CalyxOS: The Pause That Wasn't
An Anonymous Coward writes:

Some turbulence at CalyxOS:
CalyxOS is an Android distribution that claims a focus on privacy and security. So when an announcement from the project begins by saying "we want to assure you that we have no reason to believe the security of CalyxOS and its signing keys have been compromised", chances are that good things are not happening.
In this case, it would appear that Nicholas Merrill, one of the founders of the project, has left for unclear reasons, and CalyxOS is responding by pausing all releases - and security updates - while its release process, signing keys, and security protocols are reworked. The result will be no updates for "four to six months". The project is recommending that its users "should uninstall the OS" and wait for an all-clear signal. CalyxOS may have its work cut out for it when the time comes to try to convince those users to come back.
As you know, we announced a recent leadership transition. When senior personnel have access to signing keys and leave a team, it is security best practice to update signing keys and conduct audits. So in accordance with that, we are using this transition period to update our security protocols, including updating the signing keys and taking other steps to further protect our users.
In the past, security audits have been conducted for parts of CalyxOS, such as the Seedvault project, but not for the entire project. As more and more people across the globe started using this tool, we intend to conduct a broader security audit and publish the reports for the public to review.
As mentioned in our community letter below, we estimate that this audit and the implementation of new security protocols and signing keys will take four to six months, but we will endeavor to complete this process as soon as possible. However, for the time being, current CalyxOS users will not be able to receive further security software updates until our new security protocols are in place.
Without security updates, we can only be honest that this does not guarantee the level of security we strive for, especially when global threats to privacy and human rights are at a critical moment. That is why in the meantime we have posted the recommendation that people who are running CalyxOS should uninstall the OS and follow our community channels for updates, including when the latest version of CalyxOS becomes available again.
[...] We also understand that many community members have expressed interest in having an installation option/images for CalyxOS available again. Due to the overwhelming feedback from our community, we've decided to make the images publicly available once more. Please be aware that this decision is not a recommendation to migrate to CalyxOS now.
[ED. note:] CalyxOS is an Android-based operating system for select smartphones, foldables and tablets with mostly free and open-source software. It is produced by the Calyx Institute as part of its mission to "defend online privacy, security and accessibility."
Read more of this story at SoylentNews.