GrapheneOS (like any other AOSP fork) is technically a Linux based OS. They run a modified version of the Linux Kernel. What matters is the changes they have made to the kernel, as well as enforcing AVB, SELinux, etc. etc.
“Linux” phones that run modified desktop Linux distros are hugely insecure devices that lack many basic security and hardening features.
It’s not a matter of being paranoid and the GrapheneOS project members are not paranoid. It is simply a matter of Murena/eOS/Gael Duval making claims about their products that are misleading, false, and harmful to users.
CalyxOS is not hardened in any way and is in some ways less secure than stock AOSP. They are also on a hiatus and have discontinued updates: https://discuss.grapheneos.org/d/24791-departure-of-calyx-calyxos-leadership-and-discontinuation-of-calyxos-updates
There is no “hole”. It has nothing to do specifically with being from Google, only that no one else but Google is manufacturing devices that meet the hardware requirements and have full support for alternate OSes.
It is an isolated component without networking. This is not evidence that unknown data collection is occurring. You need to provide actual evidence that it is.
He lied about stopping use of GrapheneOS. He can be seen in videos long after still using GrapheneOS on his Pixel. Also, the reasons he stated for not using/trusting it were nonsense. There was not, and is not, a technical way to target a user with malicious OTA updates.
He was also one of 3 owners of a for-profit telecom that included Nick Merrill (Founder of Calyx). https://sec.gov/Archives/edgar/data/2009536/000200953624000001/xslFormDX01/primary_doc.xml is the SEC filing for shares issued in February 2024 .
This is definitely not true. GrapheneOS is focused on privacy, security, and usability. It has many features that are solely for increasing privacy and control and implemented in very robust ways. For a couple of examples, see the Contacts and Storage Scopes features.
This is a common misconception people have as a result of misinformation being spread.
They have officially stated that they can support the 10 now, but it will have to wait until after the port to QPR1. https://xcancel.com/GrapheneOS/status/1960792610114511190#m
That device didn’t meet the requirements for GrapheneOS even when it was supported by the OEM. As of now, it is an EOL device and is highly insecure. https://grapheneos.org/faq#future-devices
LineageOS also significantly regresses security compared to barebones AOSP.
The blog post is false. You can verify it by looking at the repos. This person was being childish in their attempts to get GrapheneOS and other projects to accept the feature request. They were told “No”. Now whether they or anyone else feels the reason behind that decision is valid or not is separate from the fact that this person then went out of their way to make noise and trouble for the project (by opening the repo, pinging the developers, etc.). We’ll call it “entitlement”. When they were blocked, instead of moving on and accepting that the feature wouldn’t be implemented, they wrote up this blog post and spread it around the internet so that it would stir up drama, and direct more attacks towards the project. I’d call that a vendetta.
Other companies and projects have a tendency to take criticisms coming from the project as directed attacks. I take less issue with the project making objective criticisms. To respond to that criticism by pointing a finger back calling the founder “delusional”, “insane”, etc., doesn’t seem appropriate. Even if it were true (which no one has evidence to claim), it would still be completely unacceptable to talk about someone like that. Your comments about them or the community “needing therapy” perpetuates that sentiment.
Intensity is one thing. That is arguably true and the OS may not be the leading AOSP fork in terms of security and privacy (see: Capabilities against forensic extraction) if it weren’t the case. It is the projects unwillingness to compromise in this area that makes it stand out in that regard.
Other projects and companies make claims about and market their projects/devices/services. Not that I’m arguing that GrapheneOS should be the only ones able to comment on or evaluate those claims, but they are certainly some of the most qualified to. We shouldn’t give them a pass because they claim to protect us against “big tech”. Those things should be critically evaluated because it matters so much.
GrapheneOS evaluates other’s primarily based on their technical merits and against their claims they make. How many of those who oppose do the same? Or do they just call them divisive, crazy, and incendiary?
Thank you for the civil discussion. I hope it can continue.
I am going to use the excellent response from tranquil_cassowary here:
Your blogpost is highly inaccurate and a heavy misportrayal of the events that occurred. The title is completely wrong already. You did not get banned from GrapheneOS. GrapheneOS is a free and open source operating system, you can’t be banned from using it and the developers would also not wish to do so. You were instead banned from the OS issue tracker on GitHub because of spam and inappropriate behavior. You were also blocked by multiple GrapheneOS developers on GitHub, not solely Daniel Micay, for continuing to mention them and sending notifications their way even via other repositories than the official GrapheneOS issue tracker. Also, you are not a contributor at all. You have never contributed to GrapheneOS, not a single line of code. Unless you will call issue tracker spam a contribution, but that’s a very big stretch.
Now, as to what actually happened. You wanted GrapheneOS to implement a certain feature, they did not deem it desirable. Instead of accepting this, you kept spamming the issue tracker. The issue got deleted because it caused too much spam from other accounts as well who kept saying they also wanted the feature instead of following the rules of the issue tracker that you should upvote a post if you agree. After getting banned, you forked the issue tracker and started pinging a bunch of GrapheneOS developers. This behavior is insanely inappropriate in the FOSS world. GrapheneOS is free, yet you act insanely entitled, as if the GrapheneOS developers owe you anything. They also clearly explained to you on multiple occasions why the feature you proposed is undesirable.
If you disagree, the solution in open source is to fork GrapheneOS and make your own changes to the source code instead of endlessly complaining to the developers of the original project, who can’t be forced to follow your opinion. They had every right to ban you because you kept making a scene out of something minor like a non-accepted feature request. Many feature requests get rejected, yet you make this whole drama about it and continue to do so.
On top of all that, you link misinformation and harassment about the GrapheneOS project in your blog post. The videos you link from content creator contain bullying and fabrications about the project and the founder. They are also entirely unrelated to how they dealt with your issue on the issue tracker.
Hi, I’m a community member which can easily be verified, not Micay. Feel free to visit the chatrooms and look for my name.
This blog post is verifiably false. All it takes is looking at the actual GitHub repos to see it. This person wasn’t “banned from GrapheneOS”. They were blocked on the repo because they were repeatedly pinging the developers and acting in an immature way because they didn’t get the feature request fulfilled.
It was posted across as many socials as they could to stir up drama and harassment towards the project. It’s completely transparent.
Here is the information about Spender and GRsecurity copied from my other post:
It was after GRsecurity became private that they had an issue with people making upstream security contributions, particularly upstreaming anything from the GRsecurity patches. They had disagreements about that, and then moved past it and are on good terms now.
It’s absolutely ridiculous to claim that Micay has anything to do with them making things private.
https://grsecurity.net/announce
https://news.ycombinator.com/item?id=10126319
It was Wind River, owned by Intel, which was the main offender for upstreaming the patches. Micay was the one who introduced GRsecurity in Arch Linux and did all the integration it had for PaX exceptions and the start of RBAC support (systemd was an issue at the time). It was afterwards once it became private that it was awkward because they didn’t want people upstreaming or maintaining ports of their work but at the time Micay was maintaining GRsecurity in Arch Linux and GrapheneOS (then called CopperheadOS) was using the PaX subset for kernel hardening, so there were existing uses of it to try to keep going in some way.
So, you’re not taking issue with the obviously fabricated things in this blog post, which this person shared across over a dozen Lemmy communities, Reddit, LinkedIn, Mastadon, etc., but you are taking offense that community members might come to where this is being posted to address/correct/refute it?
You seem to feel comfortable lobbing statements that GrapheneOS community members or even just people that might disagree with lies and targeted drama being posted aren’t well adjusted, but not the person who posted the lies across the fediverse?
This all seems backwards.
This is a blatant and complete fabrication that you are spreading. The project is on good terms with Spender and you have no evidence to support what you are claiming.
It was after GRsecurity became private that they had an issue with people making upstream security contributions, particularly upstreaming anything from the GRsecurity patches. They had disagreements about that, and then moved past it and are on good terms now.
It’s absolutely ridiculous to claim that Micay has anything to do with them making things private.
https://grsecurity.net/announce https://news.ycombinator.com/item?id=10126319
It was Wind River, owned by Intel, which was the main offender for upstreaming the patches. Micay was the one who introduced GRsecurity in Arch Linux and did all the integration it had for PaX exceptions and the start of RBAC support (systemd was an issue at the time). It was afterwards once it became private that it was awkward because they didn’t want people upstreaming or maintaining ports of their work but at the time Micay was maintaining GRsecurity in Arch Linux and GrapheneOS (then called CopperheadOS) was using the PaX subset for kernel hardening, so there were existing uses of it to try to keep going in some way.
This is a huge mischaracterization of what the project account does across socials. They are on the receiving end of misinformation like that being spread in this blog post, designed to stir up drama and provoke harassment towards the project. Anyone who has looked at the actual evidence (not the blog post), has found the claims in the blog post to be baseless.
People ask genuine questions about the differences between Android forks and the project account is available to provide factual information on those differences…and you’re mad about it?
That information you posted about Spender and GRsecurity is false. That isn’t why the patches were removed. The project is in good standing and contact with Spender.
Also, your comment about crashing and burning the Copperhead project is blatantly false as well. The other business partner attempted a hostile takeover that was rebuffed.
This blog post that they have posted across the fediverse, and multiple other platforms is a near complete fabrication of the timeline and what actually occurred. Anyone who has gone to GitHub to look at it has found that maltfield’s claims are baseless and they are acting inappropriate childish and unacceptable manner.
You are just saying things without a shred of proof and no one is asking for any. So here I am: Please provide proof of all of these claims.
Open source or source availability is not a requirement for auditing a system. There would be evidence that would have almost certainly been found by now if this was the case. It is up to you, or the claimant, to prove their claims. I can say that there has not been any evidence of data collection by hardware components found, despite years of Pixel devices being tested by security researchers and mobile forensics companies. Not only that, the actual technical capabilities of the hardware (isolated component without networking capabilities) backs that up.
What do you have except fearmongering?