digitalcourage.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
This instance is operated by Digitalcourage e.V. for the general public. So that we can do this sustainably, we charge an annual advance contribution of €1/month via SEPA direct debit.


#calyxos


OK, definitely time to ditch stock Android again and get a custom OS like #grapheneOS or #CalyxOS. Calyx isn't listed in this hack review, so maybe it's compromised or maybe not. It was my preferred OS for a couple of years, and I liked it, but if it's vulnerable, then no.

arstechnica.com/gadgets/2025/1

Ars Technica · Leaker reveals which Pixels are vulnerable to Cellebrite phone hacking · By Ryan Whitwam

After a long phase of weighing things up, I have now stayed with Android after all because of the #calyxosupdatepause and have installed #GrapheneOS. New for me: flashing the phone via a WebInstaller in the browser. That has become really very easy. The OS itself feels very similar to #CalyxOS, if not a good deal more secure, and makes a very good impression. Of course, there remains the overly long phase until everything runs again the way it did before. But I am satisfied 😊

Does anyone have experience of migrating from #CalyxOS to #eos?
I need to switch because there won't be any more security updates for my current CalyxOS. I'm using a Fairphone 5.
Would a Seedvault backup and restore work? Do I need to restore stock in between?

since i know a lot of former #calyxos users are reasonably considering switching to #grapheneos (or already have), here are some tips for navigating their community:
* never question project leadership.
* never question security or privacy features or implementations.
* do not associate with any projects or individuals that they hate-stalk around the internet.
* no criticism, even constructive.
* make peace with the potential for baseless accusations and smears.

these tips are also useful for oems. 💕

Replied in thread

so, while there were other things that influenced my decision to resign from #calyx, in the end, the biggest were the on-going outrageous behavior coming out of the engineering department, and a failure of leadership to do anything meaningful about it. although i deeply respect the #calyxos team and the many great folks at the institute, unfortunately, until/unless something is done, i cannot support calyx, and i cannot recommend donating to them right now. (9/9)

Replied in thread

none of this even delves into the #calyx engineering director's endless gaslighting, predictable derailing of discussions and decision-making, hoarding of access and information, attempts to delay / sabotage the revival of #calyxos, and apparent eagerness to direct $10,000's of member donations toward goods and services from the warmongering likes of AWS and thales. those would warrant threads of their own. (8/9)

Replied in thread

some may think, "i don't mind if #calyx moves my name, email, address, etc to vultr. it's not like it's AWS" - or "this is why i never share any personal info that i can't afford to be leaked anyway". but in my mind, given that calyx has hosted its own services for years - VPN, tor exit nodes, #calyxos release server, etc - i think people have come to expect this and to hold them to a higher standard for data handling and transparency. it's your data. shouldn't you know who has it? (7/9)

"My reading of the privacy policy is different from yours."

i want to elaborate on why i left #calyx / #calyxos. (everything in this thread is my opinion or interpretation.)

while there were many factors, the breaking points for me were a non-consensual transfer of members' personal information to a third-party server, a total lack of notification, and a ridiculous defense. the following messy posts will continue my perspective and recollection of this particular event. (1/9)

@mason

allegedly, and from my perspective as a former calyxos employee (i do not represent them)...

the founder was the keeper of the signing keys, and has stated this publicly. when he separated from the institute (which is a whole other story), he didn't give the signing keys to the institute in a timely manner, if at all. although there was no evidence that the keys had been compromised or accessed from outside the organization, there *was* reason to believe that they had not always been handled in a secure manner (which is yet another whole other story). also, because these were key *files*, and probably not even protected by passphrases (but i don't know), copies were always *possible*.

the OS team decided to only release updates signed with *fully* trusted keys going forward, that were not subject to unauthorized copies. the OS team has been working on a hardware security module-based solution for signing. the exception to this was one last update to inform users about this situation, to the extent permitted by comms folks. this was facilitated by eventual cooperation from the founder.

that being said, i do not myself believe that there is any actual risk today associated with using a build signed with these older keys, apart from it not having the latest updates. but i also support switching to new keys that are better safeguarded, and i can't guarantee there wouldn't be a risk associated with these older keys in the future.

there is more to know as well, but too much to write here. still, it is false to say that the calyxos team doesn't want you to know this.

source: i worked on #calyxos while all this was happening. i no longer work for #calyx. and this is all just alleged, based on what i experienced and was told. i never signed an NDA 🙃

on september 30, i stepped down as a developer for the #calyx institute.

i am proud of everyone on the OS team, who all pulled together and showed so much dedication to #calyxos and its users, despite the last few months' challenges.

still, in my opinion, calyx has a lot of work to do to rebuild trust, both inside and outside the org. i have a few starter ideas: listen to your workers. act swiftly on bad behavior. and don't shield the men who engage in it from consequences. ...repeatedly.

i'm so tired of it. people deserve better.

You can contribute to the #freesoftware movement even if you don't know how to write #code. Here are some practical examples:

1. @beacondb & #Neostumbler

BeaconDB is a community-driven wireless geolocation database that serves as a replacement for Mozilla Location Services (MLS), which was discontinued in March 2024.

Why is this project important?

Because #Google collects extensive location data tied to user accounts for advertising and profiling (even if you turn off location history). Google doesn't understand consent, what a surprise! :blob_rollingeyes:

BeaconDB will provide privacy friendly geolocation, allowing #degoogled #android ROMs like #CalyxOS and #GrapheneOS to be used without relying on Google (Google's location services)

Neostumbler is an #opensource android app that collects geolocation data from wireless signals such as Wi-Fi access points, cell towers, and Bluetooth beacons. NS does not collect personal identifying information, only anonymized wireless signal data, and it can be turned off at any time. (can't say the same for Google)

You can start contributing to BeaconDB simply by downloading and installing NeoStumbler, enabling GPS, opening NS and starting a scan, then walking or driving. After you cross a certain distance, you'll see some generated reports; press upload to upload them all (you can also go to settings and enable automatic uploading in the background).

If you want to volunteer and help us free our phones, laptops and smart watches from corporate ecosystems (like Google's location services) and achieve digital sovereignty in the aspect of geolocation, take a look at these links:

- BeaconDB: beacondb.net/
- NeoStumbler: github.com/mjaakko/NeoStumbler

Replied to Tina

@onlytina @cryptgoat

I wonder where the EU legislator is in all this? With Android, Google has built a system to siphon off really everything. That totally gets on my nerves. 🤮 If Google now also restricts sideloading, then I will probably soon have to switch to #postmarketOS. I also have one of these #CalyxOS installs with a "sword of Damocles" hanging over it and don't know what to do? It was already such a huge effort to migrate everything from the old phone.

Good bye AOSP & FU!

I was a happy user of #calyxos. Given that updates are stopped for now, I am looking at alternatives. I discovered iodéOS and it seems attractive; does anyone have some experience with it to share? (Graphene is not an option here.)

Just in case anyone out there is still on #CalyxOS and wondering what to do while they're on hiatus, #IodéOS has been treating me pretty good. I'm even paying the ~$3/mo for the enhanced features (basically like a nice firewall plus TrackerControl-type features for your phone, that still lets you use a VPN as well)

#CalyxOS #Apps #SecurityPatches

Well, it looks like the time of uncertain waiting has now come for CalyxOS on my phone. Yesterday the banking app failed to update because my system is no longer up to date and the app therefore cannot be installed. And two other, rather less important apps have already indicated that the current update cannot be installed. Hmpf.
I mean, the banking app isn't absolutely necessary for me and at the moment I do a lot via the browser anyway, but the situation with CalyxOS makes me really sad.
I want to keep my CalyxOS!! 😭😭😭