by fensgrim 996 days ago
With GrapheneOS targeting whatever Pixel as their only primary device (not going to go into whole GSI/DSU thing), there's a "lucky" coincidence of TWRP for all Pixel devices I had (3 to 7a) being broken (keymaster, userdata).

So, if you wanted to add GApps to pre-"Apps" Graphene, it involved either repacking the system image, or building your own copy of the OS with OpenGApps (had to do it once to get a specific e-sim app working iirc). Can confirm that either way was fine, so it was possible to get GApps on Graphene back in 2021, nobody bothered with it though... what happens next: someone decides that they want to make it nicer for users and goes there by making yet another appstore.

With CalyxOS, it's possible to do the same thing:

- get the sources
- remove microg packages (pity. They really do maintain and test their own fork, meaning less login issues, etc)
- add OpenGApps (or Revanced's MicroG)
- run the build, wait 2 hours, flash it

Now... there's no such thing as a "GApps compatibility layer" in Calyx. Yet, there's no difference in user experience - none of my daily apps are/were broken on either Graphene+Play services from their store, stock CalyxOS+MicroG or on Calyx+GApps. (Except last time I used Apps on multiple user profiles, there was a lot of trouble due to different versions being installed iirc)

Taking privacy concerns into account, there might be some difference... but once more, going through gmscompat code, I see mainly hacks about letting this app pop up this activity this time, faking this permission that time, etc [1].

Yes, there's a layer that isolates some calls, but I just cannot see how it's supposed to alter user experience. Now, spinning up an isolated "sandbox" (which is likely impossible, as the IPC/binder/shared data and services model is fundamentally broken anyway) with just a couple of apps on a separate Google account - all restricted from having access to sensors, etc., having device IDs spoofed and having separate network isolation - would be a real game changer, but it's a niche need, with semi-available solutions (sandvxposed, vmos, waydroid on docker on android), and it would likely violate every line in Play Services' TOS, meaning it won't happen on a public OS.

Calyx cares about their users in a kind of a quiet way, yet there's a ton of activity on their tracker.

GrapheneOS cares about giving privacy to more users I suppose, so that explains their marketing strategy and parts of their code being what they are (hardened libc? definitely cool. Yet I've not seen any public exploit that could bypass e.g. stock AOSP's libc with _FORTIFY_SOURCE since 2015).

End user experience though? No real difference, thus no superiority. And people in need of "hard" sandboxing would just buy a box of burner phones anyway.

1. https://github.com/GrapheneOS/platform_frameworks_base/commi...

P.S. What about that SafetyNet certification on either OS?


> End user experience though? No real difference,

There is a huge difference. You create a work profile with gapps, route it through a vpn and everything just works.

On calyx with its microg even notifications aren't working reliably.