Hello everyone, I want to preface this by disclosing that I am part of the GrapheneOS team. My account is not freshly created by the way, since that seems to be such a hot topic here. We asked our community for help with dealing with this mess since the self proclaimed open-source “enthusiast”, who is supposedly so eager to help, has gone out of his way to spread this literally all over the internet in order to harm an…open-source project. Here on Lemmy, Mastodon, Reddit, LinkedIn…even Facebook and elsewhere. That’s where the “suspicious” new accounts come from. That said, yes you can go ahead and verify they are in fact members of the community. And you can verify mine too if you wish, on the GrapheneOS forum, our reddit, discord, matrix, github. I don’t know what else I could tell you on this front honestly.

Now this person filed a duplicate feature request on the issue tracker regarding 3-button navigation. We closed it and provided an explanation on why it’s not wanted, primarily because 3-button navigation is really just a legacy mode and only kept around for compatibility reasons. Any feature that aims to provide a quicker way to force kill apps should be done in a way that’s not specific to it, but can be applied to all navigation modes. I hope this makes sense until here.

About a year later some people picked up on this feature request and started discussing it further. We have a rule where if you want to express your support for something you should react to it with a thumbs up emoji. That’s because each mention and reply sends an e-mail notification to multiple developers. We opted to delete the issue in order to stop the noise. In hindsight yeah that was a mistake, since apparently there are individuals around who are just waiting for an opportunity to act in bad faith as seen here.

This person kept insisting on it and continued to file more issues regarding this matter, even going as far as cloning our repository and continuing the spam there. We repeatedly asked them to stop and take it to dms instead but they didn’t do either of these things. Now what they did do is dig this up over a year after our last interaction with them and make a mountain out of a molehill.

There you go, that’s the gist of it.

The problem with this is that so many apps use Google Play Services. If I didn’t want a phone that used Google, I wouldn’t use an OS that bent backwards to make it work.

GrapheneOS doesn’t “bend backwards” to make apps relying on Play Services work. Sandboxed Google Play is highly compatible and all you need to do is install the apps, just like you would any other apps. The argument that since many apps require Google Play Services, you should use stock OS where they have privileged access rather than being sandboxed doesn’t make a lot of sense.

The sandbox model is OK in theory, except when your bank app asks for permissions for microphone, camera, contacts and files, and refuses to start without them.

The app model is a bit broken IMO and GrapheneOS both enables and perpetuates it.

Apps installed on operating systems that don’t have a sandbox and thus a permission model get access to straight up everything. Your scenario is exactly why GrapheneOS features contact and storage scopes; as an alternative to the regular permissions for more granular control. You can grant an app only a subset of contacts/files or nothing at all, the app won’t complain since on its end, everything’s been supposedly granted. There are more planned features to address other permissions in a similar way. Furthermore you could put it in its own little box via a secondary profile (you can have up to 32), and have that only run when you need it.

I might be being a bit naïve here, but Android 14 came out in October, 4 months prior to LOS 21, which is not particularly long. Android 13 is still supported by upstream. This sounds a bit like running RHEL or Debian vs bleeding edge Arch, no? It’s a common debate whether RHEL systems are constantly out of date, the counterargument being that vulnerabilities are often found in new software versions. Without real statistics about security vulnerabilities over time it’s difficult to make an informed decision about software version policies.

4 months without proper patches to known vulnerabilities is very long. Previous versions of Android aren’t properly supported; they only receive a subset of patches, not nearly everything. In fact, not even Android 14 is currently getting full patches. At the time of writing, for a device to be properly patched, it must be on Android 14 QPR3. It’s why we put great care in porting everything over as quickly as possible. You don’t have to make guesses about vulnerabilities, you can simply look at all of the known vulnerabilities that haven’t been patched yet, or will never be patched, in previous Android versions. It’s not a matter of “what if”, it’s what’s actually happening.

GrapheneOS ships with a sandboxed, FOSS Google Play Services which can optionally do a bunch of Google things (use their APIs, login to Google etc.) plus they have some hosted services that can substitute Google services (like geolocation).

GrapheneOS doesn’t ship with any Google services by default. We do provide an easy and safe way to install the Google Play components if desired, they are run under the same sandbox and constraints as any other ordinary app you install. Because they expect privileged access that they don’t get on GrapheneOS, we add a compatibility layer that essentially teaches them to work under the normal circumstances that is the sandbox. If you don’t want them you don’t have to do anything, they are not present in that case.

LineageOS basically doesn’t ship with any Google Play style API/frameworks at all. It’s a pure AOSP experience. Any apps on F-Droid work but third party apps (like ones found on Google Play) are hit and miss. If you can just use F-Droid for all of your apps then LineageOS is probably a much more private and secure offering.

LineageOS does make connections to Google by default, as does AOSP. GrapheneOS changes those connections while LineageOS doesn’t. They can be viewed here:

https://eylenburg.github.io/android_comparison.htm

Keep in mind, that table isn’t exhaustive. It lists the regular connections AOSP makes and how each OS handles them, but doesn’t include information on any additional connections that occur.

You can absolutely download apps from F-Droid on GrapheneOS, what makes you think you can’t, and how did you conclude that LineageOS is more private and secure?

Both GrapheneOS and LineageOS publish monthly updates with upstream security patches for all supported devices.

LineageOS is pretty commonly behind on updates. As an example, it seems that LineageOS 21 (based on Android 14 QPR1) came out in February of this year.

https://9to5google.com/2024/03/12/lineageos-21-review/

You cannot ship the full security patches without being on the latest version of Android, which is Android 14 QPR3 now. Of course, if the device is EOL, that’s doubtly the case, and no OS can fix that.

Apparently both GrapheneOS and LineageOS connect to connectivitytest.gstatic.com via http as a Captive Portal test by default,althoughh this was as of 2019-2020 and both might have changed since then.

I don’t know if this was the case in 2019, but it certainly isn’t the case now. On GrapheneOS, you have the choice of using the GrapheneOS server for the internet connectivity check, changing it to Google’s server or even disabling it altogether.