Big day for GrapheneOS coming.

New change to #GrapheneOS website. You can now see which device has which releases in Alpha, Beta, and Stable channels. This let's you know what release you'll be on depending on the channel you used.

Releases | GrapheneOS

Facebook shipped buggy stack overflow detection in the Hermes JavaScript engine used by React Native:

GitHub

On Android pthread_attr_getstack() includes the guard pages in the returned stack size · Issue #1535 · facebook/hermes

Bug Description 64-bit ARM requires 64k as the minimum guard size since it uses this as the default stack probe size to reduce the overhead of -fst...

It breaks when the default stack guard is 64k instead of 4k. The standard 64-bit ARM Linux ABI requires 64k. So far only 1 person noticed a broken app. We're going to be temporarily reverting a change in today's release of #GrapheneOS before Facebook's broken code reaches more apps. We tried lying to apps about the stack layout to hide this change but that breaks compatibility much more. We'll have to detect the Facebook library instead. Not particularly important since we weren't planning on switching to standard 64k stack probes instead of 4k stack probes to avoid risk. However, it's nicer if it's larger to cover 3rd party code without stack probes. Very minor compared to other things blocked by app compat. The main feature that's blocked due to third party app bugs is enabling hardware memory tagging by default for all user installed apps. That works fine but catches many memory corruption bugs. We might put the toggle into the setup wizard so that most users end up enabling it. We want to disable the 32-bit ARM system call ABI in the kernel config on devices without 32-bit app support. Certain widespread anti-tampering frameworks use it even on devices like the Pixel 8 without CPU level support for 32-bit. We'll have to extend the seccomp filters. We want to disable the 32-bit ARM system call ABI in the kernel config on devices without 32-bit app support. Certain widespread anti-tampering frameworks use it even on devices like the Pixel 8 without CPU level support for 32-bit. We'll have to extend the seccomp filters. Enabling ShadowCallStack for Vanadium worked well but caused issues with WebView-based apps, likely due to anti-tampering code. This would be nice even on the recent devices with PAC and MTE until we have stack allocation MTE enabled... which is blocked due to app bugs for now.

GrapheneOS statement regarding a highly misleading and inaccurate article from Cybernews about the Pixel 9 'phoning home'

GrapheneOS Discussion Forum

Highly misleading and inaccurate article from Cybernews about the Pixel 9 - GrapheneOS Discussion Forum

GrapheneOS discussion forum

Tor Browser users, please update your browser.

New Release: Tor Browser 13.5.7 | Tor Project

Tor Browser 13.5.7 is now available from the Tor Browser download page and also from our distribution directory.

Latest update patches a remote code execution vulnerability confirmed to be exploited in the wild.

Top of Stacker News, thank you so much.

#GrapheneOS: The Purpose, The Strategy, and The Why [Article] This post explains a bit about the development approach, reasoning and strategy behind GrapheneOS security innovation and how power users protect themselves. On SN: https://stacker.news/items/705242

Using an app that locks with the OS credential like Phoenix Wallet in GrapheneOS allows you to trigger the device duress password when starting the app because the duress feature also extends to any OS credential input. This doesn't extend to apps exclusively doing their own implementation of a PIN though.

Every time a GrapheneOS post trends on SN I feel like delaying my big post I promised a year ago because I don't want to oversaturate the trending with the project. Suffering from success...