What is going on with GrapheneOS?

Hello World!

So having, watched the Luis Rossman: Random Live video on GrapheneOS. Now I saw the recommendation “Why I deleted GrapheneOS”.

My questions/concerns are:

1. Is Graphene OS still viable as a privacy focused Android fork?

• Are there others?

2. What could be the future of Graphene OS

• Can this project still be saved from dissolution?

3. Is it finally time to go Pine Phone and Pine Time?

• I’ve been thinking as the important things I can still do as per Web App, banking, emails and whatnot.

I want to look at this project and situation completely objectively as the alternative is just opinions and are irrelevant to reality.

Alvast bedankt voor the civil discussion.

I can’t speak from a security/ privacy aspect.

I have a couple “Ubuntu Touch” devices, that do the limited tasks well, but can’t really install many apps. But good project.

My main driver is GrspheneOS. It could well be leaking all my data all day, but there is a Chance that is doesn’t, so I will keep using it…

Given that its still open source and can be verified I am personally not concerned about it yet and will continue to use it for now. I think there is a big enough security community around it that it would be pretty difficult to slip something nasty in and would likely be caught fairly quickly? One can always do traffic analysis and audit the logs and behaviors at the end of the day.

CalyxOS is another popular android privacy/security fork that might be worth looking at. As well as simply degoggled LineageOS and pay attention to permissions and don’t install garbage apps.

Check out XDA forums there’s tons of info there.

My hope is that even if GrapheneOS dies, the hardened kernel and memory allocater and all the security/privacy benefits can be carried forward to another rom. Again thanks to open source. Not all the work is lost from a technical standpoint.

Pinephone looks cool, might be my next device.

It also appears that Daniel Micay has stepped down: https://twitter.com/DanielMicay/status/1662212227561308160

Frankly the dev can be as unhinged and as crazy as he wants to be but if the product remains good, it will still be my daily driver until a more technically superior alternative comes along (there still isnt, btw).

If crazy boy Mikay completely jumps ship and makes a new project, who knows I may go with him.

If he is the golden goose that lays innovative eggs, Graphene may have killed it. I will move on as needed.

it looks like the leader has stepped down.

i abandoned graphene, i have as much trust in the project as i do in google (which is not much) so i’ll opt for the extra features until this blows over

From a code standpoint, there are others that work on Graphene, and many of the recent commits reflect this. I think the project will go on, although Daniel is quite the genius level programmer, so that is a loss in itself. I do hope that this is a good path forward for him. Developing Graphene (and Copperhead previously) seemed to take a toll on him, so I hope he can find some rest and balance.

As far as other projects go, there are several, such as CalyxOS and RattlesnakeOS. I think Calyx is fairly active, but I haven’t checked in on some of the other ones lately. I think they are all privacy minded to some degree, but make a few different choices along the way.

For myself, I build my own android rom and I have greatly benefited from Graphene and the work that they and Daniel have done. I consider Graphene to be a more ideal version of AOSP.

I do hope that linux phones are on the horizon. i have pixel 6/6a phones and I was hoping that linux phones would be mature enough to use after my pixel phone support is EOL.

My overall concern is that I would like to get a new phone because my front camera is broken and the screen is slowly turning into a void. I wanted to go Pixel so I could go graphene, I’d just don’t want to see another Cyanogen OS situation.

My issue goes down to another thread again regarding the multiple device conundrum. Laptop+Smartphone+Work phone+Camera+Desktop+Tablet, just feels like too much.

PIxel phones are always a trade off, regardless if you run the stock google OS or something like Graphene or Calyx.

They are generally well supported and get regular security updates. There is a robust ecosystem of tools and code to help with development.

I think some of the criticisms are that they are generally not premium/flagship phones. Some of the other manufacturers also add in their own unique features to enhance the rom.

I have a very utilitarian view of my phone, so I’m content to have a relatively cheap, unlockable, supported phone. I don’t put a high value on many flagship features or premium build quality. I usually use a case, no one would really see it anyway. I do wish the pixel 6 had a plastic case instead of glass. That being said, the glass does seem fairly robust, but it would certainly be lighter and cheaper with plastic.

Also, wouldn’t it make sense to make a security/oss ROM for the Fairphone 4, I do understand support Pixel because of the unlocked kernel but Fairphone is some 8 year support and repairability?

I do like the idea of fairphone, but I think it lacks the level of software support that I am looking for. The fairphone 4 was released in 2021, and after a diligent 5 minute search, I could only find the kernel source for the FP4. I didn’t find any device trees that would make it very easy to build. It’s possible that it’s just a mirror of a related phone, but there isn’t a “how to build” guide for FP4 that says, just copy the one plus 6 trees or something like that. It looks like lineage has a device tree for FP4 that they have built from scratch.

I do think that for most people, the FP4 would be a good choice, but it really depends on what you want your phone to do for you.

CalyxOS has support for the Fairphone 4. As far as I followed the conversation the decision of the GrapheneOS team for the Pixel fell not only because Google offers their version of Android but also because those Pixels features lot of security enhancements, some other phones do not have. The reason why they not support many phones is simply that it is a lot of work to port this and they do not currently have ressources for this.

I’m not really worried about GrapheneOS future, many people have been working on it besides Daniel Micay and it seems that his involvement in the software side have been very limited for quite some time anyway. The OS has never been that solid and usable so would be a massive loss if it were to disappear tomorrow.

Building a robust and secure android distribution in 2023 is a massive task, I would rather see him get back to the GrapheneOS team than to start a new project alone or with a reduced team to needlessly compete with his own previous creation. He does not seem to have anything against the team either so it would be a very weird move.
I could see him start a new project like a new lib or something but not an entire OS.

I hate to revive an old thread but i dont understand why nobody mentions going with Copperhead. Did Daniel really lead this many people to believe that copperhead was dead? He stabs his partner in the back, steals the work and makes his own from it and even as his lies finally destroy his facade of bullcrap publicly, after years of building off the back of whom he stabbed…the real Copperhead still moves forward trying to just focus on the original goals of the project despite being tortured by this douchebag and its in the hands of the same genuine guy who deserves all of the credit for Graphene

I would like to remind everyone that expressing different opinions is totally okay.

But if it veers from the topic its best directed ro the lounge thread for casual discussion

I do not wish to see this thread turn into project vs project as both are quite pleasant

For me this feels more like they worked together, they realized they did not get along for a plethora of reasons and then they parted way. Was there bad blood, sure, but that’s human. Both projects are very passionate about what they are doing. In regard to stealing the work, this is open source, that’s the whole idea that people can use it for their own ideas or if they feel like using it differently. See it like that, now you have two projects to choose from if you are not happy with the other.

I stopped using GrapheneOS and moved to DivestOS - which is a “soft” fork of LineageOS that takes inspiration from GrapheneOS. DivestOS works so much better for me, because IMO, GrapheneOS’s UI/UX is hot garbage. I didn’t actually expect it, but moving to DivestOS solved my two main pain points. GrapheneOS is probably more secure, but the project doesn’t listen to many users’ UX feedback “because it’s out of scope for the project”. This is a horrendous stance to take, especially for an open source project. Overall, I feel that it reflects a organizational culture that is in many ways just as toxic as Arch Linux users on Reddit. Plus they are very inflammatory towards other Open Source projects that they feel have less security - which isn’t constructive at all.

Why not just unlock the bootloader now before it is patched, and put LineageOS on the device and keep it until it completely stops working? This way you’ll get more settings to modify, no included google software, just basic plain android and a longer upgrade cycle.

Also, once the bootloader is unlocked on your pixel, you can swap to any Linux system that is compatible, so no real reasom to get a different device to run the same software.

I am already using my own custom rom. I unlocked my bootloader and then relocked it with my own key. Of course google’s key is hardcoded into the firmware.

The reason to not use a phone after they are EOL is because the security patches are no longer supported… things like CVEs that impact the proprietary drivers that only the OEM can patch. Think of using an OS after support has ended. There are no updates to patch bugs and vulnerabilities.

Sure, I could keep it around if I wanted to have a project phone to mess around with, but I barely have time for other things.

Security through… low userbase. There are how many different android brands, models? And how many of them share the same vulnerabilities? Is that data available or would be be too time-consuming to compile?

My point is, I highly doubt a malware developer will target specific bits of hardware that may or may not still be in use. I just don’t see it being worth someone’s time hoping they will find a device that is compatible with their malware.

I just think this is an over-reaction, and not remotely as serious as it may seem. Sure you COULD get some malware due to some hardware vulnerability that hasn’t been patched, but what are the odds?

You may say that is not wise to bet on the odds at all, but if it means keeping a device for five extra years and risk getting malware vs upgrading every five years, I’ll keep the device.

I’ll just back up all my pictures and messages and wipe the device and restore the android data folder. Is it life threatening to have a malware infected device? Has that or, is there a very strong possibility of that happening in the next ten years? Are there hardware vulnerabilities that exist currently that put cellular reception at risk, or GPS?

My device has a publicly disclosed wifi security bug in the hardware, guess how much I care. I am extremely confident that my device won’t get malware, and if somehow it does, I really could care less. I have my contacts file saved and data backed up already, it’s not much of an inconvenience to just wipe the data and restore.

At what point is a device considered too “obscolete” to stop targeting for malware? If 75% of android users all upgrade devices every four years because of security reasons, how much time would it take a malware developer to crunch the numbers on exactly what older android devices are out there, which ones have exploitable hardware and how many users of that exact device are out in the wild.

I bet zero malware developers will do that math because it is not worth their time, and that is what I’m betting on. How many malware developers are still targeting Android 2.3.3 or 3.x or 4.4.2 or 5.1 or 6.0 or even the 7 series? I bet zero. At some point, eventually, the device will ne “out of fashion” for long enough that not a single human being will care to develop malware for it, so why not just take the minor risk and help reduce electronic production by upgrading your device as little as possible?

Don’t do banking on your phone, encrypt your passwords with something such as bitwarden and use firefox browser extensions to block scripts and hope you don’t get a strange messags that infects your phone. Just wipe it and restore from a backup. It is the same with a desktop PC, if it gets infected, it is ideal to already have a backup, no reason to throw out the entire computer because of a data file.