mirror of
https://github.com/privacyguides/privacyguides.org.git
synced 2024-12-18 12:24:35 -05:00
update: Remove DivestOS warning (#2725)
Signed-off-by: blacklight447 <niek@privacyguides.org> Signed-off-by: Daniel Gray <dngray@privacyguides.org>
This commit is contained in:
parent
f34ac66e7a
commit
0d332e72b5
@ -72,23 +72,28 @@ GrapheneOS provides the option to switch back to connecting to Google's servers
|
||||
|
||||
### DivestOS
|
||||
|
||||
If GrapheneOS isn't compatible with your phone, DivestOS is a good alternative. It supports a wide variety of phones with *varying* levels of security protections and quality control.
|
||||
|
||||
<div class="admonition recommendation" markdown>
|
||||
|
||||
![DivestOS logo](../assets/img/android/divestos.svg){ align=right }
|
||||
|
||||
**DivestOS** is a soft-fork of [LineageOS](https://lineageos.org).
|
||||
DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices.
|
||||
DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](../os/android-overview.md#verified-boot) on some non-Pixel devices. Not all supported devices support verified boot or other security features.
|
||||
|
||||
[:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary }
|
||||
[:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" }
|
||||
[:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" }
|
||||
[:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation}
|
||||
[:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title="Documentation" }
|
||||
[:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" }
|
||||
[:octicons-heart-16:](https://divested.dev/pages/donate){ .card-link title=Contribute }
|
||||
[:octicons-heart-16:](https://divested.dev/pages/donate){ .card-link title="Contribute" }
|
||||
|
||||
</div>
|
||||
|
||||
The [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) of firmware updates in particular will vary significantly depending on your phone model. While standard AOSP bugs and vulnerabilities can be fixed with standard software updates like those provided by DivestOS, some vulnerabilities cannot be patched without support from the device manufacturer, making end-of-life devices less safe even with an up-to-date alternative ROM like DivestOS.
|
||||
|
||||
DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [control-flow integrity](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates.
|
||||
|
||||
DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled.
|
||||
|
||||
DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's `INTERNET` and `SENSORS` permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://grapheneos.org/usage#exec-spawning), Java Native Interface [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features per-network full MAC address randomization, [`ptrace_scope`](https://kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, automatic reboot, and Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features#attack-surface-reduction).
|
||||
@ -97,15 +102,6 @@ DivestOS uses F-Droid as its default app store. We normally [recommend avoiding
|
||||
|
||||
DivestOS replaces many of Android's background network connections to Google services with alternative services, such as using OpenEUICC for eSIM activation, NTP.org for network time, and Quad9 for DNS. These connections can be modified, but their deviation from a standard Android phone's network connections could mean it is easier for an adversary on your network to deduce what operating system you have installed on your phone. If this is a concern to you, consider using a [trusted VPN](../vpn.md) and enabling the native VPN [kill switch](../os/android-overview.md#vpn-killswitch) to hide this network traffic from your local network and ISP.
|
||||
|
||||
<div class="admonition warning" markdown>
|
||||
<p class="admonition-title">Warning</p>
|
||||
|
||||
DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative.
|
||||
|
||||
Not all of the supported devices have verified boot, and some perform it better than others.
|
||||
|
||||
</div>
|
||||
|
||||
## Criteria
|
||||
|
||||
**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](../about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
|
||||
|
Loading…
Reference in New Issue
Block a user