262 comments

[ 4.6 ms ] story [ 302 ms ] thread
“Maru is a new kind of computing experience.”

Is it? This type of “All Your PC Are Belong To Phone” type of fads have been attempted (and so far, miserably failed) for many, many years now. Looking at the website, I see little reason why this should succeed where others have failed.

(comment deleted)
Motorola webtop on Atrix was too early - phones were just too slow for even basic browsing in Firefox in laptop mode.

Perhaps Maru is smooth enough on new hardware?

(Still have the lapdock lying around, now hooked into RPi.)

In your experience, how well does the lapdock run with an RPi? I have a lapdock lying around, and never thought of this for some reason.
Not the person you replied to but I have the same setup. The only real issue is getting the adapters so they can be connected (plenty available on a variety of websites, but of questionable quality).
It’s an OS for your phone that becomes a proper desktop OS if you plug in a monitor, mouse, keyboard etc.

I don’t think this has been done before, or maybe I’m just hopelessly unaware?

Either way, I think it’s quite interesting.

Motorola Atrix, Ubuntu Phone, Windows Phone 10 has Continuum. It's been tried before.
I stand corrected then.
I don't think this makes sense until phones are basically as fast as current laptops.
The flagship phone for this OS is the nexus 5 which uses a 2.26 Ghz quad core qualcomm chip and has 2 gb ram. The hw limitation seems to be the low ram limiting the number of memory heavy desktop apps you can run. Definitely not a video editing rig and vbox doesn't work on arm hosts, but this is good for spread sheets / typing up papers / scanning things with your camera and quickly editing them on a desktop with out any data transfer hassles.
Exactly, the complaint of power users is that "it'll never be as powerful as my Core i7 desktop". Were a phone solution seamless enough to dock into my kvm switch, I'd power up my 'workstation' far less often.
The CPU speed for all mobile devices is deceptive. You can't actually run the CPU at that speed for anything but the tiniest amount of time, without immediately running into the throttling brick wall.
Doesn't Apple have laptops in their current lineup which are less powerful than their top of the line phone?
The MacBook isn't a very strong machine. Wouldn't be surprised if A10 beats it even in single-core performance.
And now, also Samsung DeX, but that one requires a Galaxy S8 and a special dock.
The dock is really just breaking out the USB-C port to the various docks no reason it couldn't be replicated with a USB-C hub other than software lockin. Not sure there's any reason it couldn't be done with any other phone that has USB-C either.
I think the big factor with the DeX dock is the big fan that runs to cool off the phone while it's in that mode.
Yeah, but these would never work with VR. The moment phones became capable of delivering smooth VR, i.e. smooth graphics, the phone PC became a strong possibility for quotidian tasks.
Yes, and it took around 20 years to go from the patent for the first underpinnings of applications for phones other than communication in the 1970s to Simon Personal Communicator in the early 90s, and then another 10-15 years for the first smart phones to emerge. If people gave up because it "had been tried before", we wouldn't have any of the technology we had (in fact, we would still be planting crops with wooden sticks because Thog got trampled trying to chase some wildebeest off of his early attempts at farming).
Nobody is denouncing it because it isn't new, they're just saying that they shouldn't claim it's a new kind of experience when it doesn't really seem like a new kind of experience.
Wooden sticks? Crops? Bet they took a few iterations to get right too.
Continuum is arguably a successful implementation of this idea, with the unfortunate handicap of being on a platform nobody wants.
Many Windows developers do want UWP, it is Longhorn done right.
Microsoft is giving it another go with Windows S, which is continuum without the phone part.

I have a windows phone with continuum and tried it, and while it is executed quite well, it wasn't very useful due to the lack of apps. You can use any windows 10 device as a screen/keyboard/mouse, but usually the laptops I have near me are mine, so they already have everything I need. If it had an ability to carry a self-contained programming environment I might have played around with it more.

It does make a fine fallback presenting device. You put your powerpoint slides on the phone, and if all else fails you can project your slides to any w10 laptop that's near.

It may not be new to the world, but it's likely new to users. Many recycled ideas go on to change the world in a second (or third, or nth) attempt.
Well this probably isn't going to succeed where others failed, but the idea is good.

I'm glad someone is trying to move forward with the idea of using the very capable computer in your pocket as more than a phone. I mean my current phone has more ram than my last laptop....

I really wish this was a viable option, but the lack of active cooling (and mediocre passive cooling) for phones really makes the phone-as-desktop a non-starter for anything but light web browsing or text editing.
But if you think about it, the use case for almost 80% of the people out there that use laptops or desktops is for web browsing and office work (text editing etc) which phones should be able to handle well.
Think of any task that has ever caused your laptop fans to spin up, and cross that task off of what is possible on a phone-as-desktop list. No high definition video calls. No 1080p gaming. No fully functional IDEs (intellisense and interactive linting/compiling is computationally expensive). No high definition movies. Video/batch photo conversions are probably out, though may be possible at 1/10th speed.

The most successful tablet-laptop attempt thus far has active cooling simply so they don't have to throttle back performance.

It's possible that more energy efficient processors will come about and prove me wrong, but they've been working on the heat dissipation problem for decades now (yes, even in desktops/servers).

You are over-exaggerating quite a lot to say the least. Microsoft Continuum currently works on Windows 10 Mobile with passive cooling just fine. Samsung DeX has active cooling in the dock though, to be able to handle even heavier loads with SoCs as close to thermal limits as possible, without headroom.
I can do hi-def video calls and video playback on my phone already; the video encode+decode is handled by dedicated hardware. Ditto for certain types of video conversions. Gaming is at 1080p, equivalent to PC games from perhaps 10 years ago.

This is with a mid-range phone from a couple years ago. I think you're being overly pessimistic.

A modern phone CPU is way closer to a modern desktop CPU than what most people think, due to the mobile-first (and power-efficiency-first) nature of most of the current CPUs in the market - in the detriment of pure performance. Power-efficiency matters more than pure single-threaded performance in both the mobile and server markets.
On the other side of things, there are certainly laptop computers without active cooling-- the new MacBook, for instance
The future doesn't look so bleak, Microsoft already made a phone with water cooling -

https://www.extremetech.com/mobile/215724-microsoft-announce...

And desktops are emerging without fans too -

http://www.fanlesstech.com

Anything that involves radiant cooling relies on radiator size and surface area. Neither of which are present in abundant quantities in a phone form factor. Especially when you add a rubber case (an insulator) to avoid damage from falls.
The Samsung DeX dock has a fan to cool off the phone while it's docked in desktop mode.
(comment deleted)
I think it might succeed because it's built on Android with Android apps.

  Shared storage
  
  SD card data like camera photos and downloads are shared so you can coordinate your work seamlessly.
This might be confusing for some, given that the only devices supported right now are Nexus devices, which famously lack an SD slot.
It's confusing because Android phones have a SD card mount for the internal storage (and external SD cards are yet another SD card mount).
Is it running a Debian with XFCE when Desktop?

If not, is it able to use the Nix package manager or something like this?

If you like this you might like: sentio.com
First time hearing about Sentio, very cool, thanks!
Web site currently down?
Hey, were you able to access? Site doesn't seem to be down from what I can tell. I'm part of the team at Sentio. Feel free to message me if you have any issues :)
Was coming on here to post exactly the same; backed it on Kickstarter but still waiting for the device to arrive; they changed the name from Andromium to Sentio (negative change, IMO, sounds like an age-related medical product now), but it's a similar concept. However, I've not looked into the technicalities of Sentio in terms of the issues raised elsewhere on this page, so hopefully they don't have them...
If you like this you might like: sentio.com
The fact that this spins up a Debian desktop when you're in desktop mode seems to make this a much more viable option than some of the previous attempts at this, which expected you to want to use only android apps on your desktop.
I'd love to have both, though. Debian apps for productivity, android apps for communications/games, side by side on the same screen with shared storage and maybe synchronized state. As it is, I have to manually sync state between the two devices which results in missed messages and inconsistent state.
So, it would be cool to have Debian as the base OS and Android running in a container. When in Phone mode, Android is front and center and when in Desktop mode, the base Debian host is. Could then still access the Android container.

If the UIs supported a seamless mode, that would be icing.

I'm concerned about driver support in Debian.

It's Android devices after all...

In the worst case you might have to run a kernel built for Android instead of the default debian kernel (e.g. lifted off the android OS for that type of device), depending on how it was packaged up. Hopefully those aren't built with certain useful features turned off.

For devices that support a vanilla android, I imagine the driver issue is already worked out and there would be no problem getting them to work in a kernel that you can compile yourself, even if not the default debian kernel.

libhybris reuses hardware drivers from Android, as used by sailfish, ubuntu touch, plasma mobile et alia.
Does libhybris support X11 with GPU accel now? It didn't when I tried to use it in the past
I'm not sure, I thought most projects were Mir or Wayland based - not X.
I would spend a lot of money on a device that did that well.
I hope this is where Google is headed with Fuschia OS. I wouldn't want to hack together a seamless transition from phone to desktop environment on Android. With a whole new platform written from the ground up to support it makes sense to me.
True, however the way this is implemented makes it seem as though the "desktop" and "mobile" states are different computers entirely. What I would like to do is be able to use desktop versions of android apps when plugged into a display. This would have the advantage of allowing me to use, say MS Office in desktop mode if I have the android app installed.

I realize that some may have a strong preference for OSS software, which a debian desktop would be excellent for.

Looks like Windows 10 Mobile Continuum. Even the types of apps being used in the screenshots echo Office being used in Continuum screenshots.

https://www.microsoft.com/en-us/windows/Continuum

The difference to me is that Continuum is still just a mobile OS that is scaled up. They even point that out in their promo material, it's a "desktop-like experience." Maru, while it looks very early in development, isn't a desktop-like experience. It's a desktop experience because it's running a desktop operating system.
Well, so is Continuum, technically. Windows Phone is its own SKU of Windows 10 but it's still Windows 10.
Yes. And with Windows 10 on ARM's x86 emulation functionality, I would not be surprised to see broader application support in future buildf of Continuum.
I hope that can revive Windows Phone, or it'll be a wasted effort.
Windows mobile has had a similar feature for a while, but you know, windows. I've thought for a while that this is ultimately the way computing is moving - single device that fits in your pocket. I love my laptop, but there is no substituting the portability of a smart phone that seamlessly syncs with panels at home and at work.
On the other hand, although I love my phone's portability, there's no substituting a few hundred watts of processing power and a few terabytes of storage in a decent desktop.
Sure. But I have my phone anywhere, and peripherals are ubiquitous. My beefy silicone devices...not.
I guess that's my point, in a way. I've got my phone everywhere, but its utility is inherently limited by its power. My beefier machines are powerful, but inherently mobility-limited by their form factors. Plugging the phone into a dock or something increases its I/O abilities, but doesn't give it the extra benefits that make the non-portable computers useful.

> and peripherals are ubiquitous.

I'm not sure what you're specifically thinking of, with that. I know that I've got many more PC peripherals than phone ones.

I mean "I can take my phone most places and expect to find both a HDMI-capable display and Bluetooth input devices." Of course, I don't expect massive computing power - but even as a thin client to more powerful machines, this would suffice; and always having a netbook in your pocket is also useful.
I think this may be the future of computing, but not yet. A high-end phone may have the computing power to replace simple desktop systems, but connectors to the peripherals haven't been standardized yet.
With USB-C this shouldn't be a problem whatsoever. In fact, the peripherals largely already exist. Given the driver support, these should just work "out of the box" with an up-to-date linux kernel.
If you have a monitor, mouse, and keyboard, you may was well have a computer. Seriously, if you have a laptop-like enclosure for all those things to make them portable, adding a SoC to make it a PC is what, $20-$40 to be on par with this in terms of compute? And last I checked, it's still not The Year Of The Linux Desktop. This is gonna crash and burn.
But, besides that, don't you think it's pretty cool?
You don't get the value proposition. This isn't for cost saving, it's for time saving and organization.

Here's where we are today: If I spend any significant amount of time away from one of my devices (phone, laptop, desktop), it piles up with dozens of notifications. Even with cloud based apps, there's no shared state. So when I get back to a device, I have to clear away all the notifications, assuming that they must have appeared on the other device at some point. And if I change a password on my laptop, because of one of the dozens of data breaches that have happened this month, I have to retrieve my new password out of my password manager and re-login on my phone. At any given point, 2 or 3 apps on my phone are in a "logged out" state because I use them primarily on one of my computers, so i'm actually not getting all my notifications everywhere, and I miss some of them.

Also, even with google drive, not every file on my computer is immediately available on my phone and vice versa. So if I need access to a file on the go, there's a good chance it won't be there.

I don't expect this to solve all these problems, but I'm looking forward to a day when I don't have to carry my laptop everywhere I go.

You can get shared notifications. I have Cortana on my Android phone pretty much exactly for this reason.
(comment deleted)
Your post makes me wonder if this constant back and forth switching is actually conducive to productivity.
"What is the default sudo password in Maru Desktop?

"maru" is the default sudo password. When installing debian packages, you may need to enter "root" as a password"

Oy.

Similar to Chromium OS, right?
Not when combined with "they start sshd up by default, listening on the local network, with the default user maru and password maru."
I am really surprised that the "single computing / storage device" idea which can switch between different screens and input methods seamlessly (and maybe support plug-in CPUs) is just is not happening, though the concept here is a small step in that direction.

Having everything in the cloud seems to have made this somewhat redundant for most users, though I still hope one day I can carry all my data around, of course given proper encryption and backups and the ability to distinguish between safe and possibly monitored (public) displays/inputs.

Or maybe wireless displays are missing so that decision to quickly do a task with a mouse and keyboard leaves out the cable plugging aspect.

I prefer the idea of a phone that can be plugged on a better hardware (desktop) and quickly boot on it... without the need of turn of the phone and the changes on desktop appearing on phone...
I always thought this was going to be the direction of the original iPod. Any day now...
I think all the walled-garden ecosystems of apps and device interoperability are also contributing to the slow progress on this front. Nobody with the resources to do so wants to develop open protocols that would enable easy collaboration on this kind of thing. We may get there one day, but you'll need to pick Google, Apple, or Amazon and buy your device, monitor, peripherals, and cloud services from just that one company.
I think it's a neat idea, but computing is cheap nowadays. When you have a nice screen, battery, and enclosure, throwing in some compute isn't a huge deal.

As you mentioned, I think this makes it redundant with the cloud when you can make thin-ish clients for everything, like Chromebooks, or Apple and Microsoft's initiatives to seamlessly transfer your workflow from one device to another.

I just don't see the use case. For work, most people have a work computer and that's separate from their personal computer. Tons of people no longer have a computer at home, those that do are likely gamers, developers or artists that all have a huge archive of files they work with and require more power than a mobile device can supply. I wish these companies would stop trying and just make an open, mobile, general purpose computer for mobile use cases.
I don't have a separate computer. I only have one single computer for work and personal things. I use it heavily for both. If something happens to my computer and it goes down for a few days, I'm screwed.

I personally would love something like this. Just in case I need to get some work done off my phone. I do no want another computer.

Do you not keep old computers as you update?

Have you considered having a cheap chromebook backup or something?

What for, dust collection? I refurbish them and give them away - by the time I upgrade, the machines are still comparable to mid-low current ones.
No. I'm a nomad and move around all the time. I carry everything I own with me. I am not going to carry two computers.
That's a really small convenience (if it is at all, I have my doubts) for such a expensive feature that doesn't have many practical uses. It's killing a lot of otherwise exciting projects.
"Tons of people no longer have a computer at home"

Sure, and those people are the perfect target market for being able to connect to full keyboard, mouse, and display from their phone without the need to buy another computer.

They don't want that. No one is sitting at a desk unless they're working or gaming. The tablet keyboard is enough and way more convenient for most users. There is a ton of talent and time being wasted on a feature no one really wants. MS, the only big company trying for this feature (and failing hard), can waste all the time they want, but the worlds needs a competitive open, general purpose mobile device and the projects keep dying because they can't figure out a good way to implement a feature no one needs (because there is no good way to implement a feature no one needs).
Its anecdotal, but I don't personally know, or have ever heard of anyone in my social network, regardless of age, not using a computer at home.
Ubuntu Touch was expected to have that. Their crowdfunding video for the Ubuntu Edge showed an Android e-mail app that read/wrote to the same datastore as Thunderbird when it was in desktop mode.

I'm not sure how it worked as Ubuntu Mobile really kinda died off and I never tried it myself.

There are many other projects that have attempted this (none of which I can remember, but I've seen this concept a bunch). It makes a lot of sense. Your phone is already running a Linux kernel. You should be able to create a chroot or a container system that has a standard Linux distribution. You add some hardware/hotplug hooks, some data-sync apps and you should have a Linux desktop hidden in your phone.

various GNU/Linux-in-a-chroot projects exist on Google Play and f-droid. In the other direction, Anbox attempts to run Android inside a container.
The problem with phone computing is that it's still the weakest option:

Phone < Laptop < Desktop

I used to have a Sony Vaio that I would hookup to big screens at each work space.

Now I use dropbox to sync desktops. My main machine has a GTX 1070 running a 4K @ 60Hz with an m2 SSD, and it was half the price of my laptop (I had to build it, but I had fun doing it). It's ten times as fast. And no more laptop hugging.

I think the key is working with the premise that any Maru user will have a main laptop or desktop. For example, if I could work with my phone in a window on my desktop, that would be amazing. And where I don't have a more powerful machine, I would just connect my phone directly to the monitor. Also dropbox is a must.

I'm surprised my Android doesn't do this already though... How hard would it be for a smartphone to double as a ChromeBox?

Because fundamentally they always end up being two computers in one, they just share the storage.
I find it amusing the promo shot shows it running on an Apple Thunderbolt display - which famously does not support HDMI input, only Thunderbolt - for which there is no MHL adapter.
Pretty sure this is incorrect, as I had an old DisplayPort Apple Display that I used with HDMI input, and from what I understand, the Thunderbolt displays also supported DisplayPort. Granted, the adapter was not cheap, but it did work.
The Thunderbolt displays do not work with Mini-DP connections despite sharing the same physical connector. The DisplayPort signals still need to be encapsulated in a true Thunderbolt connection, so they don't even work with pre-Thunderbolt (but still DisplayPort) Apple Macs.
The Thunderbolt displays use the same connector type as Mini Displayport, but only a Thunderbolt handshake turns them on. There's no power switch, so it doesn't work.
I was thinking the same thing. Apple mirrors... err.. I mean displays only have a thunderbolt connection, you couldn't connect your phone to it.

Yes, you could use some HDMI to DisplayPort adapter and in theory the thunderbolt display should support that, but you'd lose the webcam, ethernet, firewire, USB, microphone, speakers and daisy chaining support as DP does not support the data pipeline.

Could theoretically be the older model (Cinema Display) which is Display Port. Then it would be HDMI > DP and should work ;).
I'm wondering how secure it is.. According to https://github.com/maruos/maruos/wiki/Tips, they start sshd up by default, listening on the local network, with the default user maru and password maru. That seems like a bit of a red flag and makes me wonder if it is the tip of the iceberg.
That seems like a bit of a red flag

A basic and egregious security blunder is more than a bit of a red flag.

and makes me wonder if it is the tip of the iceberg.

If you already see that the tip sticking out has a mine on it, the tons of iceberg only give you the difference in the degree of egregiously bad.

I mean, don't install it on anything with data you care about. This isn't exactly a hardened product.
+1!

The way I see it, this is a "toy" (for the time being). The "2013 devices" makes me thing that this is a "toy" for people like "us" that have a Nexus rotting away somewhere and "it would be cool to fool around on your 30-inch screen and nothing more!

It would be better if they would up-front say "this is not secure", "this is a demo", "this is a toy", "this is not the OS you're looking for".

Imaginary CEO-CTO dialog:

CEO: hey! I just read that we can throw away the PCs and replace them with some old phones that we can buy for $50 on ebay! START!!!

CTO: but.. let me explain.. I quit!!

> The "2013 devices" makes me thing that this is a "toy" for people like "us" that have a Nexus rotting away somewhere

I'm writing this on a 2013 Nexus, thank you very much! A year ago it stopped booting and I tried searching for a newer, comparable tablet to replace it: no such device exists. I ordered a replacement main board and couldn't be happier. Until someone makes a new 7-inch tablet with a full HD display, it will continue to not rot in my hands for a few more years.

I'm using a N5 as my primary phone... It seems mad to me that the life expectancy of a phone is so short those days. :P
same here...and the only thing bad is the battery life :-/
I was surprised when I came to replace my 7 inch nexus that there wasn't a recent 7 inch tablet from a major player with good reviews. I ended up going for the nVidia Shield tablet K1, which despite being an iteration on a more than 2 year old tablet seemed pretty good. I've been happy with it so far.
What's wrong with "2013 devices"? Nexus 5 probably has more alternative OS choices than any other phone available: LineageOS (based on Android 7.1), Ubuntu Touch (UBports continuation of the project), Plasma Mobile, Sailfish, and Maru OS. And what is the real benefit of having a newer device if the old one is still very capable of running modern OSes and applications?
You sure you don't want a 5000MP camera? Lol
I bought my Nexus 5 in 2013. It's still running pretty smoothly. Every time I see an app render using the N5 frame, I chuckle. It just reiterates my thought that I made a good choice when I bought my phone, and I like that feeling.
> This isn't exactly a hardened product

Bolting on security later seldom works well.

It's a POC.
I think it's totally fine to be a POC unless you market it as a finished product (e.g. on your website).
Indeed, back when I had a Nexus 5 laying around collecting dust, I gave it a whirl. It was interesting but certainly not ready for prime time. The phone side of the OS was about as bare as could be, and buggy too. The PC side was slow and just as bare.

As a gadget enthusiast, I loved tinkering with it. But it is simply not practical for daily use (yet). I think it could end up being a nice FOSS alternative to Microsoft's Continuum project, especially if the developer can get it working on a newer device.

From what I've seen the site doesn't give any indication that it's this insecure. The default assumption should be that an OS is secure, and an OS should be secure by default, with tons of big warnings that something isn't secure.

This isn't just "unhardened", this is a lack of basic security, and after Mirai, nobody should be doing this shit.

(comment deleted)
Default passwords on things that are on by default is "full stop" bad. This is on the same level as passwords in clear text e-mail.
Man, why'd they have to go and do that. :-(

So many other options: not enabling sshd per default, ask for a password, display a random password on the phone, allow uploading a public key... possibilities are endless.

Looking at the Github [0], it looks like a fairly alpha product targeted at technical people and has one contributor. I think giving the project some slack at this point seems reasonable. I guess if there is major concern about this, one could submit a PR?

[0]https://github.com/maruos/maruos

The website is super polished and doesn't mention anything about being alpha quality. It would be easy to install this on your phone without any idea you were making yourself vulnerable.
It's version 0.4, so it's a pre-release build.
welllll, so are plenty of packages people install into production software every day. i think pre release means less to people these days.

and sure, you can blame it on the people using the software, but that doesn't stop a bunch of ssh servers with default credentials being open to the network.

super polished

My definition of super polished includes 'renders without javascript enabled'.

I tend to agree, but the non-technical user that might make themselves vulnerable by installing weird OSs on their phone (already a rare beast) will most likely not run without Javascript.
I don't disagree, it's not exactly a uncommon practice. I think Raspberry pi for instance does this. Not defending it, totally stupid, just pointing out they aren't alone in this.

The fact passwords are on by default for sshd on most distributions is crazy.

Raspbian DID this. They now ship with SSH off by default.
They should have done this:

1. User tries to SSH to rpi over LAN from their laptop.

2. rpi SSH server sends back a request for a torrent of the 1999 smash hit "The Matrix"

3. laptop sends torrent "The Matrix" iso.

4. If the average latency dips below a threshold value, don't connect.

5. If it's done in five minutes, connect.

6. set rpi's SSH server to key-based authentication for strong keypair that was generated on user's laptop.

7. Done.

And suddenly there would be no escape from the matrix, no seriously may I recommend matrix.org for you?
iOS jailbreak used to do this, for the root user. The password 'alpine' was the codename for iOS 1.0.
after installing it change the password on that user. red flag fixed.
You should leave the default user's password blank on embedded Linux images! Why does everyone set them up with default passwords!? I'm surprised the raspbian maintainers have not realized this yet.

sshd won't let you login with an empty password by default.

What percent of pi users don't connect a keyboard and monitor? I don't mind having a default password since when ever I've used a pi I ran it headless and configured it on first boot with SSH. It would make sense to force the pi user to change there password on first login, can't remember if this is the case.
You could set it up using the serial console then.
Does the average Raspberry Pi purchaser have the hardware or knowledge to connect a serial console?
I almost never do. I ssh into it.

To be fair, I had a Pi2 and used it to watch videos but it died and my tablet or my TV+USB key are more convenient to use now. I guess some people would use a Chromecast instead.

If I remember correctly, raspi-config starts when you first login and that's a big hint to go and change the password. But after that there's something that nags you to change it but doesn't force you. I think this is entirely reasonable.
it can be useful for debugging. you can disable it once you get the desktop to work.
Preetam here, founder and lead developer of Maru.

Thank you for all the critical feedback on security in this thread. Maru used to ship with sshd disabled [0] but it was enabled because of all the requests I was getting from users who wanted to run the system headless without needing an HDMI display and BT keyboard/mouse around to set sshd up. I assumed that users would change the default password after the initial login, but as many of you have pointed out, hope is not a strategy when it comes to security. I've opened up an issue [1] to fix this.

Please feel free to open up issues (or, even better, PRs!) at any time if you have further suggestions for improvement. It's thanks to feedback like this that Maru continues to move onwards and upwards.

[0]: https://github.com/maruos/maruos/issues/22#issuecomment-2296... [1]: https://github.com/maruos/maruos/issues/76

There's is a fundamental issue here that comes up with lots of small organizations around security: If your process for prioritizing work is based on which issues people complain about the most, you will never prioritize security issues until its too late. Security problems are never obvious until the horse bolts.

It is very easy to accidentally add egregious security vulnerabilities to products if you don't know what you're doing. In fact, accruing small security issues (like this SSH password problem) is the default state of the world.

As a user, I pay the cost when products I use have bad security. If I get hacked via your product, it might be embarrassing for you, but its my device and my data that gets compromised. And because of that, I expect most small companies will not care about their product's security as much as I do as a consumer.

Of course, once a company grows large enough they'll hire a person or a team to look into their software security. At that point they'll fix all the obvious security issues. The database will gain a password. The root AWS account will stop being shared out amongst employees. Work laptops will have full disk encryption turned on to protect against theft, etc.

But until then, as a customer, I should be really nervous. How can you tell the secure products apart from the insecure ones? Well, one of the most obvious signs is that secure products will have already fixed the obvious mistakes. Things like connecting to backend services using unencrypted HTTP. Things like a backdoor-by-default SSH password published on the website.

That is why we (security wonks) make a big deal out of small security problems when they're obvious. They're a sign that nobody has even taken a look at the security situation, and for every obvious problem there's probably 10 more that aren't obvious. This issue might get fixed, but thats why your reply doesn't make me less nervous.

---

And thats a shame, because your project seems super cool and I really want you to succeed! This has come across much more negative than I intended, and I'm more frustrated at the startup industry over this than I am frustrated with you or what you're doing. Hopefully you can get a security review done at some point to make sure there aren't any other simple problems that need to be dealt with. I'm looking forward to seeing where it goes.

If it looks like a duck, and quacks like a duck...
Well, if you see the issue where this was enabled, the author had it originally disabled for security reasons so it's not that he's unfamiliar with the reasons why one shouldn't have it enabled. He did it on request from a user while knowing the security risk so that means it's less likely that he's made mistakes so much as yielded to users. And the latter thing is a lot easier to solve.
Raspbian had the exact same problem and decided to have it disabled by default and:

"Now it's very simple.If you want to enable SSH, all you need to do is to put a file called ssh in the /boot/ directory.Thats all. And don't forget to change the password"

So how about 'touch sdcard/boot/ssh' to enable ssh ?

There are legitimate use cases for sshd with default logins. Headless and embedded systems come to mind first. Of course, this should not reach production stage.
Based on Android, which unless I missed something huge, translates into all device drivers and most apps being closed source and requiring full access to anything, that is, the best place to put malware into. To me it can appear more secure if compared to the usual bloatware ridden smartphone, but a Linux PC with all software, including most drivers, being OSS, is a different story.
As one of the backers for the doomed "Ubuntu Phone" kickstarter, this really looks like a great alternative. I will have to play around with it this weekend for sure.
Why is it built on Marshmallow instead of Nougat?
Something like this takes a while to build. They likely started before Nougat was released.
Preetam, lead dev here: Correct! Maru started on Lollipop actually and moved to Marshmallow with the 0.3 release. It can be a PITA to port upwards to a new Android version if there are significant changes in the internal system APIs (these are open to rapid change between major versions of Android, unlike the stable app-facing framework APIs). Anyways, hoping to move to Nougat before too long...
I really hope all phone OSs go this direction. I love my laptop(s) and they're great for doing serious work, but sometime when I'm, say, composing an email on my phone and it starts getting long, I'd love to be able to plug in to a monitor and keyboard and keep going.
Maybe this is the answer to the impending cabin baggage laptop ban.

Carry a keyboard and screen in your hold bag, the phone with your data and applications in your pocket.

And a power source for the screen...
I keep hearing people say that technology can't solve political problems. This has never been more true than in this case.

Instead of contriving ridiculously convoluted solutions to a non-problem we could simply stop electing politicians who propose implementing ludicrous airport security theatre.

I agree, but... which ones would those be again? And are they generally electable based on on other platform planks?

THe problem here is that most of the public believes that security theater is real security. Unless that changes, most politicians will espouse their "firm positions on security" in order to help them get elected.

THe ones who "get it" tend to be in the independent/libertarian camps (last I looked) - and they don't get a whole lot of public support.

Therein lies the rub, doesn't it? The first thing to do is convince people that voting independent or libertarian (or for that matter for an outsider candidate such as Bernie Sanders in the Democratic Party primaries) isn't un-American or unpatriotic or whatever weird notions people have about not voting mainstream but their democratic right and an absolutely reasonable thing to do (perhaps the only reasonable thing in today's political environment).

I think it can be done. If you think of another notorious modern two-party system neither of the UK's dominant parties today existed before the 19th century. Given how fast opinions spread these days it should be possible to bring about significant change in a matter of years rather than decades. Think about how quickly movements like the Pirate Party became successful in some countries. That they declined just as quickly again in most of these countries can be mostly attributed to their own stupidity rather than systems that are inherently averse to change.

It may be difficult to explain to a grumpy TSA agent that your device is not in fact a laptop!
So, with the recent discussion about banning laptops on flights form Europe into the US, I was wondering about something like this. A way to still have a computer but in something the size of your phone. Not just a phone OS, but a full desktop OS. Obviously the small screen size is an issue, but I wonder how that could be handled. Possibly from the airlines with some form of display input for a screen on the back of the seat? Not sure, really. Either way, interesting stuff.
Maru == (Windows Continuum || Google Fuchsia)
I think the most interesting question is, how do they handle the different interfaces between phone and desktop. A touchscreen needs a very different UI than a desktop with mouse and keyboard.

If I read that correctly, they are just ignoring the problem and share files on the phone between Android apps and programs running on Debian, which seems like it could work most of the time. (No idea if there is Blender for Android, but I am pretty sure there are .doc readers for Android.)

It looks like they run android when you are in "phone" mode, then when you connect it up to a monitor it boots Debian