DivestOS vs. /e/ OS - security and privacy easy

Dear All,

In an F-Droid forum discussion, some developers underlined the strength of DivestOS in security and privacy… someone else has also strongly criticized /e/ OS security and privacy bugs, which gave me some serious doubts about the main aim of the /e/ vision.

I cannot give my technical opinion about the difference vs. DivestOS, because I’m not a professional developer or architect.

From my miserable point of view, DivestOS has 2 weak points for now:

  1. Only 1 passionate maintainer (as he wrote on the “About” page of their site). What about the long term?

  2. A private company behind it (neither a foundation nor an org): Divested Computing Group… like Ubuntu with Canonical.

I would like to discuss DivestOS and its main differences from /e/ OS in an open and transparent way.

Please try to write in a simple manner, so that non-technical users can also understand easily.

Thanks in advance for your contribution.

BR

2 Likes

The main advantage is the relockable bootloader and verified boot in my eyes…

3 Likes

FP3 now and hopefully Teracube in the future at a minimum (locked bootloader/verified)?

Also, from what I have read, not all Divest phone builds support locked bootloader/verified.

Edit:

:point_up_2:Right from the developer: "Relocking your bootloader cannot protect from apps, Verified Boot will however protect against that on devices where it is supported/enabled.
It however for example can protect against someone with physical access from flashing a modified keyguard that saves your password or other nefarious things."

Like Calyx it looks like a great ROM but I’m not seeing all the Foogle calls pulled like what /e/ does based on what is outlined in THIS “Current state of degoogleisation” listed on /e/'s FAQ. Just a difference that is important for some. I would love to know why it isn’t for others.

Great info to understand a bit more on locked vs unlocked bootloader.

This is curious: "In addition LineageOS’s built in analytics service, CMStats, is also removed."

Companies selling E devices and services are for-profit, copying Ubuntu Canonical model.

Around the time Duval started e foundation in 2018, he and associates also formed for-profit companies - E Solutions SAS, and ECORP SAS. Some of his partners formed CLEUS SAS and claim Author and Copyrights for some source changes; see Authors files, fine prints, and so on.

One of the FAQs gives two sentences about this.

Get Support - e Foundation - deGoogled unGoogled smartphone operating systems and online services - your data is your data says

“Is e Foundation a non-profit or a corporation?
e Foundation is a non-profit organization created to host, develop, support and promote pro privacy tech solutions. Some partner companies handle the commercial side of the project and help finance e Foundation.”

1 Like

That sounds more like a Red Hat and Fedora arrangement.

OK I understand about the point 2 but what’s about the main differences between the two OS ?
Thanks

@Pingo

  • E and companies began forking LineageOS ROMs in 2017-2018. DivestOS has been working on Android ROMs since 2013-2014, with inspiration from Daniel Micay (GrapheneOS).
  • E includes proprietary apps (Map) by default. DivestOS does not. DivestOS has an optional GmapsWV wrapper app for only accessing google maps with web view, for better privacy compared with google maps app.
  • E includes microG for interfacing with Google Services, against their privacy goals. DivestOS does not.
  • DivestOS removes as many proprietary blobs as possible. E does not.
  • E target market is average, non-technical phone user who wants more privacy, and also wants to use all their favorite apps (impossible). DivestOS targets more advanced users who understand the difference.
  • Location services for both are similar.
  • E tries to support many many devices and “easy” installer. DivestOS focuses on fewer, non-mediatek phones.
  • E gets the info for connectivity checks and some other network services. DivestOS is more like GrapheneOS or CalyxOS - using more popular options, and not getting your data as 3rd party.
  • DivestOS uses /etc/hosts file for blocking bad sites. E does not.
  • E app store makes it easy to install more proprietary apps, with trackers. DivestOS does not. DivestOS had an optional F-Droid repository, and those apps are being added to the main F-Droid repository.
  • E default install includes cloud services (email, contacts, calendar, storage) that are not end-to-end encrypted. So E system administrators have full access to your data. DivestOS does not.
  • E spends time on a custom iPhone-copy launcher app. DivestOS spends time on a privacy browser, Mull, virus scanner, Hypatia, free space eraser, Extirpater, and more.
  • E sells phones with E installed for high markup. DivestOS sells a few used phones with DivestOS installed for very cheap, and takes offers.
  • E deGoogles LineageOS, and then helps users re-Google. DivestOS adds many security updates.
  • E does a lot of promotion and press. DivestOS does not.
  • E changed names because of trademark violations, and will be changing name again. This is like Mandrake - Mandriva trademark violation issues. DivestOS has changed some old names of apps, before being public.
  • E has “haters” and was accused and proven to cheat Wikipedia with sock puppet accounts. DivestOS has not.
  • DivestOS has a long list of credits for “giving back” technical support to other projects, including finding obscure proprietary software still in Replicant. E, other than microG financial support?
  • DivestOS has been supporting Android 11 or LineageOS 18 since March 2021. E is just beginning limited testing of “R” (11).
10 Likes

Can you elaborate on this in more detail please? I would like to learn.

Edit: I have read up a bit and actually created a chart to track how different OS’ handle the defaults of DNS (great change in AOSP with Pie/9), A-GPS, Captive Portal, the dialer, IPv4/IPv6 Availability Check, NTP, and AOSP webview.

I would love more understanding and elaboration on how /e/ vs DivestOS stacks and which is better from your view with specifics as to why (on these or just “network services”) Thanks in advance :+1:.

As I read I see the battle to win over users to each of all these privacy OS’. As I see it we are all in this together and instead of splintering we should be positive to one another. The true bad actors, GAFAM, etc. are the ones that win when infighting happens, doesn’t mean there shouldn’t be healthy debate as to the best path but I wish the view was more unified among those fighting for privacy.

1 Like

Great detailed comparison. Thanks.

Can you elaborate on this one:

I settled on /e/ for the ease of use for non technical user (my wife) and we are quite happy with it. And I like the microG as a “friendly google” I guess to soft transition from google so I worry about your comment here. Also the encryption. For some reason I thought it was but now I don’t know why I thought that.

Also for devices I found the Moto G7 that /e/ supports to be a great phone in the $100-$200 range that is fairly recent. Supported phones for DivestOS seem to be either really old and/or expensive. Although their store does have many under $100 older phones which would be good for a starter/burner/second phone.

Any idea how many people use each OS for their daily driver?

jv

And of course, /e/ has this awesome friendly and helpful community!

4 Likes

This sounds quite inflammatory…can you elaborate with some citations?

I also am interested to learn on this. Other than relocking the bootloader and verified boot, on some builds, what else is done differently? Hoping for as much detail as possible. I genuinely enjoy learning from those more learned. Thanks in advance :+1:.

1 Like

connectivity checks

E uses their own systems, with google as backup. See Infosec Handbook Review Issues : “.... /e/ .. using Google for connectivity check:” (#268) · Issues · e / Backlog · GitLab and https://e.foundation/wp-content/uploads/2020/09/e-state-of-degooglisation.pdf (PDF).

some other network services

E or associated companies get server log data when you use the app store, search, email, contacts, calendar, storage. For most of these you are logged in, and personally identified by payments if you are a paying customer.

Read the e foundation legal-notice-privacy and see if it is clear or vague. How long is server log data retained exactly?

Any idea how many people use each OS for their daily driver?

Wild guess: Less than a thousand use DivestOS, a few thousand use E. I bet E staff know precisely how many use E.

security updates
detail

You should mull over :laughing: the DivestOS website.

2 Likes

In Marvin’s words, on E’s post, microG — What you need to know. A conversation with its developer … | by /e/ Developers Blog | Medium

“Some services of microG require that your device connects to a server from Google. The most prominent of such services is the push notification service. This service would be entirely impossible without your device getting push notification from Google, and thus your device has to talk with Google servers. However, all services of microG that require connecting to Google services are optional and can be turned off without issues for those services that do not need to connect to Google. It is important to note that as long as you are not signed into a Google account with microG, these server connections remain anonymous.”

Comments:

  • A privacy ROM should, at least, make it Opt-In, not Opt-Out.
  • Connecting to Google servers is not “anonymous” because you are not logged in to a google account. If you can’t think of ways Google may correlate all the sources of info’ they have to de-anonymize you when you’re not logged in to a google service, then you haven’t heard of Total Information Awareness or Edward Snowden. Does your ISP or phone company know who you are? Do they know your IP address when you are online? Would they sell this info’ to make more profit?
3 Likes

“Haters” and cheating Wikipedia
This sounds quite inflammatory…can you elaborate with some citations?

“Indidea” dot org is Duval’s personal website. Now see “Indidea” sock puppet investigation: Wikipedia:Sockpuppet investigations/Indidea/Archive - Wikipedia and Duval’s “hater” blog post: 2020 and the minority spreading hate and fake news - Gaël Duval (blog, mandrake, /e/ my data is my data...) . Connect the dots…

Sorry, limited to 2 links.

1 Like

So, even if you are an /e/ user, your feedback on DivestOS is super positive. All of you give me a good first impression of DivestOS. But it would be better if there were an open book or guide about these Android technicalities: how to cook your own ROM and distinguish between them. Thanks

Good points. Thanks. I will have to look into push notifications. I thought they would come from individual app based servers and had no idea everything is google.

jv

Thanks for this. Can you outline for DivestOS as well? What connectivity checks exist, as well as backup? Why is this better than /e/'s approach?

From my perspective the “some other network services” reply is purely on a point-of-view basis. You can self host your own backup (which can be less secure if not educated, NextCloud. Seedvault is a good alternative to keep some of this info private) or trust another entity with the data. I’m not seeing how DivestOS is better here unless the argument is that they don’t offer such service directly. One can simply choose not to use such service (/e/'s cloud services) or put their trust in another self run service or company that provides such services… depends on one’s “threat model”, it’s subjective. :laughing:

Seems you are versed, please share. Also interested in my second question. :point_down:

1 Like

https://divestos.org/index.php?page=network_connections

:point_up_2:Hoping you can please share specifically what is done “better” here and why this approach is better in your view. @headwaters

2 Likes