It would be a more meaningful discussion if the government wasn’t controlled so much by large corporations and oligarchs.

What should they do that could prevent this? I don’t think these gestapo asked before entering.

What’s the recourse for that? Do the surviving relatives of the disappeared sue the government? How much does that cost?

I have self hosted my email since 2006. I gave up on self hosting outgoing mail in 2021, but I still keep the server up for incoming mail, and still set up throwaway accounts on there.

The hard part of hosting email is getting Google and Microsoft to accept outgoing mail. Tons of businesses that do not have visibly outlook .com or gmail .com addresses are still hosted by those servers.

I had SPF, DKIM, and a static datacenter IP address with no reputation problems. I still couldn’t get through to Microsoft, not even in people’s junk mail directory, until they manually whitelisted my address. Microsoft didn’t allow them to whitelist a whole domain. Google was a little easier, but they added new demands monthly.

In 2025, I can’t get reliable delivery to gmail .com addresses even sending from a hotmail .com address in the outlook .com web interface.

Not sure how much you’re paying for your VPN, but a virtual private server can be had for about $5 per month. You’ll get a real IPv4 address just for you, so you won’t have to use non-standard port numbers. (You can also use the VPS as a self-hosted VPN or proxy.)

$5 per month doesn’t get you much processing power, but it gets you plenty of bandwidth. You could self-host your server on your home computer, and reverse-proxy through your NAT using the VPS.

Even if you can buy it, you can’t file a warranty return if you are outside Fairphone’s small support area.

Fairphone has guaranteed 0 years of support in my country.

Swapping out random parts of the OS will certainly lead to breakage and dependency hell in your package manager (unless you just replace files without using the package manager, which might make all of this even worse).

I’ve done it, and it works. I’ve built packages of libraries and binaries before, at higher version numbers than Debian had, and deployed them to multiple Debian sid systems. They worked. When Debian caught up, I seamlessly upgraded all 3 systems with no problems.

Even in the worst case scenario of dependency hell, you would be able to downgrade to the Debian supported version. But I never had to do anything like that.

I’m not going to respond to all the rest of your post, because I don’t think it will help with anything. It seems that we have very different ideas about device ownership.

Some apps resist being backed up. “android:allowBackup=false” was one way. Apparently that can be overridden, but there are other ways apps can resist backup that can’t be overridden. It’s not clear what those are, but some of my apps definitely aren’t being backed up by Seedvault, even though they aren’t using keystore.

The apps using keystore can only ever be backed up by installing a backdoor in the TEE.

They do provide instructions for compiling from source, they just don’t support you at all afterwards. If you compile GrapheneOS and put it on your phone, they say “you are not running GrapheneOS” at that point. Unlike Debian or Ubuntu, where every package can be replaced by a hand-compiled version, and it’s still Debian or Ubuntu.

need to charge it in a public space? You better hope no one had modified the charger with something like an RPI to silently exploit your phone

Any secure Android device should be starting each USB session in device mode, set to charge only. It is usually not possible to change this mode without unlocking the screen. I don’t know what this has to do with sandboxing or unlocked bootloaders.

Crossing a border into a country and they suspect you’re some sort of threat?

How does this attack work? Are you saying they’d replace the operating system by using the unlocked bootloader? There are plenty of ways to prevent this with full disk encryption. Of course you need to check for modifications when you get it back, but that’s true even if you have a locked bootloader, because of hardware modifications and leaked keys.

Not running software that updates the hardware’s proprietary software drivers? One text message and you’ve got a rootkit.

In any of the open source Android distros, like LineageOS or GrapheneOS, those updates come as part of the operating system. The updater is open source, and doesn’t care whether your bootloader is locked. I assume a Linux Mobile system would be closer to Debian’s Apt system, which is also an open source updater than can install proprietary drivers, and also doesn’t care if your bootloader is locked.

didn’t really need an “um ackshually” about people who don’t want a secure os

This is pointlessly condescending.

Comprehensive backups, which can only be done after rooting. You can do this, but only after disabling verified boot.

They literally have a whole instruction page for it on their official website: https://grapheneos.org/build

I’ve asked, and they don’t support you at all after you build it. You can’t get updates or packages from GrapheneOS. Compare to Debian, Ubuntu, RHEL, etc., where you can compile your own newer package, install it, even replace core operating system components, and then seamlessly upgrade to the OS vendor’s version when they catch up.

What they don’t support is making modifications to GrapheneOS, compiling it, and then still calling it GrapheneOS. It’s not. You changed it, so it’s something else. It’s your own fork of GrapheneOS, so you should name it accordingly.

Even if you don’t modify it, they tell you not to call it GrapheneOS, and don’t offer any way to install patches, besides building it again.

Uh that’s by design? Do you even understand the purpose of a secure element and trusted execution environment, and how they work?

Yes, I understand it. I’ve opposed TPM from the start, and this is just TPM for Android. I don’t want a device that keeps secrets from me. I do want comprehensive backups, including all cryptographic keys. I should be able to access the TEE from my authenticated PC over SSH.

I’m fully aware that Widevine won’t run on a device where the owner has control over the whole device.

The code is open source, you can freely modify the OS, compile it, sign it with your own keys…

I don’t have the resources to do this (PC nor effort). They recommend 100GB+ storage and 32GB RAM for building it, and you seemingly can’t do it incrementally, since you have to flash an entire operating system at a time. I want to modify one file, like the call recording xml file. (That file is from a previous operating system I had, but I can’t provide an example of niche cases like that for GrapheneOS, because I only ever used GrapheneOS for a few days, so I don’t know what kind of small modifications I would want to make.)

Can you please explain how rooting adb only, not any apps, makes it less secure? Use concrete examples, not abstract.

Not everyone runs dangerous proprietary apps that need sandboxing. Does my offline puzzle game need sandboxing? Firefox has its own sandbox built in.

Some people consider unlocked bootloaders a feature.

Just try asking about rooting in the GraoheneOS Discord, and you risk getting banned.

GrapheneOS has a ton of locked down stuff they don’t want you to access. They make rooting extra hard, they don’t support compiling the OS from source, there’s still the TEE you can’t access even with root, and the OS filesystem is readonly to inhibit customization.

GrapheneOS promotes “verified boot” that stops you from doing many important things.

Cloudflare has IP banned me before for no reason (no proxy, no VPN, residential ISP with no bot traffic). They’ve switched their captcha system a few times, and some years it’s easy, some years it’s impossible.

This survey doesn’t distinguish between levels of cloud service provider, so I was a little confused.

Virtual private servers, cloud virtual servers (like AWS), cloud-based software where you provide code or a program and the cloud system runs it on a server of its choosing, and cloud-based systems where someone else provides the software (like Google Docs).

Jellyfin depends on proprietary Microsoft .NET, even on Linux.

It’s still better than Plex and Emby, which are fully proprietary, and have no source code. But I will stick with sshfs with kodi, and nginx plus mpv for now.

Try going to http://000.000.000.000:8080/ in your web browser (replacing the 0’s with your public IP address), on your home connection. If it doesn’t work, it means that your port forwarding is probably not working. If the page loads correctly, it means your port forwarding is working correctly, and the problem is probably your ISP doing port blocking.