One thing that bugs me to no end with Android (don't know about iOS or various tweak android builds), is that it is sooooo hard to restrict basic things. I don't want random apps to start on bootup as an almost-invisible-service, instead I don't want anything to do with that app until I explicitly start it and use it.
Revoking permissions should be supereasy - like remove any and all network ability (eg camera or flashlight apps), start on bootup (don't need a service running for app X until I start it), clipboard snooping (ok to read clipboard if I tell the app to, but otherwise it's just creepy and a risk).
It's not the most fluid UX ( but then again it's not something you need every day so it makes sense to have it a few levels deep), but in Android, since many versions ago, you can go to Settings - Apps - app - Allow/Disallow auto-launch, background running, etc. From the same place you can also revoke permissions, and some Android skins have views with all apps that have access to X and Y.
Hm, I can't find that. It's slightly different, eg Settings -> Apps and notifications, then either go into individual apps or "App Permissions".
The former allows me to force stop apps, which indicates to me that they are running in the background (phone is power cycled every night so they shouldn't be). Nowhere to be seen is any auto-launch or background running.
In App permissions, I get a list of permissions (eg Microphone, or Location) and clicking on any of those gets me a list of apps that include that permission, and I can revoke permissions there. Same there, no auto-launch/background.
I can go to Battery -> Battery optimisation -> app -> and pick eg "optimise" that restricts background usage, but I guess doesn't disable it.
I'm on a Oneplus 7 pro phone, which has android 11, OxygenOS 11.0.6.1...
I would love to see all permission clearly outlined in a central location.
Could even be part of the Firewall application in CalyxOS for all I care (have run this on a Pixel 4a for a year now and very impressed with the update cycle and stability offered).
I just wanted to take a sec and say I've been using Calyx for eight or nine months now- sure, there was some pain that came in the first month from adjusting to a new phone OS (there always will be when being a Samsung lifer trying something new to me), but overall I've been very pleased with it. Thanks for all the work you and the team have put into it :).
You're claiming no mods were around when Nicolas Merrill was right there in the middle of the conversation? It's blatantly not true. Screenshot is here for everyone to see:
You shouldn't lie about things that are so easily disproven. The main thing you disallow in your rooms are people defending GrapheneOS against your misinformation and libel. Those are the people who get quickly banned. You're frequently the ones engaging and spearheading this. You only ban people when it's not going your way and then you clean things up after the fact just as you're doing here. The fact remains that you have NOT banned the people openly involved in highly abusive behavior, and you're directly part of it yourselves too.
Nick is frequently one of the people directly involved in bullying and libel targeting me along with pushing blatant misinformation about GrapheneOS. The incredibly toxic behavior directed towards us comes from the top. Nick, you and Techlore have orchestrated this. You're directly responsible for the highly abusive behavior directed towards me and you're going to be held accountable for it whether you like it or not. You act as if you're trying to stop it but you're more focused on removing the messages of people countering vicious attacks on us than you are on stopping the abuse you've regularly engaged it and encouraged. It did not become what it is now without the direct support of the Calyx organization and CalyxOS. Everyone tied to the organization is tainted by it and it will follow them.
I have plenty more screenshots to post on Twitter if you folks would like showing extremely abusive behavior from Nick. I can show both you and him supporting the abusive behavior and raids towards us. Most of these attacks come directly from the top and are heavily based on the libel and misinformation from you, Nick and Henry. The legacy of your project will be your abusive behavior. It's how you're going to be remembered. It's not as if you're doing anything beyond marketing and misleading users beyond that.
Eventually you folks are going to pay the cost of your nasty character assassination campaign and misinformation war both to promote your project and to harm GrapheneOS. You don't even do remotely the same kind of work. From the start, all you've done is try to take advantage of an unfortunate takeover attempt on our project. The attempt at undermining us was happening even in your early days when we were helping you and telling people about your project.
This is never going to go away and your continued escalation over the past year and especially the past few months is not going to go unanswered. You think you can get away with it because all we've done is talk about what's happening. It's not going to remain that way. Any project, conference or organization where you're involved and who you work with inherits all of this baggage going forward until you make any real attempt at reversing this and repairing the harm that has been caused. It will follow you around for the rest of your life. You will always be the people who engaged in extremely abusive behavior towards someone which a dozen people in your room who you have not banned have openly said is aimed at trying to drive me to kill myself. You were openly against even banning Kiwi Farms. There is nothing more that needs to be said.
Geez, it's one message, there was more after it, when no mods were around. I can't speak on behalf of Nick of course.
I woke up, saw it, and banned those people. We don't allow people to do this for any project, ever. What else can even be done, there's thousands of people on the channel, and moderation is hard and time consuming.
People on the internet say things, you can't keep attributing it to us always.
Somebody joins our channel, your channel, posts on twitter, etc - how are we responsible for what they say anywhere else, we don't control their speech.
Learn how the internet works - this has been the crux of the problem all along, you attributing things to us, and then using that as justification of your behaviour doing exactly what you're accusing us of doing. All those threats :(
Nick and you are both openly involved in bullying and libel targeting me along with spreading misinformation about your product and our project to benefit yourselves. This has been a consistent behavior from both of you for a long time.
You frequently make false accusations against us, and that is a major part of your contribution to the libel and harassment targeting us. You fabricate stories and pretend as if you're victims of some indescribable toxicity. Debunking your claims and telling people about your abuse is not itself abuse or toxic.
Moderators across a bunch of different communities are increasingly noticing that every post about GrapheneOS is brigaded by people spreading the inaccurate talking points you have largely come up with yourselves.
You've invested heavily in character assassination and libel against me including contributing to extreme harassment and bullying perpetrated by core members of your community that you openly talk to on a daily basis. You're doing it right here, falsely claiming you folks haven't been extensively involved in it and denying what people can plainly see from the logs.
> Geez, it's one message, there was more after it, when no mods were around. I can't speak on behalf of Nick of course.
It's not one message. I don't know why you continue lying about this. It was hours of discussion where Nick was frequently involved, and where he openly encouraged and talked to people who were at the same time harassing us and raiding our rooms.
You only care about getting your community members to bring their high level of abusive behavior and toxicity to our rooms and platforms like this instead of yours. You're more than happy to allow dozens of people involved in actively harassing us, waging a misinformation war and spamming our rooms to be members of your community. You're more than happy to regularly chat with folks who have repeatedly told me to kill myself and engaged in severe harassment and libel. We have archives of evidence to prove it, and we're actively contacting other organizations and conferences to share that evidence. Persistent abusers like yourself and Nick do not belong in this industry. Again, this is the path you chose working with the people you did in such an unscrupulous way where you built your project on misinformation, libel and harassment.
We are not attributing the actions of other people to you. These are your actions. This is the path you chose and continued to double down on. You've built a highly toxic community engaged in these attacks across platforms. You've built your community with partnerships with highly abusive people like Techlore. You're involved in these attacks yourself, and part of that is pretending that you aren't and that we are somehow the aggressors for being targeted by you in this way and talking to our community about this.
Now, i really like Graphene OS. I consider my Pixel 3a with Graphene OS one of my, if not my most secure device. And the work they do is great. But man, Daniel Mackay would be well advised to reorganize how he interacts with his community and perhaps take some mental health help, i don't think he's been in good place mentally for quite some time :(
> To be fair, the lead dev of graphene os has been crying wolf about stuff like this for ages.
We aren't crying wolf. The abusive behavior has been ongoing since 2018. It wasn't happening in any significant way from 2014 through 2018. It started with the events which led to the creation of CalyxOS in 2018. You're linking to a highly dishonest and abusive video where one of the most prominent abusers tied to CalyxOS spends an hour lying through their teeth and engaging in these highly abusive personal attacks. It's a character assassination campaign which you're participating in yourself
> Now, i really like Graphene OS. I consider my Pixel 3a with Graphene OS one of my, if not my most secure device. And the work they do is great. But man, Daniel Mackay would be well advised to reorganize how he interacts with his community and perhaps take some mental health help, i don't think he's been in good place mentally for quite some time :(
You're participating in a highly abusive harassment and bullying campaign targeting me. You're spreading fabricated claims and libel about me and are participating in the attempt by Nicolas Merrill (Calyx leader), Techlore and cdesai (CalyxOS lead developer) to portray the abusive behavior which you are yourself demonstration as the delusions of someone mentally ill and crazy.
> I consider my Pixel 3a with Graphene OS one of my, if not my most secure device
A common tactic from the CalyxOS and Techlore folks engaging in this abusive behavior is to pretend to use GrapheneOS and to do exactly what you're doing. Whether or not you use GrapheneOS does not justify this abusive behavior.
> You're participating in a highly abusive harassment and bullying campaign targeting me. You're spreading fabricated claims and libel about me and are participating in the attempt by Nicolas Merrill (Calyx leader), Techlore and cdesai (CalyxOS lead developer) to portray the abusive behavior which you are yourself demonstration as the delusions of someone mentally ill and crazy.
I'm participating in nothing, I barely care about this issue. But these kinds of comments and reactions are guaranteed to cause another storm of abusive behavior against you. I know you think you are 100% right and justified but they are just using your predictable responses to trigger you again and again for their amusement.
Enjoy the vicious cycle bro, if you want to escape it, change your reactions, if you don't want to escape it, become their eternal lol cow. I'll leave you with the words of Capatain Picard: "It is possible to commit no mistakes and still lose."
You're directly participating in the abusive behavior spreading a libellous video with a bunch of fabrications from a drama seeking sociopath on YouTube. You're even using Kiwi Farms language yourself. Try not being an asshole and targeting an open source developer with abuse because you think it's funny.
Sigh, and here is the problem. I literally do not know who or what "Kiwi Farms" is, if im using "their language" it's not on purpose.
Again, I'm not saying everyone else is the good guy and you are the bad guy, what i'm trying to say is that these kinds of responses and threads do not make this continuing issue either disappear or less likely in the future.
If your goal is to make Graphene OS more well known through continuing drama, you are successful and sure got me. Should your goal be to reduce further incidents like this, you will not be able to change other people, you can only change your responses to them.
This feels like a very DARVO type of comment. Trying to maintain vigilance against spammers and gore raids on their Matrix channel is grueling enough, then to have people say "you're doing it wrong" is just insult to injury.
What a laughable response. Daniels' Responses and Twitter Threads and the way he argues obviously invokes more and more flamewars, raids and stressful situations.
It's very obvious if you take a little time to look into it, especially the techlore video, that these continuing conflicts are not good for the well being of Daniel himself and the Graphene OS community as a whole.
I say this, with genuine respect for his work and with worry about his personal well being: The world isn't gonna change for him and if he want's to escape this situation and enjoy a better quality of life while doing what he obviously loves, he will need to find better ways to cope with these kinds of situations and interactions.
It doesn't matter if he is 100% right and he's the white knight fighting the evil matrix raiders and spammers. These Twitter Threads are not going to make these raids any less likely in the future. I worry he's going to end up like terry davis. brilliant programmer, eccentric in his own way and abused as a lol-cow for /g/ and that would be a shame, because graphene OS is pretty sweet.
A random joining a channel and exclaiming victory over a raid does not make Nick or CalyxOS guilty of anything. This looks more like subterfuge from the GrapheneOS side to place blame on Calyx.
CalyxOS is a victim of bullying here. I have seen both sides discuss and I have never seen Nick or cdesai tell the community to attack GrapheneOS.
Look at the new HN accounts and how strcat (Daniel Micay) responds in this thread. It is unprofessional at best, malevolent at worse.
Nick has repeatedly got involved in spreading libel and misinformation about GrapheneOS in the past few days and has encouraged the people raiding our rooms. At most he has asked them not to do this in their rooms, while making it clear that he does not disagree with the harassment and bullying.
There is no subterfuge going on here and CalyxOS community members repeatedly engaging in libel and bullying targeting us while trying to present themselves as the victims isn't going to work.
It's you folks being highly unprofessional and downright abusive. Moderators across multiple platforms have noticed the coordinated misinformation campaigns from CalyxOS and are beginning to crack down on it. It's not working out for you and you're destroying the reputation of your project and community in your continued attempts to harm us in any way possible.
There's a long video from Techlore which presents the CalyxOS side of the picture and places the blame with GrapheneOS leadership: https://www.youtube.com/watch?v=Dx7CZ-2Bajg .
It's a video pushing a whole bunch of clearly fabricated stories and libel about me. The leader of the Calyx Institute and multiple project members have also participated in this abusive behavior. They've tried to pretend as if their highly abusive behavior isn't real and is simply imagined. Techlore's video shows a series of doctored screenshots with him lying through his teeth about the history, context and content of the screenshots. He very openly gets pleasure out of directing his toxic community to harass me and teaching them to push these talking points about me being schizophrenic, crazy and delusional. You're spreading highly abusive and libellous content. The person claiming we're toxic is the one who is an abusive sociopath engaging in character assassination and running an abuse campaign against someone because they take great pleasure in abusing someone on the autism spectrum who gets extremely hurt by their behavior and this harassment campaign.
Nicolas Merrill and other Calyx Institute employees have extensive involvement in this. Nick has repeatedly tried to claim that I'm crazy and delusional. Today, Nick openly tolerated and showed his tacit support for ongoing raids on our rooms. Multiple people currently involved in massive raids on our room alternating between spamming extreme gore and libel were openly bragging about it in the Calyx room. He was there and perfectly happy to allow it. He has openly engaged with people repeatedly insulting me, harassing me and saying that I should kill myself. It's not the GrapheneOS community engaging in a misinformation / libel campaign across platforms and this highly toxic / abusive behavior.
I can link a whole bunch of other Twitter threads and archives about this but I currently need to deal with these ongoing raids on our room by CalyxOS.
It's a video pushing a whole bunch of clearly fabricated stories and libel about me. The leader of the Calyx Institute and multiple project members have also participated in this abusive behavior. They've tried to pretend as if their highly abusive behavior isn't real and is simply imagined. Techlore's video shows a series of doctored screenshots with him lying through his teeth about the history, context and content of the screenshots. He very openly gets pleasure out of directing his toxic community to harass me and teaching them to push these talking points about me being schizophrenic, crazy and delusional.
Nicolas Merrill and other Calyx Institute employees have extensive involvement in this. Nick has repeatedly tried to claim that I'm crazy and delusional. Today, Nick openly tolerated and showed his tacit support for ongoing raids on our rooms. Multiple people currently involved in massive raids on our room alternating between spamming extreme gore and libel were openly bragging about it in the Calyx room. He was there and perfectly happy to allow it. He has openly engaged with people repeatedly insulting me, harassing me and saying that I should kill myself. It's not the GrapheneOS community engaging in a misinformation / libel campaign across platforms and this highly toxic / abusive behavior.
I can link a whole bunch of other Twitter threads and archives about this but I currently need to deal with these ongoing raids on our room by CalyxOS.
After reading this thread I don't really want to get involved in either community. But I still hope the best for the software projects and wish the best for everybody that does actual development, I hope this situation can get better over time.
Maybe many people get this impression because he (rightfully! I want to be very clear here) defended his accomplishments against the attacks from his Copperhead OS business partner. Without context it's hard to understand
Nice development. Just yesterday I ordered a Pixel 6 to replace my ageing Ubuntu Phone — Google's Pixel smartphones are the only ones really well supported by privacy focussed Android forks like GrapheneOS and CalyxOS (I intend to install GrapheneOS on it). Currently, this seems like a decent middle ground between being able to run apps from one of the two app stores (Apple's and Google's) when needed without sacrificing too much control over your computing devices.
Having to buy the hardware from Google leaves a bit of bad aftertaste though. I really hope that in the future I can just get something like a Fairphone and be able to run a fully supported more user-aligned OS on it.
I have been a happy GOS user for years. Sadly, my Pixel 3a EOL is next month. I opted for an iPhone this time as they generally are supported for longer periods of time.
Maybe my next phone will be a phone designed for GOS :)
Interesting, but one issue with the monoculture of Android devices that impacts a non-insignificant amount of people is the fact 'top-tier' devices such as the Google Pixels that have reliable firmware support or security also have OLED displays with aggressive PWM flickering. That makes these devices a non-starter for many people with headache or some seizure disorders.
I really wish Google and other OEMs would do something about this at some point.
I got a 8T and they botched the android 12 Update . Overall it's a huge downgrade in usability . I dont want to downgrade and stay on an older version with no security updates .
So I'm taking a look at these roms and they are not as bad as the early days of roms
Good to have options. For me I won't be even testing this distribution when looking at their preference for signal, tor, their own VPN and duckduckgo.
Thanks but no thanks.
For those in Europe our preference tends to be with Telegram, ProtonVPN and Qwant. Please consider this configuration profile as default in future releases for those in the European continent. Thanks.
As someone from Europe I would much rather have it default to Signal than to Telegram. I prefer encryption over "jurisdiction-based protection" or whatever security shell game Telegram is playing to protect my plain text messages.
ProtonVPN (private, proprietary, trusted) can never be considered an alternative over Tor (open, FLOSS, untrusted).
While I'd prefer Matrix and/or XMPP over either: Telegram (single-device encryption for 1-to-1 chats only) is inherently less secure than Signal. Both require phone-number verification and thereby doxxing oneself to use.
If anything it would be Matrix and Mullvad. Telegram is not close to being secure and its Russian. Mullvad is more open and more trust worthy compared to ProtonVPN.
This question is weirdly worded so I want to be careful answering it. This is highly device dependent, and out of these devices I only have the 8T. Will it be the same as stock camera experience? Not unless the vendor blobs and camera frameworks are ported to these OS, which they almost never are. But camera drivers still used pulled from vendor image, just with an opensource camera app.
Status of the 8T's cameras: In the 8T's case 3 of the 4 back cameras are accessible in LineageOS (only 2mp monochrome is not), and only through Gcam or Opencamera, not the stock LineageOS app. The macro camera's access was only figured out in the past few weeks by the LOS maintainer. I use a modified version of GCam to access the other lenses. I believe Oneplus actually disabled the macro lens in their vendor rom, so this is a case where LineageOS and downstream roms from it like Calyx are adding back some functionality that was lost.
AOSP Camera can't use them but GrapheneOS ships with a Camera app that's able to use all the cameras and a lightweight variant of HDR+. Google Camera can also be used on GrapheneOS simply by installing GSF and Google Camera. Network permission can optionally be revoked for both, and neither has special privileges. It's different on CalyxOS where using Google Camera requires giving a high level of privileges to Google Camera itself and Google services (microG).
I'd pick Graphene over Calyx on privacy and security grounds, and Lineage over Calyx on device support or tweakability grounds.
Graphene is honestly ahead on the security and privacy front. MicroG requires very strong privileges and weakens the comprehensive privsep you'd otherwise have; GrapheneOS offers sandboxed play services with the standard SELinux policies for unprivileged Android software.
GrapheneOS also has hardened_malloc, which seems to have the best design for malloc hardening out of any alternatives I'm aware of.
On the userspace side, Graphene uses several of its own apps. One is Vanadium for its webview and browser; it's a hardened fork of Chromium. Check the patchset; it's got a bunch of security improvements and cross-pollenates with Bromite. The most interesting feature they've been working on is per-site JIT toggles.
The list goes on. Few other OSes come close.
Now, if you want to tinker with your phone at the expense of security, Lineage is actually a great option. It has a big community of tweakers and ricers who root their phones and come up with some cool experiments. It also supports a wider variety of devices, including devices abandoned by their manufacturers. Don't expect security updates, though.
For the binary blobs, but for the opensource components all supported builds are current on monthly android security patches. (well, in review for probably a few days on April: https://review.lineageos.org/q/topic:R_asb_2022-04 )
LineageOS maintainers also pull android servicing branch back to cm14.1 tree too if you wanted to try your hand at building on a previously supported device.
> I'd pick Graphene over Calyx on privacy and security grounds, and Lineage over Calyx on device support or tweakability grounds.
I'd pick Calyx over privacy grounds not Graphene. (I totally agree that Graphene beats anyone on security grounds by miles, and depending on your threat model, security could be related to your privacy)
> MicroG requires very strong privileges and weakens the comprehensive privsep you'd otherwise have
If we're speaking of FAKE_SIGNATURE.... No it doesn't? If implemented properly (I don't know how Calyx do it, but I know I do), only apps in firmware are allowed to use FAKE_SIGNATURE, and if you build your firmware with only microg that has FAKE_SIGNATURE, then only microg can fake signature. Also it can fake exactly one signature, which is Google's. It's probably possible to make that patch better, if some people gives us reasons it is a flaw.
Really, please tell me in which threat model does using microg hinders security, maybe we can find a fix. So far, I've never heard any.
> GrapheneOS offers sandboxed play services with the standard SELinux policies for unprivileged Android software.
With regards to privacy, I take unprotected opensource software over Google trackware no matter the sandboxes you put under it. Windows has a better sandboxing model than Linux, yet I feel much better doing random apt installs, than downloading random Windows apps.
How is Calyx more privacy respecting than GrapheneOS by default? Not sure about the defaults on Calyx, but AFAIK GrapheneOS has zero connections to Google. You choose to install sandboxed Play services only if you want to.
By default, Calyx is privacy-preserving, because it doesn't connect automatically to WiFi. You choose to connect to WiFi only if you want to.
Yes, I'm very exaggerating the comparison, but still. My point is that the comment I'm answering touts the sandboxed Google Play Services. You can't tout it *and* say it's privacy preserving, it's a XOR.
GrapheneOS doesn't automatically connect to Wi-Fi either unless you enable the option. It also has per-connection MAC randomization enabled by default so Wi-Fi is essentially anonymous when you use it anyway.
> you can't tout it *and say it's privacy preserving.
Why? Sandboxed Play Services has no special privileges on GrapheneOS and thus has the same level of access as any other app. How can it invade your privacy if you don't explicitly give it access to private information?
> By default, Calyx is privacy-preserving, because it doesn't connect automatically to WiFi. You choose to connect to WiFi only if you want to.
Going to simply interpret this as unhelpful sarcasm.
> My point is that the comment I'm answering touts the sandboxed Google Play Services.
Sandboxed Google Play isn't included in GrapheneOS. Users can choose to install apps which include Google's libraries and use the Google Play SDK. Regardless of whether people use sandboxed Google Play or microG, they're using the Google Play code inside each app using it. The whole point of sandboxed Google Play is that users can optionally choose to install Play services and the Play Store in the user/work profile(s) of their choice with it receiving ZERO additional access or privileges compared to the Google libraries / Play SDK within each app using it. GrapheneOS does not include Google Play and has no special sandbox for Google Play. It includes a compatibility layer for users to run it in the full, strictest API 32 app sandbox with all the standard GrapheneOS enhancements. It does not receive any special access or privileges. It can't do anything the Google libraries within apps can't already do themselves. The Sandboxed Google Play compatibility layer also includes the ability to redirect APIs like location services to the OS implementation. By default, location services are redirected to the OS implementation, so users don't need to give Location access to Play services. Of course, if users grant Location to apps using Google Play, they're trusting the app and all the included libraries, and any app using Google Play is using Google Play libraries.
You can see for yourself that the full featured Google Maps app completely works without Google Play, and that their Ads SDK and other libraries work without it. Their libraries can do everything that sandboxed Google Play can do on their own without it. That's the whole point. Google Play is not required to contact Google services. Apps can do that on their own, and Google's libraries within those apps are fully capable of doing it. They largely choose not to implement fallbacks for features, but in some cases they clearly do as you can see from Google Maps and the Ads SDK. Only apps using the Lite variant of the Ads SDK need Google Play services for it to work. And again, sandboxed Google Play is not included in GrapheneOS. CalyxOS includes microG as part of the OS and encourages using it through the setup wizard. That uses Google's proprietary services and code. The Play code in each app is not replaced. It has a bunch of serious privacy and security issues from not implementing all the expected security checks, in some cases because microG is ideologically against enforcing the security model for things like location services.
CalyxOS doesn't simply include microG with users encouraged to use it. They use Google services by default, with no way to turn them off. They significantly roll back the security model of the OS. They recently went almost 4 months without shipping the browser or Android security updates, including multiple vulnerabilities caught being exploited in the wild and announced as such in bulletins. How are users supposed to get privacy and security from an OS which lacks consistent security updates and has no problem rolling back or bypassing the standard OS privacy and security model? It isn't simply not a hardened OS. It's a dangerously insecure one.
> Going to simply interpret this as unhelpful sarcasm.
I think it is helpful to convey the emotion that goes through me when I read such a remark.
> It includes a compatibility layer for users to run it in the full, strictest API 32 app sandbox with all the standard GrapheneOS enhancements.
How does it handle Doze? In original Android, no app is allowed to keep a TCP connection open forever. And without that, FCM is useless. Also I believe that having Google Play Services running permanently has an impact (more on that later in this comment)
> You can see for yourself that the full featured Google Maps app completely works without Google Play, and that their Ads SDK and other libraries work without it.
That's an interesting point, thanks, I'll probably spend some time exploring those things. That Google garden does such things doesn't really surprise me.
> Only apps using the Lite variant of the Ads SDK need Google Play services for it to work.
From the description of Lite Ads SDK, it sounds like something that every app developer should want, yet it looks like Google is down-publicizing it a lot, so noone actually use it, nice workaround from Google, thanks for the info.
I see you're focusing your whole speech on Ads SDK. Does it mean only the ads SDK has this behavior?
My personal use of microg is for apps I trust (mostly opensource, or where I'm a paying customer), which work (much) better with cloud messaging. (I have to admit, I trust those apps enough to know they don't have ads, but not enough to trust they don't have ads sdk). So I do believe that for my usecase, microg gives me a much better privacy than Play Services, because most apps won't contain the infinite list of trackers Google Play Services include. But if you have proofs of otherwise, please do enlighten me, you're more knowledgable than me on SDKs.
FWIW, I have one metric (a rather stupid one, I agree) which is IMO showing that there is a huge difference: the data transferred and the battery usage. I have an order of magnitude difference in data transferred, and I get at least 3 times more battery life in suspend. Which IMO definitely highlights the fact that Google Play Services running permanently has its own privacy impacts, even when giving them minimal permissions.
> CalyxOS doesn't simply include microG with users encouraged to use it. They use Google services by default, with no way to turn them off.
"Google services" are 100MB+ proprietary code, sending god knows what to Google. CalyxOS doesn't have 100MB+ proprietary code, with microg you exactly know which data is sent. And actually if I'm not mistaken, microg doesn't do google registration or cloud messaging by default, so I don't think it does any Google connection by default? I'm not exactly sure there. I'm sure cloud messaging is disabled by default though, so no permanent connection
> They recently went almost 4 months without shipping the browser or Android security updates, including multiple vulnerabilities caught being exploited in the wild and announced as such in bulletins.
Just like the biggest (or maybe second or third, I don't really track that) corporation in the world on their flagship, while they are 50000 times smaller? But anyway, you're right: again, I said that on security grounds, I'd always pick GrapheneOS, and that the relation between privacy and security is pretty complicated, and I understand that some privacy threat models requires stronger security than trust.
----------------
Edit: Removed this part which is no longer relevant.
> They significantly roll back the security model of the OS.
I'm guessing you're speaking of microg implementation when you say "roll back the security model". I'm curious why you didn't answer to the comment where I ask to point out precisely how that roll backs the security model.
Play Services requires its battery optimization to be set to unrestricted for FCM to work reliably. Other apps keeping a persistent background connection (e.g. Signal w/out Play Services) require the same thing, so this is not specific to Play Services
> FWIW, I have one metric (a rather stupid one, I agree)
Why do you bring it up then? The amount or frequency of data transfer has zero indication of negative privacy impact. What private data could possibly be sent since Play Services doesn't have any privileged access on GrapheneOS?
> "Google services" are 100MB+ proprietary code, sending god knows what to Google
See my above comment.
> I'm guessing you're speaking of microg implementation when you say "roll back the security model".
He has already stated how microG allows signature spoofing which directly directly breaks the Android security model. But CalyxOS breaks the security model further: it also includes the F-Droid and Aurora privileged extensions which give the corresponding apps special privileges to install apps without user interaction. The proper way to do this (without breaking the security model) is to use the Android 12 API for unprivileged, unattended updates.
> Just like the biggest (or maybe second or third, I don't really track that) corporation in the world on their flagship, while they are 50000 times smaller?
It's not okay to stop shipping security updates for 4 months just because someone else is doing it. GrapheneOS shipped those updates with a team of only 5 developers. If CalyxOS cared at all about security and privacy, they would at a bare minimum meet the latest Android patch level and not break the Android security model.
> I'd pick Calyx over privacy grounds not Graphene. (I totally agree that Graphene beats anyone on security grounds by miles, and depending on your threat model, security could be related to your privacy)
CalyxOS is substantially less private than GrapheneOS, not just less secure. You seem to be claiming this entirely based on CalyxOS including microG rather than the sandboxed Google Play compatibility layer. Sandboxed Google Play is not part of GrapheneOS. It doesn't ship with it, and unlike on CalyxOS, there isn't a setup wizard page encouraging you to use Google services. CalyxOS uses Google services even without microG and you can't turn it off. Your claims really don't make sense. Sandboxed Google Play compatibility layer is an optional feature users can choose to use, and it uses exactly the same sandbox used for the apps themselves including the apps people want to use with it. Those apps include Google's libraries including the Play SDK. You're relying on exactly the same sandbox for the client-side part of Play services as Play services has containing it. That's actually not entirely the full story since Play services is API 32 and always has the best available sandbox, while many apps have a lower API level and get a somewhat weaken sandbox, like API < 28 not having a per-app instance of the untrusted_app domain.
GrapheneOS has a bunch of added privacy features, not simply security features. This page is a list of features added on top of AOSP 12.1: https://grapheneos.org/features. It does not list features implemented by GrapheneOS upstream that are present in AOSP 12.1 since those are no longer features differentiating it.
Privacy depends on security, and CalyxOS recently went 4 months without shipping the Chromium and Android security updates. How is that supposed to be private? They also covered up how bad it was and wouldn't admit to how much was missing. They've consistently done that. They've covered up security vulnerabilities in their code. They denied there were leaks in their "firewall" app toggles and are still pretending as if there aren't leaks even though those were explained to them in the past and they're well aware their approach doesn't work properly.
> If we're speaking of FAKE_SIGNATURE.... No it doesn't? If implemented properly (I don't know how Calyx do it, but I know I do), only apps in firmware are allowed to use FAKE_SIGNATURE, and if you build your firmware with only microg that has FAKE_SIGNATURE, then only microg can fake signature. Also it can fake exactly one signature, which is Google's. It's probably possible to make that patch better, if some people gives us reasons it is a flaw.
Except that microG is missing security checks and the full security model, and by doing this you're directly bypassing a security check.
> Really, please tell me in which threat model does using microg hinders security, maybe we can find a fix. So far, I've never heard any.
Projects spreading libel about security researchers lose the privilege of getting vulnerabilities reported to them and patches made for them. microG has a bunch of blatantly missing security checks and based on what you're saying it should be no problem for others to find and fix those. Also, how are you going to add all kinds of cross-app signature checks, pinning and parts of the missing security model to an app ideologically opposed to some of these things?
> With regards to privacy, I take unprotected opensource software over Google trackware no matter the sandboxes you put under it. Windows has a better sandboxing model than Linux, yet I feel much better doing random apt installs, than downloading random Windows apps.
microG still uses proprietary Google services and the proprietary Google libraries are still included and being used by every app using it. People can see for themselves that Google Maps entirely works without Play services other than compass calibration, and that the Ads SDK works fine without Play services. microG is open source middleware sitting between closed source libraries and services. CalyxOS includes the privileged Google eSIM apps by default which give Google your IMEI, with no warning about that.
GrapheneOS does not use Google services by default. CalyxOS uses Google services by default with no off switch even without microG and has privileged Google services in the OS.
There is no evidence to suggest this. GrapheneOS has multiple systemic privacy and security improvements over the stock OS (e.g. hardened_malloc, toggleable network permission, exec spawning), so it's a much harder target to develop a working exploit for when compared to devices running the stock OS.
I went through building LineageOS for my devices for years, then switched to Pixel + GrapheneOS and have been extremely happy with my decision.
Unfortunately as you can see from these posts, there's a lot of in-fighting between developers and users, it's detrimental to everyone involved and drives away users, supporters, and other developers who would contribute but don't want to get involved in it.
Regardless of all the garbage surrounding these projects, the technical work behind GrapheneOS speaks for itself and is how I ended up selecting it vs the other options.
Graphene is indeed a lot less fiddly than dealing with microg etc. Much easier to use (and install - oh the headache that is dealing with firmware updates my Samsung tablet running Lineage).
CalyxOS recently went almost 4 months without shipping Chromium (including WebView) and Android security updates. CalyxOS is not "degoogled" and uses multiple Google services by default without an opt-out. Look at their documentation. It also has privileged Google service integration enabled by default. If using Google services is considered "degoogled", what does it mean? Not having Google Play as part of the OS? They do have a reimplementation of a small subset of it using Google's services and it's specially privileged.
Yes, I'm aware that Calyx isn't degoogled and neither is Lineage, that's why I wrote "degoogled" in quotation marks. And I also know about lack of security updates in Calyx, but it's still better than Lineage lol
Calyx has been stealing code (and removing author) and raiding GrapheneOS chatrooms. GrapheneOS is a better option if your device supports it (like mine).
Revoking permissions should be supereasy - like remove any and all network ability (eg camera or flashlight apps), start on bootup (don't need a service running for app X until I start it), clipboard snooping (ok to read clipboard if I tell the app to, but otherwise it's just creepy and a risk).
slash-rant