> I'd pick Calyx over privacy grounds not Graphene. (I totally agree that Graphene beats anyone on security grounds by miles, and depending on your threat model, security could be related to your privacy)
CalyxOS is substantially less private than GrapheneOS, not just less secure. You seem to be claiming this entirely based on CalyxOS including microG rather than the sandboxed Google Play compatibility layer. Sandboxed Google Play is not part of GrapheneOS. It doesn't ship with it, and unlike on CalyxOS, there isn't a setup wizard page encouraging you to use Google services. CalyxOS uses Google services even without microG and you can't turn it off. Your claims really don't make sense. Sandboxed Google Play compatibility layer is an optional feature users can choose to use, and it uses exactly the same sandbox used for the apps themselves including the apps people want to use with it. Those apps include Google's libraries including the Play SDK. You're relying on exactly the same sandbox for the client-side part of Play services as Play services has containing it. That's actually not entirely the full story since Play services is API 32 and always has the best available sandbox, while many apps have a lower API level and get a somewhat weakened sandbox, like API < 28 not having a per-app instance of the untrusted_app domain.
GrapheneOS has a bunch of added privacy features, not simply security features. This page is a list of features added on top of AOSP 12.1: https://grapheneos.org/features. It does not list features implemented by GrapheneOS upstream that are present in AOSP 12.1 since those are no longer features differentiating it.
Privacy depends on security, and CalyxOS recently went 4 months without shipping the Chromium and Android security updates. How is that supposed to be private? They also covered up how bad it was and wouldn't admit to how much was missing. They've consistently done that. They've covered up security vulnerabilities in their code. They denied there were leaks in their "firewall" app toggles and are still pretending as if there aren't leaks even though those were explained to them in the past and they're well aware their approach doesn't work properly.
> If we're speaking of FAKE_SIGNATURE.... No it doesn't? If implemented properly (I don't know how Calyx do it, but I know I do), only apps in firmware are allowed to use FAKE_SIGNATURE, and if you build your firmware with only microg that has FAKE_SIGNATURE, then only microg can fake signature. Also it can fake exactly one signature, which is Google's. It's probably possible to make that patch better, if some people give us reasons it is a flaw.
Except that microG is missing security checks and the full security model, and by doing this you're directly bypassing a security check.
> Really, please tell me in which threat model does using microg hinder security, maybe we can find a fix. So far, I've never heard any.
Projects spreading libel about security researchers lose the privilege of getting vulnerabilities reported to them and patches made for them. microG has a bunch of blatantly missing security checks and based on what you're saying it should be no problem for others to find and fix those. Also, how are you going to add all kinds of cross-app signature checks, pinning and parts of the missing security model to an app ideologically opposed to some of these things?
> With regards to privacy, I take unprotected open source software over Google trackware no matter the sandboxes you put under it. Windows has a better sandboxing model than Linux, yet I feel much better doing random apt installs, than downloading random Windows apps.
microG still uses proprietary Google services and the proprietary Google libraries are still included and being used by every app using it. People can see for themselves that Google Maps entirely works without Play services other than compass calibration, and that the Ads SDK works fine without Play services. microG is open source middleware sitting between closed source libraries and services. CalyxOS includes the privileged Google eSIM apps by default which give Google your IMEI, with no warning about that.
GrapheneOS does not use Google services by default. CalyxOS uses Google services by default with no off switch even without microG and has privileged Google services in the OS.