The remaining core developer working on CalyxOS (Tommy Webb) left the organization. That leaves almost no one working on the project. One of their core developers left prior to this being public, their lead developer left following that and then the leader of the organization left too. You can see from https://review.calyxos.org/q/status:open that they were the remaining active core developer. Their initial 4-6 month estimate for resuming updates on August 1st is looking overly optimistic.
CalyxOS users still don't have the 2025-06-05 patch level or above including being missing the Critical severity remote cellular radio vulnerability from June 2025, other driver/firmware patches from June 2025, driver/firmware patches from August 2025 or the massive set of September 2025 patches for both AOSP and Pixels. It's increasingly unsafe for remaining CalyxOS users to continue using it especially since 2 of the September 2025 vulnerabilities are marked in the bulletin as being known to be exploited in the wild.
It's worth noting they don't go back and update past bulletins with news about in the wild exploitation being discovered, that information is only provided when the issues are first patched and then it's assumed everyone is updated to them. The in the wild exploitation info is only provided for what Android considers 0 days in terms of the Android Security Bulletins, not N days after patches are officially disclosed. That's also based on very limited insight into exploitation, as far more issues are exploited in the wild prior to being patched in reality.
nostr:nevent1qqszc2vg7mva0ugcyd2dx39cq5c58a2uvgquzzahwxs5e322ncwtrncpzpmhxue69uhkummnw3ezumt0d5hsyg9e3hk5e6h2ypusm09ncv2qq6fqp8f5clueylpgdq66nxm5sxjuygpsgqqqqqqss2rpcz
