CalyxOS Restructuring Involves Multi-Month Security Update Delay

To fulfill our community pledge and foster collaboration, information sharing, and inclusivity, we are engaging with our peers, partners, and security experts to ensure the delivery and integrity of all changes made during this process. After conducting a thorough inspection of the work required for successful completion of the above priorities, we have determined that it may take up to four to six months for us to provide the level of security maintenance we aim to deliver.

We will be switching to new signing keys along with the overhaul of the signing and verification process. As a result, current CalyxOS users will not be able to receive further security software updates until this process is in place.

Fingers crossed for CalyxOS

3 Likes

Very bad news for everyone who is currently using CalyxOS. I hope the community adapts quickly and stops recommending CalyxOS as an option for the time being.

1 Like

That is unfortunate. Though, they seem dedicated to following up on this half-year promise, so I’m optimistic.

Therefore, depending on how you feel about half a year of not having the latest security updates, you can pivot. I’d say anyone with a mid-to-high threat model should definitely consider migrating, and low-threat-model people are probably fine to make their own choices.

I’ll personally be considering migrating to a different custom ROM for the coming half year, though I’m not sure yet if I truly need to. This graph is really useful for comparing popular custom ROMs, so anyone reading this, do check it out.

As a non technical user of Calyx Pixel 6a AND hotspot, I am very concerned about this suspension of service. What is the smoothest way for me to move to Graphene (I am not comfortable installing Graphene on my 6a)?

Is there a best source of Graphene installed phones?

How about a privacy focused hotspot to replace Calyx hotspot?

Thank you

I don’t imagine it should affect the hotspot unless it runs CalyxOS.

It is a Calyx hotspot, so I just assumed it is based on Calyx…

Before you make any conclusions about what is necessary for your safety, does your threat model argue in favour of migrating?

Figuring out a simple threat model for yourself might give some more clarity on whether this migrating thing should even be considered to this extent, and what will most likely happen if you didn’t do it.

One way to do it is to give yourself a number from 1 to 3:

  1. When you are part of the 90% of casual civilians who are at extremely low risk of targeted attacks, because they aren’t in any kind of high-stakes position and don’t have an identity they need to keep from the public eye. They only need to be wary of wholesale attacks like scam calls, phishing links, etc.

  2. When there is some form of known threat actor that has reasons to target you, and/or you are handling high-stakes sensitive operations on your phone, that also affect others if you were to be compromised by a targeted or non-targeted attack.

  3. You are on major blacklists, and intelligence agencies, gangs, or whatever organised group(s) are actively looking for your whereabouts to stop your operations (think major activists & whistleblowers), and therefore you need fully secure and anonymous environments for whatever you do on your devices.

This is why I think number 2s and 3s should consider it, but number 1s don’t have any significant urgency for it to impact their future safety.

Honestly, this move makes me think that the whole project needs to be reconsidered by the community. If OS support needs to be suspended as part of a restructure where two people leave, I would not immediately trust CalyxOS again until they come back with months, or maybe a year, of renewed support.

To be clear, I don’t think this means that their past support was bad, but I would be hesitant to use CalyxOS once it returns. For me they’re in the bucket of neutral and untested until they return. It’s a big deal to drop support for an operating system.

2 Likes

I think I’m starting to feel similar to you in this regard. For example, when someone gets in an accident and needs to be in the hospital for half a year, you don’t put them immediately back on the high performing soccer team. You give them time to regain their skills again, build up muscle, and after another half year they might be able to go back into the A-team, you know?

Therefore I think it’s kind of normal to be wary of pointing new users towards using CalyxOS when they are back to making their security updates. Some time after that is needed for us to regain trust in their abilities.

2 Likes

I’m pretty sure it’s not; CalyxOS is an OS for phones, and the hotspot isn’t a phone.

1 Like

Thank you, that makes sense to me… and is a relief. I’ll continue to use the Calyx hotspot, but move to installing Graphene on my Pixel 6a using the WebUSB installer. Does that make sense to you?

This is informative, and unfortunate.

1 Like

This is very unfortunate. I will probably sell my Pixel 6 to buy Pixel 9a and I will install Graphene on it.

This is terribly sad news. If you are using CalyxOS at the moment, you will have to reflash the relevant image for your device, if and when updates are made available in 4-6 months’ time. I feel that this is the end of CalyxOS. If they were to shut it down permanently, I don’t think they would have done anything differently than they did with their announcement on Friday. Losing their founder and lead dev so soon after Google made such harmful changes to AOSP and to developing custom ROMs on Pixels, it is very hard to see Calyx recovering from so much adversity. I fervently hope I am proven completely wrong.

3 Likes