Should we be concerned about Iode OS?

I recently heard about Graphene OS leaving France due to problems. As I understand it, Iode is also based in France and new laws are requiring back doors into devices. Should we be concerned?

4 Likes

Yes, never do anything suspicious when using technology no matter the device or the measures you have taken. The more precautions you can think of the more you get into the crosshairs as you are included in a very small group of people who take those precautions.

2 Likes

Isn’t that the point in open source?

Is Graphene open source?

Go get the source code, vet it, then build an OS.

No back doors.

How about it Rob?

3 Likes

Also Rob designed the hardware.

They can only play tricks through the phone side like your carrier or Stingray and then only to spy on phone calls and conversations and location by triangulation.

AFAIK :slightly_smiling_face:

3 Likes

I wouldn’t put too much stock in anything Graphene says [with regard to this, yet]


3 Likes

I’m always concerned.

From my understanding, the law affects phone manufacturers. Graphene was looking to partner with a “major oem” to sell their own phone. In which case, they would be subject to any laws that pertain to phone manufacturers (I’m being overly general here, no Graphene won’t physically make phones etc., but you get the gist).

1 Like

Well, it looks like Graphene is open source. But it isn’t that simple. The source code is spread around various repos and there are bound to be some drivers that are proprietary. There’s the vulnerability. I bet Rob had to use some proprietary drivers in the Brax3, even though the team may have tested them as well as they could.

Just saw a video for an UP phone. I liked the battery disconnect switch and built in VPN without logging. I think it would be easy to fit one on the Brax3 as the battery is replaceable.

3 Likes

I am not advocating using Graphene OS. This is just an illustration of how difficult it is to make something really TLA proof. Or even big tech proof.

GrapheneOS describes itself as “a non-profit open source project” focused on privacy and security for Pixel devices. Its code is based on the Android Open Source Project and adds its own hardening and privacy features.

The project hosts its source across many repositories under the GrapheneOS organization on GitHub, including forks of AOSP components and GrapheneOS-specific code. The official site’s “Source code” page explicitly states that GrapheneOS is an open source project with an open development process.

GrapheneOS runs on Google Pixel devices, which rely on proprietary firmware and hardware support packages for components like the cellular modem, Wi‑Fi/Bluetooth, GPU, camera, and secure element. Those vendor blobs and firmware pieces are closed source and are required for the hardware to function, regardless of which Android-based OS is installed.

The GrapheneOS project focuses on hardening the open-source OS layer while compartmentalizing and restricting those proprietary components as much as possible through sandboxing, permission controls, and exploit mitigations. Project maintainers explicitly acknowledge that some proprietary code is unavoidable with current phone hardware and design the system to limit what those components can access and how much damage a compromise can cause.

Cellular modem and baseband (for calls, SMS, mobile data) use proprietary firmware and driver libraries supplied by Google/SoC vendors.

Some lower-level pieces (e.g., kernel portions under GPL) are available as source, but the critical firmware and many device-specific libraries remain closed, making full hardware operation dependent on vendor binaries.

So this was the challenge Rob faced. But being Rob, he worked to minimise the impact that badly behaved drivers have on the Brax3. The iode team are still working to improve the very specific circumstances of many varying combinations of user/carrier/country.

Privacy is the focus of the Brax3 and it does very well at that.

2 Likes

@Eric even Pinephone original uses a camera binary driver, a WiFi binary driver and the modem ADSP binary blob though the modem is connected through the USB and can’t access the main system. Commercial technology of such complexity is just for fun and to help you do some things especially if you are disabled or in some other difficult situation, it’s not some kind of revolution though the social media can act to some extent like that.

2 Likes

Mycenius, with all due respect, unless you can back up your assertion about the people behind GrapheneOS lacking credibility, I think your statement is kind of a cheap shot and unworthy of a person with your standing in this community.

How have you been directly harmed by GrapheneOS? Or are you choosing to side with those who have some sort of bone to pick with the GOS side of the custom ROM community but you yourself have had no direct interaction with them? In that case, you are simply spewing based on hearsay.

In my opinion, one does not need to choose sides with one Google alternative against another. This tech is not a religion; it is a tool.

3 Likes

Yes, as Eric said above GrapheneOS is open source at least as much as can be when made for a Google Pixel phone. I hadn’t looked into/found details on the French laws that triggered them leaving so I don’t know if it is all open source development that is threatened (as they mention/claim) or only phone manufacturers. Hence my asking. I am certain Rob has a swap strategy should it be required. He has mentioned the OS might change to LinuxTouch in the future anyway. Personally though, I am not going to do any Iode OS updates for now (and I like to wait anyway for larger numerical updates which usually have more bugs/issues in the short term).

Another interesting aspect was the IodeOS forums were down citing a security lockout when I originally posted this. Likely coincidence of a tech issue, but one that raised an eyebrow nonetheless.

As for comments about the GrapheneOS project, Rob has mentioned some aspects on his channel regarding it. I won’t go into them but there have been issues to the extent he had called it a ‘dead project’.

2 Likes

Google had delayed the release of Pixel source code for 2 months but now it’s all public I think, so for the time being Graphene can continue because it has some modifications in the kernel.

You can already run Ubuntu Touch on Brax3, I have used Linux distributions extensively for years on Pinephone and they’re just like your desktop. The only problem is that you can’t run Android apps directly so you’ll need the Waydroid emulator.

Of course any other distribution like LineageOS can be ported to Brax3 if you want to escape iodéOS; since it is itself actually LineageOS, it should be a matter of hours to port it.

3 Likes

Which law is that? There is no official law as far as I know.
Not that law enforcement haven’t bent the rules to pressure privacy focused projects before.


There are a few reasons why projects like iodeos, e/os/, lineageos, etc. aren’t getting pressured. There are some patterns that law enforcement looks for when targeting projects (related to the product, distribution, marketing, and governance of the project). When a project ticks those boxes, it becomes a target. It’s been widely documented over the years - there’s been quite a few projects getting shut down.

I won’t go into details as I don’t want to insinuate anything about other projects not part of our partners ecosystem.

2 Likes

Why does a project have to be more than a repository?

Something like pirate bay that just jumps from server to server without a legal entity behind it.

3 Likes

That wasn’t exactly what I was meaning, so fair enough I guess. I have slightly expanded the comment for better context. My point being the moving of servers and ‘claims’ by Graphene are just opinion on their part, with a touch of drama, and it’s just their interpretation of what may happen, there are insufficient hard facts that support that opinion.
It’s still unclear IMO what that law will do and who it affects.

Nope. Don’t get me wrong, I have no issue with GrapheneOS ‘technically’ - I in fact had originally planned (way back at start of 2024) to be changing, or have changed, to Graphene and a Pixel device by now. However after much research, lurking, and monitoring, other matters eventually concerned me around doing that; so this is the reason I am here instead, with iodéOS running on a BraX3 (and also a Pixel).

Absolutely. But I suggest you are saying this to the wrong person; and should instead be doing so to a certain person(s) who regularly expresses the exact opposite of these values you espouse.


EDIT: P.S. case in point example:


and just to reinforce the point (do note there is some satire in this thread along with actual facts and the serious discussion):


and in particular:

3 Likes

Is it just me, or is there a lot of distrust and rumor mongering within and about the digital privacy community? I’ve heard a lot of bad things about the Brax3, for example, but haven’t encountered any of it myself as a customer. There seem to be ill reviews and rumors surrounding Proton, Graphene OS, now iodeOS, Firefox, Duckduckgo, and a ton of vicious rumors and reviews about Rob Braxman and his products. Not all of them are founded, and there’s plenty of counter info out there telling me that these things are just fine. It’s to the point where I am getting skeptical of the skeptics, if you know what I mean.

Where is the litmus test for telling who’s right, who’s wrong, who’s a shill, who’s repeating someone else’s shlock, who’s making stuff up, who’s a bad actor sowing distrust within the privacy community deliberately for big tech (I wouldn’t be surprised if this was actually happening, and suspect it is), and who’s actually selling “snake oil”? Just how much homework do we have to do here, how do we do it, and how do we make sure we’re not being lied to or lying to ourselves?

I ask these questions because it seems like there are no professional standards when reporting on digital privacy, information and counter-info feels like it’s coming out of a rumor mill rather than vetted sources, and I just about need to have a PhD in software coding AND a private investigator’s license (or degree in Investigative Reporting) with several years of experience just to get to the bottom of it all myself! I’m not just asking for a reliable source, but reliable methods of verification so that I can deal with the veritable fire-hose of misinformation that seems to be swirling around digital privacy.

4 Likes

As a Frenchman who left France over government intrusion, I have no comment on Graphene or Iode. My software experience was in another domain. But a large factor in my decision to get my family out of France was direct (amicable) contacts with high-level members of military and law enforcement. What I learned alarmed me.

France cannot be trusted. I tend therefore to agree with any organization which leaves.

3 Likes

The situation is very simple and you don’t need any expertise.

The whole technological and internet infrastructure has been built by secret agencies, governments, big clubs and trusts.

This means that they can intercept, they can infiltrate, they can bribe, they can confiscate, they can ban, they can jail, they can kill.

Under the above perspective the notion of “privacy” can be a funny toy to obscure the access of 3rd parties to your regular internet activities but if you’re thinking of something that can land you in jail then you should assume that they know it before you make the thought by yourself.

The most common of their tricks is to build a controlled opposition by themselves or buy it out when needed.

In conclusion consider technology and privacy as an interesting and funny hobby which offers an unlimited diversity of research areas from chip manufacturing up to high level programming but nothing more than that.

2 Likes

That’s not really what I was asking about. I’m aware we can’t hide from “Big Brother” once the eye of the panopticon is turned on us, and I wasn’t asking about anything illegal. I was asking about the trustworthiness of these smaller companies offering privacy tools, the trustworthiness of the people reviewing them, and how to verify what people are saying about themselves and each other.

1 Like

You can’t verify anything, everything should be considered potentially compromised someway, use it for fun only.

1 Like