I've actually installed CalyxOS on an older Pixel 2, and it seemed to work fine for the things I need to do with my phone. I haven't made the leap to use it as my primary device for one reason: Supply-chain integrity.
I don't know whether the maintainers have the bandwidth, tooling, processes and procedures, and vetting to ensure that an image doesn't get backdoored. Given the Venn diagram of "people who want to keep stuff private" and "people who will go through the trouble of installing and using CalyxOS" probably has significant overlap, I would assume some well-funded adversaries, including state actors, are motivated to sabotage it.
At least with the standard Google Pixel images, I have some degree of assurance from Google's robust source management and security infrastructure. The bar for backdooring an official Google product is much higher than the bar for backdooring a hobbyist project.
Although I agree with your post to a certain degree, CalyxOS is not a hobbyist project. The Calyx Institute has a working business plan and has five full-time developers. Have a look at their Annual Report:
https://calyxinstitute.org/about/financials-and-annual-repor...
Yes, and IIRC it's a reasonably priced MVNO setup with (mostly?) unlimited data. A friend of mine uses her Pixel 4 with CalyxOS on Google Fi but keeps a Calyx hotspot thingo around for traveling and it's been solid throughout North America at least.
> At least with the standard Google Pixel images, I have some degree of assurance from Google's robust source management and security infrastructure. The bar for backdooring an official Google product is much higher than the bar for backdooring a hobbyist project.
google hasn't posted a new image or ota for pixel 6(pro) since november. last i read it was held up by some breakage of the google assistant.
i don't know how much patching gets done via google play, but this seems really disappointing. no rces but loads of eops which now means the phone is only as secure as the weakest app supply chain?
It doesn't matter which OS you use - you will not be immune to nation-state actors. In fact you will be more exposed to them using google, considering their history of providing data and access to governments.
With de-googled OSes that provide proper network controls, you can at least cut out commercial spying.
Does having the ability to compile and build it yourself allay any of those concerns?
It means you no longer need to trust the infrastructure or machines being used to create the images, just the developer through their source code which, yes, while it's a daunting task to review, it's "just" a fork of AOSP.
I've been building a modified LineageOS for a while, and these posts always have me circle back around and question if I should just go back to stock, Graphene or Calyx.
Do there exist any good comparisons between Calyx and Graphene? From an outsider's point of view, they both seem broadly similar, in that they're privacy and security focused de-Googled OSes that run on unlocked Android devices, but they're different. Somehow.
I've spent some time in the corresponding IRC channels and... asking about the other OS and how things compare seems rather frowned on in both of them.
The biggest difference I've found is which apps you can use from the Google Play Store. Calyx supports microG, which allows you to access the Play store via front-ends like Aurora. It also works with F-Droid, as mentioned below.
I also notice things like push notifications work just fine with Calyx, and not on Graphene, which I think is due to microG and/or Firebase.
I think there is some additional hardening that Graphene does as well.
If your goal is the most possible privacy and security, I'd go with Graphene. For a much-improved privacy, mostly non-Google experience, where you can still use Maps or your bank's app, I'd go with Calyx.
With Graphene you can install sandboxed Play services, which allows you to run Google Play services without any system/root privileges, in the same application sandbox as normal applications.
This is definitely superior to the microG approach which means enabling signature spoofing for applications.
Why should I be concerned with the specific type of signature spoofing used by microg? AIUI it only enables signature spoofing for their specific keys, not applications/publishers generally.
What if I do not want to run Google Play Services at all (or any proprietary code from Google)? Can Graphene sandbox microg instead?
> What if I do not want to run Google Play Services at all (or any proprietary code from Google)? Can Graphene sandbox microg instead?
It might be able to, but AFAIK microg works by pretending to actually be google services, so it's possible it depends on the system privileges that google services usually has?
Calyx's governance vs Graphene is incomparable. Calyx is run by a nonprofit with open books and a helpful, albeit small, community. Graphene is run by a replyguy that speaks harshly about other Android projects. Graphene's technology is interesting as I've been following it since it was the original CopperheadOS. For most users without high threat models Calyx would suffice.
Graphene also has many developers, so you are just spreading FUD. And is it really harsh speak when there are plenty of entities (CopperheadOS) selling other people's work rebranded? Especially to a target group which seems to be way more gullible than they are supposed to be, running away from Google into the hands of scammers.
Which isn't quite unfounded since the CopperheadOS guy literally booted him out of their first company and has since then AFAIK simply copied from GrapheneOS while running sleazy marketing. May be wrong on the copying part - please correct me if so, but that was my impression a while back.
He may be slightly more paranoid than what is healthy (which may be inherent in the security domain he is an expert in), but I would not call him crazy.
Also, it is not as black and white, CopperheadOS did try to backstab him by selling his own work. Also, a secure OS is very much the same as crypto: you don't roll your own. And while the enthusiasm is welcome in this space, it is simply a ridiculously hard domain which should not be done by novices.
I used to be a hobbyist dev of a ROM back from Android L-O, and left to start a professional software engineering career. I recently re-joined the hobby with the release of Android 12, and Calyx OS was new to me, so I ended up taking a look at their code repos.
Tl;Dr: If you want a privacy-focused no-compromises fork of Lineage OS, and the default hardening Google performs on their platform is enough for your personal threshold of safety (this is where most custom ROMs settle), Calyx is probably a good choice. If you're concerned about novel security vulnerabilities (read: more paranoid/vulnerable than most) affecting your device, choose Graphene.
Privacy-wise, Calyx is basically Lineage with most of its headline features being provided via LOS or third-party apps available on F-Droid. It does a good job at de-Googling your experience and has good privacy-focused default settings and apps. I like the custom location provider. Their egress firewall feature is a nifty improvement on top of LOS's original implementation of a similar feature.
Security- and hardening-wise, it's not much better than Lineage, which isn't much better than AOSP. Zero to little runtime or kernel hardening to be found. Graphene, on the other hand, puts the effort into hardening as many aspects of Android and the kernel as possible. Graphene has a custom hardened `malloc` for helping prevent memory safety exploits, a hardened libc, toolchain, and app runtime, among all sorts of other difficult but valuable security changes. Functionality-wise: almost anything Calyx can do, Graphene can do with some F-Droid apps to help.
This might seem a bit harsh, but the reality is that Graphene has a large number of deep security changes upon AOSP that Calyx isn't yet up to par with. As we've all seen, security in 2021 is difficult, and it takes decades or a lot of specialized experience to be a security expert. It's difficult enough for large companies to hire and retain security talent, and for hobbyist projects/small organizations even more so.
Does everyone need a hardened runtime? Probably not. Are there people who do and/or want one? Definitely.
Edit: one concern of mine about Calyx is their bundled VPN serviced by Sprint (as per https://calyxinstitute.org/legal/terms-of-service). Third-party VPNs are always to be taken with a grain of salt for privacy depending on your activities online and the VPN's owners themselves. I suppose it's better to have a VPN than not, but you must also trust that party and their security with your highly valuable network traffic, which should be a very high bar. Obviously, nothing limits you from loading up OpenVPN, IPSec, Wireguard, etc and going your own route.
Some of them are separate projects (eg. hardened malloc), also many of the implemented features later got merged by upstream AOSP itself. I think some independent audit also happened, but not sure about the details.
Nonetheless, the project has an absolutely stellar track record, where the main guy behind it even revoked the signing keys of the OS upon a failed for-profit company overtake attempt. The project doesn’t accept any for-profit company offers since then and is independent and open-source.
For the readers: the aforementioned "takeover attempt" has never been substantiated or validated. Using the past (and rather trite) CopperheadOS dispute to justify present misgivings is disingenuous.
> We will also be starting to look at potentially support other devices this month - we’ve always wanted to support more and more devices, stay tuned for updates!
The possibility of expanded device support is encouraging. Pixel devices have always been the most accommodating of alternative Android distros, but as many people have noticed, it's unfortunate that a software project that tries to distance the user from Google services has a dependency on Google hardware.
Google mobile hardware has a long history of shoddiness. It absolutely shines in the components useful to marketing and completely falls down in the ones which aren't. The Nexus 4 had screen tint issues and a defective speaker that emitted a high pitched buzzing noise. The Nexus 5 overheated often and sometimes the camera just stopped connecting. The Nexus 5X had boot loop issues so bad there was a class action lawsuit. The Nexus 6P had the same boot loop issues as well as faulty battery sensors and poorly-designed frame that bent and snapped in the middle. Pixel 1 had faulty microphones that Google knew about and still sold, resulting in another class action lawsuit. The Pixel 2 emitted weird clicking and scratching noises from its speaker at all times. The Pixel 2 XL had a godawful POLED display with colors so uneven it looked like someone stomped on the panels before installing them. Oh and both their USB-C ports would spontaneously break and prevent charging the phone. Pixel 3XL included two wildly disparate speakers with no way to balance them, so the audio always feels like it's coming from one side.
Trust me, some wild-ass Pixel 6 hardware fault will emerge in the next twelve months.
It's unfortunate for the users who want to use CalyxOS to achieve a degree of separation from Google. If you purchase Google hardware, you're still financially supporting the company to some extent.
Also, while the Pixel 6 (non-Pro) is competitively priced for its hardware features, I don't think the Pixel 1-5 (excluding the A-series phones) were the best-value products on the market at their launch prices. CalyxOS users would benefit from having support for high-end devices that are a better value for the money, and for entry-level devices for users with limited budgets.
CalyxOS does support the Xiaomi Mi A2, but the device's 4G band coverage is limited in some parts of the world, and the support seems to be expiring immediately after this update: https://calyxos.org/docs/guide/device-support/
That's right. High-end Pixel phones (especially Pixel 1-3) have tended to depreciate quickly and become good secondhand buys after the first year. This is more valuable for LineageOS, which sometimes supports devices long after the manufacturers drop support, than for CalyxOS, which ends support within a year after the manufacturer support period ends. The Pixel 6's 5 years of vendor security updates might make it more attractive for CalyxOS as a secondhand device, if it depreciates at a similar rate.
I don't think so, because a lot of the magic is in the software itself, not the camera. There's an excellent article about what this software does to the image to make it look better, or make it seem to have properties it doesn't have, with post-processing.
GrapheneOS is working on a new camera application. While it is still under heavy development and based on alpha Android APIs, it's already very usable with much better image quality than any other camera.
As I understand it, Pixel phones do image processing in hardware instead of in software so CameraX can provide the same level of image quality as Google Camera.
I have not run CalyxOS, but on my Pixel (in my opinion), Open Camera using DRO already provides much better quality images than the stock camera app for most conditions.
Can OpenCamera take a photo of a flickering sign? It seemed to me that it would wait forever for an image to stabilize before taking a picture. It's a great app for a classic way of taking a photo, but all modern smartphone camera applications capture everything 100% of the time and only apply some ML and pick the best shit out of the samples collected around the time the shoot button was pressed. I tried to live with OpenCamera for ages, but it's very slow to operate and doesn't support my wide angle camera at all. Its low light performance is poor and it is very slow even in the best of conditions. And it was buggy very often. 3/10, sometimes pictures were made, most often in a frustrating manner.
It is definitely slow in DRO mode. I have not had it act buggy on me. When I could use it from intent on android 10, it was far less buggy than the google camera app, which does not work well with intents - reopening without sending picture back on confirmation often, etc (although there have been some improvements on that end in recent updates).
I am talking about google camera app that came out of the box on my pixel. I take a few hundred pictures a day for work, I am forced to use it due to their stupid intent policy on Android 12, and I frankly hate it.
Yes, it should (as much as you can expect apps to behave correctly between phones - there are still quirks in some more hardware-dependent APIs). I don't think they actually do anything that would break their compatibility.
I can see a lot of comments all asking to explain what some see as an incitation or inflammatory or what led me to label the previous discussion as "scary". I'll respond here.
What's scary is when a developer becomes convinced that a conspiracy has been concocted to brigade and attack their project. I was accused of being an agent of the other side, as were a number of others. All of that happened within that thread. You need only scroll through.
After the lead developer's response, I investigated for myself and found GrapheneOS' own Matrix channels hotbeds of this same conspiratorial thinking. Regular purges were done to eliminate anyone remotely critical of the project. It got so bad that the member lists of both projects' Matrix channels were compared and anyone found to be a member of both sent a warning to pick a side or be permabanned.
That behavior inside a community is not healthy. I don't think that discourse is healthy.
I am all for technical, compassionate criticism of a project. One that allows or leaves a door open to further, good-faith, discussion. USA-RedDragon's critical analysis in this very thread [1] is a great example.
No one should use particularly high stakes as an excuse to treat other human beings poorly. Linus Torvalds, once infamous for this sort of behavior, realized it for himself and the rest of us can too.
These two projects would be so much stronger if they discussed technical disagreements without going nuclear. I hope that can be done someday but until then these arguments are best done outside Hacker News threads, which are encouraged to foster thoughtful and substantive discussions, not cater to delusory fantasies of paranoia.
Please link to the comment where you were accused of being an agent. To be blunt, your comment [1] was the start of any personal attacks in that thread and derailed a conversation that reads as very reasonable technical clarification/critique. The parent comment [2] is in no way "nuclear" and describes important features that should be considered when making an informed decision around security/privacy-oriented OSes.
IMO, the fact that your original comment here was flagged while RedDragon's was not should suggest what constitutes good-faith and healthy discussion.
I felt it was important to get ahead of what was a really awful experience last time so I did. I don't know if it was the right move because I don't have an alternate reality to compare against. But I'm glad good comments surfaced!
You are missing a lot of dead comments from that thread, one of which [1] even speaks to those dead comments accusing people of being in cahoots with an invented enemy. I'd say the most damning of comments preserved is [2] where the lead developer of GrapheneOS names Calyx's Nick as leading what amounts to a brigade of death threats against him personally.
This reads to me as if you want to start a flame war, despite the kumbaya sentiment.
Your citation is accusing the lead developer of GrapheneOS of acting in bad faith. While I agree they're opinionated (based on this and other observations), I don't believe they've ever acted in bad faith.
PS: for what it’s worth, I’ve supported Calyx namely for their services, whereas I support GrapheneOS as an Android replacement.
I was just thinking about how public disagreements and arguments are a really effective way of actually moving knowledge forward.
There is more interesting and useful info in the comment thread in your link than this page. You call it a flame war. I don't. They could have been a bit more "good faith" but it was extremely valuable and not very "flamey"
I followed your link. Which parts of that discussion there count as a "flamewar"? Your post reads more like an incitation/provocation to me and not like a desire to encourage good faith discussions.
Valid critique and explanation of crucial technical differences between commonly compared projects is neither scary nor the start of a flamewar. This comment is far more inflammatory than anything that Micay wrote in the linked thread.
It's important to be highly critical of and precise when talking about security and privacy oriented projects since the stakes are particularly high. Any discussion around technical choices and their impact on security and/or privacy does not diminish the work of project developers or call into question their effort and abilities.
I think the issue is CalyxOS has gone so hard on shitting on and harassing Graphene that they feel the need to defend themselves every time it's mentioned. And it's my understanding that CalyxOS people have been gaslit into thinking it's the other way around - either way, it does seem to usually lead to flame wars... And that should probably stop.