| > open-source means auditable privacy This is what that auditing actually reveals: * /e/OS sends user speech data to OpenAI without consent [1], and thought this was ok until they got caught [2]. * /e/OS massively delays security patches, and calls this a "standard industry practice" [3]. Meanwhile, GrapheneOS' opt-in security preview releases provide early access to security updates prior to official disclosure [4]. Also see [0] (Security update speed) and [7] (WebView being 40 security updates behind). * microG downloads and executes proprietary Google binaries in a privileged environment [5] [6]. You can obviously not audit these, nor should this count as "degoogled". * microG still phones home to Google by default (android.clients.google.com for device registration check-in, mtalk.google.com for FCM push, firebaseinstallations.googleapis.com for SIM activations) [7]. [0] has a comparison of popular privacy and security-focused Android-based OS, which paints the whole picture. Privacy-friendly does not necessarily mean secure, but in this case "privacy-friendly" is quite a stretch already. [0] https://eylenburg.github.io/android_comparison.htm [1] https://grapheneos.social/@GrapheneOS/114880528716479708 [2] https://community.e.foundation/t/clarification-about-voice-t... [3] https://community.e.foundation/t/e-os-and-security-updates/7... [4] https://discuss.grapheneos.org/d/27068-grapheneos-security-p... [5] https://github.com/microg/GmsCore/blob/e19a9985204ec8329c1d9... [6] https://github.com/microg/GmsCore/blob/e19a9985204ec8329c1d9... [7] https://www.kuketz-blog.de/e-datenschutzfreundlich-bedeutet-... |
https://gitlab.e.foundation/e/os/GmsCore/-/blob/a9e102567518...