Where is such a list? At time of writing, there is no recommendation on that page.
It’s possible to implement this in a secure way. When there’s a will, there’s a way. But if there’s no will, there are certainly reasons.
At the very least this could be implemented as a boot option. Here’s the design plan for how this user/admin/superadmin isolation could be implemented in Kicksecure / Whonix: Multiple Boot Modes for Better Security: an Implementation of Untrusted Root
But it’s not wanted by GrapheneOS lead developer:
Quote from the GrapheneOS lead developer:
GrapheneOS is not aimed at power users or hobbyists aiming to tinker with their devices more than they can via the stock OS or AOSP.
Refusing root rights without user data wipe has many repercussions. From the table iPhone and Android:
- Internal storage can reasonably easily be removed and mounted elsewhere for the purpose of data recovery or hunting malware / rootkits. - No.
- Internal storage can reasonably easily be decrypted once transferred to a different device if the password is known. - No.
- Can reasonably easily boot from an external hard drive, ignoring the internal hard drive for the purpose of data recovery or hunting malware / rootkits. - No. But any Android phone currently has this issue.
- Can reasonably easily create a full data backup. - No.
- Applications cannot refuse data backup (for the purpose of malware, spyware analysis or backup and restore). - No.
- No culture of users can ask device (code) for permission and device (code) will decide to grant or refuse the request. - No.
Investigation of any compromise without root is hindered. Not possible to create a full raw backup, boot, create another full raw backup and then compare the changes on the disk.
Without such essential freedoms easily accessible, I consider this a platform inherent security risk, as a (high profile) user suspecting they’ve been compromised cannot hand their device to anyone capable of malware investigation. The data isn’t accessible. The device locks out the user from their own data with no recourse.
And that was asked. And someone is free to point out “there’s no I2P on Whonix-Gateway”, “there’s no I2P inside Whonix-Workstation”.
In Installation and Fix of i2p inside Whonix-Workstation by Default I have been answering to the maximum of my ability and created config options to simplify this (the redirect custom workstation ports to the gateway using anon-ws-disable-stacked-tor part).
Such modding even if not implemented in the default Whonix builds is however very much welcomed.
Indeed. Undeniable. It’s a question of whether the project wants that or not. Plans the feature, prioritizes or rejects the feature.
I guess it boils down to:
Does one oppose the War on General Purpose Computing?
Or asked in a different way…
Does one support the right to general computing?
The easiness of providing freedom is the critical point. Is the ease of general computing a development goal or not? Should the user be in ultimate control of all the programs running on their device, or should developers control users through Device Attestation such as SafetyNet? That’s a point I want to be included in the mobile project comparison.
Should the user be in control or should the app vendors be in control?
Not providing easy access to root rights and supporting device attestation means that the app vendors should be in control.
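The investigation workflow described above (take a full raw backup, boot, take another full raw backup, compare what changed on the disk) is only possible with raw access to the storage. The following is an added example, not code from the original post or from the Whonix / Kicksecure projects: it assumes the two raw images have already been acquired as files (named before.img and after.img here) and reports which blocks differ, which is the starting point for a malware / rootkit investigation.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # assumed block size; the comparison works with any power of two


def changed_blocks(before_path, after_path, block_size=BLOCK_SIZE):
    """Compare two raw images block by block.

    Returns a list of (block_index, sha256_before, sha256_after); a size
    mismatch shows up as changed blocks at the tail of the longer image.
    """
    changes = []
    with open(before_path, "rb") as a, open(after_path, "rb") as b:
        index = 0
        while True:
            x, y = a.read(block_size), b.read(block_size)
            if not x and not y:
                break
            if x != y:
                changes.append((index,
                                hashlib.sha256(x).hexdigest()[:16],
                                hashlib.sha256(y).hexdigest()[:16]))
            index += 1
    return changes


def coalesce(changes):
    """Group consecutive changed block indices into (first, last) ranges."""
    ranges = []
    for idx, _, _ in changes:
        if ranges and ranges[-1][1] == idx - 1:
            ranges[-1] = (ranges[-1][0], idx)
        else:
            ranges.append((idx, idx))
    return ranges


def demo():
    # Constructed sample images: 8 blocks each, with blocks 2, 3 and 6
    # overwritten in the "after" image to stand in for tampered storage.
    before = bytes(range(256)) * (BLOCK_SIZE * 8 // 256)
    after = bytearray(before)
    for blk in (2, 3, 6):
        after[blk * BLOCK_SIZE:blk * BLOCK_SIZE + 8] = b"MODIFIED"
    with tempfile.TemporaryDirectory() as d:
        p1, p2 = os.path.join(d, "before.img"), os.path.join(d, "after.img")
        with open(p1, "wb") as f:
            f.write(before)
        with open(p2, "wb") as f:
            f.write(bytes(after))
        return coalesce(changed_blocks(p1, p2))  # -> [(2, 3), (6, 6)]
```

The changed ranges are then mapped back to files or partitions with the filesystem tooling of choice; the point is that none of this is possible when the OS refuses to let the owner image their own storage.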