As some basic background: GrapheneOS is a FOSS Android fork aiming to improve privacy and security. CalyxOS is another such project. Strangely there has been a long history of drama between GrapheneOS and CalyxOS, despite both sharing similar goals. I won't get into it here because it's not relevant or very interesting. The gist of it is: the GrapheneOS and CalyxOS projects/communities don't get along very well.
Recently there was a controversy where the founder of GrapheneOS told the Bromite project (another FOSS project I'm a fan of) that they could no longer use any GrapheneOS code simply because they were planning to accept a single contribution from a CalyxOS project member. The Bromite developer responding to the PR didn't even know the person who opened it was involved with CalyxOS and was unaware of any animosity towards CalyxOS on the GrapheneOS side. I understand refusing to work directly with members of a community you despise, but this is blatantly ridiculous. The GrapheneOS project is setting a standard where, if you associate with any members of any "blacklisted" projects in any way, you are at risk of being cast out of the GrapheneOS community and denied access to GrapheneOS code. This is completely against the nature of free and open source software.
https://github.com/bromite/bromite/issues/2141
This obviously attracted attention in lots of places, but notably not on HN for some reason [1], despite GrapheneOS being a popular topic here [2].
In general I'm no fan of drama, but I think this reflects poorly on the GrapheneOS project and I think all GrapheneOS users should be aware of it.
[0] https://grapheneos.org
[1] https://news.ycombinator.com/item?id=31769696
[2] https://hn.algolia.com/?q=grapheneos
GPLv2 is an open source license. We continued allowing them to take our code and continued contributing to their project ourselves despite the general inability to use Bromite's code. We already didn't find the situation to be fair. There are also issues with proper attribution not being given for our code and the downplaying of the impact of our contributions. For example, a contributor to Vanadium wrote a new ad-blocking implementation which was adopted by Bromite before it was ready for Vanadium, which led to a negative impact on development of the feature for Vanadium. Almost no credit is given for the stuff submitted by GrapheneOS project members / contributors to Bromite. It's actively downplayed.
Bromite began working with people involved in a severe misinformation and harassment campaign directed at GrapheneOS developers. Combined with the inability to use their code due to GPLv3, we chose to change our licensing. This was done in advance of substantial work that's going to be done on Vanadium. Having our code taken by a project not giving us proper credit and not allowing us to use their work in return was having an actively negative effect on Vanadium development.
Personally, I think engaging in spreading misinformation about open source projects across platforms including via sockpuppet accounts like this one along with harassment and libel targeting our project members is extremely anti-open-source. GrapheneOS does not spread misinformation about other projects this way, and we don't tolerate our community members doing it either, and similarly don't tolerate them engaging in harassment or libel.
https://grapheneos.org/articles/attestation-compatibility-gu... (https://archive.ph/ZqCqA)
TLDR: Rather than encouraging app developers to abandon the plainly anti-FOSS/anti-user technology that is SafetyNet hardware attestation, GrapheneOS instead encourages developers to continue locking down their apps such that they only work on specific operating systems, but also kindly asks them to add the official releases of GrapheneOS to the list of "approved" Android builds (in addition to proprietary "Google-approved" Android, of course). The above link is a handy implementation guide for developers that GrapheneOS has published to their website and actively encourages its users to share with developers.
SafetyNet hardware attestation is an anti-FOSS/anti-user technology that has no legitimate use case. It allows apps to arbitrarily refuse to run on "un-approved" versions of Android. Apps have absolutely no business policing the operating systems that users are allowed to run on their device. If this technology is adopted by a large number of applications that people rely upon, we are left with no option other than to use an "approved" OS. We cannot fork GrapheneOS if the project goes in a certain direction that we disagree with, because then we would be unable to run the apps we need.
Strcat's response to anyone ideologically opposed to this is "don't use GrapheneOS":
> If you have an ideological issue with GrapheneOS providing working attestation and preserving the app security model, i.e. allowing apps to perform checks that cannot be faked without an exploit, my recommendation is using something else. If you consider this capability to make it a "walled garden" then GrapheneOS is happily a "walled garden".
https://old.reddit.com/r/GrapheneOS/comments/du23la/rooted_o...
Tragically GrapheneOS doesn't tend to view any Google decisions through a critical lens, which would allow them to see through some of Google's "security features" for what they really are: user-control features implemented solely to ensure that most people do not switch away from the stock OS and continue to consume Google services, handing over their user data in the process.
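To make the "approved builds list" being argued about above concrete, here is an added example (not code from the GrapheneOS guide or from either commenter) of the policy decision an app makes on the root-of-trust fields of an Android key attestation: a stock-only allowlist versus one that also admits a GrapheneOS release signed with its own verified-boot key. The key hashes are constructed placeholders, and the field names and state values follow the documented Android attestation extension as I understand it.

```python
from dataclasses import dataclass
from enum import IntEnum


class VerifiedBootState(IntEnum):
    # RootOfTrust.verifiedBootState values from the Android key attestation extension.
    VERIFIED = 0     # locked bootloader, OS signed by the OEM key
    SELF_SIGNED = 1  # locked bootloader, OS signed by a user-set (custom) key
    UNVERIFIED = 2   # unlocked bootloader
    FAILED = 3       # verification failed


@dataclass(frozen=True)
class RootOfTrust:
    verified_boot_key: bytes  # SHA-256 of the public key that signed the boot image
    device_locked: bool
    verified_boot_state: VerifiedBootState


# Constructed placeholder hashes: real values come from the OEM and from the
# GrapheneOS release signing key, not from this example.
GOOGLE_STOCK_KEY = bytes.fromhex("11" * 32)
GRAPHENEOS_KEY = bytes.fromhex("22" * 32)

# Allowlist maps an accepted boot-image key to the boot state it must report:
# the OEM key boots as VERIFIED, a third-party release key as SELF_SIGNED.
STOCK_ONLY = {GOOGLE_STOCK_KEY: VerifiedBootState.VERIFIED}
STOCK_AND_GRAPHENEOS = {
    GOOGLE_STOCK_KEY: VerifiedBootState.VERIFIED,
    GRAPHENEOS_KEY: VerifiedBootState.SELF_SIGNED,
}


def os_is_approved(rot: RootOfTrust, allowlist: dict) -> bool:
    """Return True only if the attested root of trust is an OS on the allowlist.

    An unlocked or failed-verification device is rejected under any policy.
    A locked device is accepted only if its boot-image key is allowlisted AND
    the reported boot state matches the one expected for that key, so a stock
    key reported as SELF_SIGNED (or vice versa) is treated as inconsistent.
    """
    if not rot.device_locked:
        return False
    if rot.verified_boot_state in (VerifiedBootState.UNVERIFIED, VerifiedBootState.FAILED):
        return False
    expected_state = allowlist.get(rot.verified_boot_key)
    if expected_state is None:
        return False
    return rot.verified_boot_state == expected_state
```

In a real app these fields are read from the attestation certificate's KeyDescription extension after the certificate chain has been validated up to a trusted root; this example covers only the policy step that decides which builds count as approved.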