Products using operating systems partially based on our code are not GrapheneOS. There's no such thing as a fake Snapchat app wiping the device in GrapheneOS. It has no remote management or remote wiping built into it. It does not have a subscription fee / licensing system built into it either.
GrapheneOS is obtained from https://grapheneos.org/install/web and https://grapheneos.org/releases. There are a bunch of legitimate companies in Europe selling devices with real GrapheneOS including Nitrokey. We aren't partnered with those companies and don't get funding from it but there's nothing shady about it.
The vast majority of the code for those products comes from elsewhere: Android Open Source Project, Linux kernel, Chromium, LLVM and other projects. Of course, the non-profit open source project writing a small portion of the code being used by those companies is being targeted rather than IBM, Google, etc.
Both Android and iOS try to defend users from the same attack vectors we do. We developed far better protections against exploits which we release as open source code. Open source means anyone can freely use it for any purpose, exactly like the Android Open Source Project used by GrapheneOS itself.
France supposedly has a right to reply which we intend to exercise to respond at length to these articles containing libel from the French state.
We're going to be ending the small amount of operations we have in France as we don't feel the country is safe for open source privacy projects anymore.
Open source is why we can build GrapheneOS based on the Android Open Source Project. It doesn't make Linus Torvalds, IBM, Google, etc. responsible for what we do. Similarly, others can make their own software based on GrapheneOS. A fork of GrapheneOS contains a small portion of code written by us.
GrapheneOS doesn't host services storing sensitive user data. We have signature verification and downgrade protection for updates to the OS, apps and app store metadata. We're going to move our website and discussion server away from OVH. Our update mirrors and authoritative DNS are already elsewhere.
We won't travel to France including avoiding conferences and will avoid having people working in the country too. A simple heuristic for the EU is avoiding countries supporting Chat Control. We genuinely believe we cannot safely operate in France anymore as an open source privacy project.
Our discussion forum, Matrix, Mastodon, etc. in OVH Beauharnois can be moved to local or colocated servers in Toronto instead. We can use Netcup (owned by Anexia, both German) as one of the main providers for website/network service instances. The majority of our servers are already not on OVH.
@Fritange France is taking state actions against GrapheneOS. They're conflating us with companies which they've previously gone after and taken over their servers. We aren't vulnerable to being attacked in the same way but we still don't want accesses to our website/network services being logged or our website being hijacked. France isn't a safe country for GrapheneOS to operate in anymore and we're going to be protecting the project and our users by avoiding the country completely now.
@multimilliardaire @Fritange The facts and evidence are fully provided in the newspaper articles which are linked. There are 2 articles from Le Parisien with the official position of federal law enforcement in France which is aligned with the French federal government's position. There's also a third article from Le Figaro. What those newspapers did or said themselves isn't important. French law enforcement is making libelous and inaccurate claims while threatening us. That's our sign to leave.
@multimilliardaire @Fritange We linked you to everything you need to read to see what's happening. If you expect us to give extremely detailed responses and arguments to thousands of people contacting us in a short period of time, that's just not a reasonable expectation. We do not have paid people to handle social media, press releases, etc. but rather it's mostly being handled by the development and moderation team which are both very busy with high priorities right now.
They're saying that having secure devices they can't break into is unacceptable and that backdoors are required. They're threatening to go after us with charges, etc. if we don't cooperate with unspecified demands. They're also making false claims about GrapheneOS. Why can't you understand why this seriously concerns us?
Here's another French journalist participating in fearmongering about GrapheneOS. That article is not measured. It provided a platform to make both unsubstantiated and provably false claims about GrapheneOS while providing no opportunity to see and respond to those claims.
We received an ASN and IPv6 space for GrapheneOS from ARIN: AS40806 and 2602:f4d9::/40.
We've deployed 2 anycast IPv6 networks for our authoritative DNS servers to replace our existing setup: 2602:f4d9::/48 for ns1 and 2602:f4d9:1::/48 for ns2. BGP/RPKI setup is propagating.
The hardware, firmware and software are a massive all around privacy and security downgrade. It lacks the most basic standard privacy and security protections on mobile. It lacks privacy and security patches not only for firmware but for a lot of the software, since Debian mostly only backports fixes which are assigned a CVE and most security fixes are in fact not assigned a CVE. The model of freezing the software for years isn't a good one.
@jeffcliff @gcvsa They're not shipping most of the security patches. They're only shipping a subset of the security patches with CVE assignments. Most open source projects that are used do not actively seek out CVE assignments. CVE assignments tend to mean issues were found by external security researchers or were very blatant. There are a huge number of memory corruption fixes and other fixes not getting CVE assignments, so they aren't backported as part of this model. It doesn't work well.