I've actually installed CalyxOS on an older Pixel 2, and it seemed to work fine for the things I need to do with my phone. I haven't made the leap to use it as my primary device for one reason: Supply-chain integrity.
I don't know whether the maintainers have the bandwidth, tooling, processes and procedures, and vetting to ensure that an image doesn't get backdoored. Given the Venn diagram of "people who want to keep stuff private" and "people who will go through the trouble of installing and using CalyxOS" probably has significant overlap, I would assume some well-funded adversaries, including state actors, are motivated to sabotage it.
At least with the standard Google Pixel images, I have some degree of assurance from Google's robust source management and security infrastructure. The bar for backdooring an official Google product is much higher than the bar for backdooring a hobbyist project.
Although I agree with your post to a certain degree, CalyxOS is not a hobbyist project. The Calyx Institute has a working business plan and has five full-time developers. Have a look at their Annual Report:
https://calyxinstitute.org/about/financials-and-annual-repor...
Yes, and IIRC it's a reasonably priced MVNO setup with (mostly?) unlimited data. A friend of mine uses her Pixel 4 with CalyxOS on Google Fi but keeps a Calyx hotspot thingo around for traveling, and it's been solid throughout North America at least.
> At least with the standard Google Pixel images, I have some degree of assurance from Google's robust source management and security infrastructure. The bar for backdooring an official Google product is much higher than the bar for backdooring a hobbyist project.
Google hasn't posted a new image or OTA for the Pixel 6 (Pro) since November. Last I read, it was held up by some breakage of the Google Assistant.
I don't know how much patching gets done via Google Play, but this seems really disappointing. No RCEs, but loads of EoPs, which now means the phone is only as secure as the weakest app supply chain?
It doesn't matter which OS you use; you will not be immune to nation-state actors. In fact, you will be more exposed to them using Google, considering their history of providing data and access to governments.
With de-googled OSes that provide proper network controls, you can at least cut out commercial spying.
Does having the ability to compile and build it yourself allay any of those concerns?
It means you no longer need to trust the infrastructure or machines being used to create the images, just the developer, through their source code, which, yes, while it's a daunting task to review, is "just" a fork of AOSP.
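The check this reply implies is comparing what you built yourself against what the project publishes, so that a mismatch can be traced to a specific file rather than just "the hashes differ". The following is an added example, not CalyxOS or AOSP project code: it hashes every entry of two Android-style image zips (a local build and a published one) and reports which entries agree, which differ, and which exist on only one side. It assumes the images are ordinary zip files and that entries under `META-INF/` hold release-signing metadata that a local build cannot be expected to reproduce, so those are skipped by default; the sample zips are constructed inline.

```python
"""Entry-by-entry comparison of a self-built image zip against a published one.
Added example for this thread; not CalyxOS project code."""
import hashlib
import io
import zipfile

# Assumption: signature metadata lives under META-INF/ and will legitimately
# differ between a local build and a release signed with the project's key.
SIGNATURE_PREFIXES = ("META-INF/",)


def entry_digests(zip_bytes: bytes, skip_prefixes=SIGNATURE_PREFIXES) -> dict:
    """Return {entry_name: sha256 hex} for every file entry not under skip_prefixes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith(skip_prefixes):
                continue
            h = hashlib.sha256()
            with zf.open(info) as f:
                # Stream in 1 MiB chunks so multi-gigabyte images don't load into RAM.
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            digests[info.filename] = h.hexdigest()
    return digests


def compare_builds(local_zip: bytes, published_zip: bytes) -> dict:
    """Classify each entry as identical, differing, only in local, or only in published."""
    local = entry_digests(local_zip)
    published = entry_digests(published_zip)
    result = {"identical": [], "differ": [], "only_local": [], "only_published": []}
    for name in sorted(set(local) | set(published)):
        if name not in published:
            result["only_local"].append(name)
        elif name not in local:
            result["only_published"].append(name)
        elif local[name] == published[name]:
            result["identical"].append(name)
        else:
            result["differ"].append(name)
    return result


def build_zip(entries: dict) -> bytes:
    """Construct an in-memory zip from {name: bytes}; used only for the sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample input: the two builds agree on system.img, disagree on
# vendor.img, and only the release carries a signing certificate.
LOCAL = build_zip({
    "system.img": b"system image bytes" * 100,
    "vendor.img": b"vendor image bytes",
})
PUBLISHED = build_zip({
    "system.img": b"system image bytes" * 100,
    "vendor.img": b"vendor image bytes with an extra blob",
    "META-INF/com/android/otacert": b"release cert",
})

if __name__ == "__main__":
    for kind, names in compare_builds(LOCAL, PUBLISHED).items():
        print(f"{kind}: {names}")
```

On real images you would read the two zips from disk and feed the bytes (or a file path via `zipfile.ZipFile`) into `entry_digests`; a non-empty `differ` list points at exactly which partition or file to investigate, and passing `skip_prefixes=()` includes the signature entries when you want to see them too.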
I've been building a modified LineageOS for a while, and these posts always have me circle back around and question if I should just go back to stock, Graphene or Calyx.