Me too, the mobile device landscape is definitely shaped by consumerist values. Divest has been intriguing me lately as well, I used to think it was a more flexible, less hardened alternative to Graphene, but it seems to have continued on down the road a ways past Graphene now. That wiki looks super interesting, I’m going to check it out. Just a quick look through what they have looks like high quality info.

Yes that’s the benefit of verified boot, and it is a helpful security feature. However, if you’ve used or are using Windows or Linux as an operating system, then you are comfortable with using a device that does not have verified boot (not sure about iOS and Mac, I’m not familiar with them). The risk you’re talking about with malicious code being injected in to an app you’ve chosen to trust is a threat to any device, verified boot or not. Modification of the kernel is an attack vector, but it certainly isn’t the only way for an app to cause mischief on your phone and devices are all relatively as vulnerable to developer or supply chain attacks.

Using software someone else developed always comes down to trust, unless you are auditing the code for every app you use, which I don’t think either you or I are. Having features that increase security in some technical way feels good but may lull us a sense of security. For instance, here’s a quote from a security researcher that I ran across in the past. It’s regarding the reputation for security that iOS has:

Erez Metula, founder of a a security and penetration testing firm called AppSec labs: “There’s a myth that iOS apps are more secure than Android. But the truth is, iOS apps are even worse in terms of security. When we do penetration testing for our customers, we’re often asked to test their Android and iOS versions of the same app. We have realized that since iOS developers incorrectly assume that iOS is ‘more secure,’ they allow themselves to make bad security decisions that open up vulnerabilities in their app.” He added, “Interestingly, since Android developers think that Android security is worse, it pressures them to follow better security practices.”

The same is true for us users. Security features are important, but user education and awareness is the most important element of keeping ourselves from ‘making bad decisions and opening up security vulnerabilities’ in our device usage.

Thankfully like you said, there are thousands of highly qualified individuals vetting the code of mainstream open source projects, which saves us regular users in the case we face an xz situation. A few principles that outway security features like verified boot in my book are:

1. Use open source software whenever possible, and make sure that it is widely used and visible to others.
2. Check the “issues” section of the documentation frequently. Even widely used software can be riddled with unpatched security holes (I’m looking at you Nginx Proxy Manager 😄)
3. I may get some hate for this one, but use a trusted middleman like F-droid as your app vendor for apps that do not have wide circulation or visibility. They run basic checks of the code for safety before uploading to their repos, checks that regular users are not able to do.

Unless you are being targeted by a stalker, a malicious state actor or are downloading disreputable software, the average user (with a little bit of knowledge) would be just fine on /e/ or lineageOS. Tens of thousands of people are right now without any problems.

Like you say, it is moderately de-googled, which is a fantastic improvement over stock android any way you spin it. I believe that was the point of the original commenter, as it is mine. However there are those blobs that do get left in (in every ROM, including even DivestOS which is the most aggresive in this regard). Install a firewall or network monitor on a device that’s only been somewhat deblobbed and you’ll find that they are not little black boxes sending all your data to Google, but instead are there to do things locally like software interaction with hardware in the phone that is from another company like Broadcom.

Any ROM on a Samsung phone probably lags on security updates due to Samsung itself being slow to release them, though they do seem to be doing better lately. If the ROM itself is slow to push updates, the most you’ll wait is 2-3 months. That’s pretty much not a problem unless you’re being threatened by state level actors, and is the state that the majority of stock android users are in. In fact, stock android can often be years out of date because their manufacturer just doesn’t put them out.

Regarding dependence on Google services (play store of otherwise), let’s be honest, GrapheneOS users almost always install sandboxed play services, work profile or not. I don’t blame them, it’s how I have Graphene installed on my phone. However, this not a privacy oriented thing to do, it releases a flood of information to Google, much more that a simple connectivity check or SUPL ping. It’s not as much as fully integrated play services though, which is good. MicroG may be theoretically less secure, but it is certainly more private. It simply asks for less information from you than play services do.

The relockable bootloader subject is bit of a pet peeve of mine. Personally, I do choose to use a pixel so that I can have that added security, as it does have value. However, to say that without a lockable bootloader you are compromising your security and by extension privacy is what i would consider an overstatement that creates fear and uncertainty. Your security and privacy only become compromised if a thief steals your physical device then also has the know how to execute a sophisticated software based attack on the phone using adb. This just isn’t something that happens. In the many years I’ve been around the android ROM community, privacy/security focused or otherwise, I’ve not heard of this happening even once. To tie it back in to the OP, this scenario is actually a perfect use case for the app mentioned in this post, it offers you the ability to remotely wipe the device if it’s been stolen.

It can be an issue from a software angle though too, but then you would have to download and install a piece of malicious software that is specifically targeting phones without verified boot. At that point there is a greater issue though, because you can download and install malicious software that is targeting phones that DO have verified boot active just as easily. All that’s necessary is to be well informed and have good security habits and behaviors, it’s how desktop competant windows and Linux users have gotten along just fine all these decades.

It’s easy to get swept up in the security dogma of the android ROM community. In my opinion, some of it is helpful, but some is not practical or useful for every day users.

I’m not sure what your point is with this reply?

I’ve seen that page before, it’s helpful for getting your bearings with the different android ROMs, but take a look down towards the bottom at the “Supported Devices” section, and also compare the /e/ section to the “Stock Android” section.

/e/ does quite a good job removing Google’s presence from Android. It’s been awhile since I watched it, but this techlore video does a good breakdown of it.

Edit: actually that’s not the one I was thinking of, I’ll keep trying to find it, but it broke down the actually network connections that different degoogled ROMs were making and /e/ did very well.

Edit 2: couldn’t find the video, it’s lost somewhere in my watch history from 2+ years ago. In any case, even jumping to lineage from stock android is a great move, and /e/ makes many improvements on Lineage in removing further dependence on google code. Better to use a phone you already have than to purchase a new device just to run software that has security features you likely don’t need. It makes me think of buying a car for it’s top speed of 160 mph when you’re only ever going to be driving the speed limit.

Or you could get it directly from their github releases using obtainium if you don’t like to mix repos in to fdroid.

I’ve tried it, but I am a little picky about UI personally. It functioned well while I used it, but had a very dated style. Totally a cosmetic issue though.

I tried it back when it was under the simple tools developer. I couldn’t get in to his apps (aside from the calendar) for some reason. They all felt half-baked. It’s nice to see that the fossify forks are getting some love, I’ll check it out again.

I don’t have any idea of how conplicated it would be, but a phone app would be a nice option. The stock dialer that comes with FOSS ROMs is OK functionally, but visually looks like it was from 2010. Plus it’s not available through F-droid or other open source app store. Koler is the only serious dialer alternative I’ve seen, and while it looks nice it has always been super buggy.

You might like oneshot. It’s not quite as full featured as some mood trackers are, but the design is pretty nice. It hasn’t had updates in a year or so, so daily you might be worth checking out too.

I hate that so much but you’re probably right 😅

Saber notes is really good. It’s more for notes, annotating PDFs and simple artwork than anything graphic design level though.

I initially started out with that, it worked fairly well but I did notice a significant speed increase when syncing after getting the Joplin server set up. The downside is having another service publicly exposed though, a more minimal set up does have its benefits.

Yeah, I hear you there. I usually get overwhelmed by the time I get to the “B” section.

I think (looking back at your post) the most important thing that helped me was learning how to use docker-compose. All of my services are in docker containers and are much more manageable then trying to do a bare metal install.

With that comes the struggle of security though, as docker containers use their own set of firewall rules distinct from the main firewall rules you might have setup on your server. If you end up using docker, do a few searches on how to secure those firewall rules for the containers themselves.

I have definitely benefited from other peoples current set up lists, I’ll leave mine here in case it sparks some interesting directions for you.

• Diun - notification service for when new images are released for any running docker apps I have up.

• Immich - self-hosted photos backup. Incredible app, its extremely refined and feature complete.

• Jellyfin (Linuxserver.io image) - personal media streaming service. The Linuxserver.io version was much easier to set up than the stock jellyfin version.

• Joplin server - self-hosted back end for Joplin notes sync. Much faster and more reliable than the 3rd party sync targets like one drive or Dropbox.

• Mealie - recipe management.

• Nextcloud - so many things. Calendar, files, kanban, contacts, etc… Personally I find Nextcloud’s documentation hard to follow, so I’ve linked the video tutorial I used to set mine up.

• Nginx proxy manager - reverse proxy with basic protections built in. I’m on the fence on suggesting this one and have been considering switching to something else, as it rarely gets updates these days. It is the only one I’ve been able to wrap my head around though. Zoraxy, Traefic and Swag are all other options. You mentioned having Nginx set up already, so this might not even be an issue for you.

• Paperless-NGX - document server and archive. All you need is the docker-compose.env and docker-compose.postgres.yml from the linked directory. Tweak the compose and env values as you see fit and remove the “postgres” from the file name before firing it up.

• Portainer - basically just a GUI for viewing docker services. You can manage docker images and stacks with portainer, but I would recommend just learning the docker-compose method in general.

If you ever run into instructions for setting something up with a regular docker command but want to convert it to a docker-compose.yml file instead, this site is super useful: composerize.com

Definitely check DB Tech’s videos put on YouTube. He covers a ton of self-hosted apps and how to set them up. You’ll have to sift through a bit, not all the apps he talks about are really necessary, but I basically learned self-hosting through his channel.

Look for stuff on authelia, crowdsec or fail2ban with regards security for your server and decide what direction you want to go there.

Christian Lempa’s channel is also good, though can be more technically oriented.

EDIT: also, this github repo has an amazing (though overwhelming) list if self-hosted services. Awesome Self-hosted.

It does go quiet for months at a time, but then someone will make a post and everyone will jump in and post their current set up. Then it goes dark for another few months 😄

Nice, I haven’t tried that termux widget yet. Here’s a Lemmy community just for android home screens if you’re interested: !c/android_homescreens@lemmy.ml

Awesome setup. I tried kvaesitso in the past but couldn’t get comfortable with it. I’ll have to give it another shot and try to get it dialed in.

You should post this over in !c/android_homescreens@lemmy.ml, it would be appreciated there too.

Awesome!

Try the package html2text. I haven’t used it before, but I think it might be what you’re looking for. Interestingly, it was originally developed by Aaron Schwartz, one of the co-founders of markdown.

Other than that I’ve seen people being pretty successful with a combination of wget and pandoc. I don’t know how well that would work in scripts though.