I have used both and I think they both have their benefits. Graphene is super focused on security; their Google Play compatibility works well, and you can use all Google apps with them, but not with CalyxOS. CalyxOS focuses more on the open source community and sponsors a lot of other projects. CalyxOS is nice for those that want nothing to do with Google Play services. I am biased though. I use CalyxOS as my daily driver, but to each their own. I can see this thread turning into a flame war.
I honestly don't know why anyone would use Calyx when GrapheneOS exists. The amount of engineering and attention that went to GrapheneOS, Calyx utterly pales in comparison. Is it not just a glorified LineageOS / AOSP fork with a few preinstalled apps and a firewall?
I use it on both my daily and development devices. I understand why some people want to use CalyxOS or LineageOS forks for the flexibility they provide.
GrapheneOS is security focused and I hope it stays that way.
I prefer MicroG over sandboxed Google Play. I don't use either OS currently (I use lineage-microg as I don't own a Google pixel phone) but if I did I'd prefer Calyx for that reason alone.
Another reason is that the last time I mentioned this same reason someone apparently from grapheneos came here foaming at the mouth that I was part of a conspiracy spreading disinformation against them and that I was crazy for wanting MicroG. Ummm what??
Because I'm not. I just happen to like MicroG a lot, in particular the local and Mozilla location database options which avoid leaking my location to Google. And I like that I can inspect the code that communicates with Google, for push messages, which is the only thing I want Google services for. And microG can partially fake SafetyNet which Graphene doesn't do (they say they won't lie about security features but I think safetynet is more about DRM). Anyway, it's not even a reason directly related to Calyx.
But that heated reception cemented my opinion. I spoke to the Calyx guys on IRC when they were working on support for my OnePlus and they were very friendly. That matters a lot to me too. Unfortunately OnePlus changed something right then that made it infeasible, I don't remember what exactly. Some boot loader stuff. So it never happened.
But pixel phones are hard to get in my country so I don't own one. So either option is moot. LineageOS does ok anyway. Even though they also seem to hate MicroG for some reason. I don't know why FOSS people can't just get along...
Nice. This brings back some memories... I had a fun time with rolling my own builds of calyxos with Android auto stubs as system apks so it worked. I made the mistake of signing them myself, locking the boot loader, and having a failed update knock my phone into a bootloop. Somehow managed to fix it by breaking it even more but the whole experience involved a lot of learning and wishing calyxos had a variant with the stubs already included.
I have GrapheneOS on my Pixel because Snowden plugged it, but I was very disappointed with the (ex?) lead dev and founder after watching Louis Rossmann's video of his experience with the guy. I really didn't want the gossip about the founder's eccentricities to be true.
With GrapheneOS targeting whatever Pixel as their only primary device (not going to go into whole GSI/DSU thing), there's a "lucky" coincidence of TWRP for all Pixel devices I had (3 to 7a) being broken (keymaster, userdata).
So, if you wanted to add GApps to pre-"Apps" Graphene, it involved either repacking system image, or building your own copy of OS with OpenGApps (had to do it once to get specific e-sim app working iirc). Can confirm that either way was fine, so it was possible to get GApps on Graphene back in 2021, nobody bothered with it though.. what happens next: someone decides that they want to make it nicer for users and goes there by making yet another appstore.
With CalyxOS, it's possible to do the same thing:
- get the sources
- remove microg packages (pity. They really do maintain and test their own fork, meaning fewer login issues, etc)
- add OpenGApps (or Revanced's MicroG)
- run the build, wait 2 hours, flash it
Now.. there's no such thing as "GApps compatibility layer" in Calyx. Yet, there's no difference in user experience - none of my daily apps are/were broken on either Graphene+Play services from their store, stock CalyxOS+MicroG or on Calyx+GApps. (Except last time I've used Apps on multiple user profiles, there was a lot of trouble due to different versions being installed iirc)
Taking privacy concerns into account, there might be some difference.. but once more, going through gmscompat code, I see mainly hacks about letting this app pop up this activity this time, faking this permission that time, etc [1].
Yes there's a layer that isolates some calls, but I just cannot see how it's supposed to alter user experience. Now, spinning an isolated "sandbox" (which is likely impossible, as IPC/binder/shared data and services model is fundamentally broken anyway) with just a couple apps on a separate Google account - all restricted from having access to sensors, etc, having device IDs spoofed and having separate network isolation - would be a real game changer, but it's a niche need, with semi-available solutions (sandvxposed, vmos, waydroid on docker on android), and it would likely violate every line in Play Services' TOS meaning it won't happen on a public OS.
Calyx cares about their users in a kind of a quiet way, yet there's a ton of activity on their tracker.
GrapheneOS cares about giving privacy to more users I suppose, so that explains their marketing strategy and parts of their code being what they are (hardened libc? definitely cool. Yet I've not seen any public exploit that could bypass e.g. stock AOSP's libc with _FORTIFY_SOURCE since 2015).
End user experience though? No real difference, thus no superiority. And people in need of "hard" sandboxing would just buy a box of burner phones anyway.
CalyxOS supports more models of phone than does GrapheneOS. Not a lot more, but more.
1. https://github.com/GrapheneOS/platform_frameworks_base/commi...
P.S. What about that SafetyNet certification on either OS?
There is a huge difference. You create a work profile with gapps, route it through a VPN and everything just works.
On Calyx with its microG even notifications aren't working reliably.