GrapheneOS is a very nice mobile OS - I use it on multiple devices and it's my top pick for Android ROMs. Some thoughts:
1. They're the only ROM project that actually focuses on improving application level safety. This is a bigger deal than a lot of people realise.
2. They offer installation remote attestation - again, worth using if you can.
3. Lots of drama with Calyx and GrapheneOS which is very hard to familiarise with. This is because the discourse is often deleted (this is the policy of the GrapheneOS chatrooms) and so it is difficult to verify claims without pointing to another instance of deleted comments/purported harassment. If you can help it, I recommend just trying to ignore the whole thing until they start screenshotting the actual harassment.
4. A lot of people talk about Graphene having worse performance than a lot of other ROMs but this is actually counter to my own experience. Graphene is consistently the fastest ROM I have used.
5. You may see people kick up a shit about how Graphene uses sandboxed play store and how that's a bad thing somehow. If you are worried, keep in mind you can still use Aurora if you want your install to be anonymised (but frankly I am not sure what the extent of the changes that Aurora makes is). Similarly F-Droid is available, but is super weird about how they sign apps.
6. There are a LOT of updates. This is a good thing but it can throw you off if you're coming from another ROM.
Note: GrapheneOS is simply an OS. It's currently available as an aftermarket OS but will be available on devices built to run GrapheneOS eventually. It's not a ROM and we don't use that incorrect terminology. It's needlessly confusing to end users unfamiliar with that jargon from the Android modding community and it's also wrong. There are ROMs included on the supported devices such as the SoC boot ROM and other boot ROMs so it's important to use the terminology correctly due to the relevance to things we work on like verified boot and attestation.
> 3. Lots of drama with Calyx and GrapheneOS which is very hard to familiarise with. This is because the discourse is often deleted (this is the policy of the GrapheneOS chatrooms) and so it is difficult to verify claims without pointing to another instance of deleted comments/purported harassment. If you can help it, I recommend just trying to ignore the whole thing until they start screenshotting the actual harassment.
You can see the usual clearly inaccurate talking points from several of them in this thread including one of them making personal attacks and fabrications about me with their comment buried at the bottom. We've posted lots of information and proof including screenshots of harassment. Look at my personal @DanielMicay Twitter account where you can see blatant harassment from @maxtannahill, a Calyx reseller working with them and participating in their communities / private groups. He's openly a neo-nazi and I linked a post of his on Twitter where he openly engages in holocaust denial, but there's a lot more where that came from. You can look at what the Calyx devs/leadership were doing in their chat room yesterday, happily talking with someone who has repeatedly called for me to kill myself and spreading misinformation about myself and GrapheneOS with them. What proof is missing for you? We've posted screenshots / logs of their developers repeatedly calling me "crazy", "delusional", "schizophrenic", etc. as part of that consistent, pervasive bullying they've started across platforms.
> 5. You may see people kick up a shit about how Graphene uses sandboxed play store and how that's a bad thing somehow. If you are worried, keep in mind you can still use Aurora if you want your install to be anonymised (but frankly I am not sure what the extent of the changes that Aurora makes is). Similarly F-Droid is available, but is super weird about how they sign apps.
It's an optional feature: the ability to run Google Play in the full standard app sandbox. It's the same sandbox used for every other user installed app and it's not clear why that would be concerning. The feature we provide is a compatibility layer which teaches Play services and the Play Store to work within the standard app sandbox by reimplementing all the privileged functionality they try to use with unprivileged implementations. Since they run as regular sandboxed apps, they simply get an exception / error if they try to use functionality that's not yet stubbed out or reimplemented. It's not a special sandbox, and we give them absolutely zero special access or privileges. People are running Google Play code inside apps like Tinder and Discord since those include the Google Play SDK / libraries, and those apps run in the same sandbox. No permissions need to be granted to sandboxed Google Play to have 99% of the functionality working well, which is more than can be said for most apps.
Re the use of "ROM", it seems like I used a bad colloquialism rather than a technical term but you make a good point that "aftermarket OS" is a clearer term. Thanks for the suggestion there, I'll do that moving forward.
Re: your response to point 3, I appreciate that engaging with trolls and other harassment is not fun for the person being targeted, so my comment here is not actually targeted at you specifically, but anyone in Graphene willing to help here. Here is what I mean specifically:
Your provided examples are definitely better than the chatlog situation but there is still something that I would like to see different if possible. In each of your examples in your text block, you potentially provide something I would call documentation, but the format is transient. There is no direct quote and no link.
More explicitly, there is a verbal reference to posts by @maxtannahill (I quickly browsed his Twitter but just saw crypto nonsense), but missing are a direct quote with link to the tweets he made. The direct quote means he cannot delete the tweet and delete the wrongdoing, and the link provides a way for third parties to verify claims.
For example, this might look like e.g. "strcat did so and so"[1]. Then in the references section - [1] - quote pulled from https://URLofSpecificTweetInQuestion. Again, it wouldn't be something I'd ask you to do because if it is targeting you in particular, that would be somewhat confronting.
The same issue exists for the harassment you mentioned in this thread. There is a deleted comment by joemazerino, whom I assume is the harasser you are mentioning, and his replies are vague as fuck and slightly hostile (which is suspicious) but his post is deleted so it's hard to come into it "fresh". A preemptive direct quote and link in situations like this is ideal.
Re: 5 I think I may have made an error that I need to correct. Based on the sandbox model, does that mean that, other than install and updates, the sandboxed playstore apps are just as private as the Aurora offering? And are there any plans to provide anonymisation for installs and updates moving forward?
- some crapplications do not want to run on custom rom
- more than mere mobile privacy I'm MUCH worried about new cars (which happen to be mobile crapware connected crap)...
As a small dumb example, I've got my new EV, formally already fitted by default with crappy surveillance contracts with some vendors "pre-paid" and I have to unsubscribe from them all one-by-one. Car itself is a mobile OS, connected to the vendor and who knows what PLUS Android Auto/Apple CarPlay. Being semi-autonomous and connected, it can potentially be blocked or cracked from remote and I doubt we can even LEGALLY flash other firmware.
To add a small anecdote, I found the car already bound to the vendor's phone; it's new but probably they have done some tests, it being a vehicle in their exposition, and he simply forgot to unbind it. Which means he can potentially track, remote open, remote power on etc. the car.
In such terms while I prize all FLOSS efforts we can't have privacy on mobile crapware and craphw: the sole option is IMPOSING with popular acclaim mandatory FLOSS for anything and all "connections" must be in the term "your device can expose, at your options as the real owner of the device, some services to the net. All we offer is a connection service, with a public IPv6 address and a (sub)domain name for you. You choose what to do with it". No "push-OTA" and other stuff allowed by laws, with sanctions severe enough no one would even try to.
> - some crapplications do not want to run on custom rom
If you need help getting apps working, please ask on https://discuss.grapheneos.org/ or #grapheneos:grapheneos.org on Matrix. We'll be happy to help you get them working and if they aren't working we'll fix the remaining rare compatibility issues. Nearly every application works on GrapheneOS if you install the sandboxed Google Play compatibility layer and make use of the per-app exploit protection compatibility toggle for apps with memory corruption bugs. The compatibility mode doesn't reduce OS security, it just disables certain features protecting the app itself against attackers. We may eventually maintain a list of apps requiring the compatibility mode to do this for major apps like Among Us automatically. Also, note some apps require dependencies like Google Play Games which aren't installed for you automatically.
I've used GrapheneOS for a while now and have been impressed by it. I'd recommend it to all those who value privacy and security. Battery life is way better now as well.
GrapheneOS is a hardened OS. It not only preserves the whole standard privacy and security model including all the hardware-based security features but also substantially improves it. https://grapheneos.org/features provides an overview of only the improvements made by GrapheneOS compared to Android 13 (specifically, the stock Pixel OS). We make a fair number of upstream contributions and those aren't listed on our features page once they're shipped by the stock Pixel OS.
GrapheneOS provides our sandboxed Google Play compatibility layer allowing using the Google Play apps as regular apps in the full standard app sandbox with no special access or privileges. We've made them work like any other apps, with absolutely no ability to do something a regular user installed app can't do. You also don't need to grant them permissions to use 95% of functionality and can revoke our added Sensors toggle (Network COULD be revoked and you can use GSF + Google Camera + Google Photos with Network revoked from each but most of Play services exists to provide Google services so it would somewhat defeat the purpose, but it's possible).
/e/ supports loads of random phones without a strong HSM. In my estimation this means it will be much easier to get into a locked phone with physical access. I imagine the phone would get imaged, and then the passcode bruteforced on another machine without rate limiting.
Calyx supports Pixel3 and Fairphone, but otherwise looks pretty similar. According to GOS's main developer's comments in this thread, Calyx:
- "isn't a hardened OS and isn't at all comparable to GrapheneOS. They recently didn't even ship half the baseline Android security patches for 2 months, let alone providing much better patching and substantially hardening the privacy and security of the OS"
My opinion is biased since I'm a GOS user, and I have a very positive opinion of the project, so take this with a pinch of salt.
I have been using GrapheneOS since April. I have not used any alternatives in a long time (my previous phone was the Galaxy S9):
First, let me preface this with the fact that, in my opinion, overall it's a pretty solid OS. After having done research several times, the only other mod I've considered is LineageOS, but last I checked, there were no builds for my Pixel 6 Pro.
My biggest two issues with it are that it doesn't have any usability improvements other mods have. It's not on them though, as it's an expectation I have of mods, but obviously this is like having an expectation of support for FLOSS. It's annoying, but it is what it is.
The default camera app is subpar compared to the stock camera app of Pixel phones. I use OpenCamera, but it's also not great (though that opinion might stem from me not knowing how to use it properly).
The bigger issue I have with it is that, while sandboxed Google services generally work pretty well, some apps don't work properly with the location requests proxy. I'd love to enable it, but, for example, Citymapper is unable to track me when I use it. Finding a location sometimes can take very long.
I would love to have LineageOS improved by having the hardening patches that are in GrapheneOS.
> The default camera app is subpar compared to the stock camera app of Pixel phones. I use OpenCamera, but it's also not great (though that opinion might stem from me not knowing how to use it properly).
I've personally found the GrapheneOS camera to be great, and it's what I use 99% of the time on GrapheneOS. I especially like that it has the ability to remove Exif data from photos without me having to run them through a metadata eraser app.
That said, Google Camera works great on GrapheneOS with Sandboxed Google Play. In fact, you currently only need GSF to use it (not Play Services or Play Store). You can even put GSF + Google Camera in its own user profile and deny the network permission to both of those apps. Doesn't get much better than that.
> The bigger issue I have with it is that, while sandboxed Google services generally work pretty well, some apps don't work properly with the location requests proxy. I'd love to enable it, but, for example, Citymapper is unable to track me when I use it. Finding a location sometimes can take very long.
It's important to understand that Sandboxed Google Play re-routing location to the OS is an option that can be changed. A lot of apps will expect the same kind of location accuracy present on Stock OS with regular Play Services, and so they may not work as expected. It's not really something that GrapheneOS can fix, but it does of course provide the ability to switch to the same kind of location services that are used on Stock for maximum compatibility. In general, with GrapheneOS, you get choices; that's the magic of it.
I have been using Graphene on a Pixel 5 for some years now. It's a blast. I don't want to miss it. My battery runtime is much longer than with the stock OS. I am glad the folk at the GrapheneOS team made me value my privacy more by educating me about the implications the current vendor operating systems inflict on our privacy.
Graphene certainly looks impressive by all accounts, but are there any 3rd party audits? I can't find any.
I've learned to expect that from FOSS software that has any kind of security claims and purports to help me be more private or secure. Particularly since I don't have the necessary skills/knowledge to do so myself.
GrapheneOS is the best OS. I really like the sensor and network permissions they add. It is quite a clean and professional OS with hardening that just works under the hood without getting in your way. It looks amazing with the new Material 3 theming. My only regret is that a supported (Pixel) tablet won't be released until 2023. I'll gladly wait for it though.
I love GrapheneOS. Before trying it one should consider that unlike some "sister" projects, it does not support signature spoofing, so if you need SafetyNet or something similar, you will likely be out of luck.
On one hand I like the no spoofing position the devs took, on the other hand my banking app.
They have a sandbox which can run Google's services. I read plenty of people saying that they could successfully run their banking app without spoofing.
I think it's a fair point that compatibility pain is low, but it does exist and people should consider it.
Then there's also play services. A lot of things do work without it, but a lot either won't start (Uber) or become annoying with pop-up errors (Robinhood). It really makes me appreciate software that was designed to work without all that stuff.
GrapheneOS has the sandboxed Google Play compatibility layer. Most banking apps work fine on GrapheneOS. Certain banking/financial services check for a Google certified OS via remote attestation. SafetyNet attestation is deprecated and being shut down and the Play Integrity API is the current way. Both of these support hardware-based attestation available on every device launched with Android 8 or later which cannot be spoofed.
We currently choose not to ship patches spoofing the traditional software-based SafetyNet attestation / Play Integrity API attestation. The reason for this is because we don't really want to ship a set of hacks which will stop working when they improve it and will permanently stop working when a service starts checking for strong verification. Having users start depending on Google Pay NFC payments working and then having it go away would be a problem for a production quality OS in a way that it wouldn't for a hobbyist project where expectations are different. We don't want to essentially commit to providing something we know is impossible to keep providing due to hardware attestation.
You can only spoof the weak basic verification, and whether it passed strong verification is always there in the result. It's only a matter of time before those services require it. It's based on when they're ready to start phasing out support for devices launched with Android 7.x and earlier along with a few phones that shipped with broken verified boot / attestation support even after it was required such as OnePlus. They can require it only for certain features if they want. Android 10+ is needed for security updates, so if they truly do care about security, nearly 100% of devices launched with Android 7.x and earlier are irrelevant now since only a small portion got upgraded to Android 10 (almost none beyond it) and those are now losing security support. Android 10 will be losing security support soon.
We may reconsider and ship spoofing for the legacy software-based attestation (known as non-strong verification by those APIs) if not shipping it becomes an adoption issue due to others shipping it. It doesn't mean we think it's a good idea but we'd rather have people using a more secure OS than a highly insecure one often without proper security patches and a fake patch level displayed...
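Added example (not part of the thread and not GrapheneOS or Google code): a server-side sketch of the point made above, that the result always shows whether strong verification passed and that a service can require it only for certain features. It assumes the Play Integrity verdict has already been decrypted and authenticated; the feature names, freshness window, package name and sample verdicts are constructed for illustration.

```python
# Per-feature policy over a decoded Play Integrity verdict (classic request).
# Labels reported in deviceIntegrity.deviceRecognitionVerdict:
BASIC = "MEETS_BASIC_INTEGRITY"
DEVICE = "MEETS_DEVICE_INTEGRITY"
STRONG = "MEETS_STRONG_INTEGRITY"  # the hardware-backed result

# Hypothetical service policy: the label each feature insists on.
FEATURE_REQUIREMENTS = {
    "view_balance": BASIC,
    "transfer_funds": DEVICE,
    "nfc_payment": STRONG,
}

MAX_AGE_MS = 5 * 60 * 1000  # assumed freshness window for a verdict


def check_request_binding(verdict, expected_package, expected_nonce, now_ms):
    """Return a list of problems tying the verdict to this request."""
    req = verdict.get("requestDetails") or {}
    problems = []
    if req.get("requestPackageName") != expected_package:
        problems.append("package mismatch")
    if req.get("nonce") != expected_nonce:
        problems.append("nonce mismatch")
    try:
        age = now_ms - int(req.get("timestampMillis"))
    except (TypeError, ValueError):
        problems.append("missing timestamp")
    else:
        if age < 0 or age > MAX_AGE_MS:
            problems.append("stale verdict")
    return problems


def allowed_features(verdict, expected_package, expected_nonce, now_ms):
    """Return (features this verdict unlocks, problems found)."""
    problems = check_request_binding(
        verdict, expected_package, expected_nonce, now_ms
    )
    if problems:
        return set(), problems
    device = verdict.get("deviceIntegrity") or {}
    # The list may be absent or empty when no check passed.
    labels = set(device.get("deviceRecognitionVerdict") or [])
    # Each label is looked up on its own: a passing weaker label never
    # implies the hardware-backed one.
    allowed = {
        feature
        for feature, needed in FEATURE_REQUIREMENTS.items()
        if needed in labels
    }
    return allowed, []


def constructed_verdict(labels, ts_ms, nonce="n-123", package="com.example.bank"):
    """Build a constructed sample verdict (not captured from a device)."""
    return {
        "requestDetails": {
            "requestPackageName": package,
            "timestampMillis": str(ts_ms),
            "nonce": nonce,
        },
        "deviceIntegrity": {"deviceRecognitionVerdict": list(labels)},
    }


if __name__ == "__main__":
    now = 1_700_000_000_000
    software_only = constructed_verdict([BASIC, DEVICE], now - 1_000)
    hardware_backed = constructed_verdict([BASIC, DEVICE, STRONG], now - 1_000)
    for name, verdict in (("software-only", software_only),
                          ("hardware-backed", hardware_backed)):
        features, problems = allowed_features(
            verdict, "com.example.bank", "n-123", now
        )
        print(name, sorted(features), problems)
```

A verdict lacking the strong label still unlocks the low-risk features here, while the feature gated on `MEETS_STRONG_INTEGRITY` stays unavailable.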
First of all, thanks for the very detailed write up. Someone (maybe you) had explained this to me in a chat and it was convincing to me, but I didn't really do it justice in my comment.
> The reason for this is because we don't really want to ship a set of hacks which will stop working when they improve it and will permanently stop working when a service starts checking for strong verification.
This is what I really like about the project philosophy. I think you all are right even though the decision breaks some compatibility.
It doesn't. I requested a feature to software-wipe the phone after X incorrect password attempts, but was rejected on the basis that this would be security theatre if implemented in software not hardware. I would like to implement a set of features to this end, but have not found the time. I would like:
- wipe after X incorrect attempts
- configure a "kill" passcode that instantly wipes the phone
- configure arbitrary passcodes that are mapped to actions when entered
- there's a feature to make phone reboot every X hours, if not unlocked, add a parallel feature to wipe phone if not unlocked in X hours.
- something where the passcodes are use once, and using an already used passcode wipes the phone. So you can bait LE and say "last time I unlocked it with X" and if they're stupid enough to not question you further, and just try X, it'll wipe, and it'll be their fault
- something to set a chance of wipe on the correct passcode, so you can say "any passcode might wipe the device"
I had to switch back to iOS. My smartphone is my primary camera and I missed lots of important shots because the Graphene camera was so slow to double click launch from locked (on a flagship pixel $LATEST pro max whatever).
You can speed up app launching by turning off the optional exec-based spawning feature. Our camera app also has a Latency mode which recently became the default instead of Quality mode. Google and Apple camera apps essentially always use something resembling the Latency mode, but with lower JPEG quality by default.
What is the benefit of the "secure app spawning" toggle? Also, it would be great to be able to disable this for system apps or per-app (assuming it makes sense in the security model).
I was using whatever app launches when double clicking the lock button. I don’t think the issue was with the specific app launched, but with the system to launch it.
Please read https://grapheneos.org/usage#exec-spawning. You can choose not to use this feature if you can't tolerate up to a 200ms delay for cold start app spawning. Application spawning on GrapheneOS is as fast as the stock OS when using the standard Android app spawning system. We give users a choice.
GrapheneOS uses our own camera app, not Open Camera. Our camera app supports HDR+ for images and HDRnet for videos on Pixels along with zoom-based multi-camera on devices with support for it in 3rd party apps including Pixels and current generation Samsung phones. It has Night, Portrait and HDR modes on Samsung phones. Pixels don't provide those CameraX extensions yet, but they provide HDR+ / HDRnet for it in the normal Camera and Video modes. Our app also supports optional EIS. It's not as featureful as Google Camera or Samsung's camera app but it's getting better, and you don't have to use it.
Google Camera works fine as a sandboxed app on GrapheneOS. You can install GSF as a regular sandboxed app alongside Google Camera and use it. Google Photos works fine too. You can disable the Network toggle for all 3 apps if you'd like.
https://grapheneos.org/usage#camera has more information on these topics, although it needs to be updated for recent improvements in our Camera app.
You don't need Play services or the Play Store for Google Camera, but you can use those as part of our sandboxed Google Play feature on GrapheneOS to run nearly all apps from the Play Store.
Google Camera works perfectly on GrapheneOS, and unlike CalyxOS runs as a regular sandboxed app. It's as simple as following our instructions and installing GSF from our app repository followed by Google Camera:
You can revoke Network from Google Camera and GSF if you'd like. Google Photos works that way too. None of those need Play services and the Play Store, but you can use Play services and the Play Store as regular sandboxed apps on GrapheneOS. GrapheneOS has MUCH broader app compatibility than CalyxOS and without making the privacy/security sacrifices it does to integrate microG into the OS. CalyxOS has privileged Google services integration built into the OS so you don't need to install anything, but installing apps from our app repository and getting far broader app compatibility with fewer sacrifices isn't a problem for users.
CalyxOS isn't a hardened OS. It substantially reduces security rather than improving it. They roll back the security model and go months without shipping the baseline Android privacy/security updates. They shipped half the August and September security part of the way into October including multiple critical remote code execution vulnerabilities. This happens every year and throughout the year. It's not simply not hardened but not a safe option even for people not focused on privacy/security. Providing proper security updates is the bare minimum. There are still missing security patches with it today, and they're still downplaying and misleading users about it. Just check their recent news posts announcing the August and September updates while admitting they aren't providing half of them. Note: what they say about providing all the open source patches is wrong, since lots of what they skipped was open source, and the updates they skipped were mostly more important than the ones they shipped.
It works flawlessly on GrapheneOS, you can even isolate it from your main profile and run it in a second profile with just GSF. Never had any issues with it.
The reason (afaik) is that you can enroll a developer key and re-lock the bootloader on a pixel, so your phone will check OTA updates against the enrolled key to be sure you didn't get a compromised update. This is not possible on other hardware, I guess.
I also want to be as far away from Google as I can, but I felt as though the hardware was probably a loss leader for goog and worth it to me for what I would gain.
I use CalyxOs without any Google Apps (camera app blocked via firewall). I find GrapheneOS horrible. If I want to get away from Google, I don't want to run Google Apps in the sandbox either
So you are using a Google app (Google Camera) in an objectively much weaker sandbox than the one provided by GrapheneOS. You're giving it shared storage access since it requires it and CalyxOS doesn't have features like https://grapheneos.org/features#storage-scopes. The whole point of sandboxed Google Play on GrapheneOS is that it runs in the full standard app sandbox. It has absolutely no special access or privileges. It's not different than running another app. Same sandbox, same permission model, and all the same GrapheneOS improvements to those including user-facing ones like Storage Scopes, Sensors permission toggle and the Network permission toggle which blocks more forms of access than a firewall-based approach.
What I love about GrapheneOS is that it gives people a choice. It starts out slim, without any Google services. You have the choice to use them if you need them, and you can use them in the same way and with the same sandbox as you would any other app. But the most important thing is choice and options.
You can even use Sandboxed Google Play in a specific user profile, instead of options like MicroG where it has to be privileged for a lot of its features/functionality to function, and where it's ever-present in all of your profiles.
Furthermore, since we're talking about Google apps and services, I find the fact that CalyxOS ships with the privileged eSIM activation Google app which is enabled by default and to my understanding cannot be disabled very concerning...
On the other hand, (again) GrapheneOS has it disabled by default and you're given the choice to use it if you need it, instead of having it forced on you by default.
After looking at all options for alternative Android OSes, no matter which way you slice it, GrapheneOS takes the cake, so I don't really understand how someone who has actually looked at both options can call it "terrible".
Well, then don't? How does allowing the option make it terrible? Also, CalyxOS also supports it in an objectively worse way (microG and basically not caring about signatures)
They don't know much about it and haven't used it. CalyxOS isn't a hardened OS and isn't at all comparable to GrapheneOS. They recently didn't even ship half the baseline Android security patches for 2 months, let alone providing much better patching and substantially hardening the privacy and security of the OS. Unfortunately, they've chosen to promote it through inaccurate talking points about GrapheneOS and fabricated stories about our developers. They've heavily invested in this. You can see their developers doing it earlier today. You'll see it in every thread about GrapheneOS on this site from people promoting CalyxOS, which again, is a highly insecure non-hardened OS rolling back the Android security model substantially and not shipping full baseline Android patches on time. I don't understand why they come to pick this fight. GrapheneOS provides far better privacy, security and usability (much broader app compatibility).
(First, strcat, thank you so much for your work on GrapheneOS. I should have a little ETH to send to the project in a few weeks, to make this sentiment a bit more concrete.)
Regarding community among people valuing security and privacy...
On my most recent big phone/handheld switch, I tried CalyxOS first, but found that I personally preferred GrapheneOS.
I think CalyxOS also has its merits.
Users of CalyxOS and GrapheneOS are relatively small groups, with overlapping interests, and together are stronger, if the tone is friendly competition and mutual assistance.
I don't think a highly insecure OS not shipping privacy/security updates for months is even a reasonable choice for people who don't care much about privacy and security. Their site presents standard Android privacy/security features as their own and has news posts claiming to ship security updates where half the patches were skipped, so that's not a reliable source of information to use. They've heavily marketed CalyxOS based on false claims about privacy and security not only in CalyxOS but with a substantial focus on misleading people about GrapheneOS. Even as recent as today and yesterday, the leader of the Calyx Institute has been openly spreading misinformation and fabricated stories about GrapheneOS. Yesterday, he was openly doing it in their chat rooms with someone who has publicly, repeatedly called for me to kill myself and posted the usual Calyx claims that I'm "crazy", "delusional", "schizophrenic", "deranged", etc. Do you think this is appropriate behavior?
Check the recent screenshot I posted about a Calyx reseller who works with them (@maxtannahill) and is in several of their private Signal, Matrix and Discord chat rooms. I linked a thread where he openly states his neo-nazi views which he has done repeatedly. He's openly a holocaust denier who supports fascism, wants democracies turned into authoritarian dictatorships and overtly a white supremacist wanting the US as a white homeland. Calyx permits Kiwi Farms server in their room and has had no problem with the abuse targeted towards me. In fact, the leader of the organization has repeatedly participated in it when it happens, encouraging it while also steering it away from being done inside their rooms. These logs have been archived and while the lead CalyxOS developer has gone back and purged a lot of it from the Matrix history, much of it is still there. You can check for yourself what happened yesterday and can confirm the main person attacking me there and in other rooms is a Calyx community member friends with several of them and has openly told me to kill myself.
> Users of CalyxOS and GrapheneOS are relatively small groups, with overlapping interests, and together are stronger, if the tone is friendly competition and mutual assistance.
Calyx developers / leadership have repeatedly engaged in an extreme bullying/harassment campaign targeting me. They've heavily focused on spreading misinformation both about CalyxOS and GrapheneOS to mislead and scam users.
We're never going to work with people who have done these things. No one else should be working with them or tolerating them either, but unfortunately people don't do anything about the massive amount of charlatans and abusers in the privacy/security industries. It's sad. You should never expect that I'm going to tolerate it.
CalyxOS is not a hardened OS. It's also blatantly insecure by not shipping patches fully or on time while misleading users. I'm not sure how it's a competitor with GrapheneOS. Presenting it as a private and secure OS in their marketing doesn't make it one. Engaging in all kinds of abusive and underhanded behavior is not going to turn it into one either.
Comments like this are precisely why the "rivalry" continues to exist.
GrapheneOS handily beats out every other project on security and technical merit -- let the code and project speak for itself, because jumping in to every single convo between end users you can find, doesn't help quell any of it.
From a GrapheneOS user for many years who thanks you for your work and dedication
That is correct! I believe that these toggles were added in Android 12.
GrapheneOS takes great care to only list features that they add on top of AOSP, instead of marketing AOSP features as their own. You can check their features page here:
I used GrapheneOS for a year and it was not very smooth. But maybe it would have been different with this new Google sandbox, which I will have a look at. But I think I might go try Calyx this time.
The phone bricked due to frequent updates. Which now I see happened to many people with Pixel phones, custom ROM or original. I did not find an easy way to delay or disable the updates.
And they immediately upgrade everything, not just security updates, so something will probably break, apps stop working, and your workflow in general, because a lot of things change across Android versions.
Most people are not trying to run away from the 3-letter agencies. We want as much privacy and security as possible, but we also want a fast phone, usable, compatible with apps, and customizable. This OS looks more like an exercise in security, a good one, but clearly prioritized over privacy and usability.
The developers, I am sure they are trying to do what they think is best, but they come across a bit arrogant.
I don't care if root is an insecure vector, I will 100% root my phone. And use Google camera app. And use F-Droid and whatever insecure app I wanna use.
Especially in conflicts with other open source communities, like Bromite, F-Droid, CalyxOS, AOSP, microG... deciding to just do as much alone as possible, which sounds unsustainable.
Their built-in browser still sends data to Google, privacy by blending in, but I would recommend installing Bromite, with the model of blocking everything.
GrapheneOS isn't any less 'smooth' than the stock OS. You should read https://grapheneos.org/usage#exec-spawning about the optional secure spawning feature which requires additional time for cold start application spawning.
It doesn't really sound like you've used GrapheneOS.
> I used it for a year and it was not very smooth
CalyxOS isn't a hardened OS. It substantially reduces security rather than improving it. It recently didn't ship half of the August security patches until part of the way into October including critical remote code execution vulnerabilities. They currently have missing security patches. They roll back the security model. It sounds like you're coming here from that community. A typical pattern from their community is pretending to be GrapheneOS users unhappy with it and spreading misinformation about it, which is obvious to people who know about it and have used it themselves.
> Besides the phone bricked due to frequent updates. Which now I see happened to many people with Pixel phones, custom ROM or original.
> I did not find an easy way to delay or disable the updates.
This has been near the top of the usage guide for years and if someone asked on the discussion forum, Matrix chat room, Twitter community or elsewhere they'd almost always be told about it or linked to it.
There's absolutely no common issue with Pixels being bricked on updates. It definitely doesn't happen outside of extremely rare cases with GrapheneOS. It's unlikely that it happened here. Sometimes users do think their device isn't booting since it can take ~20 minutes after certain kinds of updates, but it does boot fine, and if they power it off it will just trigger rolling back.
> And they immediately upgrade everything, not just security updates, so something will probably break, apps stop working, and your workflow in general, because a lot of things change across Android versions.
We follow along with the stable releases of Android. These go through months of public betas. It's not possible to delay upgrading the major release on Pixels without going months without providing full security updates like LineageOS and LineageOS derivatives like CalyxOS. Not providing critical remote code execution patches for literally months, as was the case this year from August until part of the way into October for CalyxOS, is a serious problem. This occurs for them regularly with the browser engine and other patches too.
> Let's be real, most people are not trying to run away from the 3-letter agencies. We want as much privacy and security as possible, but we also want a fast phone, usable, compatible with apps, and customizable. This OS looks more like an exercise in security, prioritized over privacy and usability.
This is not at all accurate. GrapheneOS is highly usable and has broad app compatibility. It has far broader app compatibility than the OS you're trying to promote (CalyxOS). If you've used GrapheneOS, then you're aware it has the sandboxed Google Play compatibility layer (https://grapheneos.org/usage#sandboxed-google-play) allowing using nearly every app on the Play Store without giving any additional access to Google Play than it would have through the SDK / libraries included in those apps.
> The developers, I am sure they are trying to do what they think is best, but they come across a bit arrogant.
I think what comes across as arrogant is someone who is clearly unfamiliar with GrapheneOS and what it provides pretending they know all about it and other projects they haven't used or familiarized themselves with either. Typical for Hacker News though.
> I don't care if root is an insecure vector, I will 100% root my phone. And use Google camera app. And use F-Droid and whatever insecure app I wanna use.
Google Camera works fine on GrapheneOS without anything special. Google Play works fine on GrapheneOS as regular apps in the full standard app sandbox with all the GrapheneOS improvements to the app sandbox and permission model, and absolutely no special access or privileges. If you've used GrapheneOS or just read our features page and usage guide, then I'm sure you know all this already and don't need me to tell you here.
> Especially to other open source communities, like Bromite, F-Droid, CalyxOS, deciding to just do everything alone, which sounds unsustainable.
Unlike those projects, we do a substantial amount of collaboration with upstream projects. We do upstream work on AOSP, the Linux kernel, LLVM and other projects. We work with DivestOS, ProtonAOSP and other projects on areas where we have aligned goals. We won't work with people who engage in spreading misinformation about our project and targeting our developers with bullying/harassment like many of the people involved with Calyx.
> Their built-in browser still sends data to Google to increase privacy, by blending in, but I think I prefer Bromite model of blocking everything.
This is not accurate. Vanadium doesn't send any user data to Google.
GrapheneOS instead went on to implement a whole sandbox which can run google services properly, without hacks like spoofing signatures (which is required for microG).
The thread you're linking explains why we developed the sandboxed Google Play compatibility layer for better privacy, security and far broader app compatibility. On an OS using microG, you still have the Google Play code running in each of the apps you're using which depend on Google Play. You aren't avoiding the Google Play code. In fact, you're running it with more privileges than it has on GrapheneOS where there's a stronger sandbox and permission model. You're avoiding part of the Google Play code: the part sitting between the Google Play SDK / libraries and their services (but not quite, since microG downloads and runs droidsec/snet within the context of microG, which has significantly elevated privileges on CalyxOS).
GrapheneOS developed our sandboxed Google Play compatibility layer to provide support for running Google Play as regular apps in the full standard app sandbox. They work like any other apps and can't do anything that a regular user installed app can't do. Since they're regular apps, all our work on improving the app sandbox and permission model in a compatible way applies to them. For example, you can revoke our Sensors toggle from them (or even Network, but that would prevent using their services, which many apps depend on for real use) and can use Storage Scopes instead of granting any storage permissions, etc. In practice, you don't need to grant any permissions to Google Play when using sandboxed Google Play. Our location rerouting feature reimplements the Play services geolocation API based on the standard AOSP location API based on GNSS (GPS, GLONASS, etc.) + A-GNSS. If you really want to use Google Play network location, it's possible, by granting background location access to it, enabling their network location toggle and disabling our location request rerouting feature. We plan to provide more of these rerouting features in the future when it makes sense.
Thanks; if network and other permissions can be revoked from GApps, which otherwise have all possible device permissions, it eliminates the need for MicroG. I will try it out.
Have been using GrapheneOS for over a year now. With the Google compatibility layer I can use all my banking/credit card apps (4 different ones) and many more. I like the details available online and the frequent updates. Pretty smooth first installation too using their web installer, and getting help via their Matrix rooms or forum is usually quick. I only have one government app where QR scanning doesn't work but not sure why. All other apps with QR scanning, including banking apps, work.
The background story of the project is quite sad, so it sort of makes sense that he is very defensive of it. (The project got some monetary support initially from a company, which later tried to hijack the whole open-source project (going by copperhead os nowadays, I believe). Fortunately thanks to Micay the original was unharmed (he revoked private keys, big kudos!), but they do throw shade at GrapheneOS promoting their shady fork in many relevant threads)
Nonetheless, he is an excellent security researcher who has an excellent track record of prioritizing the security of his userbase, even if he may (more or less validly) be a bit overly defensive over it.
In my understanding, it's CalyxOS throwing shade, not Copperhead, although the whole situation is murky. In my estimation, there do seem to be comments devoid of substance disparaging GOS every time it is promoted somewhere like HN.
GrapheneOS was started in 2014 and was previously known as CopperheadOS. I co-founded the Copperhead company in 2015 and I still own half of the shares today, which gives me 50% control over the company. GrapheneOS (formerly CopperheadOS) remained an open source project under my control and ownership, not the company we founded to sell services and devices based on the project. Unfortunately, my former business partner decided to unilaterally take over the company and manage it in his interests. He tried and failed to take over the open source project. Edward Snowden was one of the CopperheadOS users who helped me defend the project against the takeover attempt and helped to fund the continuation of the project under the Android Hardening and then GrapheneOS brand names. He helped me get a lawyer via the EFF and is the reason I continued the project instead of giving up and moving on. You're spreading talking points from a scammer who chose a Raytheon contract requiring access to the signing keys for GrapheneOS (CopperheadOS) over fulfilling the company's commitments to the open source project it was supporting, and to me as a co-owner of the company with equal voting rights. Again, I still have those shares. I'm speaking as 50% owner of Copperhead and one of the 2 co-founders of the company, which was founded in late 2015, a year after the open source project was started. Note: there was a 3rd co-founder who my former business partner pushed out of the company early on and didn't give shares they were probably entitled to getting, and that person (Daniel McGrady) supports me.
Today, CopperheadOS is used as a brand by that company for a completely closed source fork of legacy GrapheneOS code. They don't develop anything of value and simply take our code months or years later. Anyone who looks into it can see that the Git repositories from 2014/2015 belong to the GrapheneOS organization and are the repositories we're using today. We still have the legacy issue tracker for mid-2018 and earlier too:
Ask Edward Snowden if he thinks I did the right thing by protecting him and other GrapheneOS (CopperheadOS) users from James Donaldson. The vast majority of users / customers supported me and continued supporting GrapheneOS afterwards. Only a tiny number of people supported Copperhead and most of the people they duped were people who discovered it post-2018 based on them pretending to have made my project and pretending to own the legacy code, which they don't, and they've already lost that battle. Why did the legal battle not go their way if they were in the right? ...
Interesting.. Why would Raytheon need signing keys? I have not heard or seen any OSS project in use by them ever complain about this.
Edward Snowden is a bad example. He is a SharePoint admin and traitor to the West. It makes sense that he would betray his country, hide under Putin and undermine Western companies.
You've repeatedly engaged in harassing me and spreading fabricated stories about me. Your community comes to most of these threads and does this. It's getting old.
Could you elaborate on what you consider personal attack? The bar is extremely low these days, and I have an experience of the opposite: One day I was inspecting the traffic from my GOS device with tcpdump, and I noticed lookups and traffic to the connectivity test servers going outside my VPN. I raised this in the IRC channel, and criticised the lack of option to turn them off or route them via the VPN on the basis that it leaked metadata. The main developer disagreed that it constituted a security issue. After considerable back and forth, I took it upon myself to implement the feature. Before I got round to it, I found it in the next update of GOS. GOS is the single most reliable android distro I have ever used by a considerable margin.
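The kind of check described in the comment above (spotting lookups and connections that leave a device outside the VPN tunnel) can be scripted over a capture. This is an added example, not code from the commenter or from GrapheneOS; it assumes text output from `tcpdump -i any -nn`, which prefixes each packet with interface and direction, and every interface name, address and hostname in the sample is constructed.

```python
import re

# One packet line from `tcpdump -i any -nn`: timestamp, interface, direction, then the IP summary.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP6?\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s*(?P<rest>.*)$"
)
QUERY_RE = re.compile(r"\b(?:A|AAAA)\?\s+(\S+)")  # DNS question as tcpdump prints it

# Constructed sample capture (documentation address ranges, hypothetical hostnames).
SAMPLE = """\
12:00:01.000001 wlan0 Out IP 192.168.1.23.51820 > 203.0.113.10.51820: UDP, length 148
12:00:01.100000 tun0  Out IP 10.8.0.2.40000 > 10.8.0.1.53: 4660+ A? example.org. (29)
12:00:02.000000 wlan0 Out IP 192.168.1.23.38211 > 192.168.1.1.53: 22136+ A? connectivity-check.example. (44)
12:00:02.050000 wlan0 In  IP 192.168.1.1.53 > 192.168.1.23.38211: 22136 1/0/0 A 198.51.100.7 (60)
12:00:02.100000 wlan0 Out IP 192.168.1.23.45678 > 198.51.100.7.80: Flags [S], seq 1, win 65535, length 0
12:00:03.000000 lo    In  IP 127.0.0.1.5000 > 127.0.0.1.5001: UDP, length 10
""".splitlines()


def split_endpoint(endpoint, rest):
    """Split tcpdump's 'host.port' form; ICMP lines carry no port."""
    if rest.startswith("ICMP"):
        return endpoint, None
    host, _, port = endpoint.rpartition(".")
    return host, int(port)


def find_leaks(lines, vpn_iface="tun0", vpn_endpoint=("203.0.113.10", 51820)):
    """Return outbound packets that bypass the tunnel.

    A packet is a leak if it leaves on an interface other than the VPN
    interface or loopback and is not the encrypted tunnel traffic itself
    (the flow to the VPN server endpoint).
    """
    leaks = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["dir"] != "Out":
            continue
        if m["iface"] in (vpn_iface, "lo"):
            continue
        host, port = split_endpoint(m["dst"], m["rest"])
        if (host, port) == vpn_endpoint:
            continue  # the tunnel's own carrier packets are expected here
        q = QUERY_RE.search(m["rest"])
        leaks.append((m["iface"], host, port, q.group(1).rstrip(".") if q else None))
    return leaks


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE):
        print(leak)
```

A cleartext DNS question on the physical interface exposes the queried name to the local network even when the connection that follows is encrypted, which is the metadata concern the comment raises.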