GrapheneOS releases patches very quickly, often even faster than OEMs do. But patches are only useful for fixing individual known vulnerabilities. GrapheneOS additionally focuses on defending against whole classes of vulnerabilities. [1] For example, in addition to fixing memory corruption bugs in individual system components, GrapheneOS has deployed memory protections for the entire OS in the form of hardened_malloc [2] and by enabling the ARM memory tagging extension for the kernel, most system processes (with very few exceptions) and all user-installed apps.
The honeypot theories don't make sense, since GrapheneOS is fully open source, and very transparent about developers, funding, infrastructure, and other internal stuff.
> GrapheneOS is fully open source
Not really. There is a bunch of proprietary firmware running on those phones, which can be exploited with or without the help of the manufacturer.
Firmware is not OS.
Your machine is a distributed system. The firmware is what runs a specific node.
Yes they usually have DMA, shared busses, etc. That's an implementation detail.
An implementation detail where TLAs could theoretically get root remotely? Seems like a bit more than a detail to be glossed over.
Show me any device on earth that can run a browser that has no proprietary code whatsoever (including hardware) on it?
AFAIK older Talos Secure Workstation with Power CPUs was it. Everything open including CPU firmware.
Not sure about smartphones though - they mostly struggle with a fact there are no truly open source baseband.
There is no smartphone fully powered by open firmware. Also keep in mind that the hardware itself is proprietary too.
Reminds me of that one case a few weeks back where Graphene wasn't allowed to release a patch because Google wasn't planning on releasing a patch for it for a few more months.
GrapheneOS has a security preview release channel that is opt-in but includes patches from these embargoed vulns already. Again, it's opt-in but for those with a higher threat model use-case it's nice to have.
Would this not defeat the purpose of responsible disclosure? As a bad actor I could learn of secret vulnerabilities from this channel.
These patches are available to all vendors who chose not to protect their users yet.
Releasing binary patches is allowed, this is why GOS have added the security preview channel.
You have google to blame. GrapheneOS tried very hard to make sure they have those security patches as google delays publishing the source tree and it's only available to OEMs