GrapheneOSJul 23, 2025

Information from the privacy and security researcher who founded the divested projects on the insecurity of /e/OS including hard data on update delays and skipped updates:

Issues with /e/OS: https://codeberg.org/divested-mobile/divestos-website/raw/commit/c7447de50bc8fadd20a30d4cbf1dcd8cf14805a0/static/misc/e.txt

ASB update history: https://web.archive.org/web/20241231003546/https://divestos.org/pages/patch_history

Chromium update history: https://web.archive.org/web/20250119212018/https://divestos.org/misc/ch-dates.txt

Chromium update summary: https://infosec.exchange/@divested/112815308307602739

For the Chromium update summary from July 2024, note 128/135 was shipping each update on a given update path. /e/OS only shipped 12/135.

Show threadsuomynona1405
@GrapheneOS I wish the people would realise that privacy ≠ security. If they want both they need a Pixel phone with your custom rom.
Jul 23, 2025 at 5:14amMastodon for Android
Show threadBatiste ⁂Jul 23, 2025
@suomynona1405 @GrapheneOS well, security is a superset of privacy. I guess you really could call privacy "information security". You can't have your information secured (spoiler: the best way to secure information is to have no information to secure) unless you have broader robust security.
So saying "we secure your information (as in privacy) but also we're not security focused" makes no sense.
Privacy is not a secret third thing, it's applied security.
Show threadGrapheneOSJul 23, 2025

@batist3 @suomynona1405 The purpose of security for an end user is to protect their privacy. It's a huge part of providing privacy.

The delayed and skipped patches along with many other issues covered in the documents above are both privacy and security issues. The patches are fixing both privacy and security issues. Many directly fix privacy issues while the rest are protecting privacy through fixing security issues. There's no clean line between them. Security is not a separate topic.

Show threadGrapheneOSJul 23, 2025

@suomynona1405

> I wish the people would realise that privacy ≠ security.

/e/OS is severely lacking in both privacy and security. Many privacy issues are documented in the linked list of issues with /e/OS. The patches which are regularly delayed for long periods of time for both the OS and browser engine are privacy and security patches, not specifically security patches. Privacy also depends on security. Security vulnerabilities are important because they're privacy vulnerabilities too.

Show threadGrapheneOSJul 23, 2025
@suomynona1405 GrapheneOS is an operating system, not a custom ROM. It's an inaccurate and misleading term which has never been how we refer to GrapheneOS since we started in 2014. The correct terminology of OS is what should be used. GrapheneOS is a fork of the Android Open Source Project and is software running on the device. It ships firmware updates but is not firmware itself. GrapheneOS and the firmware it ships are installed on an SSD. It's verified cryptographically but not read-only.
Show threadsuomynona1405Jul 23, 2025
@GrapheneOS ah alright, OS then, not custom ROM. My bad^^
Show threadGrapheneOSJul 23, 2025
@suomynona1405 It's fine, we're just providing information. There are ROMs on the devices but those are much lower level components than GrapheneOS. Aside from that, GrapheneOS is not inherently an aftermarket OS (custom) but rather can be the stock OS on a device. It's an aftermarket OS for Pixels but we're working with an OEM towards them selling it on their devices and we've been in contact with multiple other OEMs about it. It's just most couldn't meet our security and update requirements.
Show threadsuomynona1405Jul 23, 2025
@GrapheneOS thanks for the explanation, that makes is clear for me - So I can accurate talk about GrapheneOS when providing informations to other people:)