Thanks
Just a reminder how impossible it is to remain up-to-date
on everything that is happening now!

excellent !
This actually raises a question I have been muddling over:

Part One
The one and only usecase I see for Android
is a few applications which do not get ported to linux.

I downloaded the latest RemixOs to examine
whether I could lock Android inside a KVM-QEMU virtual machine,
and it does appear doable.
The idea would be to firewall any and all data
emitted from the VM to remain secure,
leaving only such data available as necessary to run
individual applications.
Imagine (for example) running the Uber application to get a ride
with exactly whatever is necessary to arrange the trip
and absolutely zero anything else getting sent.
And that only when you actually need a ride,
comms sending completely disabled at all other times.

This is a solution, but rather heavy and clumsy.

Part Two

I have over the past years begun migrating everything I use
into VMs in order to have:

1. hardware portability
2. easily cloned or backed up with zero drama
3. security isolation (banking and work stuff)
4. and other operational compartmentalization
   (I have some very heavy lifting data processing projects
   which have their own libs and daemons,
   unwelcome in my desktop environments)

and this is exquisitely nice.
Moving a webservers becomes simply a matter of which
box to put it in, zero reconfiguration involved.
[I dreaded rebuilding an old Drupal install knowing it would take weeks to get that and all the associated multiple databases hanging on yet another cluster of packages rebuilt.
I simply imaged the machine for KVM and copied it onto a KVM host.
Open a port and it was a done deal with zero sweat.]
Same for my processing work images.
We had been using VirtualBox for several years,
but this year we have abandoned all that
and gone to KVM and it is sweet.


I have not worked with Docker or other such mechanisms

intending to provide virtualized applications,
but this seems like it might be part of a solution
to providing an Android segment on top of a pure linux OS.


Part Three
Running linux apps atop a Hacked Android, ala Halium,
seems upside-down, security wise.
<Imagine carrying your groceries home in upside down bags>

Turn it right-side up running Android apps on top of a linux OS
might be an answer, but some uncomfortable thoughts linger.

The problem with Halium is that vulnerabilities
are cooked into the kernel and services before
we even get to the part about running linux software.

The flipped side of running Android applications
on top of a linux modded to translate Android services
sounds okay but what about those services?

What might be a "Docker" type of implementation
sounds like a solution - the Ubuntu Touch used AppArmor
but the way it was implemented was to firewall everything
And it fails in certain ways.

That Uber App (there is nothing working like that for UT)
if it ran in an apparmor containment
might seem fine, but:
the local boys with their stingray tower network can still
track you and listen to your microphone,
watch your camera etc.
even though Uber is locked away from other apps.
(Please understand I am not referring only
to government surveillance:
there are other far more dangerous types
using fake cell towers these days and they are terrifying.)

How could we firewall just that [Android] portion of a device
that represents a threat to the system ?
All the regular opensource software we run is not a worry,
but that random Android Blob seeking your cc number
is all it takes to ruin your day,
much less some blob phoning home to Uncle Vladimir.

This guy [ Thadeu Lima de Souza Cascardo ] has an amazing page:
https://cascardo.eti.br/blog/GNU_on_...hones_part_II/


Cheers - please go back to being happy now