Please look at the comments being replied to from that user in this thread. They're spreading misinformation about GrapheneOS in order to promote CalyxOS. This isn't something isolated but rather than community is highly hostile towards our project and has been heavily involved in harassment of our developers, raids on our community and coordinated spreading of misinformation. Every time GrapheneOS or CalyxOS is mentioned, the CalyxOS community and project are there pretending GrapheneOS doesn't care about privacy and functionality/usability. We're only responding to the comments where this is being done. We didn't jump into this thread but rather they're choosing to attack us and bring us into it.
This looks like a messy dispute, so I'm not going to step in. The FOSS community is outnumbered by those who prefer closed source software, and it's a shame to see infighting between two projects that, despite their differences, both counter the Google/Apple duopoly on mobile device platforms. I hope the GrapheneOS and CalyxOS communities can find a way to reconcile.
> has been heavily involved in harassment of our developers, raids on our community and coordinated spreading of misinformation
I'd be interested to see how you draw this conclusion. I have been in the CalyxOS rooms for quite a long time and have never seen anything of the sort. In fact, when GrapheneOS is mentioned, users are told to change the topic.
People can see for themselves the misinformation being regularly spread about GrapheneOS by the CalyxOS community whenever either CalyxOS or GrapheneOS is brought up. The raids on our channels are a well known fact and those people are openly welcomed in the CalyxOS rooms, even those who have publicly told me to kill myself on multiple occasions. Nick himself has been heavily involved in this behavior. I don't think someone who is involved in the community perpetrating these attacks is a good source on what has been happening. He justifies his support for these people by saying they have an open channel with free speech.
> In fact, when GrapheneOS is mentioned, users are told to change the topic.
Yes, people get banned when they defend GrapheneOS from attacks. Nothing is done when they spread misinformation about it as long as they don't do it too blatantly. Action is quickly taken if someone there tries to counter it.
> The raids on our channels are a well known fact and those people are openly welcomed in the CalyxOS rooms
You've said this a number of times, but you've yet to provide any material evidence this has taken place.
From what I've seen as an impartial bystander, the CalyxOS community doesn't want anything to do with you or your (frankly hostile) community.
I've taken the liberty of doing a little digging and asking around, and it looks like you've even tied in CalyxOS to the recent Bromite impersonation incident. Judging by the chat log you shared on GitHub, it looks like the user was told to change the topic.
I really don't think it's appropriate to be downgrading and "attacking" (as you so vehemently protest) open-source projects like CalyxOS with similar goals. It's a shame such hostility is taking place, when both Calyx and Graphene are doing excellent work in the privacy sector.
I specifically avoided commenting on the comparison threads solely to not have to see this. You will not find me doing that anywhere, anytime (unless perhaps when we were on good terms)
I've done that all this time, the only time I comment on something is when somebody asks us to integrate it into CalyxOS, and that's only within our context.
You're the one here who're responding in a hostile manner, and doing exactly what you're accusing us of. Please stop.
Sorry if I misunderstood some of the differences, but I was trying to simplify it and trying to be helpful by explaining what I read about both.
I'm not trying to promote either, and I don't use either as I don't have any pixel phones. However I thought of buying one and as such I looked into the differences.
I didn't realise you now had sandboxed play services, but to be honest I would trust MicroG a lot more than Google, even if it's sandboxed :) The only way I'd want to interact with Firebase is for push notifications, I prefer MicroG's way of handling location by the way, with its location plugins pointing to really open sources. Play Services are still closed-source google components that I don't want on my phone.
I was not saying that you don't care about privacy. I just wanted to express that I generally see GrapheneOS pick the security side over privacy if there is a choice to be made between both (and only then). And with privacy I mainly mean big data tracking from the likes of Google.
I didn't mean to attack you at all. I have no side in this conflict and I'm sorry you feel that way. See also how I said in my original post that GrapheneOS has security as Priority #1. How is that a bad thing??
If you look at my other posts you will see I praised you for promoting security features that were incorporated into AOSP after you had initially developed them. I was just trying to present the situation as I understood it. I didn't realise it was so adversarial.
I'm sure you didn't do it intentionally, it's just that what you said is a common piece of misinformation spread about GrapheneOS. It's understandable that you'd think that given how much it's repeated and considering that many people got duped too.
>I would trust MicroG a lot more than Google, even if it's sandboxed :)
This is the reason that GrapheneOS sandboxes it. You can disable permissions however you'd like, nothing stops you. You don't want it to send certain data? Then don't give it that permission. Disabling INTERNET will prevent it from sending anything (it's used to privilege, so it likely won't use another app to bypass, but you can use a different profile anyway).
>Play Services are still closed-source google components that I don't want on my phone.
microG is just a reimplementation (a partial one) of Play Services. The privacy benefits are negligible.
>I just wanted to express that I generally see GrapheneOS pick the security side over privacy if there is a choice to be made between both (and only then). And with privacy I mainly mean big data tracking from the likes of Google.
I'm guessing you're referring mainly to microG.
Privacy is not just not sending data. It's far more than that. It needs to be able to blend in with others, and needs a certain decent level of security to avoid simply bypassing privacy features through vulnerabilities.
microG doesn't protect data in transit even close to the way Play Services does. How do you expect to have privacy when apps can simply intercept microG data?
Signature spoofing as microG needs, ruins the security model. It bypasses signature checks by apps. Even in CalyxOS's slightly less bad implementation, vulnerabilities in microG can be used to break out of the sandbox. How do you expect to build a security model on this? Vulnerabilities in microG are very likely, considering how the project disregards security.
How do you expect privacy with such little security? You'll not have any privacy if an app can bypass your privacy features.
It also only reimplements a portion of the APIs and breaks when apps need new ones. How is it supposed to keep up with the APIs anyway? It's tens of thousands of lines of code. It's certainly not a viable option.
Using Play Services as a sandboxed app, on the other hand, avoids this. It doesn't require the microG patch which erodes security, it protects data in transit, and it actually gets the majority of APIs and functionality working. The only functionality that doesn't work is SafetyNet attestation and functionality which depends on privilege. SafetyNet enforces using the stock OS, so you'll never get it with microG. Privileged functionality would need invasive OS integration.
It's clearly a much better solution that preserves the security model. It does it right.
GrapheneOS also optionally blends in with stock Android users. This isn't a bad thing and increases privacy. Connections made are just things like connectivity checks, nothing special.
Besides, CalyxOS isn't particularly good for this either. Their Netguard firewall that they bundle doesn't implement it properly and apps can still bypass it. They aggressively integrate Google services, and have Facebook integration as well.
Correction: because of CalyxOS' implementation of microG, signature spoofing can't easily be used to break out of the sandbox. Sorry to those whom I inadvertently misled. The fact remains that microG is still an insecure implementation that doesn't implement proper security or transit protection and disregards security.
