CalyxOS (Android ROM)

Update: They said they would test this.

(After discussing in their Matrix room) Calyx doesn’t seem to want to look into this, so I think I’ll just give up on this thread unless they respond. It’s clear that I’m the only one on the team advocating for them anyways, so I guess I’ll leave it up to public opinion and mark this thread as rejected for now.


I agree that their marketing that CalyxOS “cannot be tampered without your knowledge” creates a false sense of security for users, if the reality is that any partition could be overwritten with EDL mode and a special cable, regardless of whether they consider that a “realistic” threat or not.

EDL doesn’t need a special cable at all. It can be accessed via:

  • volume buttons from poweroff (depending on device)
  • fastboot menu (depending on device)
  • when the device crashes/panics (depending on device)
  • shorting pins on the MMC (always available).

An open-source reimplementation tool is here: GitHub - bkerler/edl: Inofficial Qualcomm Firehose / Sahara / Streaming / Diag Tools :)
and firehose (n-stage bootloaders) are here: GitHub - bkerler/Loaders: EDL Loaders

1 Like

That’s something I noticed a while ago, and it really annoyed me when I first saw it.

I also think it’s dishonest to call something a donation when it’s not. Donation has a very specific meaning in a legal/financial sense and is often tax deductible.

I get massive marketing vibes with the whole “German Made” thing.

Which products are allowed to carry the "Made in Germany" label?

When exporting Products from one country to another they often have to be labeled with the country of origin label. Nowadays, many products are the result of a large number of parts that come from many different countries and are ultimately assembled in a third country. In these cases it is not so easy to name the country of origin and there are different rules for determining the “right” country of origin. In general, articles only change their country of origin if the addition of a new material or work step represents a significant change (for example the processing from a wheel to a car). Nowadays most machines and products with the designation “Made in Germany” already have 40 to 50 percent foreign parts. In some industrial plants and systems, it is even 80 percent. Therefore, an increasing number of products are losing the right to officially carry the “Made in Germany” label. Many German companies are now demanding that the requirements for the “Made in Germany” label are lowered in order to be able to use the positive image of the label abroad. Only a few products continue to be 100% “Made in Germany”.

The other thing is the device has a fairly old Snapdragon 845 from 2018 and less security than a Pixel, for example Secure Elements, Titan, etc.

I can see what Fairphone/SHIFT6mq are trying to do, but it’s simply not possible to provide long term support to a phone beyond what the SoC will grant during their support period. These phones are not cheap either. The shiftmq starts at €577.00.

I think the best bet for sustainability is to just buy a Pixel, and if you break it, take it to a repair shop (or repair it yourself if you have the tools and want to take the risk). There are plenty of spare parts and documents around.

Best bet though is to buy a durable case that will likely prevent any accidental damage.

1 Like

The membership cost minus the fair market value of the products is tax deductible, and Calyx Institute is a 501(c)(3) non-profit, I don’t think we have to straight up misrepresent Calyx here to argue against them.

The Google Pixel 7 is available in a mere 17 countries total, so I do see the value in additional OS options for people.

1 Like

I do not think the Fairphone and SHIFT are available in more countries, though.

For other phones more widely available we have DivestOS or iPhone. If none are available, I am not sure what is worse. I mean, if you are in China, is LineageOS worse than any backdoored OS?

Guessing isn’t really constructive here either. I am extremely tired of people in general saying random things on this forum without bothering to look anything up, just because they don’t like something.

Fairphone 4 is available in 34 countries (most of the EU), Shift ships to 26.

I’m aware we have DivestOS on the site:

The page that you linked earlier was outdated.

The Pixel, for example, is also available in Poland, see Google Pixel 7 - Niska cena na Allegro.pl
or Denmark: https://www.elgiganten.dk/product/mobil-tablet-smartwatch/mobiltelefon/google-pixel-7-smartphone-8128-gb-obsidian/525086

Pretty sure you can get it in most EU countries as well. It’s a bit strange that you call me out for this while you didn’t even link something up to date yourself in the first place. I am happy that you updated it, but I still doubt it is complete; many people I know all across the EU have Pixels. This issue I am not familiar with.

My point is that we get messages all the time from people saying “I live in x and can’t get a Pixel” and I’m frustrated that the only solution we offer is a $300-$800 phone which has barely any worldwide availability.

1 Like

Maybe we need to remark more in the recommended section that you could buy/use a phone that is supported by DivestOS in their golden devices section. Just to improve that situation a little bit.

Edit: in the android devices section specifically Android Recommendations: GrapheneOS and DivestOS - Privacy Guides

2 Likes

I think this suggestion of @anon43879818 is a good idea.

And I get your frustration with that, @jonah; it makes sense. I just don’t think these phones with CalyxOS are the solution. They are not available either in countries in Asia, for example, where I think this problem is more significant.

2 Likes

The Fairphone and the Shift are not inexpensive phones either.

5 Likes

For what it’s worth, I would like to see CalyxOS listed if it qualifies. @jonah’s point about referencing a qualifying OS as long as it’s not worse than the AOSP is a good rule of thumb. By not recommending an option, especially when so few options exist, the implication is that the one that’s mentioned is not private enough to be trusted. Instead of interpreting Privacy Guides as being the best options that exist, it can be interpreted as being the only options that one should consider.

To the argument of not wanting to bog down users with too many choices, that doesn’t seem to be bogging down other pages that may list several options to consider. Also, I don’t think increasing the number of options from two to three is going to add too much analysis paralysis.

But also it seems to hinge on whether the security updates keep coming at a good rate.

2 Likes

Would it help at all if there was a reseller that shipped to countries Google doesn’t sell in with a minimal markup? That way we don’t have to compromise on what OSs we recommend, and more people get to use GrapheneOS.

2 Likes

Since this thread is still going, I’d like to point out that Chromium 112.0.5615.101 was released two days ago with a zero day fix and CalyxOS still hasn’t updated to it despite being a simple version bump.

6 Likes

The Privacy Guides website is well developed but I feel its current treatment of CalyxOS is unfair. It contributes towards pitting Open Source projects that respect and promote the privacy of the end user against each other and spreads information that is false about the operating system. I will be making a three-pronged criticism of the Privacyguides.net stance on CalyxOS.

First, the signature spoofing on CalyxOS is more secure than any other implementation across all ROMs since it only works when using microG. No other Android package other than microG and FakeStore can enable signature spoofing, making this feature safe and secure for the end user. This change is open sourced and can be verified on the CalyxOS GitLab.

Second, CalyxOS has more user-friendly privacy features than any other ROM. During install the user is prompted to install a free VPN provided by Calyx, Tor and several other open source apps that add privacy to the operating system. Also, CalyxOS is patched to allow the Hotspot to use the system VPN so connected devices can be secure. And lastly, CalyxOS has a firewall app built in that links the system firewall settings into an easy-to-use application.

Third, unlike its other open source compatriots, CalyxOS only uses open source projects to provide its software support. microG, Seedvault, even the browser are all open source, unlike some of the compatibility features of other open source projects that offer the option to install closed-source Play services.

I hope CalyxOS can be reconsidered as a suggested operating system for Privacyguides. While it’s not hardened like its compatriots, it is more private in many ways and enables user privacy by not using Play services. It also maintains the security model of Android and is consistent with its monthly updates.

I guess the biggest issue that’s been mentioned on the forums before is microG - here’s a discussion from the DivestOS dev on why there’s issues to consider with microG vs GOS’ sandboxed google play.

Also I’m not entirely sure if they still use it (the Calyx website says they do at least, but if they no longer do this point is moot) but the Bromite browser hasn’t had an update since December last year (as per the Bromite GitHub repo), which is Not Good At All considering it’s what’d be used for the webview. Having an outdated browser is really bad and I hope that the site is just outdated and they’ve actually moved to e.g., Cromite.

Providing the provisions to “easily” install private applications is kinda moot when there are issues with that - I don’t have a source for this beyond remembering a discussion from the GOS matrix rooms, but if I’m remembering that discussion correctly, the included apps with Calyx are sometimes outdated. If you have to update the apps basically immediately after installing, then you might as well go to the up to date source anyway?

We’re not here to sell Calyx’s other products.

Blindly suggesting Tor usage without proper thought is not a good idea.

So does regular Android. We think the ‘INTERNET’ permission is more intuitive, and has had fewer issues in the past with bypasses. The main thing is that Calyx doesn’t really run anywhere GrapheneOS doesn’t (except for a couple barely supported devices anyway).

And yes, @pinkandwhite does point out that you might as well install the other apps from their source where they are up to date.

microG is still Google services; it’s just an open implementation that might be lacking at times. It really has no bearing on privacy, however. Also, the Privileged eSIM Activation Application is another reason we prefer the sandboxed Play services approach.

3 Likes

The microG vs sandboxed Google Play services debate is moot because both rely on Google binaries and communicate with Google. But I, the user, trust microG’s open source implementation of those binaries more than I trust Google’s closed source implementation because I can control which apps use microG via an in-app toggle. I can also control whether my device is registered with Google via a toggle. microG also doesn’t send device identifiers afaik, whereas sandboxed Google Play does.

CalyxOS uses their own Chromium fork with the patches from Bromite, now Cromite, added on top, which means the base browser/webview was always secure even if Bromite was no longer being updated.

Your final point about preinstalled apps is moot when considering that even on stock, preshipped apps are out of date and require an update. But usually nowadays they ship the most up to date apps.

2 Likes

Privacy Guides is also not about listing “everything”; it’s about listing the most compelling options, otherwise we would potentially have a list with hundreds of items.

At this point in time, we don’t see a reason to use CalyxOS over GrapheneOS, when GrapheneOS has things Calyx does not, and largely Calyx just has some pre-installed apps.

5 Likes