
Purism

High-quality laptops that protect your freedom and privacy

OpenPGP in Your Pocket

Tuesday 9th of February 2021 10:00:01 PM

Access to the smart card reader on the Librem 5 is something we at Purism have been looking forward to for a long time. That day is finally here; those who have their Librem 5 can follow this guide to set up access to the smart card. Orders shipping soon will come with the card reader already set up.

https://videos.puri.sm/promo/pgp.mp4

If you need to set up your smart card reader, these are the steps to enable it:

sudo apt install stm32flash git

Download the scripts:

git clone https://source.puri.sm/angus.ainslie/ttxs-firmware

Change working directory to our newly downloaded folder.

cd ttxs-firmware

Upgrade the smart card reader firmware:

./scripts/stm_reflash.sh

And set up the smart card:

./scripts/smartcard_setup.sh

A more detailed version of these steps can be found here. OpenPGP cards are available for purchase in our shop.

Discover the Librem 5

Purism believes building the Librem 5 is just one step on the road to launching a digital rights movement, where we—the-people stand up for our digital rights, where we place the control of your data and your family’s data back where it belongs: in your own hands.

Order now


The post OpenPGP in Your Pocket appeared first on Purism.

Librem 5 News Summary: January 2021

Wednesday 3rd of February 2021 05:47:34 PM

We have gotten feedback from a number of Librem 5 customers that they would appreciate more frequent email updates about the status of the Librem 5 project. We are a big believer in “opt-in” for services, but while we have tended to err on the side of not spamming people, and instead allow people a number of opt-in options to get news (as we document in this post), we’ve decided to turn the dial one tick toward more frequent email updates for people who only want Librem 5 news and don’t want to subscribe to our newsletter. This will take the form of a monthly email sent to any pre-orders who have not yet received their phone that recaps the news from the previous month.

Shipping Estimates

January has been a very busy month on the Librem 5 front. Each week we continue to ship out more Librem 5s to backers and we now have a good sense of the average number of phones we can ship out each week. This is important because that feeds back into our “Just In Time” manufacturing approach that ensures we always make slightly more Librem 5s than we can ship in a time period. Shipping more means making more, and it turns out we have been able to ship more than we initially predicted. We are also scaling the team up even further not just to address the order backlog, but also the steadily increasing demand we see for Librem 5s each day, so future manufacturing runs will be much larger and we will be able to process through orders more quickly.

With these shipping throughput numbers in hand, we had hoped in January to be able to predict when every pre-order would ship and calculate when we will hit shipping parity–that date when all pre-orders are fulfilled and a new order is shipped within our standard 10-business-day time frame. Due to a number of factors we explain in this longer blog post, including a potential CPU supply chain issue, we could only generate shipping estimates for some pre-orders.

The good news is that we were able to calculate shipping estimates for almost everyone who was part of the initial crowdfunding campaign (which accounts for a large number of orders) and have sent emails out to all pending orders with order dates up to October 20, 2017 with the very last of those orders estimated to be shipped in May. Orders after that date will need to wait a bit longer for estimates until we have ensured we have secured CPU supply to fulfill them.

As we secure CPUs and feel confident in shipping estimates we will send further shipping updates out, and given the higher density of orders during the crowdfunding campaign compared to afterward, we expect new shipping estimates to get much further into the order backlog in terms of pre-order date.

Librem 5 Blog Posts

We have created a video and blog post series for the Librem 5 called “App Showcase.” Each article and video in this series aims to highlight a single app that is currently available in the Librem 5 PureOS Store. So if you are curious to see how apps run on the Librem 5 and how to use them, check out the following App Showcase videos we published in January:

In addition to the App Showcase series, we also published a blog post and video to document how to reflash the Librem 5, and published articles on our kernel work in the 5.8 series as well as the 5.9 and 5.10 series.

What’s Next

In February we will continue to ship out more Librem 5s each week, and hope at some point within the month to also calculate and send more shipping estimates. We have also recently gotten the OpenPGP smart card reader working and are finishing up work so that it can be enabled by default on future shipments. For existing customers we are also finishing up a video and article on how to enable and use the smart card reader on existing Librem 5 phones. We are also working on an update to our past battery life articles that will document the current state of power improvements on the Librem 5.


The post Librem 5 News Summary: January 2021 appeared first on Purism.

App Showcase: WhatIP

Friday 29th of January 2021 08:50:21 PM

If you need to find something on your network, get your IP easily, or test your system’s ports, WhatIP has you covered.

https://videos.puri.sm/promo/whatIP.mp4

While the Librem 5 can act as a phone, in the above video it was acting more like a server. The host Librem 5 was running Dictionary services, an SSH server, Apache2 web services, Server Lab Inventory, and Samba. Because PureOS relies on the solid core of Debian, I was able to copy-paste from Debian howto tutorials with little to no changes.

With great power comes great responsibility

It’s important to follow proper setup procedures when hosting anything on your person. As you move around wifi networks, so do your services. Just like hosting in the cloud, you have to take responsibility to properly set up and update your software. Strong passwords are a must in case you want to attach to an untrusted network like a coffee shop or airport.

Summary

From finding your local printer’s IP, all the way to verifying self-hosted services are properly running, WhatIP has you covered.


The post App Showcase: WhatIP appeared first on Purism.

Reflashing the Librem 5

Saturday 23rd of January 2021 12:22:46 AM

Reflashing the Librem 5 is the best way to remove your personal data and put the phone back into factory defaults.

Warning, this procedure will completely erase everything on the device! Make a backup beforehand!

The Librem 5 gets reflashed from a separate 64-bit x86 computer running PureOS (or booted from the live PureOS disk).

Reflashing from that computer is as simple as installing the needed packages:

sudo apt install git python3-jenkins python3-tqdm uuu

Downloading the flashing scripts:

git clone https://source.puri.sm/Librem5/librem5-devkit-tools.git

And flashing the phone for Evergreen (mass-produced version):

cd librem5-devkit-tools
sudo ./scripts/librem5-flash-image

Detailed directions including how to flash the older Dogwood/Chestnut/Birch versions can be found here; while the above procedure is demonstrated in this video:

https://videos.puri.sm/promo/reflashing.mp4

If you’re not running PureOS or a recent version of Debian or Ubuntu, you may need to alter the install step for your distribution. If all else fails, you can build a live USB of PureOS, boot it, and flash the Librem 5 from there.


The post Reflashing the Librem 5 appeared first on Purism.

Getting Purism News

Thursday 21st of January 2021 06:02:23 PM

We have a lot of irons in the fire at Purism whether it’s hardware development like the Librem 5, Librem 5 USA, or Librem 14, new products like the Librem Mini v2, or the wide range of software projects we maintain at https://source.puri.sm/. As a result, each week there is news on at least one of these fronts.

We often get questions about the status of various projects, in particular from customers who are part of a crowdfunding campaign who want to know the answer to the all-important question: when will I get my device? In this post we will cover all the different ways you can stay up to date on Purism news.

Web

The best place to stay up to date on Purism news is at https://puri.sm/news/ which is where we publish all of our progress reports, product announcements, HOWTOs, press releases and other news, along with larger so-called “think pieces” that we publish from time to time that discuss our values and the industry at large. If you use RSS, you can add https://puri.sm/feed/ to your feed reader and always know when we publish something new.

Social Media

We maintain a number of social media accounts both on platforms that share our values and more mainstream platforms we don’t approve of, so people can share our articles and news with their friends who are still on those platforms. Following any of these social media accounts will let you know when we publish new articles or have new sales or other promotions:

Video

We create quite a bit of video content from HOWTOs to demos and host all of it on our own website. Each video on one of the alternative platforms we will list also has a corresponding article with an embedded video on our own site. Videos that are embedded in articles on our site are also hosted by Purism so that’s the best way for privacy-focused customers to access our videos without sharing data with any third parties.

Even though we host our own videos, we also know that some customers prefer using other platforms to view and track videos. We also know that some customers like the convenience of only tracking our videos and not the rest of our articles. With those needs in mind we also publish each of our videos on Youtube and LBRY:

Email

When it comes to pre-orders we do periodically send email updates to customers letting them know the current status of their order. However we are also sensitive to the fact that many customers don’t want to be bothered, and would consider frequent updates on a project to be spam, while others want to know each time there is an update, however small.

As a result, we typically avoid sending unsolicited emails to customers unless there is a specific status update to their order, or we feel that a news update is important enough that customers wouldn’t view it as spam. For example, for the Librem 5 project, customers who were part of the initial crowdfunding campaign on average have gotten only a few emails a year.

For customers who want frequent updates and prefer email over the above options, we offer a newsletter you can subscribe to and receive curated digests of our news every few weeks. To sign up, just scroll down to the bottom of this page and you will see our newsletter subscription form. Just add your email and click Subscribe.

Stay in Touch

Whatever method you choose, please do choose at least one way to stay up to date on all of our news. We stay very busy here at Purism and there’s always something new to report.

The post Getting Purism News appeared first on Purism.

Parler Tricks: Making Software Disappear

Monday 18th of January 2021 04:47:09 PM

Much has been written and broadcast about the recent actions from Google and Apple to remove the Parler app from their app stores. Apps get removed from these app stores all the time, but more than almost any past move by these companies, this one has brought the power Big Tech companies wield over everyone’s lives to the minds of everyday people. Journalists have done a good job overall in presenting the challenges and concerns with this move, as well as addressing the censorship and anti-trust issues at play. If you want a good summary of the issues, I found Cory Doctorow’s post on the subject a great primer.

Sawing the Market in Half

Instead of rehashing any of those arguments, I wanted to highlight one area that wasn’t covered quite so much. Regardless of how you feel about Parler, an important thing to note is that this is far from the first time, nor will it be the last time, that Google and Apple remove controversial software from their stores. Because of their duopoly over the phone market, when they want to, Google and Apple can simply make software disappear.

What should concern you is that if the industry continues on the path they have started with phones, this same control will be coming soon to a laptop near you. The end result will be that whether or not you are allowed to install and run software on a computer you own would no longer be up to you. It would be dictated not by laws or governments, but by a small group of Big Tech companies. This will all be in the name of security, but is all about control.

Sleight of ARM

It’s well-established that iPhones are locked down with an App Store that tightly restricts what software can be installed and run. I’ve written much in the past about how they exert that control and more recently about how that control is already extending from their phones into their laptops. These changes are happening gradually with tweaks in each OS update and added security features in each new piece of hardware. In particular, in light of the new ARM-based Macbooks the trend is clear: a future where Apple laptops behave like iPhones and Apple can remotely control what software you are allowed to install and run on their devices, in the name of security, but really so that they can control competitors.

Tricks Up Android’s Sleeve

This is part of the article where Android users feel smug. After all, while much more of their data gets captured and sold than on iOS, in exchange they still (sometimes) have the option of rooting their phones and (sometimes) “sideloading” applications (installing applications outside of Google’s App Store). If Google bans an app, all a user has to do is follow a list of complicated (and often sketchy) procedures, sometimes involving disabling protections or installing sketchy software on another computer, and they can wrench back a bit of control over their phones. Of course in doing so they are disabling security features that are the foundation for the rest of Android security, at which point many Android security experts will throw up their hands and say “you’re on your own.”

Also, while Android allows the same kind of restrictive features as iOS (and is working toward the same advances in secure enclave enforcement of them), they are often a generation or two behind. Due to Android fragmentation, the level of control the vendor enforces on a particular phone is left up to that vendor. This allows the vendor to make extra money pre-loading third-party software on your phone you can’t remove. That means whether you can sidestep Google App Store bans largely depends on which phone you have and which vendor sold it. But if you look at the app restrictions already on ChromeOS, and understand that the ultimate goal for Google and Apple is to merge their phone and desktop OSes into one convergent OS (like we’ve already done), you can see that what happens on the phone will ultimately happen on the desktop.

Straightjacket Escape

If the industry continues down this path with this same duopoly, the future promises more restrictions on users as their computers get more locks they can’t escape. Software developers for these platforms will face the constant risk that their apps might get banned and disappear from computers whether because of legitimate policy concerns or just because Big Tech decided to make a competing app. Customers will live under the uncertainty that their favorite apps might disappear just because the company that made them got into a fight with the App Store owner.

Fortunately there is an alternative. The solution is to choose hardware and software from companies that value your freedom. One reason that Purism believes so strongly in Free Software (and why PureOS is 100% Free Software) is because of the freedom it gives users to escape any locks a vendor may try to impose. If you don’t like what an app does, you can change it. With Free Software, if an app store were to remove software, or even if a developer were to abandon a project entirely, the source still exists so others can package and maintain it independently.

The Librem 5 phone runs the same PureOS operating system as Librem laptops, and it features the PureOS Store which provides a curated list of applications known to work well on the phone’s screen. Even so, you can use the search function to find the full list of all available software in PureOS. After all, you might want that software to be available when you dock your Librem 5 to a larger screen.

We aim to provide software in the PureOS store that respects people’s freedom, security, and privacy and will audit software that’s included in the store with that in mind. That way people have a convenient way to discover software that not only works well on the phone but also respects them. Yet you are still free to install any third-party software outside of the PureOS Store that works on the phone, even if it’s proprietary software we don’t approve of.

You don’t need our permission to use your computer how you want with the software you want.


The post Parler Tricks: Making Software Disappear appeared first on Purism.

App Spotlight: Dictionary

Friday 15th of January 2021 11:01:23 PM

Among the easily installable and ad-free apps within the PureOS store is Dictionary. This is a simple tool that lets you search through numerous online or local dictionaries and translation sources.

https://videos.puri.sm/promo/dict.mp4

After install, the defaults are perfectly suitable for most users to look up data online:

Offline search:

For those who want to become invisible, you can air gap your Librem 5 from all networks while still using self-hosted services like translation. To install locally hosted dictionary services, run the following commands:

sudo apt install dictd
sudo apt install dict-gcide
sudo systemctl start dictd
sudo systemctl enable dictd

If you’d like a few extra dictionaries to look up data in:

sudo apt install dict-freedict-eng-*

You’ll also want to point the Dictionary app at your new service:

Becoming a Server:

Not only can the Librem 5 locally host and use Dictionary services, but it can share the service with your network. To do this, edit /etc/dictd/dictd.conf to accept non-local connections.

Look up what you need to, and keep your data in your control.
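The WhatIP post above notes that services follow the phone from one wifi network to the next, and the step above opens dictd to the network. As an added example (not part of Purism's posts), this shell snippet filters `ss -tlnH` output down to the TCP listeners bound to non-loopback addresses; the sample input is constructed and the function names are assumptions.

```shell
#!/bin/sh
# Added example: report TCP listeners that are reachable from the network.
# On the phone, feed it live data with:  ss -tlnH | exposed_listeners

# Constructed sample of `ss -tlnH` output (not captured from a real device):
# dictd (2628) is still loopback-only, while SSH (22), Apache (80) and
# Samba (445) are bound to every interface.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:2628 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 511 *:80 *:*
LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 [::1]:631 [::]:*'

# Read `ss -tlnH` lines on stdin and print "port address" for every
# listener whose local address is not a loopback address.
exposed_listeners() {
    awk '
    $1 == "LISTEN" {
        ep = $4                           # Local Address:Port column
        pos = match(ep, /:[0-9]+$/)       # the final ":port" suffix
        if (pos == 0) next
        addr = substr(ep, 1, pos - 1)
        port = substr(ep, pos + 1)
        sub(/%[^]]*/, "", addr)           # drop an interface scope such as %lo
        if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
        print port, addr
    }'
}

# Exit status 0 only if the given port has no network-reachable listener
# in the `ss -tlnH` lines read from stdin.
port_is_local_only() {
    ! exposed_listeners | awk -v p="$1" '$1 == p { found = 1 } END { exit !found }'
}

printf 'Network-reachable listeners in the constructed sample:\n'
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

Running the check before and after editing /etc/dictd/dictd.conf shows whether port 2628 moved from the loopback-only group to the network-reachable one, and what else is listening alongside it.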


The post App Spotlight: Dictionary appeared first on Purism.

Librem 14 Update: Shipping Starts in February with Extended Battery

Friday 15th of January 2021 05:20:26 PM

The Librem 14 is our dream laptop and we know many of you are looking forward to getting yours. In our last post we talked about some of the final tweaks we made that resulted in shipping being delayed until January. The bad news is that we won’t be able to start shipping Librem 14s until February, but the good news is that everyone will be getting our (as of yet unannounced) extended battery option by default! Read the rest of the article for details.

Supply Chain Challenges

If you talk to anyone in manufacturing they will tell you that this has been a particularly challenging year for the supply chain. Whether you are talking about toilet paper, N95 masks, rubber gloves, or semiconductors, the global pandemic has made supply chains less reliable, and lead times and shipping times incredibly unpredictable. We already ran into supply chain challenges with the Librem 14 earlier when Intel announced CPU shortages, and most recently when we were preparing the first run of production Librem 14s we hit another issue: we couldn’t get the 3-cell batteries we were planning to use until after Chinese New Year! If you are familiar with manufacturing in China, you know that the entire country essentially shuts down for weeks, so this is far from ideal. However it turns out we could get our 4-cell extended battery in time.

The Librem 14 Extended Battery

When we first designed the Librem 14, it was with a 3-cell battery and second M.2 storage slot. Later on, we evaluated the option of including a 4-cell extended battery that increases the capacity by 33% at the expense of covering up the second M.2 storage slot. Because of that, we decided at the time to make the 3-cell battery the default, and offer the 4-cell extended battery to customers as an after-market optional upgrade.

These recent events have caused us to re-evaluate that plan. We realize most customers will probably never use the second M.2 storage slot of their laptop, but they would appreciate having the extra battery capacity. So we are going to default to the 4-cell extended battery on Librem 14 orders, unless the customer fills both M.2 slots, in which case we will fall back to the 3-cell battery.

For existing orders with both disk slots populated, this would mean your order gets delayed until March when we get 3-cell batteries, but if you don’t want to wait, we will work with you if you want to modify your order (simply contact our support team with your order number). For everyone else, we will start shipping their Librem 14 with the 4-cell extended battery in February.

Thank you so much for your patience while we finish up the Librem 14. Hopefully the surprise upgrade to an extended battery will help take some of the sting off of the extra wait!

The post Librem 14 Update: Shipping Starts in February with Extended Battery appeared first on Purism.

Purism and Linux 5.9 and 5.10

Wednesday 13th of January 2021 08:32:37 PM

Following up on our report for Linux 5.8, this summarizes the progress on mainline support for the Librem 5 phone and its development kit during the 5.9 and 5.10 development cycles.

Librem 5 updates

One of the most notable additions is a first devicetree description for the phone. This is important to have upstream since it describes how the hardware is wired up. Without that, it’s impossible to boot a mainline kernel. We added descriptions for the various phone revisions themselves (up to the Dogwood board) and also for the MIPI DSI controller of the imx8mq SoC. From this point on, we’ll incrementally add the missing pieces, for example from the display stack, just like we’ve done for the devkit back in Linux 5.2.

Librem 5 LCD panel

Speaking of the display stack: The phone includes a different LCD panel than the devkit and we had to add a driver for it:

Devkit updates

Another milestone we reached (and had promised earlier) is that the devkit’s display now works with mainline Linux directly. All needed drivers are there and the hardware is described accurately in the devicetree upstream. It’s not only nice to be able to use a mainline kernel without (m)any patches, it’s important in order to keep the hardware supported for a long time. The hard parts had been done before, and this is what the final pieces for the display look like:

Audio Codec

The wm8962 audio codec needed a small update to allow userspace to utilize hardware mono downmix for cases where only mono output to a single speaker is desired, like on a mobile phone:

Code review

During these rounds, we contributed 24 Reviewed-by: or Tested-by: tags to patches by other authors. Also, we would like to thank everybody who reviewed our patches and helped us, especially Sam in the DRM layer and Shawn and Krzysztof in the devicetree area. It’s supposed to be fun but we know it isn’t always, so that’s much appreciated.

Sources

Have a look at our Linux tree to see what is currently being worked on and tested (or help if you feel like joining the fun).


The post Purism and Linux 5.9 and 5.10 appeared first on Purism.

Librem 5 Update: Shipping Estimates and CPU Supply Chain

Tuesday 12th of January 2021 10:29:22 PM

It’s been a busy holiday and New Year’s season at Purism as we continue to ship out Librem 5s to backers each week. We know for those who haven’t received their Librem 5 yet, what they most want to know is when their Librem 5 will arrive. In summary, we will be providing shipping estimates within the next week to the backers within the original crowdfunding campaign (orders through October 2017), but not all backers yet, based on our confidence in the estimates. The rest of this post will explain what is going into our shipping estimates, and why we can’t yet provide shipping estimates to every backer.

When we published the shipping FAQ we explained some of the factors in the shipping calculation:

That calculation depends not only on their place in line, but also on our knowing our average and maximum weekly phone throughput in advance, which we don’t expect to know until we are at least a few weeks into the process. We expect to have a good idea on these projections by the end of the year, however.

Now we are happy to say that we not only have a good idea on our shipping throughput, we actually exceeded our expectations for how many we could ship! So hopefully by the end of this week, or possibly the beginning of next week, we will be contacting a large group of backers who we feel we can provide a reliable shipping estimate. Note that this will be a separate email from the emails we already send out each week to confirm shipping information to the next group of backers who are ready to receive their Librem 5.

The Road to Shipping Parity

Back when we published the shipping FAQ, we expected that by this point we would be able to provide every backer with an accurate shipping estimate and be able to predict when we would hit shipping parity–the moment when all of the backlog has cleared and a new order would be fulfilled in our standard 10-business-day window. Once you know how many Librem 5s you can ship in a week, it seems like it would be a relatively straightforward calculation to apply that to a person’s place in line and estimate a shipping date.

Making Librem 5 Just In Time

In our case the calculation is a little more complicated due to the fact that we employ a “Just In Time” manufacturing process for the Librem 5s, which is pretty common in the industry. We estimate our shipping throughput and make slightly more Librem 5s than we think we can ship in a period of time. The next manufacturing run of Librem 5s then arrives around the time we complete shipping out the previous run. This has a few benefits, but the main benefit is if we were to identify a hardware problem in the existing Librem 5 manufacturing process (whether a systemic flaw, or a flaw in a particular manufacturing run) it impacts a smaller number of Librem 5s and can be fixed for future batches.

So when making these shipping estimates, we not only factor in our shipping throughput, but also the size of future manufacturing runs, which we now are increasing based on the fact we’ve exceeded our initial estimates. We can then calculate which run a particular order would be in, when we will make that next set of Librem 5s, and be able to estimate when a particular Librem 5 will ship. We also factor in and plan for events like Chinese New Year, which cause essentially everything in China to shut down for a few weeks.

CPU Supply Chain

One downside to using Just In Time manufacturing is that you must factor in all of the different lead times for all the different individual components that go into the Librem 5. While some components have relatively short lead times, others sometimes have lead times extending out multiple months. You have to factor all of this in to ensure that everything is ordered in advance so that it arrives just when you need it.

If you talk to anyone in manufacturing they will tell you that this has been a particularly challenging year for the supply chain. Whether you are talking about toilet paper, N95 masks, rubber gloves, or semiconductors, the global pandemic has made supply chains less reliable, and lead times and shipping times incredibly unpredictable. It’s left everyone in the industry scrambling from source A to B to C down to Z sometimes to find inventory. It even added a delay a few months back to our Librem 14 timeline due to Intel having trouble fulfilling all of their CPU orders.

Our customers have told us they want ever more information on what happens behind the scenes of making a phone like the Librem 5, so in the interest of transparency we are sharing what we’ve been hearing from our own suppliers. The iMX-8 processor we use in our Librem 5 is also popular in the automotive industry, and currently NXP has been hit with a global semiconductor shortage due to a dramatic increase in demand from auto makers.

This shortage has increased the lead times for CPU orders, which is of course a critical component in the Librem 5. As we started getting word about this shortage we were proactive in sourcing and purchasing all the CPUs we can, and continue to do so, while also factoring these increased lead times into future orders.

What Does This Mean For Me?

What does this mean for you? Based on our efforts thus far there’s a good chance it will not affect your shipping time as we continue to track down new CPU supplies and plan for future manufacturing runs. So far it hasn’t caused a delay.

However we wanted to let everyone know about this potential issue far in advance, because it will impact how many people get shipping estimates. We only want to send shipping estimates when we know for sure we have the CPUs to fulfill them, so this week instead of sending estimates to everyone like we had planned, we are only sending estimates out up to the point we have CPUs that will arrive just in time. This happens to coincide with all the orders placed through October 2017–the end of our original crowdfunding campaign.

As we secure more CPU supply, and feel confident about the supply chain for future manufacturing runs we will send out additional shipping estimates. Hopefully soon we will be able to account for the whole backlog and can calculate when we hit shipping parity.

Certification Update

We’ve also gotten some questions about the various hardware certifications for the Librem 5 including Respect Your Freedom (RYF), FCC and CE. While we designed the Librem 5 to qualify for each of these certifications, we had to wait to start the certification processes until we had the final mass-produced “Evergreen” Librem 5 since changes in the hardware would require re-certification.

Each of these certification processes is under way. While the transmitters in the Librem 5 (the removable cellular modem and WiFi card) already have FCC and CE certification, we are seeking certification for the device as a whole. We are still in the middle of these time-consuming certification processes and will post an update to our site when there is any news on any of these fronts.

Thank You

We want you to have your Librem 5 as soon as possible and appreciate everyone’s patience as we continue to process orders and get through our backlog. It’s everyone’s support through this monumental process that has made the Librem 5 a reality.

The post Librem 5 Update: Shipping Estimates and CPU Supply Chain appeared first on Purism.

App Spotlight: Sound Recorder

Thursday 7th of January 2021 09:53:26 PM

Sound Recorder is simple to install and a powerful way to record in the studio or on the go:

https://videos.puri.sm/promo/sound_recorder_v2.mp4

The app itself is deceptively simple: it offloads all of the audio device setup and selection to the OS layer, which can be managed in settings:

With the brunt of the setup automatically handled by PureOS, you can set up the basics from within the app menu.

Actually using the interface could not be more intuitive. Simply hit record to record, and click a past entry if you want to listen to it.

A Quiet Solution:

Silence is ideal for any recording studio or sound room. The fans in a standard x86 computer can impact the end result if kept too close to the mic. When I first built my sound closet room I cabled long runs of USB and power to prevent having to use a computer near my mic. This sucked as I had to print out my script and I couldn’t check the recording status during the session.

Being able to read the script off a screen and having access to the audio controls drove me and my roommate to build this fanless monstrosity:

This did the trick for years but did suffer from major stability issues which were endlessly frustrating to deal with mid recording. Now with USB-C dock support getting better and better, using the Librem 5 has solved all my recording issues and has now permanently replaced my sound room computer.


The post App Spotlight: Sound Recorder appeared first on Purism.

Purism and Linux 5.8

Thursday 7th of January 2021 02:37:45 PM

Following up on our report for Linux 5.7, this post summarizes the progress on mainline support for the Librem 5 phone and its development kit during the 5.8 development cycle. That was already a few months ago. We missed publishing this earlier, and the summaries of more recent development cycles will follow shortly.

Devkit updates

The Librem 5 devkit saw a minor update that will save some power:

  • arm64: dts: imx8mq-librem5-devkit: Use 0.9V for VDD_GPU
  • arm64: dts: imx8mq-librem5-devkit: Don’t use underscore in node name

USB power management

Runtime power management in the USB stack is quite mature and well supported. We added one piece for the Designware DWC3 hardware IP that has been missing: support for runtime power management when devices are connected and disconnected on an external bus:

usb: dwc3: support continuous runtime PM with dual role

Librem 5 Light and Proximity Sensor

During a phone call, the Librem 5 naturally might be near the user’s ear. We added a new interface to Linux to allow userspace to decide when an object is close to the device and added support for the vcnl4000 proximity sensor:

  • Documentation: ABI: document IIO in_proximity_nearlevel file
  • iio: vcnl4000: Export near level property for proximity sensor
  • dt-bindings: iio: light: vcnl4000: Add proximity-near-level
  • dt-bindings: iio: Introduce common properties for iio sensors
  • dt-bindings: iio: vcnl4000: convert bindings to YAML format

Librem 5 Display stack

Our largest addition during this development cycle was support for the NWL MIPI DSI controller. For the devkit, this marks the last piece that the mainline kernel needed to support the full display stack. The Librem 5 phone is one panel driver away from having the same:

  • drm/bridge: Add NWL MIPI DSI host controller support
  • dt-bindings: display/bridge: Add binding for NWL mipi dsi host controller

Code review

This round we contributed 6 Reviewed-by: or Tested-by: tags to patches by other authors. Something we can still improve on for upcoming cycles.


The post Purism and Linux 5.8 appeared first on Purism.

App Showcase: Weather

Monday 4th of January 2021 11:34:21 PM

Weather apps are one of the few apps people use every day that need a location to work, but weather apps on most smartphones are notorious for capturing and selling your location data.

The Librem 5 is designed to protect your privacy, and includes a privacy-respecting Weather app. When opened, it retrieves weather data from the Norwegian Meteorological Institute, and only from them.

The Norwegian Meteorological Institute has a free and open data policy with the goal of benefiting society, in many ways similar to our ideals at Purism.

https://videos.puri.sm/promo/weather_v2.mp4

Weather features an hourly overview, as well as a 10-day forecast.

As you would expect on a privacy device, you can disable automatic location and enter your position by hand.


The post App Showcase: Weather appeared first on Purism.

The Future of Software Supply Chain Security

Thursday 31st of December 2020 11:22:16 PM

All indications are that software supply chain security will be the biggest issue for the security industry in 2021. The largest security story of 2020 was the supply chain compromise of SolarWinds Orion which allowed attackers to ship malicious updates with backdoors to Orion customers with perfectly valid signatures. Once these updates were applied and attackers were in these networks, this access allowed a large-scale attack of government agencies and tech and security companies, perhaps one of the single largest attacks of US networks in history. In some cases the level of compromise was so deep, including compromised administrator credentials, that the general guidance has been for victims to rebuild infrastructure from the ground up.

Supply chain security is not a new concept (I wrote about how Purism protects the digital supply chain over two years ago) and many researchers have recognized it as a legitimate threat for a long time. Yet the industry overall has been slow to recognize the risk and in fact perverse incentives have led to many in the industry doubling-down on security solutions that rely heavily (in many cases rely entirely) on the exact kind of security measures supply chain hacks defeat.

The proprietary software industry can’t fix the software supply chain problem because they largely created it and depend on it to maintain control over customers. In this article I’m going to explain how this happened, and what the future of supply chain security looks like.

Perverse Incentives

The core problem with the security industry is the perverse incentives that drive security architects to design solutions where security is a secondary effect or sometimes even a marketing excuse, when the main priority is to increase a customer’s dependence on the vendor. The majority of professional security architects out there use the same playbook, and are unable to design secure software without falling back to chains of binaries signed with vendor keys.

There’s nothing wrong with code signing as a security measure when it’s limited to its intended purpose: a “seal of approval” assuring a customer that software has not been changed after it left a vendor. This seal is especially important when you are shipping software in binary form since you can’t as easily audit that software for malicious changes like you can with source code. Code signing is a widespread practice and even Linux distributions use it as a way for users to verify software packages came from that project.

The problem with code signing is in how it has been extended to exert control. In addition to verifying whether software has been modified, those signatures are also used to enforce policies that only allow software to be installed or to run that the vendor explicitly approves. The proprietary software industry is dependent on code signing with vendor keys as the foundation for most if not all of its security, because it enables vendors to exert this control over their customers in the name of security.

Exerting Control

Nowhere do these perverse incentives have a stronger impact than the smartphone industry, which has become the test bed for the most advanced applications of code signing to exert control, with Apple at the forefront. In the name of security, every piece of software you install or run on an iPhone must be approved by Apple. They act as the gatekeeper over what’s allowed in the App Store and can revoke previously-approved applications from competitors, which has led to lawsuits and anti-trust hearings.

In the beginning this control was enforced by comparing code signatures in software, but as customers have gotten more sophisticated in their ability to bypass this control (literally called jailbreaking because these controlled environments are called jails), vendors have doubled-down on code signatures backed by specialized hardware. From the moment the computer starts, code is sent to this hardware for approval–only if signatures match vendor approval does this hardware allow it to run.

While the explanation for these sophisticated measures is security–stopping hackers and even governments from breaking into your computer–the reality is that the majority of the time these measures just prevent end users and competitors from doing something the vendor doesn’t like. Worse, this approach anchors all security and all trust in the vendor and their signing keys. Compromise a signing key and the whole house of cards falls down.

The House of Cards

Most security experts agree that end-to-end (e2e) encryption (where only the two endpoints control the keys) is the best way to secure communication between two people. Experts also almost universally agree that adding an encryption backdoor–an extra key controlled by the vendor or handed over to authorities that can unlock e2e encrypted messages–cannot be done securely. This is because there is no such thing as a backdoor only authorities know about. Even if you trusted authorities to have a key, eventually attackers will get access or otherwise compromise that key and then the security of all of these previously-secure messages is defeated.

This, by the way, is why the NSA is known to store encrypted communication automatically and indefinitely. Even if they can’t decrypt it today, they might be able to decrypt it eventually, due to a future flaw discovered in the encryption, or the disclosure of the key.

Ironically, many of the same experts who speak out against encryption backdoors design security systems that anchor all trust in their company’s signing key. Little effort is spent designing systems that can detect and respond in the event a signing key gets compromised. Yet we know these keys get compromised, and between the Stuxnet malware and the SolarWinds Orion supply chain compromise we have two large-scale global examples of how high security systems can be compromised for months without anyone knowing, when they blindly trust key signatures.

This contradiction between what security experts say is secure and what they design for their companies illustrates how perverse incentives compromise secure design in favor of control. Improving supply chain security requires giving up some or all of this control, which is why you will likely not see real solutions come from proprietary software vendors.

Canned Solutions

We could learn a lot about how to secure the software supply chain from how we secure the food supply chain, and in my article Protecting the Digital Supply Chain I draw many analogies between them:

The food supply chain is important. Food is sealed not just so that it will keep longer, but also so that you can trust that no one has tampered with it between the time it left the supplier to the time it goes in your grocery bag. Some food goes even further and provides a tamper-evident seal that makes it obvious if someone else opened it before you. Again, the concern isn’t just about food freshness, or even someone stealing food from a package, it’s about the supplier protecting you from a malicious person who might go as far as poisoning the food.

The supply chain ultimately comes down to trust and your ability to audit that trust. You trust the grocery and the supplier to protect the food you buy, but you still check the expiry date and whether it’s been opened before you buy it. The grocery then trusts and audits their suppliers and so on down the line until you get to a farm that produces the raw materials that go into your food. Of course it doesn’t stop there. In the case of organic farming, the farmer is also audited for the processes they use to fertilize and remove pests in their crops, and in the case of livestock this even extends to the supply chain behind the food the livestock eats.

If the food supply chain worked like the proprietary software supply chain, we’d buy food in opaque jars with a factory tamper seal on them, but without expiration dates, ingredient lists, food allergy warnings, or nutritional information. The factories would never get inspected for cleanliness or audited to see if they use spoiled ingredients or processed peanuts in the same facility. Most importantly, we wouldn’t be able to check the food ourselves beyond that tamper seal–we wouldn’t have a sense of smell, taste, or sight. The only way we’d know if the food was tainted is by eating it and waiting to see if we get sick.

The Future is Clear

To improve software supply chain security we need the ability to audit software like we audit food and this requires much more transparency–transparency beyond what proprietary software vendors allow. Tamper seals (code signing) are important, but not close to being sufficient to catch tainted software. As the SolarWinds Orion hack shows, food can be tainted at the factory before it gets into those tamper-sealed jars.

The software supply chain will get attacked, and third parties and motivated customers must have the ability to detect tainted code quickly, beyond simply relying on their vendor to notice, looking at a tamper seal, or waiting to see if their network gets sick. The best hope we have to improve supply chain security is in the combination of free software and Reproducible Builds.

Free Software

At the initial level free software and proprietary software use similar security measures to protect against supply chain attacks. A software repository is owned by a limited list of maintainers who control what source code and files are allowed in the repository and approve all changes. Both free and proprietary software developers these days typically sign their code changes with a personal signature verifying that the change came from them. When the software gets packaged, that binary package is also typically signed with a key owned by the company or software project so the end user can verify that the package hasn’t been modified by anyone else, before they install it.

Free software adds an additional layer of supply chain security that proprietary software simply can’t, due to the freedom of the code. While an attacker can try to sneak malicious code into the source code itself, it’s much more challenging to hide that code long-term, given that code changes are not only audited by the software maintainers themselves, but any interested third party as well as security researchers and even regular end users. While some security researchers are just as comfortable auditing binaries as source code, for many it’s a lot easier and faster to audit code for backdoors when the code is freely available.

This is one reason why Purism offers a 100% free software operating system, PureOS, on our computers. By only installing free software, all of the source code in the operating system can be audited by anyone for backdoors or other malicious code. For processed food to be labeled as organic, it must be made only from organic sources, and having our operating system certified as 100% free software means you can trust the software supply chain all the way to the source.

Reproducible Builds

Unlike proprietary software, free software can also address the risk from an attacker who can inject malicious code somewhere in the build process before it’s signed. With Reproducible Builds you can download the source code used to build your software, build it yourself, and compare your output with the output you get from a vendor. If the output matches, you can be assured that no malicious code was injected somewhere in the software supply chain and it 100% matches the public code that can be audited for backdoors. Think of it like the combination of a food safety inspector and an independent lab that verifies the nutrition claims on a box of cereal all rolled into one.

Much of PureOS is already reproducibly built, and we are working so that ultimately all software within PureOS can be reproducibly built starting with the base install and expanding from there. We not only intend on publishing our own reproducible build results, but also tools and guidance so third parties and customers can perform their own audits. That way, customers aren’t limited to learning about supply chain attacks from us, they can audit and detect attacks themselves.
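The comparison described in this section, sketched as an added example (it is not Purism's or PureOS's tooling): several independent rebuilders hash their own build output and check it against the digests the vendor published. It assumes the vendor's digests sit in a Debian-style `Checksums-Sha256` field; the package names, rebuilder names, byte strings and quorum policy are constructed for illustration.

```python
import hashlib
from collections import Counter


def parse_sha256_checksums(buildinfo_text):
    """Parse the Checksums-Sha256 field of deb822-style text.

    Returns {filename: sha256_hex}. Entries are continuation lines that
    start with whitespace and hold "<sha256> <size> <filename>".
    """
    digests = {}
    in_field = False
    for line in buildinfo_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
        elif in_field and line[:1] in (" ", "\t") and line.strip():
            digest, _size, name = line.split()
            digests[name] = digest.lower()
        else:
            in_field = False  # any other field ends the checksum list
    return digests


def make_buildinfo(source, version, artifacts):
    """Build constructed vendor metadata for the demo (not a real release)."""
    lines = ["Format: 1.0", f"Source: {source}", f"Version: {version}",
             "Checksums-Sha256:"]
    for name, data in artifacts.items():
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    lines.append("Build-Architecture: amd64")
    return "\n".join(lines) + "\n"


def audit(vendor_buildinfo, rebuilds, quorum=2):
    """Compare vendor-published digests with independent rebuild outputs.

    rebuilds maps rebuilder name -> {filename: bytes built from public source}.
    Per artifact the result is one of:
      reproduced    every rebuild agrees and matches the vendor digest
      mismatch      every rebuild agrees, but not with the vendor digest
      inconclusive  fewer than `quorum` rebuilds, or rebuilders disagree
                    with each other (non-deterministic build or a bad rebuilder)
    """
    report = {}
    for name, vendor_digest in parse_sha256_checksums(vendor_buildinfo).items():
        votes = Counter(
            hashlib.sha256(outputs[name]).hexdigest()
            for outputs in rebuilds.values()
            if name in outputs
        )
        if sum(votes.values()) < quorum or len(votes) != 1:
            report[name] = "inconclusive"
        elif vendor_digest in votes:
            report[name] = "reproduced"
        else:
            report[name] = "mismatch"
    return report


def demo():
    """Constructed scenario: one artifact is altered before the vendor signs it."""
    lib = b"constructed: library built from the public source tree"
    agent = b"constructed: agent built from the public source tree"
    tainted_agent = agent + b" + code added on the vendor build host"
    vendor = make_buildinfo("example", "1.0", {
        "example-lib_1.0_amd64.deb": lib,
        "example-agent_1.0_amd64.deb": tainted_agent,  # what customers receive
        "example-doc_1.0_all.deb": b"constructed: docs",
    })
    rebuilds = {
        "rebuilder-a": {"example-lib_1.0_amd64.deb": lib,
                        "example-agent_1.0_amd64.deb": agent,
                        # embedded timestamp: this package is not reproducible
                        "example-doc_1.0_all.deb": b"constructed: docs 10:01"},
        "rebuilder-b": {"example-lib_1.0_amd64.deb": lib,
                        "example-agent_1.0_amd64.deb": agent,
                        "example-doc_1.0_all.deb": b"constructed: docs 10:02"},
        "rebuilder-c": {"example-lib_1.0_amd64.deb": lib,
                        "example-agent_1.0_amd64.deb": agent},
    }
    return audit(vendor, rebuilds)


if __name__ == "__main__":
    for artifact, status in demo().items():
        print(f"{status:12} {artifact}")
```

A signature check over the vendor's files would pass for all three packages here; only the rebuild comparison separates the altered agent from the honest library, and it reports the non-deterministic docs package as unverifiable rather than as clean.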

Global Collaboration and Investment

While free software and Reproducible Builds don’t prevent supply chain hacks entirely, they make those attacks much more difficult to hide and provide valuable methods of detection you can’t find anywhere else. For instance, in the case of the SolarWinds Orion supply chain attack, if it had used free, reproducibly built software, third parties could have compared the tainted binary against their own audit infrastructure and detected the compromised software update within hours. Instead, the attack was only noticed over a year later when FireEye was investigating a hack that released their own internal tools.

If critical software were free and reproducibly built, even if companies didn’t audit every binary they get from a vendor, they might at least audit their highest-risk third-party software with the most access inside their network. Given the cost of repairing the damage from these kinds of supply chain attacks on government and private infrastructure, building this audit infrastructure for critical software seems like a wise investment. The load could also be distributed among public and private agencies across the world, starting with critical software projects and expanding beyond that as resources allowed.

Over the next year or two you will likely see many vendors touting proprietary solutions for supply chain security that coincidentally require you to anchor all trust in them. Solutions to this problem won’t come from proprietary software and can’t come from any one vendor; they require a collaborative approach that gives customers more control over their software, and grants them and independent third parties the ability to audit the supply chain themselves.

The post The Future of Software Supply Chain Security appeared first on Purism.

App Showcase: Password Safe

Wednesday 30th of December 2020 06:48:04 PM

Using strong passwords is a good way to help protect your accounts. On the Librem 5, we recommend you use Password Safe to keep track of and generate better passwords.

https://videos.puri.sm/promo/pass_safe2.mp4

Password Safe is compatible with KeePass databases, which makes the switch simple if you’re already using a password manager.

Own and manage your own keys, on your own hardware.


The post App Showcase: Password Safe appeared first on Purism.

App Showcase: Backups

Tuesday 29th of December 2020 07:16:24 PM

Déjà Dup is the recommended way to back up your data on all Librem hardware. It allows you to schedule backups or restore past backups.

https://videos.puri.sm/promo/bk.mp4

Before you run a backup, you’ll need to set up somewhere for the backup to go. In most cases, that will be an internal SD card. FAT32 will work for backups but is not ideal because it lacks support for large files. Likewise, larger SDs come with an NTFS partition, which is not suitable for use with PureOS. The solution is to reformat your SD with EXT4. Install Gparted and you’re off.

With an SD card installed and formatted, you can open the backups app, and select the files you want and don’t want to be backed up, then start a backup.

Restoring after a backup is straightforward and intuitive. Select the backup by date and let the restore begin.

If you run into issues starting GParted, try applying this workaround:

sudo apt install x11-xserver-utils

DISPLAY=:0 xhost +SI:localuser:root

As the video pointed out, you may also need to install python-gobject if you see the error: No module named gi.repository.

sudo apt install -y python-gobject


The post App Showcase: Backups appeared first on Purism.

Phosh Overview

Tuesday 29th of December 2020 03:44:44 PM

This article is a repost from https://honk.sigxcpu.org/con/phosh_overview.html

phosh is a graphical shell for mobile, touch-based devices like smart phones. It’s the default graphical shell on Purism’s Librem 5 (and that’s where it came to life), but projects like Postmarket OS, Mobian and Debian have picked it up, putting it into use on other devices as well and contributing patches.

This post is meant as a short overview of how things are tied together so further posts can provide more details.

A PHone SHell

As a mobile shell, phosh provides the interface components commonly found on mobile devices to:

  • launch applications
  • switch between running applications and close them
  • lock and unlock the screen
  • display status information (e.g. network connectivity, battery level)
  • provide quick access to things like torch or Bluetooth
  • show notifications

It uses the GObject object system and GTK to build up the user interface components. Mobile-specific patterns are brought in via libhandy.

Since phosh is meant to blend into GNOME as seamlessly as possible it uses the common interfaces present there via D-Bus like org.gnome.Screensaver or org.gnome.keyring.SystemPrompter and retrieves user configuration like keybindings via GSettings from preexisting schema.

The components of a running graphical session roughly look like this:

The blue boxes are the very same found on GNOME desktop sessions while the white ones are currently only found on phones.

feedbackd is explained quickly: It’s used for providing haptic or visual user feedback and makes your phone rumble and blink when applications (or the shell) want to notify the user about certain events like incoming phone calls or new messages. What about phoc and squeekboard?

phoc and squeekboard

Although some stacks combine the graphical shell with the display server (the component responsible for drawing applications and handling user input) this isn’t the case for phosh. phosh relies on a Wayland compositor to be present for that. Keeping shell and compositor apart has some advantages like being able to restart the shell without affecting other applications but also adds the need for some additional communication between compositor and shell. This additional communication is implemented via Wayland protocols. The Wayland compositor used with phosh is called phoc for PHone Compositor.

One of these additional protocols is wlr-layer-shell. It allows the shell to reserve space on the screen that is not used by other applications and allows it to draw things like the top and bottom bar or lock screen. Other protocols used by phosh (and hence implemented by phoc) are wlr-output-management to get information on and control properties of monitors or wlr-foreign-toplevel-management to get information about other windows on the display. The latter is used to allow switching between running applications.

However these (and other) Wayland protocols are not implemented in phoc from scratch. phoc leverages the wlroots library for that. The library also handles many other compositor parts like interacting with the video and input hardware.

The details on how phoc actually puts things up on the screen deserve a separate post. For the moment it’s sufficient to note that phosh requires a Wayland compositor like phoc.

We’ve not talked about entering text without a physical keyboard yet – phosh itself does not handle that either. squeekboard is the on-screen keyboard for text (and emoji) input. It again uses Wayland protocols to talk to the Wayland compositor, and it is (like phosh) a component that wants exclusive access to some areas of the screen (where the keyboard is drawn) and hence leverages the layer-shell protocol. Very roughly speaking, it turns touch input in that area into text and sends that back to the compositor, which then passes it on to the application that currently gets the text input. squeekboard’s main author dcz has some more details here.

The session

So how does the graphical session in the picture above come into existence? As this is meant to be close to a regular GNOME session it’s done via gnome-session that is invoked somewhat like:

phoc -E 'gnome-session --session=phosh'

So the compositor phoc is started up, launches gnome-session which then looks at phosh.session for the session’s components. These are phosh, squeekboard and gnome-settings-daemon. These then either connect to already running services via D-Bus (e.g. NetworkManager, ModemManager, …) or spawn them via D-Bus activation when required (e.g. feedbackd).

Calling conventions

So when talking about phosh it’s good to keep several things apart:

  • phosh – the graphical shell
  • phoc – the compositor
  • squeekboard – the on-screen keyboard
  • phosh.session – the session that ties these and GNOME together

On top of that people sometimes refer to ‘Phosh’ as the software collection consisting of the above plus more components from GNOME (Settings, Contacts, Clocks, Weather, Evince, …) and components that currently aren’t part of GNOME but adapt to small screen sizes, use the same technologies and are needed to make a phone fun to use, e.g. Geary for email, Calls for making phone calls and Chats for SMS handling.

Since just overloading the term Phosh is confusing, GNOME/Phosh Mobile Environment or Phosh Mobile Environment have been used to describe the above collection of software, and I’ve contacted GNOME on how to name this properly, to not infringe on the GNOME trademark but also give proper credit and hopefully be able to move things upstream that can live upstream.

That’s it for a start. phosh’s development documentation can be browsed here but is also available in the source code.

Besides the projects mentioned above credits go to Purism for allowing me and others to work on the above and other parts related to moving Free Software on mobile Linux forward.

The post Phosh Overview appeared first on Purism.

App Showcase: Lollypop

Thursday 24th of December 2020 04:48:40 PM

Within the PureOS Store, you can easily install Lollypop, a desktop music player that has been adapted for use on the go. Simply put your music in ~/Music and start the app.

https://videos.puri.sm/promo/lollypop2.mp4

Like most music players, you can select a category like genres, artists, and albums, but you get the extra bonus of being able to use the desktop features like Audio Scrobbling.

Cut out the ads and keep the music playing: try out Lollypop today.


The post App Showcase: Lollypop appeared first on Purism.

App Showcase: Animatch

Tuesday 22nd of December 2020 04:03:19 PM

Animatch is a fun, easy to install app on the Librem 5. Pop open the PureOS store and install.

https://videos.puri.sm/promo/Animatch.mp4

Each subsequent level is more difficult, changing the shape of the board and adding additional items into the game.

Like all our software, this is installable on a desktop as well, and is completely open for you to modify, share, or reuse.


The post App Showcase: Animatch appeared first on Purism.

Why FSF Endorsing PureOS Matters

Monday 21st of December 2020 07:23:19 PM

It was three years ago today, December 21, 2017, that the Free Software Foundation announced it had endorsed PureOS. Getting FSF endorsement is not an easy task and involves a lot of rigorous evaluation. Sometimes people ask us why we decided to create and maintain PureOS instead of using an existing distribution such as Debian (which PureOS is based on). After all, it’s a lot of extra work to maintain your own distribution, and even more work to maintain one that qualifies for FSF endorsement. In this article we will discuss why we consistently choose the harder road and why PureOS being endorsed by the FSF benefits your freedom, your privacy and your security (in particular supply chain security).

Tech companies, especially those who are in the FOSS community, often find themselves in a situation where they must choose between compromising on their values to take an easier path, or sticking with those values even if it means a lot of extra work. At each step in Purism’s history we would have had a much easier path if we had compromised like so many others have. Instead we have consistently chosen the longer and more difficult road because we believe in free software to our core.

Choosing the Harder Road

It would have been a lot easier to rebrand an off-the-shelf laptop, slap a pre-existing Linux distribution on it, use proprietary drivers for everything, and not care about coreboot support. There are plenty of successful businesses out there that do precisely that.

It was a lot harder to design our own laptop not just so it had kill switches to protect privacy, but design it so that all the hardware worked out of the box with free software drivers and the CPU supported coreboot. It was also extra work to maintain our own Linux distribution that only had free software, so we could qualify for FSF endorsement.

It would have been a lot easier to take an off-the-shelf ARM phone that already had kernel support with proprietary drivers, and use some pre-existing mobile-only OS. It would have been easier (and thinner!) to discard modularity and just have everything on one chip.

It was a lot harder to design a phone from the ground up so that it would qualify for RYF (a designation that not even everyone in the FOSS community values, much less society at large), that separated the cellular modem from the CPU, and made it possible to disable it with a hardware kill switch. It was also harder to invest the software engineering time to have our phone supported in the mainline Linux kernel and write (and upstream!) phosh/phoc/libhandy/squeekboard so that the current Linux desktop ecosystem could work on a mobile platform not just in PureOS, but Debian (and any other distribution that wanted to package it) as well.

What’s In It For Me?

So why is it so important that the Free Software Foundation endorsed PureOS? In addition to the fact that we firmly believe in free software, we also believe that having an operating system that runs on 100% free software directly benefits you and the rest of society. We often say that we sit on a three-legged stool of Freedom, Privacy and Security. Let’s talk about how an OS that runs 100% free software directly benefits you in each of those categories.

Freedom

Perhaps the most obvious benefit of PureOS being 100% free software is freedom. Every piece of software in PureOS has a corresponding source code repository that is licensed with an FSF-approved license. This means you are free to download, inspect, and modify any of the software in PureOS directly. If you want to improve a piece of PureOS software you are free to fix it and share your fix with the rest of the world under the same freedom-preserving license.

You are also free from the whims or poor decisions of a software maintainer. If a software developer decides to abandon their project, if they take it in a direction you or the community don’t like, or if you submit improvements the maintainer doesn’t accept, you are even free to create a competing version of the software (forking) based on your modified code.

Privacy

Privacy is perhaps a benefit that isn’t so obvious in free software. Yet, one of the main effects of smartphone apps being proprietary shareware is that they are funded by and large by ads and directly or indirectly capture and share your private data. This same approach often extends into proprietary desktop applications as well.

Because PureOS is 100% free software, it doesn’t suffer from these same privacy problems. Why? Besides the fact that all software has to go through a rigorous acceptance process before it is added to the OS, if a developer decided to write software that benefited you while also violating your privacy, you would be free to fork their code and remove the privacy-violating bits.

Many proprietary phone apps hide their privacy-violating features as well. After all, why exactly does a flashlight application need full access to the Internet, your contact list, your location, and your photos? In the free software world, you could inspect such an application and confirm whether they are actually capturing any of that data, discover how they are using it, and disable or remove those bits.

Security

The final area where free software provides a huge benefit is in security. Supply chain security has started to be a hot topic in the security world, for good reason, and you cannot get better supply chain security than with free software. While we’ve written about protecting the digital supply chain before in the context of how we protect our products both in firmware and software, it’s worth highlighting here where a free software OS provides the biggest benefits.

At the initial level free software and proprietary software use similar security measures to protect against supply chain attacks. A software repository is owned by a limited list of maintainers who control what source code and files are allowed in the repository and approve all changes. Both free and proprietary software developers these days typically sign their code changes with a personal signature verifying that the change came from them. When the software gets packaged, that binary package is also typically signed with a key owned by the company or software project so the end user can verify that the package hasn’t been modified by anyone else, before they install it.

Yet we have seen that supply chain attacks can bypass these security measures, most often by compromising build servers, injecting malicious code into the binary package, and getting it signed with official signatures so it looks legitimate. While supply chain attacks do sometimes target the source code itself, that is rarer because changes to the source code are easier to trace and more difficult to hide long-term, even with proprietary software, which has a smaller group of people allowed to audit the code.

Free software adds an additional layer of supply chain security that proprietary software simply can’t, due to the freedom of the code. While an attacker can try to sneak malicious code into the source code itself, it’s much more challenging to hide that code long-term, given that code changes are not only audited by the software maintainers themselves, but any interested third party as well as security researchers and even regular end users. While some security researchers are just as comfortable auditing binaries as source code, for many it’s a lot easier and faster to audit code for backdoors when the code is freely available.

Finally, free software has a gigantic advantage over proprietary software in supply chain security due to Reproducible Builds. With Reproducible Builds you can download the source code used to build your software, build it yourself, and compare your output with the output you get from a vendor. If the output matches, you can be assured that no malicious code was injected somewhere in the software supply chain and it 100% matches the public code that can be audited for back doors. Because proprietary software can’t be reproducibly built by third parties (because they don’t share the code), you are left relying on the package signature for all your supply chain security.
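The comparison described above, as an added example that is not from the original article or from Purism's tooling: it checks a vendor artifact against a local rebuild and, on a mismatch, reports which files differ. The tar-based `build_archive` stand-in for a real build, and all file names, contents and the timestamp, are constructed assumptions.

```python
import hashlib
import io
import tarfile


def build_archive(files, mtime):
    """Stand-in for a build step: pack {path: bytes} into a tar archive.

    Sorted member order and a pinned mtime make the output deterministic,
    the role SOURCE_DATE_EPOCH plays in real reproducible builds.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def member_digests(archive):
    """Map each regular file in the archive to the SHA-256 of its content."""
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        return {m.name: sha256(tar.extractfile(m).read()) for m in tar if m.isfile()}


def compare_builds(vendor, local):
    """Return (reproducible, differences) for a vendor artifact and a rebuild."""
    if sha256(vendor) == sha256(local):
        return True, []
    theirs, ours = member_digests(vendor), member_digests(local)
    diffs = []
    for name in sorted(set(theirs) | set(ours)):
        if name not in ours:
            diffs.append((name, "only in vendor artifact"))
        elif name not in theirs:
            diffs.append((name, "only in local rebuild"))
        elif theirs[name] != ours[name]:
            diffs.append((name, "content differs"))
    # Same file contents but different bytes: timestamps or ordering leaked in.
    return False, diffs or [("<archive metadata>", "contents equal, metadata differs")]


# Constructed sample data: file names, contents and timestamp are made up.
SOURCE = {"usr/bin/app": b"app code v1", "usr/share/doc/app/README": b"docs\n"}
EPOCH = 1608578599
local = build_archive(SOURCE, EPOCH)
vendor_ok = build_archive(SOURCE, EPOCH)
vendor_nondet = build_archive(SOURCE, EPOCH + 60)  # unpinned build timestamp
vendor_bad = build_archive({**SOURCE, "usr/bin/app": b"app code v1 + implant"}, EPOCH)

if __name__ == "__main__":
    for label, artifact in [("ok", vendor_ok), ("nondet", vendor_nondet), ("bad", vendor_bad)]:
        print(label, compare_builds(artifact, local))
```

A metadata-only mismatch points at build non-determinism rather than tampering, which is why reproducible-build toolchains pin timestamps and file ordering before any comparison is meaningful.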

Conclusion

We are proud of PureOS’s Free Software Foundation endorsement, not only because we spent a lot of effort to get it, because we believe in free software, or because of our Social Purpose Corporation charter, but also because we believe free software directly benefits our customers and society at large and that is why our laptops, PCs, servers and phones all ship with PureOS.

The post Why FSF Endorsing PureOS Matters appeared first on Purism.

More in Tux Machines

Stunning GNOME 40 Beta is Ready. Download and Test Now!

The GNOME team announced the availability of the official GNOME 40 Beta images in an email announcement. You can download and try the images now to experience the design overhaul. Read more

Can Linux Run Video Games?

Linux is a widely used and popular open source operating system that was first released back in 1991. It differs from operating systems like Windows and macOS in that it is open source and it is highly customizable through its use of “distributions”. Distributions or “distros” are basically different versions of Linux that can be installed along with the Linux core software so that users can customize their system to fit their specific need. Some of the more popular Linux distributions are Ubuntu, Debian and Fedora. For many years Linux had the reputation of being a terrible gaming platform and it was believed that users wouldn’t be able to engage in this popular form of entertainment. The main reason for this is that commercially successful games just weren’t being developed for Linux. A few well known video game titles like Doom, Quake and SimCity made it to Linux but for the most part they were overlooked through the 1990s. However, things have changed a lot since then and there is an ever-expanding library of popular video games you can play on Linux. [...] There are plenty of Windows games you can run on Linux and no reason why you can’t play as well as you do when using Windows. If you are having trouble leveling up or winning the best loot, consider trying AskBoosters for help with your game. Aside from native Linux games and Windows games there are a huge amount of browser based games that work on any system including Linux. Read more

Security: DFI and Canonical, IBM/Red Hat/CentOS and Oracle, Malware in GitHub

  • DFI and Canonical offer risk-free system updates and reduced software lead times for the IoT ecosystem

    DFI and Canonical signed the Ubuntu IoT Hardware Certification Partner Program. DFI is the world’s first industrial computer manufacturer to join the program aimed at offering Ubuntu-certified IoT hardware ready for the over-the-air software update. The online update mechanism of and the authorized DFI online application store combines with DFI’s products’ application flexibility, to reduce software and hardware development time to deploy new services. DFI’s RemoGuard IoT solution will provide real-time monitoring and partition-level system recovery through out-of-band management technology. In addition to the Ubuntu online software update, RemoGuard avoids service interruption, reduces maintenance personnel costs, and response time to establish a seamless IoT ecosystem. From the booming 5G mobile network to industrial robot applications, a large number of small base stations, edge computing servers, and robots will be deployed in outdoor or harsh industrial environments. Ubuntu Core on DFI certified hardware and Remoguard brings the reassurance that no software update will bring risks and challenges of on-site repair.

  • Update CentOS Linux for free

    As you may know, in December 2020 IBM/Red Hat announced that CentOS Linux 8 will end in December 2021. Additionally, the updates for CentOS Linux 6 ended on November 30, 2020. If your organization relies on CentOS, you are faced with finding an alternative OS. The lack of regular updates puts these systems at increasing risk for major vulnerabilities with every passing day. A popular solution with minimal disruption is to simply point your CentOS systems to receive updates from Oracle Linux. This can be done anonymously and at no charge to your organization. With Oracle Linux, you can continue to benefit from a similar, stable CentOS alternative. Oracle Linux updates and errata are freely available and can be applied to CentOS or Red Hat Enterprise Linux (RHEL) instances without reinstalling the operating system. Just connect to the Oracle Linux yum server, and follow these instructions. Best of all, your apps continue to run as usual.

  • Malware in open-source web extensions

    Since the original creator has exclusive control over the account for the distribution channel (which is typically the user's only gateway to the program), it logically follows that they are responsible for transferring control to future maintainers, despite the fact that they may only have the copyright on a portion of the software. Additionally, as the distribution-channel account is the property of the project owner, they can sell that account and the accompanying maintainership. After all, while the code of the extension might be owned by its larger community, the distributing account certainly isn't. Such is what occurred for The Great Suspender, which was a Chrome extension on the Web Store that suspends inactive tabs, halting their scripts and releasing most of the resources from memory. In June 2020, Dean Oemcke, the creator and longtime maintainer, decided to move on from the project. He transferred the GitHub repository and the Web Store rights, announcing the change in a GitHub issue that said nothing about the identity of the new maintainer. The announcement even made a concerning mention of a purchase, which raises the question of who would pay money for a free extension, and why. Of course, as the vast majority of the users of The Great Suspender were not interested in its open-source nature, few of them noticed until October, when the new maintainer made a perfectly ordinary release on the Chrome Web Store. Well, perfectly ordinary except for the minor details that the release did not match the contents of the Git repository, was not tagged on GitHub, and lacked a changelog.

What goes into default Debian?

The venerable locate file-finding utility has long been available for Linux systems, though its origins are in the BSD world. It is a generally useful tool, but does have a cost beyond just the disk space it occupies in the filesystem; there is a periodic daemon program (updatedb) that runs to keep the file-name database up to date. As a recent debian-devel discussion shows, though, people have differing ideas of just how important the tool is—and whether it should be part of the default installation of Debian. There are several variants of locate floating around at this point. The original is described in a ;login: article from 1983; a descendant of that code lives on in the GNU Find Utilities alongside find and xargs. After that came Secure Locate (slocate), which checks permissions to only show file names that users have access to, and its functional successor, mlocate, which does the same check but also merges new changes into the existing database, rather than recreating it, for efficiency and filesystem-cache preservation. On many Linux distributions these days, mlocate is the locate of choice. Read more