Notices by GrapheneOS (grapheneos@grapheneos.social), page 2

France supposedly has a right to reply which we intend to exercise to respond at length to these articles containing libel from the French state.

We're going to be ending the small amount of operations we have in France as we don't feel the country is safe for open source privacy projects anymore.

Open source is why we can build GrapheneOS based on the Android Open Source Project. It doesn't make Linus Torvalds, IBM, Google, etc. responsible for what we do. Similarly, others can make their own software based on GrapheneOS. A fork of GrapheneOS contains a small portion of code written by us.

GrapheneOS doesn't host services storing sensitive user data. We have signature verification and downgrade protection for updates to the OS, apps and app store metadata. We're going move our website and discussion server away from OVH. Our update mirrors and authoritative DNS are already elsewhere.

We won't travel to France including avoiding conferences and will avoid having people working in the country too. A simple heuristic for the EU is avoiding countries supporting Chat Control. We genuinely believe we cannot safely operate in France anymore as an open source project privacy project.

Our discussion forum, Matrix, Mastodon, etc. in OVH Bearharnois can be moved to local or colocated servers in Toronto instead. We can use Netcup (owned by Anexia, both German) as one of the main providers for website/network service instances. The majority of our servers are already not on OVH.

@Fritange France is taking state actions against GrapheneOS. They're conflating us with companies which they've previously gone after and taken over their servers. We aren't vulnerable to being attacked in the same way but we still don't want accesses to our website/network services being logged or our website being hijacked. France isn't a safe country for GrapheneOS to operate in anymore and we're going to be protecting the project and our users by avoiding the country completely now.

@multimilliardaire @Fritange It's provided in the original thread which is linked to at https://grapheneos.social/@GrapheneOS/115575997104456188 and you should also read this thread from a French non-profit defending digital rights, similar to the Electronic Freedom Foundation: https://mamot.fr/@LaQuadrature/115581775965025042.

@multimilliardaire @Fritange The facts and evidence are fully provided in the newspaper articles which are linked. There are 2 articles from Le Parisien with the official position of federal law enforcement in France which is aligned with the French federal government's position. There's also a third article from Le Figaro. What those newspapers did or said themselves isn't important. French law enforcement is making libelous and inaccurate claims while threatening us. That's our sign to leave.

@multimilliardaire @Fritange Read what's written by the French digital rights non-profit.

@multimilliardaire @Fritange

https://archive.is/UrlvK
https://archive.is/AhMsj
https://archive.is/FBc1U

@multimilliardaire @Fritange We linked you to everything you need to read to see what's happening. If you expect us to give extremely detailed responses and arguments to thousands of people contacting us in a short period of time, that's just not a reasonable expectation. We do not have paid people to handle social media, press releases, etc. but rather it's mostly being handled by the development and moderation team which are both very busy with high priorities right now.

@multimilliardaire @Fritange Read these 3 articles and our responses to them:

https://archive.is/UrlvK
https://archive.is/AhMsj
https://archive.is/FBc1U

https://grapheneos.social/@GrapheneOS/115575997104456188

They're saying that having secure devices they can't break into is unacceptable and that backdoors are required. They're threatening to go after us with charges, etc. if we don't cooperate with unspecified demands. They're also making false claims about GrapheneOS. Why can't you understand why this seriously concerns us?

Here's another French journalist participating in fearmongering about GrapheneOS. That article is not measured. It provided a platform to make both unsubstantiated and provably false claims about GrapheneOS while providing no opportunity to see and respond to those claims.

https://bsky.app/profile/gabrielthierry.bsky.social/post/3m62ewf5mvs2q

We received an ASN and IPv6 space for GrapheneOS from ARIN: AS40806 and 2602:f4d9::/40.

We've deployed 2 anycast IPv6 networks for our authoritative DNS servers to replace our existing setup: 2602:f4d9::/48 for ns1 and 2602:f4d9:1::/48 for ns2. BGP/RPKI setup is propagating.

@jeffcliff @gcvsa

> They do not do this.

The hardware, firmware and software are a massive all around privacy and security downgrade. It lacks the most basic standard privacy and security protections on mobile. It lacks privacy and security patches not only for firmware but for a lot of the software, since Debian mostly only backports fixes which are assigned a CVE and most security fixes are in fact not assigned a CVE. The model of freezing the software for years isn't a good one.

@jeffcliff @gcvsa They're not shipping most of the security patches. They're only shipping a subset of the security patches with CVE assignments. Most open source projects that are used do not actively seek out CVE assignments. CVE assignments tend to mean issues were found by external security researchers or were very blatant. There are a huge number of memory corruption fixes and other fixes not getting CVE assignments, so they aren't backported as part of this model. It doesn't work well.

@jeffcliff @gcvsa Debian backports a subset of security patches which gets CVE assigned and barely anything else. There are no substantial backports of security patches beyond that. Most security patches to most projects do not get a CVE assigned and do not get backported. You haven't disproven any of this, you're just linking to irrelevant information while misrepresenting what we've said. What we've said about their approach is fully accurate. The approach is to give the semblance of security.

Pixel Camera recently added a hard dependency on Google Play services. It still works on GrapheneOS, but started requiring sandboxed Google Play services.

GmsCompatLib version 100 for GrapheneOS 2025102300 or later restores support for Pixel Camera without Play services:

https://grapheneos.social/@GrapheneOS/115431369734974446

@jeffcliff @gcvsa We haven't made any false claims. It's you doing that, including right here. If you want us to write a long form post about this for our website or forum, so be it.

@jeffcliff @gcvsa What we've said about it is completely correct. Librem 5 has closed source hardware with closed source firmware. It doesn't avoid the closed source firmware, they just chose components with it stored within the components to avoid the OS loading it. For the SoC, they locked it in place to prevent users changing or updating it. It's users they prevented doing that for their own devices. Users don't get a choice or the option to set up verified boot with their own keys.