, causes ugly warnings, but has been totally unactionable for years now.
Cross-device works with QR codes, unless your client doesn't support it in which case you can use emojis. For user verification emoji actually makes sense, since it basically allows you to remotely verify without access to the QR code.
You can do verification with either emoji or QR codes. Honestly I think the emoji version is far better for cases where you're verifying identities without meeting in person (one person says what the first 4 are, the other says the last 4).
I had issues with verification a while ago but recently it's worked perfectly fine.
I used to use Wire and then I got my friends to use Element. It’s been working great so far. I just wish it had support for emoji skintones in responses.
Not my intent to offend anyone and plus I'm not American so I might not know your culture well enough, but please don't. Why should we insert race in technology when 1) it's not useful and 2) it's not relevant at all. I mean, who even cares whether the smiley face is white or black or whatever else? It's just a smiley face. IMHO there are more significant areas to care for.
Why give the option for gender selection or character customization in video games? People care about seeing themselves represented. It doesn't hurt anyone to have options (other than those who have to wade through supporting unicode standards)
> who even cares whether the smiley face is white or black or whatever else?
If it doesn't matter, why not let people choose whatever they like? Personally I'm also wondering if having specifically white and specifically black thumbs-ups does not introduce more racial bias rather than the generic yellow default that I was used to, but I did notice people of color using specific colors so perhaps it does matter, at least for some of them. The rest of us can just be on (the afaik neutral) yellow, presuming that makes everyone happy.
Some current problems with Element, and with the Matrix protocol in general (there are a bunch of other clients, e.g Nheko, Fluffychat) include that you need a "homeserver" to store all your messages, and (1) there is no way to migrate to another homeserver (I gave up on Matrix after the third one went bust), (2) the homeserver has (!) plaintext access to all traffic on it, besides all the delicious metadata the spooks love and that (e.g.) Signal hands over to them with effusive eagerness, (3) there is no concept of identity independent of a homeserver, and (4) no effort at all to obscure metadata, who you communicate with and when. I don't know of any clients that let you manage separate identities at the same time, as many mail clients do. (I was running Element and Fluffy to manage two accounts, which is stupid. Maybe some do handle multiple accounts, now?)
Matrix defines a sort of end-to-end encryption, but the ends are homeservers and clients. [Some people are saying not: that homeservers don't see plaintext of E2EE traffic.]
There is talk about self-hosting in the client, but I don't know if it works yet, or ever will. Lack of encryption-at-rest, wherever it is that messages live, seems like a stupendous implementation design flaw, and makes me question all the project's other choices.
If, in fact, messages are, or can now be, stored securely, I would welcome correction. Likewise, if client-side hosting works now, or message-store migration, or a stable address despite such a migration, or any effort at securing metadata. I have not kept up since abandoning Matrix, but still want a viable alternative to Signal.
The Matrix protocol is extremely complex and getting more complex with great speed as they try to get to feature parity with Facebook and Twitter, making it hard to believe one will ever be able to trust it, E2EE or no.
Will we need to start all over again? A rigidly layered system, with a provably secure basis, probably in a single, sandboxed server talked to by all clients and gateways, with services built on top, seems needed if we want both security and features.
As it is, it seems like clients -- i.e. application services -- run in the same address space with what should be secure message transport, necessarily compromising all security with each bug added.
> the homeserver has (!) plaintext access to all traffic on it, besides all the delicious metadata the spooks love and that (e.g.) Signal hands over to them with effusive eagerness
What do you mean? Signal is known for providing minimal information when requested by authorities, e.g., [0].
oh, in my place, the police routinely stop you on the road, check your phone and if they see "whatsapp/signal" or "videos", they mercilessly beat you up, arrest you and charge you with sedition.
i know "whatsapp admins" who have been made to report to police stations because they operate "whatsapp news channels". there they are made to submit their phone and wait outside. then the phone is returned. i have suspected, for like past 3 years that pegasus style malware would have been installed during that time.
now, a lot of these issues and problems can be reduced/prevented if you were not required to mandatory link your mobile number. if they know me by a handle, rather than a phone, it would be a little bit harder to do mass surveillance and bullying.
That's awful. Are there other "security by obscurity" measures you would like to see? For example, making these apps blend in with icon changes, fake splash screens/façades that look like games? Would people have done this already if it were common to build and use alternative clients to the major messaging services?
this was last yearand it continues. i have taught people to use launchers on android like evie that lets you hide apps. that saves you a lot of roadside quick grief. same for using password protected "gallery" like simple gallery to keep stuff behind a password. a thorough check will defeat all this but saves you in the field as you can be randomly picked.
whatsapp/signal/telegram as i said is more difficult, even clubhouse because since your phone is already public, the police do join groups, public or private using any means, lets say by surveillance, by getting access from company side or "borrowing" a phone from a member. then they just get a list of names and go knocking on doors. if the number was not there, it would have been much more difficult.
That's what they claim to store (and I believe it), but that's not all they can be forced to collect.
As a simple example, they could easily log whenever account xyz connects to do a token exchange for using sealed sender. Asking that of Signal won't be something I'd expect a judge would consider excessive if there is a legitimate reason.
Yes, at the limit (not sure if US laws have caught up to Australian ones in this regard) they could potentially be forced to push an app update to carbon-copy all messages from specific people at the client side, unencrypted, to the government. This is generally why people care about having the app available on F-Droid, because you can more easily analyse DIY "supply chain security" on your own copy of the app. The other solution is what Matrix does, which is to encourage people to develop many different client implementations.
Good point. It's unclear to me how much a government could require Signal does for future use of the service. Regulated telecoms are required to provide lawful intercept capabilities for phone calls. I'm actually surprised that the government hasn't argued against E2E encryption on those grounds.
Signal is the one that only works with Google Play, thus a Google account, and a phone number. It is easy for the spooks to connect that and its IP address to every subsequent communication, after the fact.
If it's known for providing some information upon request, then at the very least it is likely it provides lots of information upon demand - including secret demands like National Security Letters.
> Matrix defines a sort of end-to-end encryption, but the ends are homeservers and clients.
This is categorically untrue. Matrix’s E2EE is between clients; homeservers can not see plaintext in encrypted rooms, and all private rooms are encrypted by default these days.
It's simply amazing to see you personally answer almost every single Matrix-related question on almost every single Matrix-related HN thread. You're literally the mastermind behind the most important internet protocol since HTTP, and yet you don't consider it beneath you to correct such basic misconceptions that nobody who so much as skimmed the spec would have had in the first place. Bravo!
> the homeserver has (!) plaintext access to all traffic on it,
Matrix homeservers have plaintext access to whatever is plaintext, though most matrix homeserver software doesn't include built-in functionality for admins to do that sort of thing; it would involve digging through the database(s). DMs are opportunistic e2ee and rooms can be plaintext or E2EE.
> besides all the delicious metadata the spooks love and that (e.g.) Signal hands over to them with effusive eagerness,
Signal is not Matrix...and Signal does not have any metadata except account creation and last-seen timestamps. Maybe the fact that you can't keep the two communications networks straight is a good sign you're not qualified to be critiquing them.
> The Matrix protocol is extremely complex and getting more complex with great speed as they try to get to feature parity with Facebook and Twitter, making it hard to believe one will ever be able to trust it, E2EE or no.
> Signal does not have any metadata except account creation and last-seen timestamps
I hate the way Signal sells it, like there is zero trust involved and everything is solved by some magic encryption. There is a lot of data the Signal could store, like who is receiving the group message you just send to, that is only guaranteed by their server's source in Github (they could be hosting another thing and you will never know). That said, Signal is still much superior in terms of metadata protection, like the sealed sender feature for direct messages which will take time to arrive in Matrix [1]. I just wished they were more transparent about what they can't store and what they can store but is not storing.
>Matrix defines a sort of end-to-end encryption, but the ends are homeservers and clients.
Just clients I think. Otherwise it couldn't be E2EE. AFAIK, if you actually can manage to verify your correspondents with whatever the identity numbers are called in Matrix, you get effective E2EE.
By that definition all encryption would be end-to-end encryption, making the term useless.
The person sending the message and their intended recipient(s) are the "ends" in end-to-end encryption. The server is not an "end".
Incidentally, the client software is also not the "end": If the system includes a component designed to forward any data about the otherwise-encrypted content of the messages to someone who is not the sender or their intended recipient (unless at the direction of someone who is an intended party to the conversation) then the system does not implement end-to-end encryption. For example, Apple's iMessage app does this with their mandatory client-side scanning misfeature.
> For example, Apple's iMessage app does this with their mandatory client-side scanning misfeature.
There's a lot of incorrect information here. First of all, it is not mandatory, it's opt-in - parents have the ability to turn it on for children under 18 whose devices have parental controls enabled. (Technically you could argue that it is then mandatory for those children, but that's no different from other parental control features.) Also, it uses on-device machine learning to detect and blur NSFW photos. They even removed the feature that notifies the parents if the child chooses to view a photo that was detected as NSFW anyway, so the contents of messages are not sent to Apple or anyone else.
I think you're conflating it with the iCloud Photos CSAM detection, which would have been mandatory and sent results of on-device scans to Apple if you have iCloud Photos enabled, but they seem to have scrapped that (for now at least) as they quietly removed all mentions of it from their website.
You're probably correct that I was thinking of the scrapped (or deferred) iCloud Photos proposal. Though this part:
> Also, it uses on-device machine learning to detect and blur NSFW photos. They even removed the feature that notifies the parents if the child chooses to view a photo that was detected as NSFW anyway, so the contents of messages are not sent to Apple or anyone else.
… suggests that there was something similar in iMessage at one point, even if it was later removed. The "on-device learning" (or rather, on-device classification) means you're effectively sharing the data with Apple's agent running on the device, and the user doesn't have the ability to turn that off. Though it wouldn't be unreasonable to consider the parent who authorized this to be one "end" of the conversation since there is a minor involved—assuming there actually is a minor involved. (These "parental controls" have been abused to monitor adults.) It would be best if that fact was somehow communicated to all the other participants, for example with a "parental control active" or "monitored account" badge on the user's icon & profile.
> (1) there is no way to migrate to another homeserver (I gave up on Matrix after the third one went bust)
partially true - while there isn't a protocol defined way, you can invite your new account to your rooms, import your encryption keys and leave the rooms with the old accounts
> (2) the homeserver has (!) plaintext access to all traffic on it
hmm, isn't that unavoidable?
> (4) no effort at all to obscure metadata, who you communicate with and when.
There is effort on it, e.g. by going P2P and eliminating dedicated homeservers
> I don't know of any clients that let you manage separate identities at the same time
FluffyChat, Syphon, and others I don't know the names by heart
> Matrix defines a sort of end-to-end encryption, but the ends are homeservers and clients.
The ends are the sessions in a room. The homserver is not an end. How did you get that impression?
> Lack of encryption-at-rest, wherever it is that messages live, seems like a stupendous implementation design flaw, and makes me question all the project's other choices.
Isn't encryption at rest usually done by the operating system?
>> (2) the homeserver has (!) plaintext access to all traffic on it
> hmm, isn't that unavoidable?
Not only is it avoidable, it’s not actually true AFAIU. It’s unfortunate (if historically justifiable) that Matrix has a non-E2EE mode, but the thing it brands as E2EE is actually deserving of the name, with messages accessible to clients only and the associated hurdles (you literally can’t get access to message history in encrypted chats from a new client on the same account unless you get one of your old clients to cross-sign, even if the homeserver will help mediate the prompt).
Matrix is not free of problems, but it does have federated, multi-party, multi-device, end-to-end encrypted chats with persistent history and forward secrecy. The underlying crypto goes by Megolm[1]. It’s slightly weaker[2] (in particular regarding backward secrecy) than the strictly two-party thing Signal does (however they brand it these days), but nowhere near the point of allowing the homeserver to eavesdrop.
> Not only is it avoidable, it’s not actually true AFAIU.
Note that new features apparently come unencrypted, even in otherwise encrypted rooms. For example reacting to messages with emoji sends the reaction non-E2E-encrypted for both all home servers to see: https://news.ycombinator.com/item?id=29656282.
Some random comments: I'd say this is something that wouldn't have happened for Signal. The comment I linked didn't make it sound accidental. In the linked issue thread, they talk about aggregation done by the server, which means that the server would still be able to tell that person A, B and C reacted with the same emoji. That sounds like a lot of information leakage to me, e.g. for people who do votes via reactions.
Signal's and Matrix's position is quite different because Signal doesn't attempt to be a distributed eventually-consistent data store but simply a message transport. This is a trade-off which costs you some metadata leakage and is what leads to aggregations being a thing that is relevant for Matrix. It also gives you a lot of power, because you can now construct generic, distributed E2EE-enabled apps for "free".
That being said, there is still a lot of it that is up in the air. From what I've gathered, there's been talk about leaving aggregations to be done client-side specifically for reactions.
Regardless, thank you for all of your work and contributions. Keeping those old PPC devices alive did more for the environment than I think you'll ever be able to quantify. Not to mention, I had a lot of fun with old PowerBooks and iMacs surfing the web.
Bootloader unlocking worked out of the box, and GSI installed without a hitch
issues right now:
- The flip doesn't turn on the internal screen
- front screen is inoperable and just displays T-Mobile's logo after installing the APK for the radio
- obviously there is no T9 keyboard with the GSI
- PTT button DOES work with an add-on app that maps keys, it registers fine
Happy to help anyway I can if you're interested