Is Fairphone really interested in sustainability?

Fairphone makes claims regarding sustainability. They claim that their phones are better because you can just replace parts instead of having to buy a new phone. However, they keep bringing out new phones and those of us with older versions don’t receive updates. I bought a FP3+ in November 2021 and now I found out that Fairphone has pledged to continue software support until Aug 2023, which is only a year away. I’ve heard that they’re aiming to add two more years, but that’ll be August 2026, when my phone will be less than 5 years old. I’m disappointed.

5 Likes

I mean Fairphone’s support claims are already a stretch:

Release vs EOL date:

  • FP1: December 2013 through July 2017
  • FP2: December 2015 through March 2023
  • FP3: September 2019 through September 2024
  • FP4: September 2021 through September 2026
  • FP5: September 2023 through September 2028

On the Linux kernel side:

On the Qualcomm side, they typically only provide three years of support for their platforms, yet:

For bonus fun:

  • FP2 was running Android 10 with its claimed March 2023 support, despite Android 10 not having had any Pixel Security Bulletins since October of 2020

This means:

  • FP2 was already truly unsupported a year after release
  • FP3 was already truly unsupported months ago, despite claims of longer support
  • FP4 and FP5 will be met with the same fate

To be clear:

  • I do genuinely appreciate that Fairphone keeps providing updates for so long, I just wish the support claims were actually properly clarified.
  • Fairphone was doing CVE backports for Linux 3.4 until the very end which was pretty awesome to see, but at the same time such CVE backports do NOT make a kernel secure.
  • Running end of life kernels or platform blobs is insecure, despite whatever ASB patch level is claimed.

Edit:
Fairphone can easily address this situation:

  • Rename the current support dates to “best-effort support”.
  • Add a proper “full support” date, based on the soonest EOL date of all given underlying components.
  • Examples:
    • FP2: Full support until October of 2016, Best-effort support until March of 2023
    • FP3: Full support until January of 2023, Best-effort support until September of 2024
    • FP4: Full support until December of 2024, Best-effort support until September of 2026
    • FP5: Full support until December of 2025, Best-effort support until September of 2028
  • Post a PR writeup about transparency and a call to action to other vendors to provide longer support periods.
14 Likes
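The “full support = soonest EOL of all underlying components” rule proposed above can be turned into a quick self-check. The following is an added example, not code from the thread or from Fairphone; the `KERNEL_EOL` table holds kernel.org LTS end-of-life dates as the author of this example remembers them and should be treated as an assumption to verify against kernel.org, and the SoC and vendor dates passed in are constructed inputs, not Fairphone’s published figures.

```python
"""Compare a device's claimed Android security patch level with the upstream
end-of-life dates of the components underneath it.

Added example (not from the thread). KERNEL_EOL is an assumption: kernel.org
LTS end-of-life dates as remembered at the time of writing; verify against
https://www.kernel.org/category/releases.html before relying on them.
"""
from datetime import date
import re

# (major, minor) -> month in which upstream stable maintenance ended (assumption)
KERNEL_EOL = {
    (3, 4): date(2016, 10, 31),
    (4, 4): date(2022, 2, 28),
    (4, 9): date(2023, 1, 31),
    (4, 14): date(2024, 1, 31),
    (4, 19): date(2024, 12, 31),
    (5, 4): date(2025, 12, 31),
    (5, 10): date(2026, 12, 31),
}


def parse_kernel_version(uname_r):
    """Reduce a `uname -r` string such as '4.9.337-perf+' to (major, minor)."""
    m = re.match(r"^(\d+)\.(\d+)", uname_r.strip())
    if m is None:
        raise ValueError(f"unrecognised kernel version string: {uname_r!r}")
    return int(m.group(1)), int(m.group(2))


def support_status(uname_r, security_patch, vendor_eol, soc_eol=None, today=None):
    """Return a dict describing full vs best-effort support for one device.

    uname_r        -- output of `uname -r` on the device
    security_patch -- value of ro.build.version.security_patch, e.g. '2023-02-05'
    vendor_eol     -- the date the phone vendor promises updates until
    soc_eol        -- optional date the SoC vendor stops supporting the platform
    """
    today = today or date.today()
    kernel = parse_kernel_version(uname_r)
    patch = date.fromisoformat(security_patch)

    # Every component with a known EOL is a candidate for "the soonest EOL".
    components = {"vendor claim": vendor_eol}
    if soc_eol is not None:
        components["SoC vendor"] = soc_eol
    kernel_eol = KERNEL_EOL.get(kernel)
    if kernel_eol is not None:
        components[f"Linux {kernel[0]}.{kernel[1]}"] = kernel_eol

    limiting, full_until = min(components.items(), key=lambda kv: kv[1])
    return {
        "kernel": f"{kernel[0]}.{kernel[1]}",
        "kernel_eol": kernel_eol,
        "full_support_until": full_until,
        "limiting_component": limiting,
        "best_effort_until": vendor_eol,
        "fully_supported": today <= full_until,
        "best_effort": today <= vendor_eol,
        # A patch level dated after the kernel's EOL means the ASB string
        # claims a currency the upstream kernel can no longer back.
        "patch_level_outruns_kernel": kernel_eol is not None and patch > kernel_eol,
    }


def main():
    # Constructed inputs: an FP2-like device on Linux 3.4 and a hypothetical
    # device on Linux 4.9, both evaluated as of August 2022.
    asof = date(2022, 8, 1)
    for uname_r, patch, vendor_eol in [
        ("3.4.113-perf", "2023-03-05", date(2023, 3, 31)),
        ("4.9.337-perf+", "2022-08-05", date(2024, 9, 30)),
    ]:
        s = support_status(uname_r, patch, vendor_eol, today=asof)
        print(f"Linux {s['kernel']}: full support until {s['full_support_until']} "
              f"(limited by {s['limiting_component']}), best effort until "
              f"{s['best_effort_until']}, patch level outruns kernel: "
              f"{s['patch_level_outruns_kernel']}")


if __name__ == "__main__":
    main()
```

Run it on a device with `support_status(open('/proc/sys/kernel/osrelease').read(), ...)` or by pasting the `uname -r` and `getprop ro.build.version.security_patch` values; the interesting output is the `limiting_component`, which is what the “full support” label would have to name.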

The software updates always have an end of life defined from the release date of the product. If you buy a phone two years after the initial release, you lose two years of upgrades. To be more precise about Fairphone’s history with software:

And a new phone every two years is quite a long interval between two models in the phone industry.

7 Likes

I replied to the topic created by @Najma_Zaman, not to yours, which is very clear.

Understanding question: What does this mean in relation to the Android Security Bulletin, which lists Android 10 updates until February 2023?

1 Like

@AnotherElk
ASB is core/required monthly security patches. Google provides ASB patches for all supported branches (eg. 11, 12, 13).
PSB is recommended monthly security patches, they are not Pixel specific. Google only provides PSB patches for the latest branch (eg. 13).
See my detailed explanation here: Patch Levels - DivestOS Mobile

1 Like

I’m always very puzzled by people who seem to think a device that stops getting updates is EOL and imply that it needs throwing away as a result - which is what the OP of this thread seems to believe, since the title mentions sustainability.

You do realize a device that stops being updated keeps working, right?

The software simply starts becoming more and more stale, and whatever exploits left in it won’t get fixed. But it’s not like it’s going to start randomly rebooting, or corrupt your data, or hordes of barbaric hackers that were barely kept at bay by constant updates will suddenly breach your crumbling OS and plunder your data.

Unless you’re unlucky and there was a really nasty exploit left in your outdated software that gets discovered 2 years down the line, and you’re doubly unlucky that this exploit doesn’t involve you visiting sketchy sites (like an SMS exploit), nobody will hack you. You’re perfectly safe.

Or rather, you’re a little less safe: kind of like driving a 60s car on modern roads: if you crash, your old car doesn’t have crumple zones or shoulder belts and you’re more likely to get injured. That’s what comes with old things…

As for software that does stop working over time, it mainly concerns the browser, not because it stops working but because the internet around it keeps changing. All you need to do with that one is keep it up to date, like you do now. Browsers tend to keep being updatable a lot longer than the OS underneath.

So yeah, it’s not great that a device stops being updated. But that doesn’t prevent you from using it 5 more years - or however long you can keep it working with spare parts - unless there’s a compelling reason not to, like a really nasty exploit that really makes it unsafe to use, and that’s highly unlikely to happen. But stop thinking the device is good for the trash!

17 Likes

This is terrible advice. When software is not maintained anymore it really deprecates your smartphone. It not only affects your privacy/security, but also that of others. For example if your phone leaks data, that data could also include personal information of others. It’s not responsible to continue the use of such a device.

As for the overview made by @SkewedZeppelin, nice! I see you’ve spent some time to make your point clear. I mostly agree. However, there are a few details missing.

It would be best to always have upstream kernel support, but there are several Linux distributions that backport fixes; Debian and Ubuntu, for example, work together on this. The open-source giant Red Hat does it too, and also SuSE. The CIP project glues those contributions together into a general kernel release with some added maintenance effort. The 4.19 CIP kernel is e.g. supported until 2029. I don’t know the details, so I can’t tell you if this is a release fully suitable for a smartphone.

The SoCs you list are, if I’m not mistaken, the announcement dates, not the release dates. There aren’t (m)any phones with the 782G SoC out there yet. And who knows, maybe that SoC has 5 years of software support by Qualcomm (due to a special FP agreement or something else). We might learn more about this in the coming months.

But when Qualcomm drops support then I suppose it’s not a fully supported device anymore, so I agree on that and the appropriate labels to manage the expectations for the customers.

10 Likes

I’m a few decades old now and I’m here to tell you that’s fearmongering. There is some truth to it sometimes, but that’s just plain not an issue for most people who don’t have elevated threat models. That’s you and me.

If your phone doesn’t leak data in 2023, it’s not likely to leak any more data in 2025. Or in 2027. Unless, like I said, an exploit is discovered in the meantime. And if it’s truly bad enough, even outdated devices that normally don’t receive updates anymore usually do get a security update.

Besides, the trick to avoiding most security issues is to not install unknown stuff without vetting where it comes from and what it does, or visit sketchy sites willy-nilly. If you’re willing to put some effort into not doing unsafe things, you almost always avoid problems even with possible-insecure OSes.

People these days really drank the constant-update kool-aid and have no sense of reality anymore. Small wonder we all managed to survive until online updates became a thing…

8 Likes

I’m also a few decades old and active in the IT security community, both as a professional and as a hobby. What you’re saying here is completely false. The threat is very much real. It’s not a commercial scam. It’s a legit reason to move on to a new device.

If only you truly had such control and could avoid any issues. You really don’t, even if you minimize your app selection. The best you can do is wipe the device and power it off if there are no security updates anymore.

Maybe signup for an ethical hacking course :wink: You’ll change your mind really fast.

4 Likes

Well, I did enough hacking in my days to almost end up in the pokey 23 years ago. Which is why I don’t usually give my name. So don’t worry, I don’t need a course.

I’m not saying security updates aren’t important. Things get updated all the time for very good reasons. What I’m saying is that not everything needs to be buttoned up like it was a critical server, and often good computing hygiene and common sense is plenty secure enough.

I was about to launch into a lengthy argument to explain why, but actually I don’t think I can be bothered. Not to mention, it’s getting quite off-topic and I wouldn’t want to get scolded again by the forum’s Gods.

You do you and I’ll do what I’ve always done, and we’ll both be just fine :slight_smile:

6 Likes

That’s not really a credential that tells anyone anything, also not something people can verify.

And what makes a server a critical one? The crown jewels, those jewels are often sensitive data such as financial data, medical data, personal information. And guess what, that’s on your phone.

Exactly my point: if you keep those things on your phone, you’re bonkers. Such data belongs on your encrypted, backed-up NAS at home, not on a mobile gadget you carry around and leave on your desk all day long at work or forget at the local bar.

And if you keep those things on an out-of-date phone, you’re even more bonkers.

That’s what I keep saying: don’t do unsafe things.

I have very good reasons not to provide anything you can verify, and I don’t really need to prove anything to anybody anyway. I was just saying, just because I’m a random dude on a random forum advising against automatically hopping on the compulsory update treadmill - which isn’t only driven by the need for security, I might add - without applying some critical thinking first doesn’t mean I don’t know what I’m talking about.

4 Likes

CIP is geared towards industrial and automotive use as well as anything a specific partner may need.
Rebasing a Qualcomm kernel onto a CIP branch would be non-trivial; it may even be easier to simply push forward the kernel as projects like postmarketOS (vendor to mainline) and LineageOS (3.18->4.4, 4.9->4.14) have been doing recently.

Indeed, still +/- six months or so, would be nice for more accurate dates.

All I really want to see. :slight_smile:

The vast majority of people do exactly this, hence why such security is so critical.

Literally people here right now with an FP3 who think it isn’t outdated, despite running an EOL kernel.

1 Like

You probably think of a file that says “financial data”, “medical data” or “personal data”. Things don’t have to be labeled or be in a specific folder. You at least have a browser (with passwords stored and a page/search history), email (which often enables someone to reset accounts and gain access) and probably a messenger on your phone. That already is a goldmine, even if your phone is encrypted. Because that storage is not encrypted when that software runs in memory (like your NAS). Then your phone maybe gathers information about you, such as the amount of steps you take. That information is precious. Surely a security professional would understand that. And you’ll probably come back with some reply why you’ve protected yourself against certain things. Anything but keeping up with security updates, right? :nerd_face:

Anyway, this is becoming a one on one conversation. Best is to DM me. And otherwise I’ll DM you if you still reply here. Let’s not hijack this thread.

I think, the answer is yes!

I see the conversation about software support, that’s a part of being sustainable. It’s also about production, transportation, repairability, reuse of parts, refurbishing and more. It’s about closing the loop. I see that Fairphone is struggling with this, but is expanding the support (hard- and software) with each phone, what they learned from previous phones.

I believe that the best part is, set your goals to be 100% sustainable, lifelong support (without EOL), closing the loop, reuse all parts and materials (maybe not using new materials). And I see already bits and pieces of this to other phone companies.

So Fairphone is in my opinion a pioneer of sustainability.

12 Likes

Yeah, it’s probably better advice to just switch to a custom ROM once your manufacturer-provided image is no longer updated. In my experience LineageOS on average provides new Android versions for old phones for much longer periods of time. That can give you a few more years of security updates.

And in contrast to other manufacturers Fairphone doesn’t exactly make it hard to do so and even provides some degree of service even if you had flashed a custom ROM before. So in the end it could of course always be better, but at least in comparison to other companies Fairphone is pretty far up there.

4 Likes

Very interesting. Is it possible to upgrade the kernel for our phones?

This can only go so far, please read this: Patch Levels - DivestOS Mobile

Anything is possible with enough time or money.
As in, someone has to be dedicated to it somehow.
People really like the LG G5, Pixel 1, and OnePlus 5 so they went beyond to make them work on newer kernels (Because Android 12 requires Linux 4.4+). They’re also widely available second hand and cheap!

edit: re (CVE) backports: social.kernel.org

1 Like

This is something I don’t really understand. On one hand, FP upstreams support for FP4 into mainline kernel. On the other hand, it ships the ancient 4.x kernel on the official OS. When I asked support for newer kernel (to e.g. get support for newer USB network cards), they told me it’s not impossible, but it’s nowhere on their roadmap. So why do they do all the work with upstreaming? Is it just to ease development of things like Ubuntu Touch? I’m really lost in this…

2 Likes