Slightly disappointing experience on Oneplus Nord (avicii) with 0.20

Please forgive my disappointment, I just bought the Oneplus Nord (because it’s the most promising of the murena devices), invested a good part of my weekend and I guess my expectations were too high…

Disclaimer: This is not the first time I modify my Android, I’m here since I got my HTC Dream (aka G1) in 2009 and flashed “JK Rom” on it, which I soon switched for CyanogenMod which some of you still might know. I am an IT professional and privacy activist.

I flashed e-0.20-q-20211215151799-stable-avicii.zip

The technical problems/ issues:

  1. Location /GPS not working consistently
  2. Sync for the photos is not working
  3. Camera crashes when switching the cameras (when switching past camera 3)

The camera not working, I totally understand, I was not expecting that the small team can adjust the camera to the hardware.
The sync not working is surprising given that the sync of notes, tasks etc is working perfectly. Also there is the workaround with installing the Nextcloud client, so that is also OK
I still have to observe the issue with the location not working. After the last reset it suddenly worked, I’ll update on that

But what really is the show stopper, the absolute no-go, is the “Apps” ( /e/ App Store).
For the workaround I had to install “Nextcloud” and the App Store says it’s from “unknown” and there is no way to say if it is original (in https://doc.e.foundation/apps#how-can-i-make-sure--apps-in-the-installer-are-not-tampered-with-but-original you say that the PGP signature or checksum can be checked but I don’t see that, I have to trust the AppStore). But to use Nextcloud I have to give it my ecloud credentials…

I would be really happy if you could tell me that I made a mistake, that I didn’t see something, that I made a mistake in my thinking, that I can trust the /e/ App Store.

Otherwise I can only use the applications that come preinstalled plus all that is open source (Bitwarden and Signal Secure Messenger are among that) plus the ones where I can download the apk from the manufacturer (Threema is one of them) and as a last resort (I guess, because I didn’t try yet) I can install the app on a second phone and copy them over via ADB which I have to repeat with every update.

(If you ask why do I trust the Google Play Store more than the /e/ App Store - well this is simple: because the manufacturer of the apps (e.g. Revolut) link to their app in the google store, so I know it is the official one)

best regards
Patrick


If you don’t like the /e/OS Apps installer, just use F-Droid for Open Source Apps and Aurora Store (from F-Droid) as a Google Play Store client for the rest.

The /e/OS Apps installer is a constant subject of debate because of its nebulous source for Apps, which is Cleanapk, and there’s not much more info about them than this … https://info.cleanapk.org/ … which is why many users prefer to use the F-Droid and Aurora Store combo.

(lengthy reviews are helpful)

  • author “unknown”: I filed this at F-Droid Apps "unknown" in /e/-Apps Client (#4427) · Issues · e / Backlog · GitLab - the problem being, fdroid manifest files are not uniform and have author info lacking most of the time. Cleanapk could choose to display another sourced field, see the issue’s last paragraph for details
  • the fdroid pgp signature check is in code, not GUI surfaced
  • some in-App GUI verification help would actually be great. Fdroid apps would be easy to independently verify, Gplay harder, as there is no app publishers certificates directory - people scrape it though and it is auditable, as the signing certificate for an appid is “stable” (I omit details but this is basically it). You can check any sourced apks cert against a known-good one
  • it is fine to give “Nextcloud the app” ecloud credentials, it is supposed to authenticate against ecloud.global
  • /e/ Apps + cleanapk: this sees debate yes. Not to make this lengthy: the entities seem close, make your own call. You already do trust /e/ as image builders and in my opinion, that trust can be extended. The apk download source is due to change anyway from what I can see in upcoming versions
  • Apk installs are tofu - trust on first use - if you had at time of install a legit apk, an update apk signed by a different certificate with the same appid cannot be installed (“Apps” had bugs though in regards of a specific system appid names, this got fixed)
1 Like

Please do give us a clue about that. Is the source repo for the new Apps publicly visible?

that development version floated in the testing channel some weeks ago. It queried gplay directly or at least for the fetch itself, Aurora like. Not that I think it is a good direction, I’m obviously pro-mirror

1 Like

I think it is a good direction. It takes cleanapk.org (about whom nothing is known but plenty is guessed) out of the loop, and removes my primary objection to Apps, which has always been “We don’t know where the apks are coming from”. With this change that will be out in the open

  • FOSS apps from F-Droid
  • other apps from Google Play store

Of course it will take Apps some time to become as mature and “unbuggy” as Aurora Store and F-Droid, which is why I think the correct direction is to include those apps in /e/ OS and not try to create a forked combination of the two. I always prefer to use upstream, rather than fork

We don’t know where the apks are coming from

in the apk trust model, download origin is not important - the original publisher’s certificate is. If you have this pinned to the appid once you can happily download future updates from anywhere and verify apks are in line with past apks’ certificate. This publisher’s certificate is not in a public directory you can query - google does not offer this - you have to do the accounting yourself by building this directory. This is a technical burden, but is manageable. Some apk mirrors surface this into their UI (apkpure / apkmirror) - and you as user can verify what is shown there locally too and crosscheck with gplay. Tampering will be evident. Gplay is trustworthy as entity, but you individually have leverage too.

I understand the skepticism and there are of course risks in ongoing maintenance, but I think pulling cleanapk into the twilight does the people running it a disservice. Iterating on ways to establish trust is a better strategy than relying on the gplay api directly and getting your rug pulled without notice

2 Likes
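
The pin-and-compare check described in the posts above (publisher certificate pinned to the appid on first use, later APKs accepted only when the signer matches), as an added example that is not part of the thread or of the /e/ Apps code. It assumes the digests are read from the output of `apksigner verify --print-certs`; the appid and the certificate digests below are constructed.

```python
import hashlib
import re

# Assumed line format of `apksigner verify --print-certs <apk>`:
#   Signer #1 certificate SHA-256 digest: <64 hex chars>
DIGEST_RE = re.compile(r"certificate SHA-256 digest: ([0-9a-f]{64})")


def signer_digests(apksigner_output):
    """Return the set of signer certificate SHA-256 digests in the output."""
    return frozenset(DIGEST_RE.findall(apksigner_output))


def check_apk(pins, appid, apksigner_output):
    """Trust-on-first-use check of an APK's signers against the pinned set.

    pins maps appid -> frozenset of digests and is updated on first use.
    Returns "pinned" (first sighting), "match" or "mismatch".
    A legitimate signing-key rotation also shows up as "mismatch" here and
    needs a manual decision before the pin is replaced.
    """
    seen = signer_digests(apksigner_output)
    if not seen:
        raise ValueError("no signer certificate digest found")
    if appid not in pins:
        pins[appid] = seen
        return "pinned"
    return "match" if pins[appid] == seen else "mismatch"


def constructed_output(label):
    """Build sample apksigner-style output; the digest is constructed."""
    digest = hashlib.sha256(label).hexdigest()
    return ("Signer #1 certificate DN: CN=constructed\n"
            f"Signer #1 certificate SHA-256 digest: {digest}\n")


def demo():
    pins = {}
    appid = "org.example.app"  # hypothetical appid
    first = check_apk(pins, appid, constructed_output(b"publisher cert"))
    update = check_apk(pins, appid, constructed_output(b"publisher cert"))
    other = check_apk(pins, appid, constructed_output(b"different cert"))
    return first, update, other


if __name__ == "__main__":
    print(demo())
```

The download source never enters the check: only the appid and the signer digest do, which is why the same pin works for APKs fetched from any mirror.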

And who are the people running it? I don’t know, because they are keeping themselves in the twilight. If they were to open up about who owns or controls them, then I would have no objection to using it. Until then…

And who are the people running it?

I have a hunch, but as much as I understand users, I do understand an entity that wants to evade the corporate kind of litigation.

Anyway - /e/ has the option to solve this technically as outlined.

I must insist @petefoth, I really think you are wrong on this point.
I believe that nobody owns them, and nobody controls them.