LineageOS vs. CalyxOS vs. DivestOS

Aside from locked bootloader/integrated microG, does calyxos even do anything really special when compared to LineageOS?

It does do quite a bit more compared to LineageOS, yes. The real question is does it do much more than DivestOS? And the answer is no it doesn’t really, except for now it supports some devices which DOS/GOS don’t.

A good comparison list to get started on your research if you’re interested in digging into the differences:

I’ve seen that list, Let me try to go to the list 1 by 1

1. “Yes, Somewhat” to deblobbed, which confuses me. Because I’m quite sure LineageOS also is in their charter

All maintainers MUST NOT require a modified prebuilt vendor image either in their build tree, or on the Wiki

All devices MUST NOT ship a prebuilt kernel.

2. Network-based NLP: It’s just integrated microG

3. Idk what PSDS is so I’ll refrain from commenting on it, let’s just say this one is a win for calyx for simplicity sake

4. Google Play Services: #2

5. Screenshot metadata stripping: I don’t think it matters all that much, scrambled exif exists if you need it

6. verified boot, calyx supports nowhere near the amount of device lineage does

Which leads me back to my question, does calyx do anything special aside from integrated microG?

1. this means not modifiying/repacking a stock vendor image, but building the image from their own sourced blobs. it does NOT mean deblobbed or compiled from source.
2. Google and Qualcomm also have their own NLP: Play and IZat respectively.
3. I document SUPL and PSDS here: https://divestos.org/misc/gnss.txt
4. ?
5. The screenshot typically includes device software version, exact timestamp, timezone, and a UNIQUE ID, here is the patch CalyxOS made that DivestOS uses.
6. CalyxOS still doesn’t document the verified boot limitations of devices like FP4 or axolotl like DivestOS does: Faq - DivestOS Mobile

1. I know, but LineageOS is also at the very least partially deblobbed. From combing the lineage tree, comparing it to the original vendor blob, and also talking to the devs, the aim seems to be blob minimisation and not complete removal. They don’t just slap random blobs, but also compile from source whenever possible. Perhaps not as much as divest, but saying that they don’t do it is just disingenuous

2. UnifiedNLP is just what a typical microG installation use (eg. this), that’s why I lump it in as preinstalled microG

3. Thanks

4. The difference between Lineage and Calyx in this section is just preinstalled microG

5. That’s why I said Scrambled Exif, which also randomises the file name

6. That’s a point against calyx then

@KDEBacon
A ROM would be silly to use the stock vendor partition and this is why GSIs are bad.

Most ROMs do ship fewer blobs than stock, but both CalyxOS and GrapheneOS ship even less blobs than LineageOS.

One of the main examples of this is all the carrier junk that LineageOS will happily include.

Including spyware blobs from eg. Verizon isn’t deblobbed in my book: https://github.com/LineageOS/android_device_google_bluejay/blob/1155c594916d282ede59e75651e20c4374219abe/proprietary-files.txt#L147-L151

Including invasive analytics to Google that run every boot isn’t deblobbed either: https://github.com/LineageOS/android_device_google_bluejay/blob/1155c594916d282ede59e75651e20c4374219abe/proprietary-files.txt#L26

DivestOS takes it even further to the point of breaking features like DRM, HDCP, HDR, VoWiFi, tap to pay, audio processing effects, carrier multicast, regional specific NFC support (FeliCa), and tons of other junk.

See also how this started (basically Sprint/OMA-DM spyware): On removal of proprietary blobs · Issue #624 · AndroidHardeningArchive/legacy_bugtracker · GitHub

tl;dr the “deblobbing” done by LineageOS should be considered the absolute bare minimum, any system not doing that isn’t on the table

It probably depends on the specific maintainer then, I guess. but that’s a fair point

Not a criticism but I found it funny how you basically nuked 95+% of XDA with that statement alone

I linked bluejay to counter this directly, it is maintained by the same person as under CalyxOS which removes those blobs.

You must understand the bulk of CalyxOS is done by people who were already working on LineageOS for years.
There is considerable overlap, even if CalyxOS is no longer a direct fork of LineageOS.

I mention this, because it directly raises the question why Lineage would include it when the same maintainers remove it under CalyxOS.

Not all maintainer slaps 30+ prebuilt apks on lineage and just call it a day. ngl this is the first time I’ve seen that many

Here are rough blobs counts for LineageOS 14.1 through 20.0, for just the devices I build DivestOS for: gist:6d24901c92cee6f4bb4f11e0a26b0872 · GitHub

(20.0 won’t be accurate as it has been deblobbed as it is currently compiling the December ASB update)

older devices do have fewer blobs, as they typically had less in the first place, didn’t need 32+64-bit blobs, or were removed as they became incompatible with newer versions

some devices in there have few blobs because they rely on the stock vendor image like bullhead/angler, dragon, and hero*lte

some may look low, but only because they have a corresponding -common vendor tree

the count is also just a simple wc -l so it includes whitespace and comments

The gist changed partway through me reading it smh. That aside, is this the amount total, or the amount you removed? Because everybody knows a full open source stack is not possible. So a better comparison is blob count diffs between calyx/lineage/dos

It is total count. I changed it from counting lines in makefiles to lines of bloblists which is more accurate as the makefiles may contain extra or duplicate definitions for building.

Getting a truly accurate count is extremely tedious, comparing even more so.
I used to have a count of how many blobs DivestOS removed on the website, but it was an extreme hassle to maintain: Patch Levels - DivestOS Mobile

and that’s why absolute blob count doesn’t really tell the whole story. Even when you removed a lot of it, divest still also relies on hundreds if not thousands of blobs.

Then my question becomes, why is it when lineage does blob reduction, you call it “the absolute bare minimum”. But when you do it, it’s extensive? Especially when I’m quite sure that the diffs between lineage and stock vendor is far larger than the diffs of calyx/dos and lineage

I’d reframe it to overlooking counts and more so the impact of removing them.

Of the remainder blobs in use (by LineageOS), which are invading privacy or are a hazard to security?

Some examples:

• Qualcomm devices were sending off chipset serial numbers to Qualcomm for years which LineageOS (and others) were all doing until earlier this year, when DivestOS because of its deblobber hadn’t since 2017/2018.
• DivestOS removes Wi-Fi calling because it bypasses the VPN slot and lets your carrier know your true IP address for every access point you connect to.
• DivestOS removes DRM because they collect specific device identifiers and tie them to your identity (eg. credit card of Netflix account).
  • There have also been numerous Widevine security vulnerabilities of which many of the EOL Lineage devices are currently vulnerable to.
    • NVD - CVE-2022-48331
    • NVD - CVE-2022-48334
    • NVD - CVE-2021-0592
    • some added vendor ones
      • NVD - CVE-2023-20700
      • NVD - CVE-2021-25468
      • NVD - CVE-2022-32597
      • NVD - CVE-2018-6246
• DivestOS removes carrier blobs because they (even if they are or aren’t your carrier) don’t need access to your contacts or potentially your more precise location.

Also anything that can be removed should be removed in order to remove risk from known/unknown security issues.
As an example of this take a look at any Qualcomm security bulletin for the proprietary components section, here is a quote from a December one:

It is basically every single Qualcomm device in the past decade+ that is impacted.

So to answer your question of why Lineage is minimal and DivestOS is extensive, is because DivestOS will happily break “features” if necessary to meet its goals.

edit: also because this is going on a while, I hope this information is helpful, please don’t take it as arguing or anything

I feel like you are implying that the initial blob reduction made by lineage doesn’t have an impact. Because there’s a massive difference between “they did nothing” and “it could be better”.

You should probably just say that from the start. Then it’ll be more understandable. Now it’s closer to “Lineage have different goals compared to divest” (also I don’t think my device (gta4xl/vayu) have carrier blobs, that’s what I meant by it depends on the maintainer. I could be wrong on this and missed something though. I think vayu doesn’t include DRM while gta4xl does)

I guess we should go back a bit to the original topic (calyx vs lineage specifically), does calyx do what your examples mentioned? afaik calyx have wifi calling

@KDEBacon
CalyxOS doesn’t, that is why it is “somewhat”, which also answers your original question.

I’ve asked the table author to change the status for LineageOS and derivatives to minimal: Misc Android table updates · Issue #13 · eylenburg/eylenburg.github.io · GitHub

vayu may not have explicit carrier junk (it still has RCS) but it still has nasty blobs from Tencent in the form of Soter, blobs from Alibaba for Alipay, and blobs from Google for hotword triggering: https://github.com/LineageOS/android_device_xiaomi_sm8150-common/blob/3a357b9826d65c4c3497d24eb37e603468def5c3/proprietary-files.txt

Both vayu and gta4xl also include Widevine for DRM as well.

Thank you

Interesting, I checked vayu tree but forgot to check SM8150-common, that kinda sucks then.

Anyway, with calyx also having relatively minimal deblobbing (I guess a bit more on some device as you said, but both still not reaching divest). Back to my original original question

I personally think that if we are going to reconsider calyx on the ground of availability (which I think we are). Lineage would generally be a better fit for that role

(or maybe you could automate rebuilding every official lineage device to divest and we can just not consider calyx/lineage on PG) /halfjoke