All your points are true, yet still depend on Google in sandboxed form. That negates everything else for me, who wants a reasonably secure device that works out of the box and also respects my privacy.

Graphene doesn’t “depend” on Sandboxed Play services. In fact, it’s not installed by default, and it is totally optional. Also, Sandboxed Play services doesn’t make your device less secure in any way, it can be installed as a normal user app, you can fully control access to sensitive parts of your device like the microphone, camera, location, etc. through the Android permission manager, and Play services don’t have any special permissions, since it’s not installed as a system app. As far as I’m aware (correct me if I’m wrong) you can’t remove microG on Calyx, since it’s installed as a system app and even granted root privileges. microG is a cheap, hacked together workaround, which requires root to function correctly. This greatly expanded attack surface makes it inherently insecure. microG also requires proprietary Google code to be run, in order to work (most of microG is open source, but it still uses some Google blobs). As far as I’m aware, this Google code is not sandboxed, and simply executed as a child process of microG (which runs as root), meaning that this Google blob is also run as root. This makes microG much more insecure than Sandboxed Google Play services, and it potentially gives Google much greater access to your device compared to the sandboxed approach.

If a nation-state wants into my phone, it’s delusional to believe even graphene can hold them off

The GrapheneOS team never claims that their OS is “NSA-proof”, but they actually look at which parts of the OS are commonly exploited by (nation-state) hackers, and massively improve them. As you can see in this spreadsheet, created by Google’s Project Zero, most vulnerabilities in Android come from memory corruption. That’s why GrapheneOS’s biggest and most important feature is their custom hardened memory allocator. It protects against most memory-related exploits, and is even stronger when used on a device with hardware memory tagging, which is the reason why GrapheneOS currently only supports Google Pixel devices.
Another significant security feature is secure app spawning. Creating new processes via exec (instead of using the traditional Zygote model on Android) randomizes the initial memory layout, which also helps to defend against memory-related vulnerabilities. The aspects I just mentioned are important protections about malware/remote code execution.

GrapheneOS also protects your device against physical attacks, e.g. by implementing a driver-based control mechanism for the USB-C port, making it impossible to connect to the device while it’s locked. This protects against forensic data extraction, e.g. using Cellebrite or XRY hardware.

Graphene even has a feature that protects you, when you are forced to give up your password. The Duress feature let’s you set a second PIN/password, which will cause the device to entirely wipe all the encryption keys, which are used for unlocking the device, from the secure element. This process is irreversible, can’t be interrupted and happens instantaneously, making the data impossible to recover.

No one claims that GrapheneOS is 100% secure and will absolutely protect you against NSA hackers, but it is by far the best and most secure mobile OS that’s currently out there. It is easy to use for everyone, and secure enough to be used by high-profile targets like Edward Snowden.

you need real opsec for that

Good OPSEC includes a secure operating system. Calyx is not security focused whatsoever, it rolls back standard AOSP security features, significantly increases attack surface, and doesn’t release security patches regularly.

Happy cake day btw!

Calyx is unfortunately pretty slow to release security patches, uses privileged apps with root access like microG and the F-Droid privileged extension by default and doesn’t really provide any unique features. All of the privacy features of Calyx are either already present or can be easily replicated in a better form on GrapheneOS. Take Datura Firewall, it’s yet another privileged app with root access which adds unnecessary attack surface, and is less secure than the Graphene equivalent. GrapheneOS implements a network permission toggle, which is embedded in Android’s native permission manager and uses the INTERNET permission to restrict network access. It disables both direct and indirect network access, including the local device network (localhost). GrapheneOS also has a bunch of unique security features, that can’t be found on any other Android ROM, like for example a hardened memory allocator, hardened kernel, secure app spawning, improved SELInux policies, Duress PIN/Password, driver-level USB-C control, Storage Scopes, Contact Scopes and soon App Communication Scopes. GrapheneOS also includes Sandboxed Google Play services, a better GMS implementation than microG, which doesn’t require root and has better app compatibility.

I tried using Jerboa and found it to be incredibly buggy and poorly designed. Not sure what’s going on there, considering that it’s the official mobile app made by the Lemmy devs

Probably people who have been using Boost for Reddit before and now want the same experience but for Lemmy

That’s what you get for using a proprietary Lemmy app. Switch to Thunder, it doesn’t have ads, it’s open source and in my opinion has the best UI out of all Lemmy apps. Also support the development and join their community: !thunder_app@lemmy.world

I recommend NextDNS, it allows you to block ads, trackers and other unwanted stuff on the DNS level. Check out this video: https://neat.tube/w/19r4YnE6fpce6e2B9MepnB

No, they don’t have access to that

China has no IP

UpperBroccoli is right

Couldn’t you do that in a VM with GPU passthrough? I use that approach for all kinds of stuff, including Gaming (with Looking Glass and SSD passthrough)

Also, some Photoshop version from 2021 runs pretty well in Wine: https://github.com/LinSoftWin/Photoshop-CC2022-Linux

Another reason to use Linux

May you have a delightful meal.

Thanks ;)

You can find the full list of instances here, and the list shows whether a CAPTCHA is present on an instance or not

Thanks mate, this is really awesome! Will definitely try it out. Many people might find this useful, consider making a separate post about it. I created a community for UnifiedPush and related topics: !unifiedpush@lemmy.dbzer0.com, you’re welcome to post there.

The app is completely open source: https://github.com/LeanderBB/you-have-mail
Your login data is only stored locally on your device, and used to log in to your Proton account. It’s not sent to a third-party server. This is totally fine.

You can switch to the WYSIWYG Editor in the settings

As long as it stays FOSS, you don’t need to worry. You can even self-host Standard Notes if you don’t trust their cloud service: https://standardnotes.com/help/self-hosting/getting-started

RapidSeedbox they accept multiple crypto currencies but unfortunately no XMR, so I had to use Trocador to convert to BTC.

It’s not perfect, there are some conversion fees, but it should be ok. I use it from time to time to pay for my seedbox.

Obsidian is pretty good, it shouldn’t collect any data by default. But you can also check out Logseq, an open source Obsidian alternative.

Same, but you can always use Trocador to convert your XMR to other coins. Alternatively there are some ways to anonymously acquire BTC.