What Happened to Running What You Wanted on Your Own Machine?
Source: hackaday.com
Key topics: General Purpose Computing, Device Ownership, Security vs Freedom
The article discusses how the freedom to run any software on personal devices has been eroded over time, with commenters debating the trade-offs between security, convenience, and user control.
Snapshot generated from the HN discussion (story ID 45718665), based on 160 loaded comments. Story posted Oct 27, 2025 at 4:50 AM EDT; first comment Oct 27, 2025 at 6:07 AM EDT; latest activity Nov 6, 2025 at 6:38 AM EST.
Linux.
Some folks don't like digital identity controlled by government, but it seems like the alternative is digital identity controlled by oligopoly.
A much bigger problem for running Linux on phones is that standard Linux runs like crap on phones. It doesn't have the mainline driver support amd64 computers have, and the battery life optimizations that make Android usable need to be reimplemented on top of Linux to get a day's worth of use out of your phone. Unfortunately, most Linux applications are written for desktops where they expect the CPU to be running all the time, the WiFi to be accessible whenever they want, and for sleep/suspend to be extremely incidental rather than every two minutes.
Banking on GrapheneOS
Linux as an answer doesn't address the needs of 99% of people, so 98% will never adopt it. It's better to meet people where they're at and push for sideloading and alternative app stores.
As much as I want to agree with this author (and do, to an extent) they are also providing the exact and honestly-pretty-good reasons for why this is happening: computers have breached containment, and they did it a long time ago. Computers are not just for us weird nerds anymore and they haven't been for some time; they're tools for a larger, more complicated, more diverse userbase, many of whom are simply not interested in learning how to computer. They just want shit to work, reliably. Random software on the Internet is not a path to reliability if you also don't know how your thing actually works.
I mourn this too but let's not pretend it's simply what happened because corporations are evil (though they are for sure that).
There are plenty of "honestly-pretty-good reasons" we plebs shouldn't have access to general purpose computers, and we're only a few decades away from them being reclassified into the equivalent of fully automatic rifles.
Then I have raspberry pi and steam deck which I use for messing around with and running whatever weird software.
I do understand the broader point. I know a few elderly people in particular who are walking targets for cybercrime. But I wish we had more differentiation. Locked down, easy to use phones for those who want or need that, and more open phones that act similar to laptops for those who know what they're doing (or, in any case, are willing and able to bear the risk).
If this was genuinely about security and UX then they would continue to provide viable "escape hatches", but it isn't and so they don't. That's what's being criticized.
I would characterize it more as Google is responding to the needs of the vast majority of its users, most of whom do not care to run unsigned software, certainly don’t write it, and have no need of escape hatches. Escape hatches are great, but each also represents a security weakness waiting to be exploited.
And not to leave it merely implied: they are also responding to large development organizations who want locked down platforms in which they can distribute, and more importantly crack down on those who would pirate, their software.
> more importantly crack down on those who would pirate their software.
If you represent the interests of corporations then try leading with that next time.
> Escape hatches are great, but each also represents a security weakness waiting to be exploited.
Besides being a broad statement that lacks citations and no doubt relies on contrived examples where this was implemented poorly, it's also clearly a violation of the EU Digital Markets Act.
I don't. I'm just saying Google and whichever boogeyman you'd care to slot into position 2 share the same interests. Far more than you or me and Google anyway.
> Besides being a broad statement that lacks citations and no doubt relies on contrived examples where this was implemented poorly
To a layman user, any software that is running without code signing has a much much much higher chance of being something that has gone wrong rather than Joe Public found a cool image editing app that doesn't want to be distributed via the Play store. Are there exceptions? Sure, I'm certainly a big one. Does that mean I don't understand Google's position here? No.
> it's also clearly a violation of the EU Digital Markets Act.
If true, they'll end up in court, same as Apple did.
Don't give me these "political" answers. That's just another broadly-agreeable statement that's completely unrelated to the one I asked you to substantiate:
> Escape hatches are great, but each also represents a security weakness waiting to be exploited.
There are 3 problems here:
0. If Google genuinely cared about Android security to this degree, they wouldn't be giving threat actors 4 months to run wild with 0-days before publishing them:
https://news.ycombinator.com/item?id=45158523
https://xcancel.com/GrapheneOS/status/1964754118653952027
1. Crossing the escape hatch != security breach
Mobile security relies on sandboxing, not on Google's approvals. Even the most malicious app approved by Google shouldn't be able to steal information, access information from other apps without authorization, or execute actions on user's behalf.
Whenever this core principle is broken due to inevitable security vulnerabilities, it should be treated as such and promptly patched. Instead these shortcomings are used as convenient excuses to advance these political goals.
2. An escape hatch can be anything:
- "allow installation from unknown sources" like we've always had
- secret settings menu + PIN/password + require a switch to be flipped in the recovery menu during boot + require an ADB command to be executed + warnings at every step.
- ADB commands + switch in recovery menu + time delay + require a full device reset with all data being lost
First one is somewhat vulnerable to social engineering though I've personally never encountered a device where someone was tricked into doing this, so it must be more resistant than downloading malware on Windows.
Second is close to impervious to social engineering. Grandma isn't going to be accessing the recovery menu or running ADB commands any time soon.
Third one, while far too restrictive in my opinion would still be better than nothing, it would be impenetrable to social engineering, and safeguard any existing data on the device even in case of a serious concurrent vulnerability in the Android sandbox.
Are all of these completely unacceptable?
On the balance of probabilities, "Joe Public" isn't being tricked into doing anything, he is trying to install ReVanced to get ad-free Youtube.
Having money and using them without supervision is a safety risk. You can unknowingly buy food that isn't good for your health. And good food is what you actually need. So transfer your money to me and I will benevolently manage your diet for you. No other motives but your safety and wellbeing, I swear.
By the way, can you really trust the supermarkets? They sell alcohol and alcohol is bad for you.
This is a recurring pattern: people make bad choices, mostly out of ignorance, but no one blames the public because we always assume that in a democracy the customer and the voter are always right.
Behind every corrupt politician or every greedy corporation there are thousands or millions of negligent and ignorant voters and customers.
So it sucks ass that a greater and greater share of what we consider computing has to occur in platforms that are utterly locked down to the core, but again, at the same time, putting my "regular user" hat on here: I don't want my phone to run anything from an untrustworthy source. My computer? Shit yeah, I'll try just about anything with a healthy skepticism as required, but not my phone. Losing a computer is irritating. Losing a phone is a fucking MESS.
When the software on these locked down devices breaks down, and it does, everyone is helpless.
When a zero day is found, again everyone is helpless.
If we cannot understand how something works on all layers, stability and security are only promises.
yet :D
https://learn.microsoft.com/en-us/windows/win32/secauthz/app...
https://learn.microsoft.com/en-us/windows/security/hardware-...
Trusted computing and even remote attestation have legitimate use cases. It's good, great even, that they exist. But just like everything, they can be used against you.
And this might be a reaction to the fact that music piracy is quite easy; if it wasn't, perhaps there would be no Spotify where you get basically All The Music in existence for peanuts. (Note that no equivalent subscription service exists with regards to movies or games: Netflix and Xbox Game Pass have only a limited selection of content included in their subscription.)
On UNIX, Sun was the vendor that introduced the concept of SDK SKU, thus for having developer tools, an additional SKU had to be bought, and the until then largely ignored GCC suddenly got a new focus of attention.
Mainframes and micros always needed having a group of folks from the vendor professional services for specific kinds of configurations.
I still remember working on traditional timesharing UNIX systems, one single server for all teams, what you get to do is decided by IT for your role.
There are plenty of examples from the past on how this has been happening already.
The clones relied on GW-BASIC and later QBasic, which came on disk and was bundled with DOS, to supply this functionality, and didn't have BASIC in ROM. In fact, some early BIOS implementations, if they did not find a bootable disk, displayed a message "NO BASIC FOUND" or similar.
I beg history to prove me wrong.
For anyone interested, please look at Hardware attestation and TiVoization, thanks.
If the computer won't allow you to install or use other software until you install a vendor-signed version of systemd on a vendor-signed kernel we'll be there. It's about hardware attestation, not signed software, though.
Combined with uutils, which is MIT, you can build a nice (!) walled garden.
Let me say I have seen enough shenanigans over the years.
[0]: https://en.wikipedia.org/wiki/Tivoization
Kernel being GPL has no point currently. Require hardware attestation with Microsoft private keys + systemd-boot + systemd + uutils can create a nice walled garden, allowing "vendors" to build locked-down hardware-OS pairs.
More importantly, uutils is MIT, which can attest at every level, without sharing a line of source code.
This will affect everything from small appliances to big iron and it can be very ugly.
> The uutils project reimplements ubiquitous command line utilities in Rust. Our goal is to modernize the utils, while retaining full compatibility with the existing utilities. We are planning to replace all essential Linux tools.
This is hell of a self-tutorial.
If this was GPL licensed, I'd love to try these. But at this point, it's looking for pushing GNU out of the Linux ecosystem, completely.
[0]: https://uutils.github.io/
https://wiki.archlinux.org/title/Unified_Extensible_Firmware...
What prevents Microsoft from updating Windows PC standards and eliminate the possibility of turning off secure boot and allowance of enrolling your own keychain in the secure boot process?
These are long games. Being comfortable today doesn’t guarantee same comfort and allowances tomorrow.
Ironically, we’re discussing this under Android’s increasing restrictions.
The same Android which was championed as the bastion of mobile freedom when it first came out.
I worked at a big company where GPLv2 software could be used in our systems but not GPLv3. Is it better that that GPLv3 software didn't have more users? The company didn't contribute much back so maybe it's not a big loss.
The GNU freedoms never specified the right to run free software side by side with proprietary software on the same hardware; so the FSF should actually be fine with such an outcome.
https://www.fsf.org/campaigns/free-bios.html
If my bank requires me to use a phone for transfers (mine doesn’t), it might be acceptable to leave one in a desk drawer powered off as you would do with a hardware authentication token. It’s a special device for occasionally accessing a service. Fine. But when governments and industry collude to force citizens to carry these devices in order to live life normally, that’s not OK.
My intent is to be as stubborn and obnoxious as possible in resisting this until they either give up and provide an alternate path or lock me away for noncompliance. Fortunately there is still an alternate path available for most things, primarily thanks to elders who have trouble with new tech. (Thank you elders!)
Or… acknowledge this is a fear of a future 30, 40, 50 years away that may never happen, which is never an argument.
It’s like saying the government, because they have power, and the SCOTUS, because they have power, could decide to kill all children. Yes, they could. No, it’s absurd to let that power keep you up at night, or say the solution is to abolish their power.
Ha! Let me know how to achieve that and I will. I’ve advocated, donated, and volunteered for years on behalf of a number of causes, some with excellent organizations promoting them, and yet things continue to get worse. The only minor victories have been temporary delays of bad policy.
No, the best response for the average citizen is stubborn noncompliance and constant passive resistance. Drag your feet until the whole thing comes crashing down. And encourage your friends to do it too! (But don’t stop trying through conventional politics, maybe one day it will work. Just don’t get your hopes up.)
The banning of Parler did more for activism and awareness regarding platform control than all FOSDEM. Of course, HN happily piled on in favor of this decision, missing the moment to build common ground on platform control, for the sake of political expediency.
If the government, or tech, starts regulating out things people actually care about, then you’ll have your sway. The rush to technical solutions seems to imply we already internally agree tech and government aren’t going to do anything the average person cares about - as it assumes the “bad future” can happen without a national policy discussion anywhere.
> HN happily piled on in favor of this decision
HN is not a monolith with a single opinion. The loudest users at the time (not just here, all over the internet) were pro-censorship political activists, so maybe that caused you to interpret things that way.
> If the government, or tech, starts regulating out things people actually care about, then you’ll have your sway.
The public will not respond until the groundwork has been laid to make effective protest impossible. Only then will important things be regulated out. Until then it will just be “nerd stuff”.
This is a lazy argument, as I can safely say that 80% or more of HN has the same political bent, and every community ever has said “but not everyone.”
Read the comments on the Parler deplatforming. See what was upvoted. See what the consensus was. Nobody cares about the principles, even here, when rubber hits the road.
Imagine if the undesirables, on either side, started actively using all the decentralized censorship-resistant tech for their cause. Would the builders and commentators here be saying “working as designed,” or would there be a sense of fury, a sense of “not like that?” A sense of “that was supposed to enable my cause, not yours?”
Suppose Proud Boys coordinated their Jan 6 activities on Signal and Tor. Suppose Truth Social was built on ActivityPub and MAGA developers were the loudest voices at FOSDEM advocating for censorship-resistant protocols. How do you feel? Are we still citing the same principles? If not, we never believed them.
> The public will not respond until the groundwork has been laid to make effective protest impossible. Only then will important things be regulated out. Until then it will just be “nerd stuff”.
I’m looking at history and noticing that 99.9% of revolutions did not have the internet required to be successful.
I disagree, but even if you were correct: like, what’s your point? Are you grouping me in with them because I happen to be posting here? I reject that characterization.
Edit: I feel like this is an attempt at some kind of “gotcha” based on the example you provided. No, I don’t believe access to tech should be gated based on politics. IMHO everyone should have access to private and secure systems, as part of their human rights regarding speech, thought, and personal privacy. I attempted to raise this point in several venues during the “deplatforming” fad and explained how the political pendulum made it a bad idea. The mob remained unconvinced.
> I’m looking at history and noticing that 99.9% of revolutions did not have the internet required to be successful.
You tell me how people are going to protest effectively in the face of:
- Ubiquitous visual surveillance and facial recognition
- Ubiquitous audio surveillance via pocket spies and things like Flock/ShotSpotter/other competing systems
- Ubiquitous ALPR systems and GPS-enabled “digital plates” being trialed in some areas
- Data mining coupled with AI behavioral analysis (sloppy but likely good enough)
- An increasing percentage of cars with remote shutdown capabilities
- The replacement of cash with digital currency that can be remotely disabled
The future looks a lot like China, but without their “economic miracle” that has kept the population satisfied.
And even so, perhaps it's later than you realize. Device attestation in the browser is the final nail in the coffin, and it's a question of "when" not "if" major sites start requiring it in the name of "safety" from bots.
I recently found a plugin that can alert to JS doing shady "fingerprint-like" activity. I did not expect it to go off quite as often as it does now.
It would seem that some sites are already asking _very_ probing questions about the browser so it's only a matter of time before they go one step further and demand proof and gate on furnishment of that proof.
Sure thing!
https://jshelter.org/ is the homepage.
Having important info on your device and having that device accessible to the wild, wild, internet is a very real problem. If the "walled garden" is a flawed solution we should work on a better one.
Think about it: you need permission to run software on your own hardware. Every time you launch a Mac App, it checks in with its masters to be sure it's okay to do so - every time you install an app on your mobile device, it does the same thing.
People accept this terrible state of affairs because the "user experience is better" - but this is a fallacy. Under the cover of 'security issues' that they are incapable of fixing, due to very poor architecture decisions, OS vendors have instead bolted on an insanity and sold it to the user as progress.
Every computing device should have everything it needs, onboard, to write software for that computing device. That they don't is because the OS vendors are cowardly running from the bloat of yesteryear and adding more bloat tomorrow to cover it all up.
There will be a backlash against this. We see it already in the retro-computing and alternative-platform hacking communities, which are growing and growing, exponentially, by the year.
It's only a matter of time before someone wraps up this freedom-to-use concept in hardware that is sexy enough to compete with the totalitarian-authoritarian platform providers. Any .. day .. now ..
Meanwhile to install a kernel extension you now have to reboot into safe mode and disable part of system integrity protection (with big warnings that it's at your own risk).
For the average user, kernel extensions are already gone, and unsigned software not far behind.
The wisdom of such a freewheeling ecosystem in today's era is maybe debatable, but given how user-hostile the mainline OS and software vendors can be, I say there's still plenty of room for that ecosystem and it should be preserved.
Thanks, you missed the point.
Or were you saying something else that I misunderstood?
The best argument “for” building codes is the same as “for” secure platforms; that people should be able to expect a certain level of competence when buying a structure or phone.
But if you want to do it yourself, there should be a path.
I have mixed feelings about unenforced regulations. Having unenforced regulations opens up the possibility of targeted abuse of any individuals that are not a cultural fit in the eyes of the government offices and being very relaxed regarding anyone that fits in. This also drives the need for very detailed and expensive inspections prior to purchasing a home and that is a loaded topic all by itself.
Is that a problem these days? It was over a decade ago that I last needed to jailbreak a phone, nowadays it’s just "I’d like to unlock" "Ok".
Source: 7 years of running deGoogled Android phones and 11 years of running ROM’d Android phones before recently moving to iOS and giving up.
Pretty sure I read Google was no longer going to publish device tree sources for Pixel phones, which will make ROM development for them significantly harder, whether or not the bootloader is open.
So not as great as I thought, but also not as bad as you made it seem ;)
[0]: https://github.com/zenfyrdev/bootloader-unlock-wall-of-shame...
This in combination with using webapps where possible
I should be able to run a crypto wallet I downloaded from a Kim Jong Un fan site while high and it shouldn’t be able to do anything I don’t give it permission to do.
It’s totally possible. Tabs in a web browser are basically this.
I can do it with VMs but that’s lots of extra steps.
The only place it seems to fall flat is network I/O - LAN access requires permission, but dialing out to the wider Internet does not.
Compare Windows, which has jack (except for bloated anti-malware hooks in NTFS.)
Linux is _trying_ to replicate macOS with Flatpak/XDG portals, but those still need more time in the oven.
Source: I use both a MacBook and a Linux desktop daily.
No it isn't, and no it doesn't.
And it is quite demonstrable that Windows can function without Secure Boot.
95% of people don't know what "Run your own software" means, because to them, the app store lets them choose what apps to install. And they don't get viruses and malware like their 2008 laptop did.
That being said, there absolutely needs to be a mechanism for "lowering the gates" if the user wants full control of the device they own.
Hardware cryptoprocessor. Keys are held in a tamper resistant secure element. You're not gonna get at those keys without pouring some serious resources into the task.
The keys are owned by the corporation and used to establish a root of trust from boot. If you change anything at all to suit your interests, verification fails, your machine is identified as "tampered with" and designated as untrusted.
And yeah, it's a politics problem, not an economic one. If corporations could simply push Trusted Computing without a corrupt police (and military) backing them, we would have been there since the 90s already.
https://www.eff.org/deeplinks/2019/06/felony-contempt-busine...
We’ll probably get to the point where you need a verified id to buy a phone that does attestation. Tamper with it and go to jail. Who’s going to hack that?
A small, hardly exclusive list of things we have been unable to protect through technology:
- DVD/Blu Ray/HDMI copy protection
- Windows product registration
- Device jailbreaking (manufacturers are constantly running to keep ahead of this but old versions are frequently unlocked even with iOS)
- Classified diplomatic documents
- Classified details of warfighting equipment
- Identities of federal employees (and even covert agents)
- Nuclear secrets
Technical measures aren’t always the weak point—bribery works just as well. As the US tech stack continues to decouple from China, they will also have the motivation to break our systems.
iOS jailbreak enthusiasts say it hasn't been practical for years.
Some state secrets leaked. Many did not.
I don't disagree, but is that really a game you want to be playing with your government and your bank?
The fact that you can make it pass in some cases using Magisk and so on is because it's spoofing an older device (launched before Android 8) without hardware-bound keys and Google is deliberately allowing that in order not to blacklist the genuine users.
However, once Google decides that the collateral damage is tolerable and those devices should no longer pass Play Integrity, then it's game over. You can't spoof any newer stuff, as you can't produce the desired signature -- only the hardware can do it and the hardware won't do it.
The only way would be if the manufacturer screwed up and it's possible to run unsigned code (or signed by a different key) and maintain a pristine bootloader, or if the hardware key leaks somehow. In either case, the key is per device so Google is always free to blacklist that device if it really wants to. (Verification of the signatures is always done off-device, through Google's servers.)
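The server-side checks this comment describes, modelled as an added example that is not code from the thread or from Google: a per-device key signs the measured boot state, verification runs off-device, unsigned legacy reports pass only while policy allows them, and a single device can be blocklisted. The device ids, verdict strings and the use of HMAC in place of the hardware's asymmetric signature are assumptions made so the sketch runs with the standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Constructed per-device keys (hypothetical ids). On real hardware the key
# never leaves the secure element and the signature is asymmetric; HMAC is a
# stdlib stand-in so the example runs offline.
DEVICE_KEYS = {
    "device-A": secrets.token_bytes(32),
    "device-B": secrets.token_bytes(32),
}
REVOKED = set()        # server-side blocklist of per-device keys
ISSUED_NONCES = set()  # challenges handed out and not yet consumed


def new_challenge():
    """Server issues a fresh nonce so an old report cannot be replayed."""
    nonce = secrets.token_hex(16)
    ISSUED_NONCES.add(nonce)
    return nonce


def _tag(key, claims):
    payload = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def hardware_sign(device_id, nonce, boot_state):
    """Secure-element stand-in: signs the boot state it measured itself."""
    claims = {"device": device_id, "nonce": nonce, "boot_state": boot_state}
    return {"claims": claims, "sig": _tag(DEVICE_KEYS[device_id], claims)}


def verify(report, allow_legacy=True):
    """Off-device verification: returns a verdict string."""
    claims = report.get("claims", {})
    if claims.get("legacy"):
        # Devices without hardware-bound keys send unsigned claims, so the
        # verdict rests entirely on server policy.
        return "ok-unsigned-legacy" if allow_legacy else "legacy-rejected"
    key = DEVICE_KEYS.get(claims.get("device"))
    if key is None:
        return "unknown-device"
    sig = str(report.get("sig", "")).encode()
    if not hmac.compare_digest(_tag(key, claims).encode(), sig):
        return "bad-signature"
    if claims.get("nonce") not in ISSUED_NONCES:
        return "stale-nonce"
    ISSUED_NONCES.discard(claims["nonce"])
    if claims["device"] in REVOKED:
        return "revoked"
    if claims.get("boot_state") != "locked":
        return "untrusted-boot-state"
    return "ok"


def demo():
    results = {}
    genuine = hardware_sign("device-A", new_challenge(), "locked")
    results["genuine"] = verify(genuine)
    results["replayed"] = verify(genuine)
    modified = hardware_sign("device-A", new_challenge(), "unlocked")
    results["modified"] = verify(modified)
    # Software rewrites the claim after signing: the tag no longer matches.
    edited = {"claims": dict(modified["claims"], boot_state="locked"),
              "sig": modified["sig"]}
    results["edited_claim"] = verify(edited)
    legacy = {"claims": {"legacy": True, "boot_state": "locked"}, "sig": None}
    results["legacy_allowed"] = verify(legacy, allow_legacy=True)
    results["legacy_dropped"] = verify(legacy, allow_legacy=False)
    REVOKED.add("device-B")
    results["revoked"] = verify(hardware_sign("device-B", new_challenge(), "locked"))
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:15} {verdict}")
```

The signature is checked before the nonce is consumed, so a forged report cannot burn a challenge issued to a genuine device.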
So then the problem gets moved up to why are you (or group of you) not powerful enough to negotiate being able to run what you want and either not need “them” or be important enough that “they” need you.
And the answer will come down to the fact that 90% of people don’t care about running whatever they want on their machine, and they want the cheapest, quickest, easiest solution.
How tiresome.
You're right, we gotta become more powerful. Via radicalization. They seek to marginalize us. To turn us into second class citizens. To destroy free computing as we know it, destroy everything the word hacker ever stood for. If you're on this site and this doesn't radicalize you, then I don't know what to say to you.
Gotta start lobbying governments to make it a literal crime for them to discriminate against us in this manner. Just like racism.
My brother in <deity of your choice>, you are not on a Hacker site. This site exists as the community arm of one of the most capitalistic venture capital ecosystems on the planet.
When are you all going to stop expecting HN to be what it’s not?
Off topic but how does this work for non-believers?
"My brother out of" ?
I am allowed to own multiple computers. Many do. I've got a Linux hand held, a windows desktop, an iPhone and a MacBook. All with varying degrees of freedom and function. I don't feel like I'm constrained right now.
HDCP is an example of the other thing in my mind. It adds zero value to anyone's experience. Any potential value add is hypothetical. You can't survey a person after they watch an unprotected film and receive a meaningful signal. It's pure downside for the customer. There's no such thing as competitive Netflix lobbies.
If I want to run arbitrary code, I'll do it on my windows box or fire up a Linux VM in the cloud somewhere. I don't need weird problems on my phone. If you are trying to touch all platforms at once, try using the goddamn web. I've been able to avoid Apple enterprise distribution hell with a little bit of SPA magic and InTune configuration for business customers. For B2C I just don't see it anymore. You need to follow the rules if you want to be in the curated environments.
How far away are we from hooking up a vision model to the display output of let’s say, Battlefield 6 and hooking in mouse+kb input from said vision model + an aimbot that perfectly replicates a top performing player's mouse movements?
I’d say not very far away.
Much like how in online chess, no technical solution can attest that a move is really from a human brain and not a chess program running on his phone.
Protecting 1 million grannies is an entirely different risk class than the security implications of stopping everyone from using their devices as they see fit.
Protecting 1 million grannies means everyone loses ability to install apps that:
Using Linux is also not a real choice. To access my bank and health services in my country, I require a mobile device that is remote attested by either Apple or Google which are American companies. Hell, it's becoming closer to reality that playing online video games requires remote attestation either to "prevent" cheating or for age verification. Thus the risk widens to the sovereign control a nation has over its own services. A US president could attempt to force Google and Apple to shutoff citizen access of banks and health services of an entire nation. Merely the threat could give them leverage in any sort of negotiations they might be in. For some nations in the future, the controlling nation may be China I imagine.
I think the real regulatory solution here is to break up monopoly practices. While the EU's DMA is all well and good in some ways, the EU is also pushing Chat Control... In a more fragmented market it becomes impossible for a bank or health service to mandate specific devices for access (they lose potential customers) so you could theoretically move to a device that doesn't do draconian style remote attestation that breaks if you go off the ranch. We need more surgically precise regulatory tools than sweeping legislation that would keep using alternatives like Linux or FreeBSD or whatever actually viable. It also makes it much harder for that same legislative body to enforce insane ideas like Chat Control.
The answer is not protect users from themselves. The answer is more freedom, with a legal framework that helps all users have more choices while helping victims acquire restitution.
There are more
AROS, GNU-HURD and more
you can always contribute code, maintain an app, report a bug
You can buy HW to run AOSP, like Raspberry-PI or RISC-V
We are the consumers, we have the wallet.
137 more comments available on Hacker News