Notices by GrapheneOS (grapheneos@grapheneos.social), page 2

@jeffcliff @gcvsa

> They do not do this.

The hardware, firmware and software are a massive all around privacy and security downgrade. It lacks the most basic standard privacy and security protections on mobile. It lacks privacy and security patches not only for firmware but for a lot of the software, since Debian mostly only backports fixes which are assigned a CVE and most security fixes are in fact not assigned a CVE. The model of freezing the software for years isn't a good one.

@jeffcliff @gcvsa They're not shipping most of the security patches. They're only shipping a subset of the security patches with CVE assignments. Most open source projects that are used do not actively seek out CVE assignments. CVE assignments tend to mean issues were found by external security researchers or were very blatant. There are a huge number of memory corruption fixes and other fixes not getting CVE assignments, so they aren't backported as part of this model. It doesn't work well.

@jeffcliff @gcvsa Debian backports a subset of security patches which gets CVE assigned and barely anything else. There are no substantial backports of security patches beyond that. Most security patches to most projects do not get a CVE assigned and do not get backported. You haven't disproven any of this, you're just linking to irrelevant information while misrepresenting what we've said. What we've said about their approach is fully accurate. The approach is to give the semblance of security.

Pixel Camera recently added a hard dependency on Google Play services. It still works on GrapheneOS, but started requiring sandboxed Google Play services.

GmsCompatLib version 100 for GrapheneOS 2025102300 or later restores support for Pixel Camera without Play services:

https://grapheneos.social/@GrapheneOS/115431369734974446

@jeffcliff @gcvsa We haven't made any false claims. It's you doing that, including right here. If you want us to write a long form post about this for our website or forum, so be it.

@jeffcliff @gcvsa What we've said about it is completely correct. Librem 5 has closed source hardware with closed source firmware. It doesn't avoid the closed source firmware, they just chose components with it stored within the components to avoid the OS loading it. For the SoC, they locked it in place to prevent users changing or updating it. It's users they prevented doing that for their own devices. Users don't get a choice or the option to set up verified boot with their own keys.

@jeffcliff @gcvsa Purism went out of the way to lock down parts of the device to stop users replacing or updating the software/firmware. They even set up a special closed source core on the main SoC for the sole purpose of engaging in scamming through pretending the device doesn't have closed source firmware on the SoC. You're redefining the word freedom to a nonsense definition where taking away privacy, security and choices from people somehow makes them more free. It's still closed source.

@jeffcliff @gcvsa

> This is a lie. You can replace the software and I have.

They locked down certain components to prevent updating them in order to claim that it doesn't count, as you're doing. It's closed source hardware with closed source firmware, and they've locked that down more rather than less to block users modifying or inspecting it.

> Installing proprietary firmware

It's already installed. Not loading it or updating it from the OS doesn't make it not exist. It's a lie.

@jeffcliff @gcvsa

> It's not 'redefining' freedom to avoid proprietary firmware blobs no matter how many times you lie and claim otherwise.

You aren't avoiding proprietary firmware blobs with the Librem 5. It has a huge amount of proprietary firmware, the OS just isn't loading or updating it. That doesn't mean it's not there. It has known, verifiable vulnerabilities which are unpatched due to not being updated and the fact that some components are already effectively end-of-life.

@jeffcliff @gcvsa You're misinterpreting what we said. Purism's devices have closed source, proprietary hardware with closed source, proprietary firmware. The firmware is stored on the hardware components and loaded each boot from that storage. The OS not being involved in loading it doesn't make it somehow not exist. It doesn't make it any less important. It does mean the closed source firmware on Purism's devices is harder to inspect and the approach has lower security than the OS loading it.

@jeffcliff @gcvsa We're using the term end-of-life to refer to components no longer receiving firmware updates including for serious vulnerabilities either known to the company or publicly known. Purism does still have the closed source firmware on their devices. It's stored on the hardware components such as the SoC, cellular radio, Wi-FI radio, etc. and gets loaded from there. This is a much less transparent approach than not having firmware storage in components and the OS having to load it.

@jeffcliff @gcvsa These are extraordinarily insecure devices with bottom of the barrel components. They're not open as they claim to be and still use entirely closed source components from large companies around the world. How is massively downgrading the security of the hardware, firmware and software progress? It's still closed source hardware, but with many year old outdated components with much worse security and software on top with much worse privacy and security. What's the point of it?

@jeffcliff @gcvsa This is the GrapheneOS project account, not e a personal account.

Librem 5 is an insecure device with ancient components with ludicrous pricing for what it provides. It doesn't avoid components made in China, is not open and it's not compatible with providing basic privacy and security patches or protections. It's also lacking very basic functionality and compatibility with the apps most people want.

You didn't recommend GrapheneOS but rather you tried to fearmonger about it.

@jeffcliff @gcvsa Librem 5 has closed source hardware and firmware. It's priced as a high end flagship but has very old components with awful security at a hardware, firmware and software level. Purism markets the device with extremely false claims about privacy, security and openness. It's objectively a scam. Purism's hardware is not freedom respecting, not private, not secure and not a safe option. Providing basic privacy/security updates and protections is the bare minimum, and they don't.

@jeffcliff @gcvsa PureOS is lacking the most basic privacy and security protections. It's a fork of an OS with atrocious privacy and security including a history of introducing many vulnerabilities and only backporting a small portion of security patches which are assigned CVEs. Purism chooses not to ship firmware updates and goes out of the way to block them in some cases. They do not provide a working app sandbox, permission model, modern exploit protections or many other basic protections.

@jeffcliff @gcvsa

> Again: this is a good thing. They aren't shipping proprietary firmware.

Purism is shipping proprietary hardware and proprietary firmware with the device. They're leaving it non-updated without fixes for known, verifiable vulnerabilities both due to the end-of-life components and lack of OS updates for it. Not updating it doesn't mean there isn't proprietary firmware. It's still there. They blocked updating some of the firmware, not all of it, but they don't update it.

@jeffcliff @gcvsa Purism deploys proprietary hardware and firmware. That's what their devices provide. Selling people devices with proprietary firmware but not providing patches for known, verifiable vulnerabilities is their approach.

What we're going to do is respond to your massive flood of false claims to promote these insecure products by making a long form post and sharing it across platforms. It's a waste of time responding to you pushing false claims about it, so we won't keep doing it.

The new security update Android is using provides around 3 months of early access to OEMs with permission to make binary-only releases from the beginning. As far as we know, GrapheneOS is the first to take advantage of this and ship the patches early. Even the stock Pixel OS isn't doing this yet.

We're maintaining the upcoming Android security patches in a private repository where we've resolved the conflicts. Each of our security preview releases is tagged in this private repository. Our plan is to publish what we used once the embargo ends, so it will still be open source, but delayed.

Our security preview releases provide early access to Android Security Bulletin patches prior to the official disclosure. Our current security preview releases provide the current revision of the November 2025 and December 2025 patches for the Android Open Source Project. We recommend enabling this.