Dear tech media, could we please stop using GrapheneOS as the judge on what's secure? I respect very much what GrapheneOS has built, but their stance that free software is not important to security is very short-sighted. They literally are willing to call binary blobs secure because someone told them they are? They have no other standard to go on, since they can't inspect them.

theregister.com/2025/10/15/fsf

@eighthave One of the biggest tells of security isn't in the codebase; it's behavior. You could write malware into an open-source piece of software and have it be so obtuse that it goes unnoticed for years, as with what happened with XZ Utils. That was only caught because a program BEHAVED oddly, and a Microsoft employee noticed.

Whatever proprietary software Graphene is using, I'm sure they've ensured its behavior matches the security standard they uphold.


@moshimotsu There is a very good reason why security audits are done on source code. Yes, observing behavior is important. Then, when one has the source code, one can follow up and confirm the exact behavior. With a binary blob, that is not feasible.

Librem Social