[nosedief]

neither of the two are great. MicroG stands in conflict with Android's security model by spoofing Google app signatures and being a deeply privileged app compromising the whole system's security.

CalyX has is constantly harassing and bullying other privacy-focused projects, causing incredible harm to the privacy and security community. It also has been missing updates for 4 months recently, making it a terrible choice for anyone.

[toastal]

> Wait, on their FAQ page I see that they don't want to include the patch for security reasons. Is this ROM unsafe?

> No. LineageOS' developers decided not to include this patch for various reasons. The signature spoofing could be an unsafe feature only if the user blindly gives any permission to any app, as this permission can't be obtained automatically by the apps. Moreover, to further strengthen the security of our ROM, we modified the signature spoofing permission so that only system privileged apps can obtain it, and no security threat is posed to our users.

LineageOS for microG FAQs (https://lineage.microg.org/)

[h4waii]

This should be a show-stopper for anyone considering microg.

https://github.com/microg/GmsCore/issues/1567

Security is an afterthought for most Android distributions and most software built around them. I went from years of self building AOSP and LineageOS, and after a long hard look at why I was doing it, I stopped and installed GrapheneOS.

While it's an extremely opinionated project and borderline hostile, I trust the developers to do things correctly and will continue to use and recommend for security-conscious individuals.

[toastal]

I wish Pixel devices were easy to acquire in my country or I would have considered this. I was actually looking at it yesterday for my girlfriend's new phone.

[dmw_ng]

> deeply privileged app compromising the whole system's security

doesn't this also describe Google Play Services?

[jhoho]

> CalyX has is constantly harassing and bullying other privacy-focused projects, causing incredible harm to the privacy and security community. It also has been missing updates for 4 months recently, making it a terrible choice for anyone.

You actively harass and bully by not providing any sources for your claims. That's bad for an open, fact-based discussion and is opposed to how I percept the community. What are your claims based on? Can you provide any sources? As far as I know, CalyxOS tries to maintain a quite neutral temper: https://www.reddit.com/r/CalyxOS/comments/pmguwi/grapheneos_...

You can read the details of CalyxOS' implementation of microG here: https://calyxos.org/docs/tech/microg-details/

> Made the permission signature|privileged so only system apps signed with the right key, or privileged system apps with an explicit allowlist for this permission can use it.

> Hardcoded the signature to be spoofed instead of letting the application specify it.

> Only allowed the microG packages, GmsCore and Store to spoof signature. Both of these are included as system apps on CalyxOS so simply checking against the package name is enough.

That doesn't sound like that much of a risk to me. Esentially, it's a tradeoff between privacy and usability that microG tries to solve/soften. For example, it came in handy, when standalone Open-Source implementations of Google's contact tracing approach weren't available yet. microG quickly implemented it so official apps worked.

[kornhole]

Check out GrapheneOS.org. You can optionally install a sandboxed Google Play services. I want CalyxOS to survive, but they are falling behind security updates.

[jhoho]

Can you provide any sources of CalyxOS not implementing security patches?

This shouldn't be too hard as the OS is based on AOSP and there are employed Devs working on it as you can read in the Calyx institute's annual report: https://calyxinstitute.org/documents/2021-calyx-annual-repor...

[Wonderfall]

Stock OS ships security updates on the latest major version. It means that you can only get a given patch level on the same version for a given device. CalyxOS wasn't rebased on Android 12 until fairly recently. As of January 2022 (prior to the Android 12 release), their vendor patch level was 2021-10-01 which means that at the time the OS was roughly behind 3 months in updates.

They were also shipping an outdated version of Chromium (v94) during the same period (this is important since Chromium distributions for both CalyxOS/GrapheneOS are updated through OS updates - and Chromium is whitelisted by the OS to provide the WebView, even if you happen to use another browser). Considering their userbase is privacy/security-conscious, I think they should've been aware they were more vulnerable than stock OS for a while.

Looking at their source code it's also evident CalyxOS is increasingly relying on the LineageOS codebase. Not that it's a bad thing (LineageOS has its own goals but they're not necessarily aligned with security-focused projects), but it's worth noting.