Here's another French journalist participating in fearmongering about GrapheneOS. That article is not measured. It provided a platform to make both unsubstantiated and provably false claims about GrapheneOS while providing no opportunity to see and respond to those claims.
https://bsky.app/profile/gabrielthierry.bsky.social/post/3m62ewf5mvs2q
The claims the article platforms are conflating closed source products from European companies infringing on our copyright and trademarks with GrapheneOS. GrapheneOS doesn't have the features they claim it does, isn't distributed in the ways they claim and they don't understand open source software.
GrapheneOS is obtained from https://grapheneos.org/install/web and https://grapheneos.org/releases. There are a bunch of legitimate companies in Europe selling devices with real GrapheneOS including NitroKey. We aren't partnered with those companies and don't get funding from it but there's nothing shady about it.
Products using operating systems partially based on our code are not GrapheneOS. There's no such thing as a fake Snapchat app wiping the device in GrapheneOS. It has no remote management or remote wiping built into it. It does not have a subscription fee / licensing system built into it either.
Vast majority of the code for those products comes from elsewhere: Android Open Source Project, Linux kernel, Chromium, LLVM and other projects. Of course the non-profit open source project writing a small portion of the code being used by those companies being targeted rather than IBM, Google, etc.
Both Android and iOS try to defend users from the same attack vectors we do. We developed far better protections against exploits which we release as open source code. Open source means anyone can freely use it for any purpose, exactly like the Android Open Source Project used by GrapheneOS itself.
Open source is why we can build GrapheneOS based on the Android Open Source Project. It doesn't make Linus Torvalds, IBM, Google, etc. responsible for what we do. Similarly, others can make their own software based on GrapheneOS. A fork of GrapheneOS contains a small portion of code written by us.
France supposedly has a right to reply which we intend to exercise to respond at length to these articles containing libel from the French state.
We're going to be ending the small amount of operations we have in France as we don't feel the country is safe for open source privacy projects anymore.
GrapheneOS doesn't host services storing sensitive user data. We have signature verification and downgrade protection for updates to the OS, apps and app store metadata. We're going move our website and discussion server away from OVH. Our update mirrors and authoritative DNS are already elsewhere.
Our discussion forum, Matrix, Mastodon, etc. in OVH Bearharnois can be moved to local or colocated servers in Toronto instead. We can use Netcup (owned by Anexia, both German) as one of the main providers for website/network service instances. The majority of our servers are already not on OVH.
We won't travel to France including avoiding conferences and will avoid having people working in the country too. A simple heuristic for the EU is avoiding countries supporting Chat Control. We genuinely believe we cannot safely operate in France anymore as an open source project privacy project.
Our pinned post on this platform shows a great example of why they're actually upset with us:
https://x.com/GrapheneOS/status/1887752970617454703
It almost makes us willing to contribute to AOSP again to try to wipe out their ability to exploit a subset of unon-GrapheneOS Android devices too. Google is welcome to reach out.
