this post was submitted on 10 Nov 2023
32 points (100.0% liked)

Free and Open Source Software

18021 readers
8 users here now

If it's free and open source and it's also software, it can be discussed here. Subcommunity of Technology.


This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago
MODERATORS
32
Feedback on CalyxOS (lemmy.today)
submitted 1 year ago* (last edited 1 year ago) by heygooberman to c/foss@beehaw.org
 

UPDATE Thank you for your feedback! Based on what you all provided, I'm going to postpone installing any de-Googled Android OS for the time. It seems there's still a lot that needs to be worked on in terms of device and application support, and I don't have the time to work out the kinks and issues that might show up here and there.

That being said, it seems CalyxOS and GrapheneOS are both very good options. Maybe when Google ends support for the Pixel 6, I'll make the jump over to one of them.

ORIGINAL Hi folks! I'm interested in trying out a de-Googled Android OS, and CalyxOS seems like a good one to start. I decided upon CalyxOS because it supports my current Pixel device, and it comes with MicroG, which allows some download of Google Play apps. However, before I make the jump, I'd like to hear if anyone else in this community has tried CalyxOS and how it has worked out for them, especially when it comes to Google Play apps.

For example, I need to have Android Auto because my car supports that app, and I use that for navigation when driving. I also need to have some of Microsoft's apps, like Outlook and Teams. And finally, although I don't game much on my phone, there is one game that I play a lot (Romancing SaGa Re;univerSe), and I want to be able to continue with that game after moving to CalyxOS.

Greatly appreciate your feedback on this topic!

all 30 comments
sorted by: hot top controversial new old
[–] Penguincoder@beehaw.org 8 points 1 year ago (1 children)

There really is no reason to use CalyxOS vs Graphene these days. GrapheneOS offers sandboxed play services with the standard SELinux policies for unprivileged Android software.

GrapheneOS also has hardened_malloc, which seems to have the best design for malloc hardening out of any alternatives I'm aware of.

MicroG requires very strong privileges and weakens the comprehensive privsep you'd otherwise have. Calyx shouldn't be considered much more secure than Android Open Source Project (AOSP).

i will take you're comment with no care

[–] smeg@feddit.uk 7 points 1 year ago (3 children)

If you've got a pixel why would you use calyx rather than GrapheneOS?

[–] heygooberman 14 points 1 year ago (1 children)

Perhaps you can tell me why you recommend GrapheneOS over Calyx.

[–] smeg@feddit.uk 8 points 1 year ago (1 children)

There was a good discussion in the degoogle community last week which can give much more specific details, but the short version is that GrapheneOS's main focus is security (and you get a lot of privacy stuff too), whereas CalyxOS's main focus seems to be privacy but it lacks on the security side. For instance CalyxOS uses MicroG instead of Google Play Services, which keeps you private from Google but is still a black box that you have to give privileged access, whereas GrapheneOS has nothing by default (and that can work fine for some users), but you can install real Google Play Services within a sandbox where it has no privileged access.

[–] mnglw@beehaw.org 2 points 1 year ago (1 children)

I'm looking to buy a new phone soon, can you use GrapheneOS without a google account? because playservices is generally account locked right?

[–] smeg@feddit.uk 3 points 1 year ago (1 children)

Yes, by default it has no Google stuff in it at all. Adding in a sandboxed (i.e. without the normal privileged access to everything) version of Google Play Services is covered in the Features section on their website.

[–] mnglw@beehaw.org 2 points 1 year ago* (last edited 1 year ago) (1 children)

so in other words you need the sandbox if you want access to what microg would normally provide for you, with the caveat that an account is "optional" for things that "require" one, which in a normal google environment is almost everything and with mirog is pretty much nothing

sounds like microg is the better deal then, if I want to avoid google accounts and Google's snooping

[–] smeg@feddit.uk 2 points 1 year ago (1 children)

It depends entirely what you use your phone for, there's no one-size-fits-all answer for everyone's threat model. The sandbox means Google Pay Services can't do most of the things we'd normally be worried about it doing, MicroG still has the power to do all those things it's just not Google doing them.

[–] mnglw@beehaw.org 2 points 1 year ago

this is useful and good to know, thank you

will help me decide what to go for

[–] EddyBot@feddit.de 9 points 1 year ago (1 children)

CalyxOS supports Pixel devices far longer than GrapheneOS does (they drop them once Google drops support too)

[–] smeg@feddit.uk 2 points 1 year ago (1 children)

GrapheneOS aims to provide reasonably private and secure devices. It cannot do that once device support code like firmware, kernel and vendor code is no longer actively maintained. Even if the community was prepared to take over maintenance of the open source code and to replace the rest, firmware would present a major issue, and the community has never been active or interested enough in device support to consider attempting this. Unlike many other platforms, GrapheneOS has a much higher minimum standard than simply having devices fully functional, as they also need to provide the expected level of security. It would start to become realistic to provide substantially longer device support once GrapheneOS controls the hardware and firmware via custom hardware manufactured for it. Until then, the lifetime of devices will remain based on manufacturer support.

From https://grapheneos.org/faq#legacy-devices

Basically they don't want to support devices if they can't make them secure, which is something that requires at least some input from the manufacturer. I imagine a GrapheneOS dev would say that CalyxOS's updates to a device where the manufacturer isn't providing kernel updates isn't a worthwhile update.

[–] EddyBot@feddit.de 3 points 1 year ago (1 children)

for someones who values security above everything else thats totally fine
but for someone who wants to reduce e-waste by prolonging the life of a phone with at least some updates this might be not the best solution

[–] smeg@feddit.uk 2 points 1 year ago

True, different use cases, that said GrapheneOS does still provide security updates for a year longer than they claimed they would on my last phone. I think DivestOS is the best choice otherwise, I've not got round to actually installing it on anything though so I can't really offer much more on it.

[–] cooopsspace@infosec.pub 5 points 1 year ago

The other issue with Calyx is that MicroG has had an open bug report for years that when a Google Work account checks for a passcode lock it can't. Thus you can't use Google Work addresses on your phone.

I get that you shouldn't be using google at all, but I have a job and need money. I don't have the ability to not use work Gmail.

[–] FlareHeart@lemmy.ca 5 points 1 year ago (1 children)

Android auto definitely doesn't work (I tried Calyx briefly earlier this year).

What also doesn't work without a lot of finicky tricks is Google Calendar. I myself haven't quite gotten rid of Gmail and my calendar in Gmail yet, and that was a big headache I was not willing to live without just yet.

Outside of those two things it served my needs but I did not try any of the Microsoft products so I can't speak to those.

Outlook, Teams, and Authenticator all work flawlessly on CalyxOS with microG. Don't use Android Auto or other google services, so I can't talk to those.

[–] H3wastooshort@lemmy.blahaj.zone 5 points 1 year ago (1 children)

I dont think Andoid Auto works on MicroG, but the other apps will probably work or can atleast be made to with some prodding

[–] heygooberman 1 points 1 year ago (3 children)

Why does it not work? And, is there an alternative?

[–] PleasantAura@lemmy.one 11 points 1 year ago* (last edited 1 year ago)

Android Auto is a proprietary standard that's basically glorified spyware - if one thing isn't being fed to it 24/7 exactly as Google wants it so they can sell it, it breaks. It's basically just that there are a lot of dependencies that it would need that are fundamentally incompatible with privacy.

[–] bbbhltz@beehaw.org 5 points 1 year ago

It has to do with Google Services Framework I believe. That isn't a great answer, but the gist of it is there are apps that need more than the alternatives in order to function or even install.

its part of the google services that microg does not replicate. there is a reason why there is a 100x-ish difference between microg and gapps packages

[–] beezkneez@beehaw.org 5 points 1 year ago

I run Calyx on a Fairphone 4. I am very satisfied with it. I have a single app that breaks (a banking app - doesn't pass SafetyNet I presume, but I don't get any help understanding the problem other than a generic "Something went wrong" error). All other Google Play apps I have installed has worked, and have been installed through Aurora Store. This has had some ups and downs in terms of performance - there was an issue some time back where their accounts were rate limited to the point the store was unusable for some time. So if you are very dependent on accessing Google Play store, you should keep that in mind. I try to find FOSS apps I get through F-Droid when I can and only use apps from Google Play when I have no other choice. Mind you, I have not logged in to a Google account to access any paid apps through the Play Store, so I don't know how well that works.

Android Auto I don't think you will get to work though.

[–] sic_semper_tyrannis@feddit.ch 5 points 1 year ago (1 children)

Calyx always had issues for me. I pretty quickly switched to Graphene and enabling the Google sandbox works near flawlessly

[–] 01189998819991197253@infosec.pub 3 points 1 year ago (1 children)
[–] sic_semper_tyrannis@feddit.ch 2 points 1 year ago

Can't remember anymore. It was a while ago and I haven't looked back

[–] paradox2011@lemmy.ml 3 points 1 year ago* (last edited 1 year ago)

I'm not totally sure on the gaming aspect, but I really liked CalyxOS when I was using it. It has good support for most Play store apps, and most Microsoft apps don't even need MicroG to operate. The things that don't work (on any non Google ROM) are casting to chromecast, Android Auto, and Google pay. RCS didn't work on CalyxOS, so I switched to GrapheneOS to get RCS functionality, but if I ever decide I don't want that anymore I'd go back to CalyxOS. There's some things I don't like much about the user space Google play stuff on Graphene and there is a ton of reliance on grapheneOS servers for low level system checks that I don't know how I feel about.

You won't be able to download paid apps unless you log in to Aurora store with your Google account, and some people have reported getting there accounts deactivated for doing that. Never happened to me though.

[–] unix_joe@lemmy.sdf.org 2 points 1 year ago

I use CalyxOS on my Fairphone since 2022. It is better than the stock OS and allows re-locking the bootloader. It also provides timelier updates than Fairphone OS. It is absolutely fine and has zero issues.

I have one banking app that doesn't work. Another one that does work. Also, I have paid purchases through the Google Play Store that do not see the subscription. I was going to let them expire anyway. I also have a Google One that doesn't see the subscription, so none of the advanced editing features in Photos works. I assume all of these would be problematic on GrapheneOS as well.

I would run GrapheneOS if I had a Pixel, or if it supported the Fairphone.

[–] Pantherina@feddit.de 2 points 1 year ago

I use GrapheneOS and unless other Distros directly fork from it, I would not use anything else.

I would love GUI network ping analysis like in iodeOS, a better (simply a good) interface like in /e/OS, or seperated Internet buttons and a long-press-for-flashlight feature like LineageOS.

But these fancy things are not as important as basic well done security.