Re: Sailfish Android version update
 

sorry, but how is that better for ~98% of the people who doesn't know anything about coding? I mean, I do know how to compile some basic stuff on linux, use AUR or svn or git...... But I still have to trust that source the same way I trust precompiled binary.

Re: Sailfish Android version update
 

Exactly! Forget the 98℅, published sources hardly help even the expert programmers. Who on earth has the time or expertise to review 5 million lines of code?

Having said that, I agree with juiceme on one point. I don't really care about the application being provided in source or binary, but the API should definitely be open and public. Otherwise you never know what even the intention is, let alone the implementation.

Re: Sailfish Android version update
 

That is a very old skool way of thinking. No one gives a damn about root any more, especially on a mobile device. User level is where all the important stuff is: your address books, your emails, your login details to various services including online banking... What can root give you on top of that? Install a new driver? So what?

Re: Sailfish Android version update
 

You could say the same thing about ingredient lists or expiry dates on food items, they only show what should be in there, but still someone might have poisoned your cookies. It's reasonable to assume that there are no real lies on the package, that your cookies will contain exactly and only those things listed in the ingredients and that they didn't expire five years ago. This doesn't prevent the cookie company from telling any lies (companies being called to court for false advertising is not uncommon), but it creates some trust that otherwise wouldn't have been there. I don't extensively read the ingredients on my cookies, but knowing they're there sufficiently satisfies my curiosity (side note: I'm thinking interpassivity may be at play here) and I don't think I would have bought them if there were no ingredients listed at all. Of course, this in itself doesn't explain why I would eat anything at a restaurant or at a friend's place, because usually the ingredients of the food aren't listed there.

Re: Sailfish Android version update
 

I agree, but I think root access is still relevant for installing hidden Bitcoin miners or DDoS applications and such, so situations where the attacker is not interested in data, only money or whatever the intentions behind DDoS attacks are.

Re: Sailfish Android version update
 

@nthn, I agree, although if I get it right, you compare published ingredients to published code. I would compare them to a published interface. A published code would be an equipment to a full recipe, including the order of adding the ingredients and cooking times. You get basic nutrition information (API) on most food packages but the exact recipes (source code) are usually a trade secret.

Re: Sailfish Android version update
 

for bitcoin miners, really, you dont need root.

as for the open source part mentioned by @juiceme - i agree with juiceme. Without sources its damn difficult to figure out watch going on. Sure, ordinairy users dont care probably. But having the sources is way more easy auditing. Its old-school, but damn right necessary.

Re: Sailfish Android version update
 

It is also relevant on servers that store personal data of thousands of users. Root will give you access to other users' data. I believe this is where juiceme was coming from, which is why I emphasised mobile devices. You raise and interesting point, though I am not sure how relevant bitcoin mining is on mobiles.

Re: Sailfish Android version update
 

I'd say every bit helps.

It is actually a problem, though.

Re: Sailfish Android version update
 

while all that might be true, an Average Joe will know the difference between banana or strawberry flavour on the very first bite. With codes...... not so much.
In so many situations we just have to trust the other party first and then time will tell....
But what really surprise me is that even with every bit of code open and with unhackable encryption you are still at mercy of your service provider or government because they can shut your service down or block acces. And even if you would want to build alternative infrastructure, you can't because all that is or needs to be regulated by the state.
At the end, it's jut the question of who do you trust more with your data. App developer, HW manufacturer, service provider, your govenment....... or when your ex hits you with revenge porn :D Because in the end even the person from the other side of that encrypted something can betray your trust.

Re: Sailfish Android version update
 

You did not read my post through, did you??

If you read it again you will notice I said Binary distribution can be allowed if the sources are available and mechanism for reproducible build verification exists.

This means that somebody can build the sources and verify the resulting RPM is what is ptovided!!!

Re: Sailfish Android version update
 

Yes, juiceme, I read that. And I have repeatedly said that I have an issue with that somebody.

In your idealistic world, "somebody" will review those 5 million lines of code. In the real world, nobody will even look at it. But somebody might write an alternative application if the API is public. Which was my point.

Re: Sailfish Android version update
 

@pichlo thats not @juiceme's point here (correct me if iam wrong)

By being able to recompile from sources, and comparing a precompiled binary (rpm) against own build (rpm) its a matter of comparing if checksums matches. If no match, something was changed in precompiled binary, and there is a reason to be suspicious.

Re: Sailfish Android version update
 

Sorry but that's just silly. For at least two reasons:
1) A checksum match can only guarantee that the compiled binary matches the supplied sources. Not that the sources are safe and do not contain some hidden gems.
2) A checksum is not going to match anyway. At least in my experience, every time I build something I get a slightly different binary. The compiler embeds things like the build date/time etc.

Re: Sailfish Android version update
 

No, but for installing a bitcoin miner by an innocently looking chat application, having root access helps.

At least on a decent OS. On Sailfish, you don't need root for that either :D

Re: Sailfish Android version update
 

Simplified, yes. There needs to be a reproducable build method, which will result in matching checksums. Or other verifiable methods.

https://wiki.debian.org/ReproducibleBuilds

Re: Sailfish Android version update
 

@nieldk already explained it well. In most cases the possibility of reproducible build from sources already deters the will to put in backdoors.

Also one does not need to look at every line of the 5 million LOC, there are ways to speed up the process pretty much, for example with c sources you can grep thru included headers to find the modules most likely to do some funny business and then check those.

Also there does exist way to have reprducible RPM builds :)

Re: Sailfish Android version update
 

Still no info/promise which will be the android compatibility level, 5,6,7,8...

Re: Sailfish Android version update
 

I'm totally with you regarding the desire for reproducible builds and having access to the code. But the FOSS world is not what I had in mind when posting my last post, as you rarely are forced to use a specific app there.

I was looking at big companies (banks, public transport etc) where you see tendencies towards app exclusive services. The best example may be online banking apps, for which you often see issues at TJC from nordic users: either you install and use the app, or you can't access your online banking.
The sad truth here is that there usually is no possibility to get a look at the source code. So, sure, they could include a crypto miner or something like that, but I'd say the chances for that are quite low in these cases. The bigger issue is that more and more companies go "all in" regarding data collection: try to grab as many data from users you can, maybe they can be useful (and sold) in the future. In this case, App permissions are essential, since with them you can use the app without the fear that it "steals" your address book or is constantly spying on your location.
I have to say that Google did a good job regarding this permissions in the newer Android versions. Wouldn't Android itself spy on the user so massively, it would be a great privacy-friendly system. And this is where SFOS has its advantages in my opinion: If we get similar app permission features as Android, we have a privacy-friendly base system (opposed to Android) and can get much more privacy for Apps which are (unfortunately) essential for the user.

Re: Sailfish Android version update
 

This is where our disagreement comes from. I am not convinced that your statement is 100℅ true. In a reasonably complex piece of code, it is dead easy to hide whatever you want in plain sight. In which case providing the sources will only serve to give the false sense of security to idealists like you, who naively believe that sources = guarantee of genuinity.

Regarding the Nordic bank users, as per jenix's post, I am somewhat baffled. Does that mean you guys cannot login from any random computer using any random browser? That completely defeats the whole purpose of online banking. If my bank tried to impose such a restriction on me, I would switch the bank.

Re: Sailfish Android version update
 

most likely they can. Just like I can here. But the thing is, in order to log in via browser you need some kind of cetificate/athentification/whatever and today that is mostly in a form of an app built for iOS or Android. Days of actual USB card readers and those tamagochi like HW devices are long gone. So, I can log in on sailfish browser but first I have to generate the code on in android app and if that does not work under current AD..........

Re: Sailfish Android version update
 

Meaning:
Jolla themselfs don't know what version it will be up to this point ;)

Speculating,
the anouncement alone implies they are quite confident to get any newer version running.

Hoping,
they have a newer version than 4.4 running already but are still testing with even newer versions.

Fanboy-level,
they are testing top-down, got Popcorn running but do not believe themself and can not stop testing and might fall back to Oreo if they hit a wall :D

Re: Sailfish Android version update
 

USB card readers? HW devices? Generate 'the' code? What the...? I do online banking with three banks and none of them has any of that crap. You need three things, most commonly 1) username or login ID, 2) password and 3) some kind of secondary authentication code that you specify when you register. None of that changes in real time. You can change 2) and 3), sometimes 1) in your preferences. You can log in from any browser anywhere in the world, no proprietary app necessary.

Re: Sailfish Android version update
 

sounds very insecure. And most definitely it's not the way how most banks do it.

Re: Sailfish Android version update
 

Hee, seems you in da UK-land have pretty different concept of banking than what we are used to here in the north... Are you still using checkques? :D:D

What we in Finland are using is pretty much how @kinggo explained, except that luckily we can also still use the old method of TAN slip codes. (Lucky for me since otherwice I'd be as pissed as my Swedish colleagues who only can generate codes via Androd devices...)

A TAN slip is a piece of paper that your bank mails to you, it contains a list of usually 100 or 250 one-time codes to use with banking.
In addition to that you of course need the account number and password.

The problem is that also the finnish banks would like to move to the Android-App-created BankId system, because it is cheaper to them than mailing the new TAN slip to people few times per year.
I am fearing that day with dread.

Re: Sailfish Android version update
 

Oh yes, absolutely! It is not uncommon to use a cheque to pay for e.g. school activities. Cash or cheque, but since you pay by sending your child to school with an envelope with the money in the bag and you do not get a receipt, a cheque is a better option because it is tracked.

There is at least one bank that uses the key fob type devices mentioned earlier. HSBC. Unsurprisingly, it is also known as the most awkward and user unfriendly bank under the sun. I used to have an account there once but moved away as quickly as I could. I have 2p left on the account and have not been able to close it for over 10 years. They make everything as difficult as possible.

Re: Sailfish Android version update
 

Huh, in Belgium we get card readers where you have to enter a couple of codes every time you want to log in to your account or do a transaction, the card reader then displays a code which you have to enter on the website. I've always assumed this was the same worldwide!

I'm aware most or all banks now have Android/iOS applications, but I have no idea how they work. At least I presume they don't require the card reader.

Re: Sailfish Android version update
 

in Denmark we dont accept cheques.
Oh and we have this key called nemID - which is 2FA for almost any online activity in DK public services, banks. Its also used for identifying who you are (by verifying against registered PI in central database).
you get nemID by default on a paperslip, but can also purchase an eletronic token.

Re: Sailfish Android version update
 

I think there has been a misunderstanding on how bankid is used in Sweden (and perhaps other nordic countries too). Yes, you can log in to your bank with bankid, but in most cases you can also log in to your bank with a key fob like device or similar. The problem is that the bankid identification has been adopted by many other online services in Sweden and there bankid is the only option.
* All services provided by the government
* Stock/bond exchanges
* Credit card providers (not banks)
* Insurance companies
* Retirement fund companies
* ...

You will be blocked from many important online services unless you have bankid and changing bank will not solve the problem since the other bank also provides the same bankid. We need an open standard for online identification.

Re: Sailfish Android version update
 

Aren't we a bit off topic? Now it turned to be a comparison between banks :D
Do you think that updating Alien Dalvik will improve the additional power consumption derived by using it? I hope it doesn't turn out to be the opposite, adding more features.

Re: Sailfish Android version update
 

It's fun to hear how different the things can be in other countries... I assume banks are a major source of NIH, being such a closed sector with huge legacy in their IM systems...

In Finland some banks also use the card-reader thingy to create the OTP number, altough most use the paper-slip mailed to the account holders.
Could be the electronic thingy is cheaper for them in the long run, compared to what it will cost over the years to mail a few letters to everybody couple of times a year.


Some banks in Finland use also 2FA in addition to the paper-slip containing OTP numbers, at least one that I know will require 2FA with a SMS verification to your phone if you create a payment to recipient you have not sent moey before.
That's 4 authentication methods for one transaction; accountnumber+password+OTP+SMS :p


In Finland this is similar but luckily not exactly the same!
We also need BankID for all those things, for example you cannot fill your tax-returns or register your car without it.
However it is enough to use the paper-slip OTP verification with all of the services that require authentication, you don't need any Android silliness to do it.


You are absolutely correct there; however this discussion is much more interesting to me!

Re: Sailfish Android version update
 

I totally agree. Off topic but definitely more interesting. At least we are talking about facts, not speculations :D

Re: Sailfish Android version update
 

Just to complete the list of online banking systems before we go back on topic:
Here in Switzerland you need a token for the online banking of every bank. It's needed for the login and often for transactions. There are different options (a device that generates a OTP code with the card, an USB token, a device that generates the TAN from an image and of course different iOS / Android Apps) depending on your bank.
Luckily, there are still "non-mobile-device" options, but sadly the trend is pointing towards "mobile first" and with that iOS / Android lock-in.
BankID seems to be a good example which already discriminates against those without iOS / Android. While I'm a big fan of open implementations, I think it's very unlikely that this iOS / Android lock-in will stop any time soon (but that is a topic for another discussion).

So offering support for all those essential Apps without having to use a spying system is a huge feature from my point of view.

Regarding the battery consumption, it's really hard to tell. All you do in emulators is basically mapping the System Calls of the emulated system (Android) to their equivalents of the host system (SFOS). This should basically have no big impact, but it greatly depends on the guest system and if it requires specific services to run constantly in the background.

Re: Sailfish Android version update
 

So after careful examination of all subjects around the topic we come to conclusion that we will have android version 7 for the sfos 3. Nice wrap up don't you think.

Re: Sailfish Android version update
 

Alien-Dalvik isnt really an emulator as such, you don't have to translate anything and so performance should be more or less what it would be under normal android situation.

Re: Sailfish Android version update
 

Contributing to the offtopic, in Canada and US one can do online banking from any web browser quite easily [so-far], however, things like depositing a cheque is an iOS/Android-app exclusive feature. Of course we can discuss who does use cheques these days, well, 95% of the US universities still use it for travel reimbursements of their visitors, or, some of the math institutions send the salary to their fellows by cheques (making this direct-deposit: mission seems impossible ;( ). Of course, I can simply go to ATM and deposit it through it, but that doesn't apply to the US cheques... Yet another example from the money sector are services like Revolut

Also, @jenix might correct me since I left Switzerland 2 years ago - if I wanna buy a train ticket with SBB last-minute just before hopping on the train and as a non-Swiss, I am really running late and don't have time to use the machine, isn't an app my only choice? I know that for some routes I was able to get a PDF and then they just scan the code, but not for all (at least in 2016).

This brings me back to the on-topic discussion here: these are exactly examples where I would swim against the stream here and say loudly "god thanks jolla for AD / the android layer" . It is naive to expect any improvement with the situation on the IT market today(++).

Re: Sailfish Android version update
 

As far as I know, they changed that again due to heavy criticism. You can now contact the conductor as soon as possible (best before the train leaves the station) who then sells you a ticket (being Switzerland with a nice additional fee, of course). I can't say anything about the SBB (the swiss railway company) App as the SBB seems shady as f*ck to me regarding privacy, so I keep as far away from their Apps as possible.

That's exactly my point. Being able to use Android Apps (which more and more gets exclusive features) without having to sacrifice your privacy to Google (or invest a lot of time into Custom ROMS and still having a bad feeling) is a very strong feature of SFOS.

Re: Sailfish Android version update
 

Well, I must say this thread has been very enlightening for me. You may call the talk about the banks off topic but for me it was very much on topic because it finally answered the mystery of why people like Android support so much. Indeed, if I were in such a predicament, I would almost certainly have joined their ranks too.

Re: Sailfish Android version update
 

Note that in Finland we don't have the Swedish BankID. That is a totally different system that requires Android/iOS/Mac/Windows and doesn't even work on Linux PCs due to lack of software. In Finland we can still use bank identification using the paper system (like you said above) or the various systems that different banks have.

And in Finland you could also use the state issued electronic ID to login to state services like tax return etc. There is even linux software: https://eevertti.vrk.fi/en/linux-versions

Re: Sailfish Android version update
 

No rights managing, I suppose?

on the other hand