What’s happening (or not) at Replicant

Two months ago, I (Paul Kocialkowski) gave a talk about reached milestones and ongoing development on Replicant at FOSDEM, one of the biggest yearly European gatherings of free software developers. I was thrilled to meet people interested in Replicant there and pleased to chat with many other free software developers, working in various fields. As usual, talks were recorded and most of those recordings are now available on the FOSDEM website, with no exception for the embedded devroom, where I gave my talk and joined an embedded freedom roundtable with Carsten Munk from Jolla and the audience. A WebM version of the talk is available on the Conferences page of the wiki.

Back from FOSDEM, most of my work was focused on U-Boot (the universal bootloader) for the LG Optimus Black and Sunxi (Allwinner) devices. Things are starting to look good on the LG Optimus Black, which now correctly boots Android without random run-time faults. As usual, things are moving very slowly due to the lack of time. The next step there will be to submit the first batch of LG Optimus Black support for inclusion in upstream U-Boot.

The Replicant code itself hasn’t changed much in the past months, since I am focusing on bootloader development at this point. In addition, Gitorious is now closing down and while we have all the source code uploaded there backed up, we’re looking for an alternative solution that doesn’t compromise on the core values behind Replicant and offers significant guarantees. Because of this situation, nothing is to be committed to the repositories before they are moved to a new location, which we have yet to find.
However, some security updates were kindly submitted by the community and those will be reviewed and integrated as soon as everything is back up and running.

So hopefully, things will start moving faster in a bit!

25 thoughts on “What’s happening (or not) at Replicant”

  1. > Unfortunately and despite our best advice, Fairphone people have decided to go with
    > a Qualcomm platform. This means that there is no interest from the software
    > freedom perspective, thus I won’t be spending any of my time on the device. Of
    > course, I am very much a supporter of the ethical approach on the manufacturing
    > line, but it doesn’t make the device acceptable regarding software freedom.

    I think that the Fairphone’s crew needs to take one step at a time, they have to propose an interesting and powerful enough modern device (not too much of a niche device), and I think that the Qualcomm solution in place of the Mediatek one (see the GPL trouble [1] with that producer) represents a step in the right direction; I really hope that in the future there is a possible collaboration between the Fairphone project and the Replicant one to find a chipset powerful enough to be commercially attractive and that respects the guidelines of free software and privacy that distinguish the Replicant project. Maybe, given the modularity of the Fairphone 2, it’s possible to develop an alternative “motherboard” (the main piece of the phone) with an alternative chipset so it could become a good platform to develop on. Or maybe this is only a dream…
    Thank you for your work, I am not an informatics person but I will be glad to help you in some way!

    1. http://www.xda-developers.com/have-you-paid-your-linux-kernel-source-license-fee/

  2. 1) The situation is moving forward these days and we’ll be set to announce the solution in the near future. There is still some technical setup to do and we’ll be all good after that. We have tried not to rely on third parties, even those that are members of the free software community.

    2) As soon as the Replicant source code comes back up, we’ll be able to keep updating the code, with security fixes as usual. Shellshock was fixed, but the application to detect it may wrongly claim that it is still vulnerable due to the bash version that wasn’t changed (we only backported the changes). I suggest you try an actual shellshock example and see whether it is actually vulnerable.

    3) Well, news go fast apparently! This is still just an idea and I have just started seriously considering that possibility. Though it would obviously be a good thing to have around, I probably won’t have time to spend into it. The idea would rather be for me to bootstrap and guide the effort, while encouraging others to spot and fix the current security issues we have.

    However, this only really makes sense with a device that offers sufficient guarantees regarding privacy/security such as the Optimus Black, so there is currently no hurry and I prefer to work on the latter for now. The idea would be for those things to come together eventually.

    4) Unfortunately, Android doesn’t handle external devices well. Adapting the system to change that and allow plug-n-play more easily is still on my todo list, but I seriously lack time to get it done, given other priorities that I have. It most likely won’t work as-is with Replicant. Also, the kernels used on devices may be too old.

    5) The first one is scheduled to be in French and the second one in English. However, I may also present the first one in English if the audience prefers it that way. On the other hand, I won’t go from English to French for the second talk. In any case, I’ll be around all week and it’ll be no problem to have a chat in English 😉

    6) Both have their bootloader close to being ready. Once the Replicant source code is back up, I’ll be able to bring Replicant support to those. I’ll mention the situation in greater depth during my RMLL talk!

    Thanks for your interest in my work and sorry for the delay in responding to your (long) inquiry.
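
The false positive described in point 2 above, as an added example that is not part of the original thread or of Replicant's code: a version-string heuristic flags a bash whose fix was backported without a version bump, while a behavioural probe of the local shell does not. The function names, the patch-level thresholds and the sample version strings are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: version-based vs behavioural Shellshock detection (local only).

# Version heuristic, as a scanner app might apply it: flag any bash whose
# patch level is below the first release carrying the fix for its series.
# ASSUMPTION: the thresholds below are illustrative, not taken from the page.
version_flags_vulnerable() {
    ver=${1%%[!0-9.]*}          # "4.2.37(1)-release" -> "4.2.37"
    series=${ver%.*}            # "4.2"
    patch=${ver##*.}            # "37"
    case $series in
        4.3) fixed=25 ;;
        4.2) fixed=48 ;;
        4.1) fixed=12 ;;
        *)   return 2 ;;        # unknown series: the heuristic cannot decide
    esac
    [ "$patch" -lt "$fixed" ]   # 0 = flagged as vulnerable
}

# Behavioural probe: export a variable shaped like a function definition with
# a trailing command. Only a shell that still executes that trailing command
# while importing the environment prints the marker.
# Returns 0 = vulnerable, 1 = not vulnerable, 2 = shell not found.
behaves_vulnerable() {
    shell_bin=$1
    command -v "$shell_bin" >/dev/null 2>&1 || return 2
    out=$(env probe='() { :;}; echo SHELLSHOCK_MARKER' \
              "$shell_bin" -c 'echo done' 2>/dev/null) || true
    case $out in
        *SHELLSHOCK_MARKER*) return 0 ;;
        *)                   return 1 ;;
    esac
}

# Probe the local shell and report what it does, next to what it claims to be.
target=$(command -v bash || command -v sh)
reported=$("$target" -c 'echo "${BASH_VERSION:-unknown}"')
if behaves_vulnerable "$target"; then
    verdict="VULNERABLE"
else
    verdict="not vulnerable"
fi
echo "$target (reports $reported): behavioural probe says $verdict"
```

A build that reports an old version string but passes the behavioural probe is the backported case described in the comment; the probe, not the version string, is the result to trust.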

  3. Hi,

    Any update on the code hosting situation? It’s been 2.5 months and when doing ../tools/repo sync there are lots of “fatal: repository ‘https://gitorious.org/replicant/blahblahblah/’ not found” errors

  4. Hey Paul,

    I have a few questions for you.

    1) Have you settled on a Git Repo or whether or not you will host the Repo on Replicant.us? GitBull, NotABug, and Savannah all look like great options to me.

    2) Will you be releasing new images which include the critical security updates sometime in the near future? This seems fairly important. Also, I think that the CyanogenMod version that some of the Replicant images are based on has ShellShock vulnerabilities, based on me running the F-Droid Shellshock Vulnerability Scan app on my Galaxy S3 CyanogenMod phone which I think runs the same version that you based the S3 Replicant image on. Can you confirm that this vulnerability has been patched by Replicant or will be in future images?

    3) I love the idea you had in the forums related to coming up with a variant of Replicant that would proxy traffic through Tor by default. It is my firm belief that this variant OS would bring the Replicant project a lot of press and attention and would likely result in getting some more contributors working on the project. The Tor community is thriving right now and I really think it would be wise to do what you can to try to get some of them excited about the possibilities of running Tor on a FOSS Android OS. The TailsOS is going great, but there aren’t any out of the box Android OSes that route everything over Tor like Tails does for desktops and laptops. Who knows, maybe someone could build off of your variant the ability to run it with Amnesia and make an Android Tails platform a reality. I mean, these couple of groups mentioned in the forum link below told the media that they were going to come out with some Alpha versions of secure Android platforms and never even delivered anything at all, but they still got some decent press on it. http://redmine.replicant.us/boards/33/topics/3969 I think there would be a lot of press if Replicant came out with a working OS that delivered this feature out of the box. I don’t know how time intensive it would be to implement this variant, but I think the time and effort you put into it would likely be extremely worth it.

    4) I know that the current devices don’t have free firmware for Wifi shipped with them. Is there a chance that the tpe-n150usb USB adapter would work with all of the current Replicant devices? https://www.thinkpenguin.com/gnu-linux/penguin-wireless-n-usb-adapter-gnu-linux-tpe-n150usb If this would work, do you think it would be wise to include its driver in the next batch of images? I’m suggesting this one specifically because it has the FSF Respects Your Freedom certification.

    5) Will your RMLL 2015 talk be in English or have subtitles if not? Any English speaking Replicant talks on your schedule?

    6) How is your work on the LG Optimus Black and Sunxi (Allwinner) devices progressing?

  5. > Which platform (instead of Qualcomm) they should have been choose for authorise the freedom solutions?

    They could have chosen a modern platform that doesn’t check the bootloader’s signature, such as the i.MX6, OMAP4/5 or Allwinner.

    > I ask this question cause I thought that all the SOC platform (and CPU in general) were in closed hardware.

    The fact that the hardware is not free (if that’s what you’re talking about), despite having consequences regarding our ability to change the situation, does not imply that it cannot respect our software freedom.

    > PS: You should make a big campaign on a crowdfunding site like Kickstarter to go faster and to expand Replicant to other phones.

    You can already donate to Replicant via the FSF at https://crm.fsf.org/civicrm/contribute/transact?reset=1&id=19
    Generally speaking, money is not what is blocking Replicant from moving forward at the moment. Only contributors are really lacking to the project.

    Thanks for your support!

  6. Hi,

    Thanks for your answer.

    Which platform (instead of Qualcomm) they should have been choose for authorise the freedom solutions?
    I ask this question cause I thought that all the SOC platform (and CPU in general) were in closed hardware.
    So does it really make a difference?

    Thank you! 🙂

    PS: You should make a big campaign on a crowdfunding site like Kickstarter to go faster and to expand Replicant to other phones.

  7. Unfortunately and despite our best advice, Fairphone people have decided to go with a Qualcomm platform. This means that there is no interest from the software freedom perspective, thus I won’t be spending any of my time on the device. Of course, I am very much a supporter of the ethical approach on the manufacturing line, but it doesn’t make the device acceptable regarding software freedom.

  8. > How is your work on the LG Optimus Black and Sunxi (Allwinner) devices progressing?

    Well, most of it takes place at http://git.code.paulk.fr/gitweb/ and I haven’t done so much in the past few weeks. Nor will I for the next few ones.

    > Does school end for you soon, leaving the summer free to focus on Replicant?

    Yep, that’s the plan, but I have yet to see to what extent I manage to stick with it.

    I’ll be talking about what’s happening at RMLL 2015 (https://2015.rmll.info/) in Beauvais (near Paris) at the beginning of July.

  9. How is your work on the LG Optimus Black and Sunxi (Allwinner) devices progressing? Does school end for you soon, leaving the summer free to focus on Replicant?

  10. Well, I’m not giving an ETA for it. It may happen at some point this summer, or perhaps not. It all depends how the work on other devices comes along. In any case, moving to a newer version is still not a priority.

  11. What about update to 4.4? It was scheduled for summer, is it still valid?

  12. > Well, I’ve seen how it reflected on free software on example of Nokia. Not to mention MS is one of major driving forces behind of UEFI “secure” boot (which actually should be named “locked boot loader” to reflect what’s going up, especially taking Intel’s “boot guard” tech into account).

    I’m not saying Microsoft has been doing us a lot of good, I’m just saying: wait and see.

    > MS never gave up on “embrace, extend and extinguish” and Cyanogen seems to be a victim of its own popularity. Not everybody could retain good intentions when they feel some MONEY.

    Things seem to be going that way, apparently.

    > And while I do not like Android at all for being rather close thing, designed and developed in google internals and not really compatible with anything else, it is good that people like you are existing and struggling to de-bastardize world.

    I don’t like it either by the way. It’s just a pragmatic solution for the short term.

    > Not to mention I like u-boot and use it a lot.

    Yay U-Boot!

    > Yet I would prefer to boot something like Ubuntu on allwinner based device – hopefully they could manage to create less poisonous ecosystem than Google did. I really dislike android apps ecosystem – it is proprietary minded and full of misbehaving, trojan-like apps (and whole Google is all about same attitude).

    Well, wait long enough and Debian will come to save the day.

  13. > What matters is how it reflects on the code with regard to free software and privacy/security.
    Well, I’ve seen how it reflected on free software on example of Nokia. Not to mention MS is one of major driving forces behind of UEFI “secure” boot (which actually should be named “locked boot loader” to reflect what’s going up, especially taking Intel’s “boot guard” tech into account).

    MS never gave up on “embrace, extend and extinguish” and Cyanogen seems to be a victim of its own popularity. Not everybody could retain good intentions when they feel some MONEY.

    And while I do not like Android at all for being rather close thing, designed and developed in google internals and not really compatible with anything else, it is good that people like you are existing and struggling to de-bastardize world.

    Not to mention I like u-boot and use it a lot. Yet I would prefer to boot something like Ubuntu on allwinner based device – hopefully they could manage to create less poisonous ecosystem than Google did. I really dislike android apps ecosystem – it is proprietary minded and full of misbehaving, trojan-like apps (and whole Google is all about same attitude).

  14. > Once cyanogen partners with Microsoft, they can’t be trusted anymore

    I fail to see the relevance of this. It doesn’t matter who CyanogenMod decides to team up with. What matters is how it reflects on the code with regard to free software and privacy/security. If this is only about shipping Microsoft applications with the non-community CyanogenMod version, it shouldn’t affect us.

    > Needless to say, it puts more focus on alternatives.

    It might, but perhaps not for legitimate reasons.

  15. Once cyanogen partners with Microsoft, they can’t be trusted anymore and are expected to be troublesome in terms of privacy, predictability and backdoors/unwanted software of all kinds. Needless to say, it puts more focus on alternatives.
