I've removed some prior posts and will be leaving a reply instead as I think it's a thread that should get a good answer.
GrapheneOS is open source, and the builds are reproducible (that is inherited by AOSP, and is maintained downstream by GrapheneOS).
Code is reviewed and PRs are very selectively merged (which is why external contributions might not be accepted if they can't be adequately reviewed or don't meet the project's standards, etc.).
Of course, GrapheneOS does not trust the servers, and someone who compromises the update servers cannot send malicious updates, as all updates are signed.
People are also of course welcome to make their own builds of GrapheneOS (guide at https://grapheneos.org/build) if they wish to.