de0u That's the point though, having the phone software somehow bound to a particular service instead of allowing the user of the device to bind it to their OWN service.
GrapheneOS network requests and privacy policy
865be553dc4f5b2b Hosting done elsewhere? Can you elaborate on that statement?
The servers are distributed in the USA and France.
OVH and Frantech/BuyVM are well known. If you spend time on the Internet, it is very likely that you come across OVH, Frantech, Hetzner and Online S.A.S. on a daily basis. Your IP is registered as soon as you enter these data centers. Therefore, you don't need to worry about the GrapheneOS admins the least.
bookreader That's the point though, having the phone software somehow bound to a particular service instead of allowing the user of the device to bind it to their OWN service.
For several services GrapheneOS provides the ability to choose between servers (often Google's vs. a GrapheneOS proxy), and in some cases AOSP allows configuring arbitrary servers.
It is true that the system updater and the Apps app are pointed at GrapheneOS servers, but pointing a GrapheneOS device at different update servers would require somebody to maintain those servers. If one wishes to do that, the GrapheneOS web site provides build directions for system images (including, if I recall, delta updates) and guidance on how to set up the update servers.
Overall I guess I am not yet understanding which enhancement(s) are wished for.
de0u I think its obvious that somebody would have to maintain those servers. Basically what is being asked for isn't just "google"/"grapheneos"/"disabled", but rather also add a "custom" option. From the top of my head, connectivity check, gps, updater.
Having it connect to grapheneos servers, in addition to making you vulnerable to the integrity of those servers, identifies you as using grapheneos, which is a possible risk in some scenarios, including exercising your freedoms while within surveillance states, and being able to blend in, or if authorities are looking for someone with a phone running grapheneos, its pretty easy to identify. Reboot it and see what the boot logo looks like.
Having it connect to google servers lets you blend in, but leaks tons of information about you to google, which is also undesirable.
But having it connect to a server that I physically control? That doesn't leak ANY information, because nobody can know what those connections mean.
bookreader why? There's nothing wrong with the servers. Apps and OS releases are signed so it's not like those can be tampered with.
bookreader there are instructions on how to build GrapheneOS yourself. Also, you can set up your own releases server as well as apps repository. Everything is open source so you can just copy everything. Anyone with time and the skills required can do it.
For the official builds, I think the options make sense. Most of the connections go through the owner VPN.
other8026 Perhaps nothing wrong with the servers now, from the point of view of being compromised, but how about tomorrow or 6 months from now.
I'm also not arguing for my needs, I'm trying to clarify the positions being presented in this thread.
bookreader I'm also not arguing for my needs, I'm trying to clarify the positions being presented in this thread.
I'm not replying to you in specifics, but I'm using your quote to bring up very important point (well from my point of view):
At some point in your privacy journey, whoever you may be, you will have to make some decisions based on trust. In this case GrapheneOS.
And then just let it be, and get on with your life.
Not saying I can't understand it, well in this case I really can't, but I have my own "braindamage" topics so in a certain way I can... 😅
bookreader I think its obvious that somebody would have to maintain those servers.
I suspect anybody who has the skills to set up the infrastructure and the funding to pay for the server(s) can also build GrapheneOS from source and change the built-in server selectors to the desired values. Signing the builds would mean that if, hypothetically, the GrapheneOS project were compromised, the devices running the custom build would get only system images built and signed by the entity doing the builds and signing, not the hypothetically compromised project.
bookreader Basically what is being asked for isn't just "google"/"grapheneos"/"disabled", but rather also add a "custom" option. From the top of my head, connectivity check, gps, updater.
That could be done, and it's possible that a pull request implementing that would be accepted. But the situation is not like the situation for a custom DNS resolver, where there are tens or hundreds of candidates that GrapheneOS users might wish to select among. At present there are not many SUPL proxies (maybe just Google's and GrapheneOS's?), and at present there is one GrapheneOS system image update server.
Meanwhile, if it is possible for users to plug in arbitrary values, some will plug in a wrong value, raising the support load. As long as there is only one "right answer" for 99.9% of users, a situation in which the 0.1% select a custom server by doing a build might be the right tradeoff for the project team.
Please note that I do not speak for the GrapheneOS project.
bookreader I'm also not arguing for my needs, I'm trying to clarify the positions being presented in this thread.
I'm not sure I follow here. OP's question was answered. Looking at the history, it was you who started talking about governments taking over servers and saying you were concerned about the location of GrapheneOS's servers. So, it seems that you're really trying to clarify your position, not the "positions being presented in this thread."
bookreader Perhaps nothing wrong with the servers now, from the point of view of being compromised, but how about tomorrow or 6 months from now.
I really don't see what the issue is here. I'd suggest you review what servers are hosted by GrapheneOS and what they do. The OS doesn't blindly trust the servers. Here are a couple quotes from the website:
The update client avoids trusting the data obtained from the update server via signature verification with downgrade protection. Verified boot provides another layer of signature verification with downgrade protection. GrapheneOS servers do not have access to GrapheneOS signing keys.
The update server isn't a trusted party since updates are signed and verified along with downgrade attacks being prevented.
Apps are also signed, so no reason to worry there either.
The remaining servers are mostly either proxies (so can't mess with those) or what are essentially headers returned from a web server.
bookreader The default connections FAQ explains that all of the connections other than connectivity checks go through the Owner user VPN. Use a VPN provider you trust and set the connectivity checks to Standard so that you won't appear as a GrapheneOS user on the local network or to your ISP.
bookreader OS releases along with app repository metadata and the apps themselves are signed with downgrade protection. An attacker who compromises the servers can't serve malicious updates to users. Every router along the way from your device to the servers can see the source IP and destination IP for each packet. If you want to hide this from your local network and ISP, you need a VPN. If your device connects to a self-hosted server, you'll be uniquely identifying yourself through that which is the opposite of obtaining more privacy. Self-hosting these servers or using an incredibly niche one hosted by someone else would be reducing your privacy not improving it. Use a VPN and stop trying to accomplish what a VPN provides through this.
865be553dc4f5b2b GrapheneOS is an international project. It currently has 7 full time developers and only 1 of those 7 developers is based in Canada. The project itself is not based in any specific place. GrapheneOS Foundation provides a legal entity to support and defend the project, but it is not the open source project itself. A main purpose of the GrapheneOS Foundation is to shield the project members from attacks and move legal liability to an organization. The project existed from late 2014 until March 2023 without this non-profit organization and would continue existing without it. We can form non-profits in other countries too if we decide that would provide value to us, but managing one of them is already going to be a lot of work so we aren't currently planning to do that.
GrapheneOS Use a VPN provider you trust and set the connectivity checks to Standard so that you won't appear as a GrapheneOS user on the local network or to your ISP
So besides privacy benefits, the project recommend a VPN to hide the fact that GrapheneOS is being used?🤔
bookreader Perhaps nothing wrong with the servers now, from the point of view of being compromised, but how about tomorrow or 6 months from now.
These servers are almost all KVM (virtual server). These large hosters have data centers in several continents. It only takes a few minutes to move a KVM (Backup image) to another server in a different data center.
FlipSid If you want to hide that GrapheneOS is being used, you should use a VPN and set connectivity checks to the Standard mode using Google servers. The Disabled mode will indicate that you're using a non-standard Android device, although not specifically that it's GrapheneOS. All of the default connections other than connectivity checks go through the VPN including app updates, OS updates, HTTPS network time, PSDS, SUPL, attestation key provisioning and widevine key provisioning. We recommend leaving all the other connections using GrapheneOS servers and instead using a VPN to mask that you're using it.
- Edited
GrapheneOS you'll be uniquely identifying yourself through that which is the opposite of obtaining more privacy
It doesn't matter if I can be identified, it matters if I can be CATEGORIZED. If GrapheneOS is deemed by some government to be a terrorist organization for providing protection against government monitoring, then users of GrapheneOS may be deemed terrorists.
VPNs can fall into the same category, so really aren't solving anything.
boldsuck These servers are almost all KVM (virtual server).
Who cares? If the person who would be moving them is thrown in PRISON, then they aren't moving anywhere.
7 days later
@GrapheneOS I understood your point about the non-profit entity, but are there any plans in the future to install an oversight board that would work like an independent arbiter over developers? That might put a lot of minds to ease in my view. The idea is that developers have all the technical expertise, but the project needs a human face as well that handles amongst other things situations where a certain developer (or half of them) goes rogue. So far the project is not that big, but when it grows later, it cannot just rely on developers to handle all the matters like trust, communications, PR.