GrapheneOSPositon (https://positon.xyz/) is a geolocation service closely tied to a group of people targeting our team with harassment. We urge people to avoid submitting their sensitive location data to this service. People involved in it have supported doxxing and swatting attacks.
They intend to lock people in to the service by keeping a lot of the data proprietary. They've repeatedly talked about locking people into it and avoiding having alternatives to it. Their priority is having control and ownership of data while sabotaging decentralized approaches.
rock eater@GrapheneOS do you have a source for these doxxing, swatting, or lock in plans….?
@GrapheneOS or the security claims about eOS either? i cant find any information about it online
Look at the DivestOS site and particularly the posts by SkewedZeppelin (security researcher and lead developer of DivestOS) about /e/OS on their forum and elsewhere.
You can find lots of information about it online beyond that. You can easily confirm that they're consistently way behind on security patches for the OS and browser, set an inaccurate security patch level, downplay it / mislead users about it and massively roll back security beyond how much LineageOS already does.
@GrapheneOS yeah, no, sorry. This is not a source. I asked for a source and you basically responded with “look it up”.
Just because you’ve given me more instructions on what exactly to look up (in this case the security researcher) that doesn’t mean you’ve provided a source. That’s like if someone comes up to you and starts parroting some random political talking point and when you ask where they heard this they just say ‘Biden said it in 2023’.
That’s not a source, it’s a guide to find more information.
@kali We're speaking about it as a privacy and security research/development project with a long history of discovering vulnerabilities and working with upstream projects. Our statements are based on the /e/OS source code and their public statements including marketing. You can confirm which Android version it's based on which patch level is provided for different components, and how they present that to users. It's completely verifiable information. Do you want us to link to a bunch of it?
@kali This shows how quickly operating systems ship the Android Security Bulletin patches for the Android Open Source Project, which is a small portion of the overall security patches. Around half of the important patches are for firmware, drivers, HALs and the Linux kernel which are not automatically obtained by applying these patches:
https://divestos.org/pages/patch_history
This shows /e/OS consistently lags behind around 1.5 to 2 months on this easiest portion of the patches. That's one part of it.
@GrapheneOS This is useful. Thank you.
@kali There are also the firmware, driver, HAL and Linux kernel patches. This is where /e/OS lags far more behind even on devices where these are available. They're often quite literally years behind on these patches. They claim to have patch levels requiring these patches which are not included, misleading users. They downplay the impact of what's missing. They largely support end-of-life or badly maintained devices where patches are unavailable, but are bad at shipping them when they are.
@kali The full Android Open Source Project security patches require being on the latest release, which /e/OS is not. They lag at least a year behind on yearly OS updates, and the monthly/quarterly updates are only for the latest major yearly branch so they can't provide them in practice. Moderate and lower severity patches including most privacy patches are part of these releases. You can see the Android Security Bulletins only list High/Critical, which is what gets backported, not all of them.
@GrapheneOS my apologies if it wasn’t clear, but my previous post asking for sources was also referencing to your claims of doxxing and harassment- which would have required it’s own link.
It seems unnecessary to provide links to their source code because, as you said, it is already verifiable. Graphene and e/OS/ seem to share different visions. I am ending this conversation now, it’s late in the evening for me.
@kali They were just creating sockpuppet accounts on our forum today engaging in libel targeting our team and spreading misinformation in response to our post about this location service which they don't want people to know is tied to them. It's likely verifiable that it's Gael Duval himself doing it if mastodon.social cooperated and confirmed if the IP address used on our forum matches, if you can convince them to check that.
We have previous posts about their past attacks on our team members.