Privacy On Phone

Those articles touch on some things we could do better, but also get some essential facts wrong. F-Droid contributors are aware of those articles but they do not point out any critical security issues. You don’t have to take our word for it, you can read the code and audits. We’ll be publishing the results of another one soon. It is important to note that those articles all come from the same small group of people that are involved with GrapheneOS. They also seem to put a lot of trust in Google, where a central goal of F-Droid is to reduce the amount of trust needed to run our service. For example:

GrapheneOS do good hardening work, but don’t seem to understand other key parts of building a secure ecosystem. For example, Daniel Micay deliberately burned the signing keys for CopperheadOS when he was lead dev, thereby locking all users out of ever getting updates again. That is especially bad if the private key was compromised. That means only the person who stole the private key can provide updates. He now controls the official signing keys of GrapheneOS, so keep that in mind. It could be worthwhile to find another source of signed builds. I think GrapheneOS is technically interesting for very specific use cases where there is no app store, e.g. a device that includes Signal and DeltaChat, with no additional apps or method for installing other apps.

I have nothing against their project or work, but they have not treated F-Droid contributors respectfully. I’ve heard from a number of other Android ROM developers that they also have been treated badly by GrapheneOS contributors.

4 Likes