GrapheneOS calls out Google for their recent actions
GrapheneOS Reply on X/Twitter.

(Main Post) Sameer Samat on X/Twitter.
yes, this deserves to be a shitshow.
Google is just another greedy tech company.
*Ad company
Surveillance company.
So, all Android users are more vulnerable to commercial exploit companies and governments (especially those on custom ROMs like GrapheneOS)?
If these exploit companies continue to stay in business and thrive, it really says a lot about Google's security. In contrast to my perspective, there isn't a thread where people aren't talking up how good Google's security is, no matter how relevant it is to the discussion.
I don't really care how much Google spends on security, how many people they employ - if people are making a business out of exploiting their operating system... their security must really fucking suck.
wait, i have grapheneos. is my phone now at risk of corporate/government snooping in a way it wasn't before? i had understood it to mean that new phones would have a harder time being sideloaded. is that correct?
https://i.imgur.com/mb8911t.png
From the OP post image. It seems like things are vulnerable due to their update/patch frequency, and putting AOSP on the back-burner by skipping multiple scheduled updates (the latter of which directly affects custom ROMs).
I did pose my question in good faith for people to answer, so I'm not an expert or anything, but 4 month delays for patches sounds awful - especially if partner previews are a thing. It almost seems like this is Google providing exploit windows...
It's all very concerning.
I feel like every time I look at something on Twitter now, some idiot asks grok a stupid question to try dunking on whoever they're replying to and gets shat on instead.
https://nitter.privacyredirect.com/ascetic_tweeter/status/1964790038006464681
Delightful, it's like the Twitter equivalent of googling something right in front of your buddy and being proven wrong.... Except there's absolutely no reason they couldn't have googled it privately first, making their overconfidence even more obvious.
Their attempted follow up to not look like an owned pissbaby is amusing.
@cock is dis truuu
The tweet in the body makes me suspect this is some corpo speak for trying to crack down on piracy, more than malicious apps that would compromise security.
How much are you willing to bet that GrayJay will be blacklisted from the system?
How, though, are they going to blacklist the developer? The apps are not going to be approved, just the developer. And what stops someone from paying 25 bucks and just signing every apk they want to install?
Nobody in the right mind is going to take a losing bet. That's like betting that Manifest V3 was ever going to get equivalent ad blocking capabilities before Google killed Manifest V2.
After META and Yandex had their long established and trivial-to-implement cookie tracking abilities (Localhost->HTTP(S)/WebRTC) exposed a few months ago, I have been waiting for some changes to come along to try and lock out potential snoopers who might figure out how they are now de-anonymizing phone users and tracking their web habits.
Preventing sideloading, combined with moving some of the dev internal, both seem like moves toward this end to me. But what do I know, I have never even owned a smartphone.
Facebook's app is in Play Store. Google knew FB was violating ToS for months.
Blocking sideloaded apps would have done nothing against that.
Unless the take is: Google wants to know who, exactly, they are permitting to do crimes on your phone. They don't like the not-knowing part.
Could the community just fork AOSP?
No, probably not. Big open source projects require money since people like to eat.
They could, but it would be a herculean effort. Google has multiple thousands of developers working on Android (exact number undisclosed).
Every Android custom ROM is already a fork of AOSP that backports any new updates to AOSP into their project when source code is provided to AOSP. That is work enough already for a small team - if they were also writing those security patches for published CVEs, as well as patching bugs submitted by users and Android partners (app devs), as well as developing their own feature updates to keep similar parity to Google's Android, that would be several orders of magnitude more complex and require a large team working full time.
They'd also need to develop relationships with any Android hardware manufacturers that they wanted to support the devices of, to get current and new drivers and work with them over any problems - with no real reason for those businesses to work with them, especially if Google could turn around to them at any time and say something like, "if you want to continue partnering with us you'll have to sign this new exclusivity contract that stipulates you'll stop providing pre-release drivers and direct support to any AOSP fork project." So it could realistically be sabotaged at any time by Google (in this way or others) making it a fairly unattractive proposition for open source devs to pour their time into.
I think the only feasible way a fork could work is if a consortium of phone manufacturers is backing it.
Multiple thousands? Most software projects are truly run by a handful of developers. Even considering the scope of several interrelated projects on Android, I'd be surprised if the number tops 200.
I think Linux would be better. As long as a phone has basic phone functionality and a browser and runs well I'd be happy with it. Interesting how gradually my expectations of phones have moved towards being more minimalistic.
Projects based on one where Google is the biggest influence seems like over time there would be more and more roadblocks to overcome now that they are moving towards restrictions.
Who's going to finance it? One of the reasons it hasn't taken off is no company is paying anyone to do it.
Cyberdeck time it is.
At least our devices will have some visual personality again.
I think it will have to go that direction. The mobile os space was killed off to get us here so it could be controlled.
Sadly, as others have mentioned, you would need a hardware manufacturer that doesn't have current stakes with any of the major players nor the mobile carriers. The carriers could blacklist homebrew or small shop hardware by IMEI if Google or Apple wanted it.
Maybe the future is a mobile hotspot in one pocket and a Linux phone in the other. Not super appealing and converging the hardware into something reasonable but still segregated would be pretty ugly.
Things aren't looking good kids.
honestly I'd be completely happy with a phone that just receives calls/text and only has a web browser. Almost every app I have on my phone I can do the same thing on a browser, so what's the point? It seems like an invasive way to get access to your phone and its data.
Is the open source community willing to fund a Linux phone? I highly doubt we could corral enough people within the community to care.
That would work if there would be usable phones capable of running Linux. But who would manufacture such a phone?
There are various ongoing forks, GrapheneOS, /e/-OS, LineageOS and all the ones the OEMs maintain to support proprietary drivers for their hardware in their versions, so in that sense, yes of course you can fork it.
But if upstream development stops, or is no longer released, then a fork project would have to start running their own security screening and patching, which is prohibitively expensive.
If it comes from those shit breathers just pretend worst case scenarios they've had really good streaks.
you folks claimed AOSP wasn’t going anywhere
It’s not though? AOSP is open source, it can’t really go anywhere.
Google are not required to keep updating AOSP, especially not at an arbitrarily decided upon timeframe by some other developers who piggyback off AOSP.
I dislike Google as a company and have basically moved away from every single Google service apart from Google photos and Waze, but that doesn’t mean I’m going to just demand they do what I want them to.
These devs are upset because their business is almost entirely dependent on Google giving them their work, and fair enough - but they should have known this would happen one day. When you make a business reliant on someone else’s business doing work for you for free, you should have a backup plan.
Google are not required to keep updating AOSP
But they are. At least because of Linux's GPL.
It's interesting how you make an argument about people leeching off of Google, ignoring the very obvious fact that Google leeched off of everyone else. Do you know why it's open source? ... And look, if you want to go on a rant, please do. But at least pay lip service to recent history.
This is the new capitalist MO. To say the right words while doing the exact opposite.
Everything is just optics now.
I can't run ssh on optics.
WDYM, hard disk drives still exist.