Full disclosure I am the sole developer of DivestOS. Take everything I say below with a grain of salt, I don’t care to devote enough time to extensively research projects like /e/ enough.
- /e/ includes a proprietary maps app.
- /e/ has a weather app that performs requests over HTTP, despite simply being a fork of Good Weather which I myself added HTTPS support to… in 2017: Switch OpenWeatherMap API URLs to HTTPS by SkewedZeppelin · Pull Request #41 · qqq3/good-weather · GitHub
- /e/ ships
userdebugbuilds - /e/ only provides verified boot on 1 device (fp3) as far as I am aware
- /e/ provides signature spoofing without any additional restrictions/hardening
- /e/ uses the same signing keys for all builds. this can allow an old outdated vulnerable app to potentially be sideloaded onto another of their devices and trusted with more permissions then usual.
- /e/ often does not provided the latest supported LineageOS version for their devices. eg. mako is stuck on 7, when 10 is stable
- /e/ app store is extremely questionable
- /e/ does not provide any sort of verification for initially downloaded builds (GPG)
I wouldn’t be surprised if just like UBports some of their older devices are still vulnerable to DirtyCOW: UBports actively shipping devices with critical vulnerabilities such as CVE-2015-1805, CVE-2016-5195, and CVE-2020-29661. See https://github.com/ubports/ubuntu-touch/issues/1566 · GitHub
In my (biased) opinion:
For any devices that are no longer supported by their manufacturer, DivestOS is the most secure option available for them.
In the interest of user awareness, here are some other alternatives:
- https://grapheneos.org/ - maximum security, at cost of limited device support
- https://calyxos.org/ - focus on user friendliness, but makes some questionable inclusions (DuckDuckGo Browser, Signal)
- https://lineageos.org/ - the old king, supports many devices, disables many security features in name of supporting user customization (gapps, root)
- https://replicant.us/ - “fully free”, limited device support, imo not daily drivable, severely out-of-date security patch wise