Beyond that, the GraheneOS team still controls a single signing keychain for all phones in the wild, which we have to assume is still controlled by Daniel Micay (strcat) as it has not rotated as far as I can tell since he mostly stepped away from public view.
He is without question a brilliant security engineer, but we can't ignore his very public Terry-Davis-esqe history of mental illness. Making -anyone- a single point of failure for a ROM frequently recommended for journalists and dissidents is a bad plan, and especially not someone very prone to believing wild conspiracy theories.
I can't recommend GrapheneOS for any high risk use cases until:
1. they are able to find a device they can run 100% open source code on with no binary blobs
2. The ROM can be full source bootstrapped to mitigate trusting trust attacks.
3. The ROM builds 100% deterministically and is reproduced and signed by multiple team members publicly
4. Threshold signing or a quorum managed enclave issues the final signature only if multiple team members give it signed approvals of a hash to sign.
Until at least those points are covered, the centralized trust model of GrapheneOS is a liability and the central keyholder is at high risk of being targeted for manipulation or coercion.
Honestly there is no good solution to these problems right now, and as a security and privacy researcher my best advice today to potentially targeted individuals is don't carry a phone at all, or if you must carry one, keep it in airplane mode whenever possible and do not do anything sensitive on it. Consider QubesOS or AirgapOS for such things.
If you are fine with centralized control of a phone, and fine with binary blobs controlled by random corpos having God access to your device, but would prefer to eliminate as much proprietary corpotech bullshit as possible, then I would suggest considering CalyxOS which is at least run by a former LineageOS maintainer with a great reputation.
This does not make sense at all.
I run a b2b tech company in Silicon Valley and have not carried a smartphone in 5 years or had an LTE subscription in 6. I have a family and hang out with friends, mostly tech workers, at least once a week. I am online when I am at my desk or one of my family PCs, otherwise I am offline. It has been a massive productivity boost, attention span boost, and social improvement in every way.
I don't miss hours of doom scrolling a day and missing out on being present with friends and family. Took a few weeks to rewire my dopamine engine so the FOMO went away.
Phones -are- optional and if you think otherwise you might be an addict.
> CalyxOS, which not only suffers from the same "problems" you criticize in GrapheneOS, but is also inferior in every way when it comes to security and privacy?
It is better in one way: a reasonably stable person holds the keys to the kingdom. Personally I do not like having -any- central person controlling my devices, so I just opt out of Android entirely until that situation changes.
I am a supply chain security researcher and founded a Linux distro where no single computer or maintainer is trusted, so trust decentralization, freedom, and control in software are very important to me.
Smartphones are small portable computers. You're using a similar computer to make posts on social media platforms including Hacker News.
> It is better in one way: a reasonably stable person holds the keys to the kingdom.
Repeatedly claiming that I'm insane, schizophrenic, delusional, etc. is not a reasonable criticism of GrapheneOS. I'm clearly none of those things. I've been targeted with attacks including harassment and tons of fabricated stories for years beginning with my former business partner and his associates. You thoroughly discredit yourself by going as far as baselessly claiming that I'm schizophrenic because you don't like the way I've tried to defend myself from these attacks.
The lead developer of CalyxOS (cdesai) was a Copperhead employee directly involved in the 2018 takeover attempt on GrapheneOS. CalyxOS itself directly originates from the takeover attempt on GrapheneOS. The people involved demonstrated their lack of ethics through their participation in the attacks on GrapheneOS and partnerships with people involved in it. You've been attacking us for years alongside them. CalyxOS exists because of this takeover attempt. It's a non-hardened OS which was created by heavily using GrapheneOS source code and documentation without most of our privacy and security features.
The primary thing we disagree on in a pure objective security engineering capacity is you feel it reasonable that a single person, you, can be trusted to resist coercion or manipulation to hold the signing keys that would allow pushing any code to the phones of a lot of highly targeted and vulnerable individuals. Otherwise I actually normally agree GrapheneOS has made the best effort defense calls it can in a very broken and proprietary ecosystem. Use open stuff where you can and where you can't try to put up IOMMU walls. I get and respect the pragmatism here. I do similar in AirgapOS and other projects.
I however absolutely can never recommend trusting centralized/proprietary software supply chains in areas where dramatically more open and accountable solutions already exist, which is why I do not actually use or recommend CalyxOS or GrapheneOS for high risk use cases and instead full source bootstrapped a Linux distribution from scratch that avoids any trust in me as the founder by design.
For low risk use cases where users simply don't trust Google or the stock phone malware, LineageOS or CalyxOS is just fine as they remove this, and I am more inclined to support cdesia/CalyxOS which at least attempts basic signing, and trust cdesia as a keyholder when someone really wants to use Android purely because of his peace-keeping personality that is normally very receptive to criticism, and is never hostile to anyone that forks their code for use in other projects as you have a history of doing, but ultimately again, I don't actually use or recommend CalyxOS or GrapheneOS for most people for most use cases.
If forced to use a mobile device again I would probably fork GrapheneOS, remove all the proprietary bits I can, LTE, bluetooth, etc be damned, and sign it myself only for my own use, until I could develop an quorum enclave controlled signing scheme and then offer that.
If you were to agree to take on quorum controlled signing of reproducible builds, then there is no central trust in you, and all my primary arguments against GrapheneOS go away and GrahpheneOS would be leaps and bounds better than CalyxOS by any technical measure I am aware of.
If you put aside any dislike of me, objectively, removing trust in a single person makes you and the project and users safer, and make it much easier for people to separate your personal views from the stability of the project as a whole.
I could get dementia tomorrow and I am confident the StageX project would continue without me with signatures by other maintainers by design. The team already has made several releases without needing signatures from my key already. This is a proven strategy now, not just a theory I parrot to try to win arguments.
GrapheneOS, for all its high risk users, deserves to be protected from the failing of any one human or build machine.
I'll let you have the last reply as this will go on forever otherwise. You know how to contact me if you ever want to discuss any of this privately.