Do there exist any good comparisons between Calyx and Graphene? From an outsider's point of view, they both seem broadly similar, in that they're privacy and security focused de-Googled OSes that run on unlocked Android devices, but they're different. Somehow.
I've spent some time in the corresponding IRC channels and... asking about the other OS and how things compare seems rather frowned on in both of them.
The biggest difference I've found is which apps you can use from the Google Play Store. Calyx supports microG, which allows you to access the Play store via front-ends like Aurora. It also works with F-Droid, as mentioned below.
I also notice things like push notifications work just fine with Calyx, and not on Graphene, which I think is due to microG and/or Firebase.
I think there is some additional hardening that Graphene does as well.
If your goal is the most possible privacy and security, I'd go with Graphene. For a much-improved privacy, mostly non-Google experience, where you can still use Maps or your bank's app, I'd go with Calyx.
With Graphene you can install sandboxed Play Services, which allow you to run Google Play Services without any system/root privileges, in the same application sandbox as normal applications.
This is definitely superior to the microG approach, which means enabling signature spoofing for applications.
Why should I be concerned with the specific type of signature spoofing used by microG? AIUI it only enables signature spoofing for their specific keys, not applications/publishers generally.
What if I do not want to run Google Play Services at all (or any proprietary code from Google)? Can Graphene sandbox microG instead?
> What if I do not want to run Google Play Services at all (or any proprietary code from Google)? Can Graphene sandbox microG instead?
It might be able to, but AFAIK microG works by pretending to actually be Google services, so it's possible it depends on the system privileges that Google services usually have?
Calyx's governance vs Graphene is incomparable. Calyx is run by a nonprofit with open books and a helpful, albeit small, community. Graphene is run by a replyguy that speaks harshly about other Android projects. Graphene's technology is interesting as I've been following it since it was the original CopperheadOS. For most users without high threat models Calyx would suffice.
Graphene also has many developers, so you are just spreading FUD. And is it really harsh speech when there are plenty of entities (CopperheadOS) selling other people's work rebranded? Especially to a target group which seems to be way more gullible than it is supposed to be, running away from Google into the hands of scammers.
Which isn't quite unfounded since the CopperheadOS guy literally booted him out of their first company and has since then AFAIK simply copied from GrapheneOS while running sleazy marketing. May be wrong on the copying part - please correct me if so, but that was my impression a while back.
He may be slightly more paranoid than what is healthy (which may be inherent in the security domain he is an expert in), but I would not call him crazy.
Also, it is not as black and white; CopperheadOS did try to backstab him by selling his own work. Also, a secure OS is very much the same as crypto — you don’t roll your own. And while the enthusiasm is welcome in this space, it is simply a ridiculously hard domain which should not be done by novices.
I used to be a hobbyist dev of a ROM back from Android L-O, and left to start a professional software engineering career. I recently re-joined the hobby with the release of Android 12, and Calyx OS was new to me, so I ended up taking a look at their code repos.
TL;DR: If you want a privacy-focused no-compromises fork of Lineage OS, and the default hardening Google performs on their platform is enough for your personal threshold of safety (this is where most custom ROMs settle), Calyx is probably a good choice. If you're concerned about novel security vulnerabilities (read: more paranoid/vulnerable than most) affecting your device, choose Graphene.
Privacy-wise, Calyx is basically Lineage with most of its headline features being provided via LOS or third-party apps available on F-Droid. It does a good job at de-Googling your experience and has good privacy-focused default settings and apps. I like the custom location provider. Their egress firewall feature is a nifty improvement on top of LOS's original implementation of a similar feature.
Security- and hardening-wise, it's not much better than Lineage, which isn't much better than AOSP. Zero to little runtime or kernel hardening to be found. Graphene, on the other hand, puts the effort into hardening as many aspects of Android and the kernel as possible. Graphene has a custom hardened `malloc` for helping prevent memory safety exploits, a hardened libc, toolchain, and app runtime, among all sorts of other difficult but valuable security changes. Functionality-wise: almost anything Calyx can do, Graphene can do with some F-Droid apps to help.
This might seem a bit harsh, but the reality is that Graphene has a large number of deep security changes upon AOSP that Calyx isn't yet up to par with. As we've all seen, security in 2021 is difficult, and it takes decades or a lot of specialized experience to be a security expert. It's difficult enough for large companies to hire and retain security talent, and for hobbyist projects/small organizations even more so.
Does everyone need a hardened runtime? Probably not. Are there people who do and/or want one? Definitely.
Edit: one concern of mine about Calyx is their bundled VPN serviced by Sprint (as per https://calyxinstitute.org/legal/terms-of-service). Third-party VPNs are always to be taken with a grain of salt for privacy depending on your activities online and the VPN's owners themselves. I suppose it's better to have a VPN than not, but you must also trust that party and their security with your highly valuable network traffic, which should be a very high bar. Obviously, nothing limits you from loading up OpenVPN, IPsec, WireGuard, etc. and going your own route.
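The comment above mentions GrapheneOS's hardened `malloc` as a defence against memory-safety exploits. As an added illustration, not code from the thread, from GrapheneOS or from hardened_malloc itself, here is a deliberately simplified toy allocator wrapper in C that shows one of the ideas such allocators use: a canary placed directly after each user region, checked on free so that a heap buffer overrun is detected rather than silently corrupting neighbouring memory. The function names (`guarded_malloc`, `guarded_free`, `guarded_check`, the `demo_*` functions) and the fixed canary constant are assumptions of this example; a real hardened allocator uses a random per-process canary and many additional mitigations (slab isolation, guard pages, randomised allocation order) that this toy does not model.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy canary allocator (hypothetical example, not hardened_malloc's design). */
#define CANARY_BYTES 8

/* Constructed constant for the example; a real allocator would pick a
 * random value at process start so an attacker cannot predict it. */
static const uint64_t canary_value = 0x5a5aa5a5deadbeefULL;

/* Allocate n bytes for the caller and append a canary right after them. */
void *guarded_malloc(size_t n) {
    unsigned char *p = malloc(n + CANARY_BYTES);
    if (p == NULL) return NULL;
    memcpy(p + n, &canary_value, CANARY_BYTES);
    return p;
}

/* Returns 1 if the canary after the n-byte user region is intact,
 * 0 if it has been overwritten (i.e. an overflow past the region occurred). */
int guarded_check(const void *ptr, size_t n) {
    const unsigned char *p = ptr;
    return memcmp(p + n, &canary_value, CANARY_BYTES) == 0;
}

/* Free the block and report whether the canary survived (1) or not (0).
 * A hardened allocator would abort the process here instead of returning. */
int guarded_free(void *ptr, size_t n) {
    int intact = guarded_check(ptr, n);
    free(ptr);
    return intact;
}

/* Demo 1: a constructed off-by-a-few bug writes 3 bytes past the user region.
 * The write stays inside the underlying malloc'd block (the canary bytes),
 * so the demo itself is well-defined; the canary check must flag it.
 * Returns 1 when the overflow was detected, 0 otherwise, -1 on OOM. */
int demo_detects_overflow(void) {
    size_t n = 16;
    char *buf = guarded_malloc(n);
    if (buf == NULL) return -1;
    memset(buf, 'A', n + 3);            /* constructed bug: overruns by 3 bytes */
    return guarded_free(buf, n) == 0;   /* canary damaged -> detected */
}

/* Demo 2: a correct program that stays within bounds must not be flagged.
 * Returns 1 when the free was accepted as clean. */
int demo_clean_free(void) {
    size_t n = 16;
    char *buf = guarded_malloc(n);
    if (buf == NULL) return -1;
    memset(buf, 'B', n);                /* exactly n bytes: in bounds */
    return guarded_free(buf, n) == 1;
}

int main(void) {
    /* Exit status 0 only if the overflow is caught and the clean free passes. */
    return (demo_detects_overflow() == 1 && demo_clean_free() == 1) ? 0 : 1;
}
```

The point of the toy is the asymmetry the comment alludes to: without the canary, the three-byte overrun in `demo_detects_overflow` would corrupt whatever the allocator placed next and the program would carry on; with it, the corruption is caught at the first free, which is the property a hardened allocator turns into an immediate abort.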
Some of them are separate projects (e.g. hardened malloc); also, many of the implemented features later got merged by upstream AOSP itself. I think some independent audit also happened, but not sure about the details.
Nonetheless, the project has an absolutely stellar track record, where the main guy behind it even revoked the signing keys of the OS upon a failed for-profit company overtake attempt. The project doesn’t accept any for-profit company offers since then and is independent and open-source.
For the readers: the aforementioned "takeover attempt" has never been substantiated or validated. Using the past (and rather trite) CopperheadOS dispute to justify present misgivings is disingenuous.