I’m tired of collecting phones, and frankly I’m a little money strapped and kind of want to coast by on older phones for a while. But I’m wanting to de-google as much as possible.
Of the last few phones I’ve had, all are working well. Most have been able to be kept relatively up to date with LineageOS, and a couple have /e/os/ versions available for them (one official, one community)
- Essential Phone (Community Build e/os/…not sure if still being updated or not though.)
- Moto One Hyper (No e/os/ build. Sadly not a popular enough phone)
- Moto One 5G Ace (Has an e/os/ build. Currently being used as a DIY game emulator on LineageOS)
- Motorola Edge 2023 (Current Phone. No e/os/ build. It’s essentially a Canadian variant of the Motorola Edge 40 Neo…which are the only two newest phones to use the Dimensity 7030 chip, making it incompatible with the regular Edge 40 or 40 Pro e/os/ builds.)
I’m using /e/os/ on my Essential phone (though not daily driver) to get a feel for the software and the Murena app/account. I’m willing to give up my game emulator to put it on the newer phone if I like it (though it would suck to lose my FFVII and Chrono Trigger playthroughs)
Ideally my Edge 2023 would have a build. But I’m not going to expect a chipset used by only two phones total to garner that much development focus (and rightly so)
Anyone have more long term experience with /e/os/ and Graphene and tell me what Graphene has stronger?
Thanks


Absolutely not.
Back when DivestOS was operational, they maintained a database of bugs, flaws, and security holes that the E Foundation and Murena refused to patch.
Hell no, do not use /e/os. Use Lineage. Use Graphene. Use Linux Mobile. Use literally anything else.
Your information is out of date. For example, the Fairphone’s bootloader can be relocked and you can buy Fairphones with eOS pre-installed (and of course locked).
To find more phones that support relocking with eOS, filter this list by “verified boot”.
Can someone point me at technical info about the risks of having an unlocked bootloader? From where I stand, the risks seem completely irrelevant (to take advantage of an unlocked bootloader, the attacker would need to have full access to your OS already). AFAIK, locking of bootloaders was never designed to protect the user, but only to let cell-phone providers restrict what phone users can do.
This article explains it quite well.
An unlocked bootloader lets any attacker change the thing that boots your OS and the OS itself. They might not have access to your data (every modern cellphone encrypts those partitions), but replacing the OS is practically game over. It allows tracking the password (or PIN) you enter and sending it to any server once internet access is gained.
Sorry, but that page does not seem to say what you wrote. E.g. I can’t see how a remote attacker (such as a malign webpage, email, application, …) could take advantage of an unlocked bootloader without being able to see (and modify) all the data on your phone. IOW I think what you write applies only to an attacker who has physically taken your phone (temporarily).
What I wrote mostly applies to a physical takeover because that’s way easier, but privilege escalation on a system with an unlocked bootloader can do everything I said. But if you’re hacked and privilege is escalated while you’re using the phone, it doesn’t matter if the bootloader is unlocked. You’re already pwned.
Search for “android privilege escalation” and look through the CVEs. This advisory for example says privilege escalation can lead to the creation of additional user accounts.
Also look up rootkits. The same principle applies on phones as on computers.
But my point is that a remote attacker using privilege escalation can already do all of that even with a locked bootloader. “rootkits” don’t need an unlocked bootloader.
Sorry, bootkit. Resetting to factory settings should be enough to get rid of rootkits, but not enough to get rid of bootkits if your bootloader is unlocked. You can read about VerifiedBoot to see how it works.
Yes, if someone gets privileged access to your phone, be that remotely or locally, you’re fucked already, but being unable to get rid of the infection is an even bigger problem.
It also makes stealing phones useless if they’re off because they will be unusable without the PIN. Sure, PINs are only 4 characters but going through all possibilities still takes time if done manually. If it’s possible to do so automatically (which isn’t always the case), then 4 numbers won’t help much, I give you that.
All in all, it depends on your threat level. If you’re defending against your grandparents, probably a PIN will stop them; if it’s a three letter agency or a big corporation with endless money, good luck.
Damn, go look up PostmarketOS on the Graphene forums. Really disappointing.
Despite Graphene’s clear limits, they claim to have a backup plan, and I like the way they communicate clearly.