security/hakurei.app
security/hakurei.app
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 4 Wiki Activity

static: remove unused pages
All checks were successful
Static / Flake checks (push) Successful in 22s
Details
Static / Create distribution (push) Successful in 52s
Details

Browse Source 
There are more potentially unused pages, but these are unlikely to
become relevant or reusable in the near future, so remove them.
This commit is contained in:
Ophestra 2025-06-28 01:35:14 +09:00
parent 57a7aa4410
commit b9b6e3db16
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
27 changed files with 10 additions and 4271 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
generate-donate-qr-codes
View File

@ -1,19 +0,0 @@
#!/bin/bash
set -o errexit -o nounset -o pipefail
generate() {
echo $1
qrencode -s 1 -o $1 $2
gm identify -format '%w×%h\n' $1
zopflipng -ym $1 $1
}
generate static/donate-bitcoin.png 'bitcoin:bc1q9qw3g8tdxf3dugkv2z8cahd3axehph0mhsqk96?label=GrapheneOS%20Foundation&message=Donation%20to%20GrapheneOS%20Foundation'
generate static/donate-bitcoin-taproot.png 'bitcoin:bc1prqf5hks5dnd4j87wxw3djn20559yhj7wvvcv6fqxpwlg96udkzgqtamhry?label=GrapheneOS%20Foundation&message=Donation%20to%20GrapheneOS%20Foundation'
generate static/donate-bitcoin-bip47.png 'bitcoin:PM8TJKmhJNQX6UTFagyuBk8UGmwKM6yDovEokpHBscPgP3Ac7WdK5zaQKh5XLSawyxiGYZS2a7HkAoeL6oHg7Ahn1VXX888yRG4PwF1dojouPtW7tEHT'
generate static/donate-monero.png 'monero:862CebHaBpFPgYoNC6zw4U8rsXrDjD8s5LMJNS7yVCRHMUKr9dDi7adMSLUMjkDYJ85xahQTCJHHyK5RCvvRJu9x7iSzN9D?recipient_name=GrapheneOS&tx_description=Donation%20to%20GrapheneOS'
generate static/donate-zcash-transparent.png 'zcash:t1SJABjX8rqgzqgrzLW5dUw7ikSDZ2snD8A?label=GrapheneOS%20Foundation&message=Donation%20to%20GrapheneOS%20Foundation'
generate static/donate-ethereum.png 'ethereum:0xC822A62E5Ab443E0001f30cEB9B2336D0524fC61'
generate static/donate-cardano.png 'web+cardano:addr1q9v89vfwyfssveug5zf2w7leafz8ethq490gvq0ghag883atfnucytpnq2t38dj7cnyngs6ne05cdwu9gseevgmt3ggq2a2wt6'
generate static/donate-litecoin.png 'litecoin:ltc1qzssmqueth6zjzr95rkluy5xdx9q4lk8vyrvea9?label=GrapheneOS%20Foundation&message=Donation%20to%20GrapheneOS%20Foundation'

18
generate-sitemap.py
View File

@ -2,27 +2,16 @@ from datetime import datetime, timezone
from os.path import getmtime
from pathlib import Path
base = "https://grapheneos.org"
base = "https://hakurei.app"
pages = [
["/", 0.5],
["/.well-known/security.txt", 0.0],
["/LICENSE.txt", 0.0],
["/articles/", 0.5],
["/articles/attestation-compatibility-guide", 0.5],
["/articles/grapheneos-servers", 0.1],
["/articles/positon-location-service", 0.5],
["/articles/server-traffic-shaping", 0.5],
["/articles/sitewide-advertising-industry-opt-out", 0.5],
["/build", 0.5],
["/camera-privacy-policy", 0.0],
["/contact", 0.5],
["/donate", 0.5],
["/faq", 1.0],
["/features", 1.0],
["/history/", 0.3],
["/history/copperheados", 0.1],
["/history/legacy-changelog", 0.1],
["/hiring", 0.2],
["/humans.txt", 0.0],
["/pdfviewer-privacy-policy", 0.0],
@ -38,12 +27,13 @@ entries = []
for page in pages:
path = page[0]
if path[-1] != '/' and "." not in path:
path += ".html"
loc = base + path
filepath = "static-production" + path
if path[-1] == '/':
filepath += "index.html"
elif "." not in path:
filepath += ".html"
mtime = getmtime(filepath)
if mtime > base_mtime:

1
static/.well-known/matrix/client
View File

@ -1 +0,0 @@
{"m.homeserver":{"base_url":"https://matrix.grapheneos.org"}}

1
static/.well-known/matrix/server
View File

@ -1 +0,0 @@
{"m.server":"matrix.grapheneos.org:443"}

24
static/.well-known/security.txt
View File

@ -1,24 +0,0 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Contact: mailto:security@grapheneos.org
Canonical: https://grapheneos.org/.well-known/security.txt
Encryption: data:application/x-age-public-key,age1dcftzgq00ykgwvxl5te6d5clqgx75h2g54c0u8gjc43mcnea7p7q3ma0yx
Expires: 2026-03-01T00:00:00Z
Preferred-Languages: en
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEZe7+AiEI4rcIy/z3+ecS5Zr18ioFAmfDGl4ACgkQ+ecS5Zr1
8iquHQ//e/Wy0rv3YlGTzzE1bM+h45JKyd+vxYdRmUVM4ic0rLpx+v1vQdIDKUtZ
Bax7wE1dMRu02Tpo8vxoEB5QgilxgLtZIi0y3K68/lQJM1BIl20ieL0YfeB9YZt7
TZeAbuIMaq0YyzxexTE2GKQQI4qKAIJpMvEnvxmZ2c9dmOiP6T6TYVsYBmiSe7op
YUQZ1j6yElVXiBA9FJg1vpaWqPFeSEmi8X0c0ef5tdNKCai1c2/arhELK4msB3ih
0Wd7MIukudGvH7Xjfb+H8EZ53OTg/3pAhNdf5E7apwlgNPdp/XPK3Uen+8o0wV4r
cQRNBD0gGA8kyEtYfcgndFo5kVkptOZB4OLx7A9wxjDsfMYduknuTGyniZH2DBlH
S/H0aWaoLSO2FCFT7OIkXxYTjXdbKZwgtPf5ba6gCpDL/aXrjIPeqHtmo/l2ruhx
sc6TYiSHBQuFqQg+X2/49GxDap6k13an5ZiRPUw5CoJl3r3Ztg6ZKu4EiFmLjJ5K
AliaN0hjwqxH0AbMc95DLUZ1oRNpk17dlcXl/Fgk7ZI/6GWEqOhEkzf3je9GrZJR
53OTDvcarq+rS8kcZ/bSxoBLaZNcNes3kcinaCnGCTjFPgoy2f6CtuuA37KwMc0V
TMGaKqRMUCj+lJtdM2HuY0FvWMWjrDKdPrprUx8/umrAa0XPX2k=
=WcPV
-----END PGP SIGNATURE-----

1
static/allowed_signers
View File

@ -1 +0,0 @@
contact@grapheneos.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIUg/m5CoP83b0rfSCzYSVA4cw4ir49io5GPoxbgxdJE

16
static/allowed_signers.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZe7+AiEI4rcIy/z3+ecS5Zr18ioFAmXMmicACgkQ+ecS5Zr1
8iqOKw//WB9N2C+jT/WmMT4t0+aE/0uHvBqoU9KQFmzFWlixibqF70C3gcBkeZK9
tvWViI1UhQJktM0A4rwTn3r7T+MvIbwlOzHBKmoWyU2+PSwO3lIO9xbHSvu4/rbp
IVkIimgwi9WTvlDvXRhYdXtfJJyXl+qlfbk5sHCOavuR+/xPx3IUDpEZwPvi33VF
Z1Sl/3yJztLB96ngmhs29WBniTvxa3owYwjMhHNuTnxNf2m8bIavYA2Vraj9gE8O
eTNE5oXkGdv2YJnKW0gbMDV2/F7WBW2/kPZ6yvUxR9texHsFn1dofvf604W09PKP
QaIzCKGsJSAVKx/g9mSXm2Z/+hsXLWlJAVK0hmCEhn+Tnmff5KMG7R1WUes0R0rv
PK6sa0NbvRRNiwxM08PnZ14WrYBggOZdRBlseqHIdwu2UD2X2vTNK4VOhBbaQPYd
EwdIwZxqu0bpUtPIowJqppd/ZWxKOJ4OMcDF/2ENBTqp20RWQnTM1WEV1OoUQeh1
XfZDNFBRW7CP4zsbFTIK4DEobxbVXCEVtUK4rGRChX3WL8qhVCgxFf4W8Cwjco2y
u40luFdoNyrd2yTVevcX0w2W/4JvJ5reikepYOAbCwbLbWNJnKoRA+0ZgZ0IE1B4
+RDmB5iIefAPjpD/Do/TtlFjRcyh6g4kNWnS1fTzB9jGNP/PQWs=
=rnsE
-----END PGP SIGNATURE-----

2
static/allowed_signers.sig
View File

@ -1,2 +0,0 @@
untrusted comment: verify with factory.pub
RWQZW9NItOuQYMZY8ZMX9VX4hfy54df7Pt3Yh1qEWTyRlQKH4PdteqeKUk9jljywlcCl8nzKJAj75F70Y5FTsAK4cw2aV+CZcAA=

176
static/articles/attestation-compatibility-guide.html
View File

@ -1,176 +0,0 @@
<!DOCTYPE html>
<html lang="en" prefix="og: https://ogp.me/ns#">
<head>
<meta charset="utf-8"/>
<title>Attestation compatibility guide | Articles | GrapheneOS</title>
<meta name="description" content="Guide on using remote attestation in a way that's compatible with GrapheneOS."/>
<meta name="theme-color" content="#212121"/>
<meta name="color-scheme" content="dark light"/>
<meta name="msapplication-TileColor" content="#ffffff"/>
<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover"/>
<meta name="twitter:site" content="@GrapheneOS"/>
<meta name="twitter:creator" content="@GrapheneOS"/>
<meta property="og:title" content="GrapheneOS attestation compatibility guide"/>
<meta property="og:description" content="Guide on using remote attestation in a way that's compatible with GrapheneOS."/>
<meta property="og:type" content="website"/>
<meta property="og:image" content="https://grapheneos.org/opengraph.png"/>
<meta property="og:image:width" content="512"/>
<meta property="og:image:height" content="512"/>
<meta property="og:image:alt" content="GrapheneOS logo"/>
<meta property="og:site_name" content="GrapheneOS"/>
<meta property="og:url" content="https://grapheneos.org/articles/attestation-compatibility-guide"/>
<link rel="canonical" href="https://grapheneos.org/articles/attestation-compatibility-guide"/>
<link rel="icon" href="/favicon.ico"/>
<link rel="icon" sizes="any" type="image/svg+xml" href="/favicon.svg"/>
<link rel="mask-icon" href="[[path|/mask-icon.svg]]" color="#1a1a1a"/>
<link rel="apple-touch-icon" href="/apple-touch-icon.png"/>
[[css|/main.css]]
<link rel="manifest" href="/manifest.webmanifest"/>
<link rel="license" href="/LICENSE.txt"/>
<link rel="me" href="https://grapheneos.social/@GrapheneOS"/>
</head>
<body>
{% include "header.html" %}
<main id="attestation-compatibility-guide">
<h1><a href="#attestation-compatibility-guide">Attestation compatibility guide</a></h1>
<p>Apps using the Play Integrity API or
<a href="https://developer.android.com/training/safetynet/deprecation-timeline">obsolete</a>
SafetyNet Attestation API to check the authenticity/integrity of the OS can support
GrapheneOS by using the standard Android hardware attestation API instead and
permitting our official release signing keys. Android's
<a href="https://developer.android.com/training/articles/security-key-attestation">hardware
attestation API</a> provides a much stronger form of attestation than the Play
Integrity API with the ability to whitelist the keys of alternate operating systems.
It also avoids an unnecessary dependency on Google Play services and Google's
Play Integrity servers.</p>
<p>The standard hardware attestation API can be used to verify the authenticity/integrity
of the hardware, firmware, OS and the app running on it. It provides a verified boot key
fingerprint for the OS for permitting secure aftermarket operating systems. The app id,
signing key fingerprint(s) and version code of the app enabling hardware attestation are
included in the signed public key certificate for the generated key. This enables the
app's service to make sure the app is genuine and unmodified along with chaining trust
through the OS to the app which can sign messages with the attested hardware keystore
key to prove they come from their app running on top of a verified OS, firmware and
hardware. The only practical way to bypass hardware attestation is through exploiting
the hardware keystore to obtain attestation signing keys, which is protected against by
the ability to revoke keys that are being misused. Play Integrity API strong integrity
level is directly based on the hardware key attestation API, but apps using it directly
can support aftermarket operating systems, check the hardware attested OS patch level
and other provided information. The hardware attestation API also supports pinning-based
security instead of only root-based security where keys can be leaked and used to fake
attestations. Apps can use pinning to establish a much higher security pairing with a
specific device to obtain fresh attestations with a very high level security based on
the security of the device's own hardware keystore rather than the overall ecosystem.
Hardware attestation also doesn't require using any Google service beyond regularly
fetching the list of revoked keys for root-based attestation. The app's service doesn't
have to go down or start permitting anything if the Google services becomes unavailable
or blocks the app from using it for one reason or another. Using hardware attestation is
therefore more reliable and lower risk for apps.</p>
<p>Devices have been required to ship with hardware attestation support since Android
8. You can use hardware attestation on devices running Android 8 or later when the
<code>ro.product.first_api_level</code> system property isn't set to 25 or below,
which indicates they launched with Android 8 or later with hardware attestation
support as a mandatory feature. On older devices, you can continue using the Play
Integrity API. Some low quality devices shipped broken implementations of hardware
attestation despite the requirement to have it working for CDD/CTS certification and
the Play Integrity API currently still passes on those devices wrongly claiming them
to be CTS certified. If you don't want to fail on those devices, then you can start
with hardware attestation and fall back to the Play Integrity API or do both and
accept either passing as success.</p>
<p>Google provides a <a href="https://github.com/google/android-key-attestation">key
attestation library</a> with examples. Our <a href="https://github.com/GrapheneOS/Auditor">MIT
/ Apache 2 licensed Auditor app</a> can be used as a reference implementation for
verifying hardware-based attestations. There are some subtleties in the verification
process such as making sure only the 2nd certificate in the chain (the one signing the
certificate for the key generated by your app) has an attestation extension to prevent
making a fake attestation by extending the chain. You can reuse our code and simply
omit support for an app generated attestation signing key (attest key) and the other
pinning support.</p>
<p>After verifying the signature of the attestation certificate chain and extracting
the attestation metadata, you can enforce that <code>verifiedBootState</code> is
either <code>Verified</code> or <code>SelfSigned</code>. For the
<code>SelfSigned</code> case, you can check that <code>verifiedBootKey</code> matches
one of the official GrapheneOS verified boot keys. These are the base16-encoded
verified boot key fingerprints for the official GrapheneOS releases:</p>
<ul>
<li><code>0508de44ee00bfb49ece32c418af1896391abde0f05b64f41bc9a2dfb589445b</code>: Pixel 9a</li>
<li><code>af4d2c6e62be0fec54f0271b9776ff061dd8392d9f51cf6ab1551d346679e24c</code>: Pixel 9 Pro Fold</li>
<li><code>55d3c2323db91bb91f20d38d015e85112d038f6b6b5738fe352c1a80dba57023</code>: Pixel 9 Pro XL</li>
<li><code>f729cab861da1b83fdfab402fc9480758f2ae78ee0b61c1f2137dd1ab7076e86</code>: Pixel 9 Pro</li>
<li><code>9e6a8f3e0d761a780179f93acd5721ba1ab7c8c537c7761073c0a754b0e932de</code>: Pixel 9</li>
<li><code>096b8bd6d44527a24ac1564b308839f67e78202185cbff9cfdcb10e63250bc5e</code>: Pixel 8a</li>
<li><code>896db2d09d84e1d6bb747002b8a114950b946e5825772a9d48ba7eb01d118c1c</code>: Pixel 8 Pro</li>
<li><code>cd7479653aa88208f9f03034810ef9b7b0af8a9d41e2000e458ac403a2acb233</code>: Pixel 8</li>
<li><code>ee0c9dfef6f55a878538b0dbf7e78e3bc3f1a13c8c44839b095fe26dd5fe2842</code>: Pixel Fold</li>
<li><code>94df136e6c6aa08dc26580af46f36419b5f9baf46039db076f5295b91aaff230</code>: Pixel Tablet</li>
<li><code>508d75dea10c5cbc3e7632260fc0b59f6055a8a49dd84e693b6d8899edbb01e4</code>: Pixel 7a</li>
<li><code>bc1c0dd95664604382bb888412026422742eb333071ea0b2d19036217d49182f</code>: Pixel 7 Pro</li>
<li><code>3efe5392be3ac38afb894d13de639e521675e62571a8a9b3ef9fc8c44fd17fa1</code>: Pixel 7</li>
<li><code>08c860350a9600692d10c8512f7b8e80707757468e8fbfeea2a870c0a83d6031</code>: Pixel 6a</li>
<li><code>439b76524d94c40652ce1bf0d8243773c634d2f99ba3160d8d02aa5e29ff925c</code>: Pixel 6 Pro</li>
<li><code>f0a890375d1405e62ebfd87e8d3f475f948ef031bbf9ddd516d5f600a23677e8</code>: Pixel 6</li>
</ul>
<p>The <code>verifiedBootKey</code> field is binary data so you either need to encode
it as base16 to compare with these or convert these to binary. An easy approach is
storing the permitted key fingerprints in a set and enforcing that the verified boot
key is in the permitted set when <code>verifiedBootState</code> is
<code>SelfSigned</code>.</p>
<p>GrapheneOS regularly adds support for new devices so you should have a process for
regularly adding the new verified boot key fingerprints from this page.</p>
<p>The hardware attestation API also provides other useful information signed by the
hardware including the OS patch level, in a way that even an attacker exploiting the
OS after boot to gain root cannot trivially bypass. It's a better feature than the
Play Integrity API which has to be designed for the lowest common denominator.</p>
<p>GrapheneOS users are strongly encouraged to share this documentation with app
developers enforcing only being able to use the stock OS. Send an email to the
developers and leave a review of the app with a link to this information. Share it
with other users and create pressure to support GrapheneOS rather than locking users
into the stock OS without a valid security reason. GrapheneOS not only upholds the
app security model but substantially reinforces it, so it cannot be justified with
reasoning based on security, anti-fraud, etc.</p>
<article id="apps-banning-grapheneos">
<h2><a href="#apps-banning-grapheneos">Apps banning GrapheneOS</a></h2>
<p>This is a list of the apps banning GrapheneOS with the Play Integrity API with
links to their Play Store pages for leaving feedback:</p>
<ul>
<li><a href="https://play.google.com/store/apps/details?id=au.gov.mygov.mygovapp" rel="nofollow">myGov</a> (Australian government app)</li>
<li><a href="https://play.google.com/store/apps/details?id=br.gov.meugovbr" rel="nofollow">gov.br</a> (Brazilian government app)</li>
<li><a href="https://play.google.com/store/apps/details?id=ch.ticketcorner.mobile.app.Android" rel="nofollow">Ticketcorner</a></li>
<li><a href="https://play.google.com/store/apps/details?id=com.authy.authy" rel="nofollow">Authy</a></li>
<li><a href="https://play.google.com/store/apps/details?id=com.ebay.mobile" rel="nofollow">eBay</a></li>
<li><a href="https://play.google.com/store/apps/details?id=com.mcdonalds.mobileapp" rel="nofollow">McDonald's</a> (International app used for many but not all countries not including the US)</li>
<li><a href="https://play.google.com/store/apps/details?id=com.ridedott.rider" rel="nofollow">Dott</a></li>
<li><a href="https://play.google.com/store/apps/details?id=com.swissquote.android" rel="nofollow">Swissquote</a></li>
<li><a href="https://play.google.com/store/apps/details?id=com.swisssign.swissid.mobile" rel="nofollow">SwissID</a></li>
<li><a href="https://play.google.com/store/apps/details?id=de.tk.tkapp" rel="nofollow">TK-App</a> (German health insurance app which uses it for fingerprint login)</li>
<li><a href="https://play.google.com/store/apps/details?id=it.pagopa.io.app" rel="nofollow">IO</a> (Italian government app which uses it for the digital wallet feature)</li>
</ul>
<p>In addition to leaving feedback for these apps on the Play Store, file support
requests and leave feedback on third party review sites. Ask them to stop banning
GrapheneOS and explain that it's a much more secure OS than what they permit which
does not lose any of the standard security model. Explain that they can use the
hardware key attestation API to verify that a device is running GrapheneOS to permit
it alongside an OS licensing Google apps as they do with the Play Integrity API
already. Make sure to push back against false claims that it has something to do
with compatibility or security issues. The only reason they aren't permitting it is
because we do not license Google Mobile Services (GMS) and these apps are enforcing
Google's business interests rather than security.</p>
</article>
</main>
{% include "footer.html" %}
</body>
</html>

726
static/articles/grapheneos-servers.html
View File

@ -1,726 +0,0 @@
<!DOCTYPE html>
<html lang="en" prefix="og: https://ogp.me/ns#">
<head>
<meta charset="utf-8"/>
<title>GrapheneOS servers | Articles | GrapheneOS</title>
<meta name="description" content="Documentation on GrapheneOS servers."/>
<meta name="theme-color" content="#212121"/>
<meta name="color-scheme" content="dark light"/>
<meta name="msapplication-TileColor" content="#ffffff"/>
<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover"/>
<meta name="twitter:site" content="@GrapheneOS"/>
<meta name="twitter:creator" content="@GrapheneOS"/>
<meta property="og:title" content="GrapheneOS servers"/>
<meta property="og:description" content="Documentation on GrapheneOS servers."/>
<meta property="og:type" content="website"/>
<meta property="og:image" content="https://grapheneos.org/opengraph.png"/>
<meta property="og:image:width" content="512"/>
<meta property="og:image:height" content="512"/>
<meta property="og:image:alt" content="GrapheneOS logo"/>
<meta property="og:site_name" content="GrapheneOS"/>
<meta property="og:url" content="https://grapheneos.org/articles/grapheneos-servers"/>
<link rel="canonical" href="https://grapheneos.org/articles/grapheneos-servers"/>
<link rel="icon" href="/favicon.ico"/>
<link rel="icon" sizes="any" type="image/svg+xml" href="/favicon.svg"/>
<link rel="mask-icon" href="[[path|/mask-icon.svg]]" color="#1a1a1a"/>
<link rel="apple-touch-icon" href="/apple-touch-icon.png"/>
[[css|/main.css]]
<link rel="manifest" href="/manifest.webmanifest"/>
<link rel="license" href="/LICENSE.txt"/>
<link rel="me" href="https://grapheneos.social/@GrapheneOS"/>
[[js|/js/redirect.js]]
</head>
<body>
{% include "header.html" %}
<main id="grapheneos-servers">
<h1><a href="#grapheneos-servers">GrapheneOS servers</a></h1>
<p>This is a detailed list of the public GrapheneOS servers.</p>
<p>We use hardened local machines for building and signing rather than servers outside
our physical control, so information on that infrastructure is outside the scope of this
page but may be provided in the future elsewhere.</p>
<nav id="table-of-contents">
<h2><a href="#table-of-contents">Table of contents</a></h2>
<ul>
<li><a href="#grapheneos.org">GrapheneOS website</a></li>
<li><a href="#staging.grapheneos.org">Staging GrapheneOS website</a></li>
<li><a href="#releases.grapheneos.org">GrapheneOS release servers</a></li>
<li><a href="#grapheneos.network">GrapheneOS network servers</a></li>
<li><a href="#mail.grapheneos.org">GrapheneOS mail server</a></li>
<li><a href="#discuss.grapheneos.org">GrapheneOS discussion forum server</a></li>
<li><a href="#grapheneos.social">GrapheneOS Mastodon server</a></li>
<li><a href="#matrix.grapheneos.org">GrapheneOS Matrix server</a></li>
<li><a href="#ns1.grapheneos.org">GrapheneOS DNS servers</a></li>
<li><a href="#ns1.staging.grapheneos.org">Staging GrapheneOS DNS server</a></li>
<li><a href="#attestation.app">Attestation website and service</a></li>
<li><a href="#staging.attestation.app">Staging attestation website and service</a></li>
</ul>
</nav>
<section id="grapheneos.org">
<h2><a href="#grapheneos.org">GrapheneOS website</a></h2>
<ul>
<li><a href="https://github.com/GrapheneOS/grapheneos.org">Repository</a></li>
<li><a href="https://github.com/GrapheneOS/grapheneos.org/issues">Issue tracker</a></li>
</ul>
<p>Specs:</p>
<ul>
<li>3x OVH VPS vps2023-le-2</li>
<li>2 core</li>
<li>2 GB memory</li>
<li>40 GB NVMe SSD storage</li>
<li>500 Mbit/s bandwidth</li>
</ul>
<ul>
<li>1x BuyVM Slice 1024</li>
<li>1 core</li>
<li>1 GB memory</li>
<li>20 GB NVMe SSD storage</li>
<li>1000 Mbit/s bandwidth</li>
</ul>
<p>Domains:</p>
<ul>
<li>grapheneos.org</li>
<li>www.grapheneos.org</li>
<li>grapheneos.app</li>
<li>www.grapheneos.app</li>
<li>grapheneos.ca</li>
<li>www.grapheneos.ca</li>
<li>grapheneos.com</li>
<li>www.grapheneos.com</li>
<li>grapheneos.dev</li>
<li>www.grapheneos.dev</li>
<li>grapheneos.foundation</li>
<li>www.grapheneos.foundation</li>
<li>grapheneos.info</li>
<li>www.grapheneos.info</li>
<li>grapheneos.net</li>
<li>www.grapheneos.net</li>
<li>grapheneos.ovh</li>
<li>www.grapheneos.ovh</li>
<li>grapheneos.page</li>
<li>www.grapheneos.page</li>
<li>vanadium.app</li>
<li>www.vanadium.app</li>
</ul>
<p>IPs:</p>
<ul>
<li>51.222.156.101 (0.grapheneos.org) — OVH bhs6</li>
<li>2607:5300:205:200::29c6 (0.grapheneos.org) — OVH bhs6</li>
<li>209.141.35.164 (1.grapheneos.org) — BuyVM Las Vegas</li>
<li>2605:6400:20:1131:8088:e08:84e6:632 (1.grapheneos.org) — BuyVM Las Vegas</li>
<li>54.37.41.189 (2.grapheneos.org) — OVH gra8</li>
<li>2001:41d0:304:200::b109 (2.grapheneos.org) — OVH gra8</li>
<li>51.79.160.50 (3.grapheneos.org) — OVH sgp2</li>
<li>2402:1f00:8000:800::16d6 (3.grapheneos.org) — OVH sgp2</li>
</ul>
<p>Ports:</p>
<ul>
<li>TCP 22 ssh</li>
<li>TCP 80 http</li>
<li>TCP 443 https</li>
</ul>
</section>
<section id="staging.grapheneos.org">
<h2><a href="#staging.grapheneos.org">Staging GrapheneOS website</a></h2>
<ul>
<li><a href="https://github.com/GrapheneOS/grapheneos.org">Repository</a></li>
<li><a href="https://github.com/GrapheneOS/grapheneos.org/issues">Issue tracker</a></li>
</ul>
<p>Specs:</p>
<ul>
<li>BuyVM Slice 1024</li>
<li>1 core</li>
<li>1 GB memory</li>
<li>20 GB NVMe SSD storage</li>
<li>1000 Mbit/s bandwidth</li>
</ul>
<p>Domains:</p>
<ul>
<li>staging.grapheneos.org</li>
</ul>
<p>IPs:</p>
<ul>
<li>199.195.250.78 — BuyVM New York</li>
<li>2605:6400:10:9d6:6d84:e183:acda:16d7 — BuyVM New York</li>
</ul>
<p>Ports:</p>
<ul>
<li>TCP 22 ssh</li>
<li>TCP 80 http</li>
<li>TCP 443 https</li>
</ul>
</section>
<section id="releases.grapheneos.org">
<h2><a href="#releases.grapheneos.org">GrapheneOS release servers</a></h2>
<p>These are the static file servers for GrapheneOS releases and our app
repository. These are used by the releases page and web installer along with the
System Updater and App Store (app repository client) within the OS.</p>
<ul>
<li><a href="https://github.com/GrapheneOS/releases.grapheneos.org">Repository</a></li>
<li><a href="https://github.com/GrapheneOS/releases.grapheneos.org/issues">Issue tracker</a></li>
</ul>
<p>Specs:</p>
<ul>
<li>Macarne dedicated server (sponsored by <a href="https://macarne.com/">Macarne</a>)</li>
<li>Ryzen 9950X</li>
<li>128 GB DDR5</li>
<li>2x 2 TB NVMe SSD storage</li>
<li>25000 Mbit/s bandwidth</li>
</ul>
<ul>
<li>2x ReliableSite dedicated server (sponsored by <a href="https://www.reliablesite.net/">ReliableSite</a>)</li>
<li>Ryzen 9900X</li>
<li>192 GB DDR5</li>
<li>2x 4 TB NVMe SSD storage</li>
<li>10000 Mbit/s bandwidth</li>
</ul>
<p>Domains:</p>
<ul>
<li>releases.grapheneos.org</li>
<li>seamlessupdate.app</li>
<li>www.seamlessupdate.app</li>
<li>apps.grapheneos.org</li>
</ul>
<p>IPs:</p>
<ul>
<li>45.90.185.33 (4.releases.grapheneos.org) — Macarne Amsterdam</li>
<li>2a14:3f87:6920:250::100 (4.releases.grapheneos.org) — Macarne Amsterdam</li>
<li>172.96.172.37 (5.releases.grapheneos.org) — ReliableSite Miami</li>
<li>2605:9880:400:1100:15:1240:515:6e (5.releases.grapheneos.org) — ReliableSite Miami</li>
<li>104.194.8.203 (6.releases.grapheneos.org) — ReliableSite Los Angeles</li>
<li>2605:9880:200:20::113 (6.releases.grapheneos.org) — ReliableSite Los Angeles</li>
</ul>
<p>Ports:</p>
<ul>
<li>TCP 22 ssh</li>
<li>TCP 80 http</li>
<li>TCP 443 https</li>
</ul>
</section>
<section id="grapheneos.network">
<h2><a href="#grapheneos.network">GrapheneOS network servers</a></h2>
<p>These are the default servers used by GrapheneOS for connectivity checks,
secure network time, attestation key provisioning and Predicted Satellite Data
Service (PSDS). These either serve empty responses or provide reverse proxies to
other services.</p>
<ul>
<li><a href="https://github.com/GrapheneOS/grapheneos.network">Repository</a></li>
<li><a href="https://github.com/GrapheneOS/grapheneos.network/issues">Issue tracker</a></li>
</ul>
<p>Specs:</p>
<ul>
<li>3x OVH VPS vps2023-le-2</li>
<li>2 core</li>
<li>2 GB memory</li>
<li>40 GB NVMe SSD storage</li>
<li>500 Mbit/s bandwidth</li>
</ul>
<ul>
<li>1x BuyVM Slice 1024</li>
<li>1 core</li>
<li>1 GB memory</li>
<li>20 GB NVMe SSD storage</li>
<li>1000 Mbit/s bandwidth</li>
</ul>
<p>Domains:</p>
<ul>
<li>grapheneos.network - HTTP/HTTPS connectivity checks</li>
<li>connectivitycheck.grapheneos.network - HTTP/HTTPS connectivity checks</li>
<li>www.grapheneos.network</li>
<li>grapheneos.online - HTTP/HTTPS connectivity checks</li>
<li>connectivitycheck.grapheneos.online - HTTP/HTTPS connectivity checks</li>
<li>www.grapheneos.online</li>
<li>broadcom.psds.grapheneos.org - HTTPS Broadcom PSDS data cache</li>
<li>samsung.psds.grapheneos.org - HTTPS Samsung PSDS data cache</li>
<li>qualcomm.psds.grapheneos.org - HTTPS Qualcomm PSDS data cache</li>
<li>remoteprovisioning.grapheneos.org - HTTPS reverse proxy to remoteprovisioning.google.com</li>
<li>widevineprovisioning.grapheneos.org - HTTPS reverse proxy for Widevine provisioning</li>
<li>time.grapheneos.org - HTTPS time server with millisecond precision X-Time header</li>
<li>supl.grapheneos.org - TLS reverse proxy to supl.google.com</li>
<li>nominatim.grapheneos.org - HTTPS reverse proxy to nominatim.openstreetmap.org, which will become our own instance of Nominatim instead of a proxy</li>
<li>gs-loc.apple.grapheneos.org - HTTPS reverse proxy to Apple's network location service, which will remain an option after we have our own location service</li>
<li>update.vanadium.app - HTTPS reverse proxy to update.googleapis.com for Chromium component updates (will be hosted directly in the future)</li>
<li>dl.vanadium.app - HTTPS reverse proxy to CDNs for Chromium component updates (will be hosted directly in the future)</li>
</ul>
<p>IPs:</p>
<ul>
<li>51.222.159.116 (0.grapheneos.network) — OVH bhs6</li>
<li>2607:5300:205:200::2584 (0.grapheneos.network) — OVH bhs6</li>
<li>209.141.37.35 (1.grapheneos.network) — BuyVM Las Vegas</li>
<li>2605:6400:20:387:72d4:dab9:a369:f351 (1.grapheneos.network) — BuyVM Las Vegas</li>
<li>54.37.41.188 (2.grapheneos.network) — OVH gra8</li>
<li>2001:41d0:304:200::902f (2.grapheneos.network) — OVH gra8</li>
<li>51.79.161.36 (3.grapheneos.network) — OVH sgp2</li>
<li>2402:1f00:8000:800::1949 (3.grapheneos.network) — OVH sgp2</li>
</ul>
<p>Ports:</p>
<ul>
<li>TCP 22 ssh</li>
<li>TCP 80 http</li>
<li>UDP 123 ntp</li>
<li>TCP 443 https</li>
<li>TCP 7275 supl</li>
</ul>
</section>
<section id="mail.grapheneos.org">
<h2><a href="#mail.grapheneos.org">GrapheneOS mail server</a></h2>
<ul>
<li><a href="https://github.com/GrapheneOS/mail.grapheneos.org">Repository</a></li>
<li><a href="https://github.com/GrapheneOS/mail.grapheneos.org/issues">Issue tracker</a></li>
</ul>
<p>Specs:</p>
<ul>
<li>OVH VPS vps2023-le-2</li>
<li>2 core</li>
<li>2 GB memory</li>
<li>40 GB NVMe SSD storage</li>
<li>500 Mbit/s bandwidth</li>
</ul>
<p>Domains:</p>
<ul>
<li>mail.grapheneos.net</li>
<li>mail.grapheneos.org</li>
<li>mta-sts.attestation.app</li>
<li>mta-sts.discuss.grapheneos.org</li>
<li>mta-sts.grapheneos.app</li>
<li>mta-sts.grapheneos.ca</li>
<li>mta-sts.grapheneos.com</li>
<li>mta-sts.grapheneos.dev</li>
<li>mta-sts.grapheneos.foundation</li>
<li>mta-sts.grapheneos.info</li>
<li>mta-sts.grapheneos.net</li>
<li>mta-sts.grapheneos.network</li>
<li>mta-sts.grapheneos.online</li>
<li>mta-sts.grapheneos.org</li>
<li>mta-sts.grapheneos.ovh</li>
<li>mta-sts.grapheneos.page</li>
<li>mta-sts.grapheneos.social</li>
<li>mta-sts.mail.grapheneos.org</li>
<li>mta-sts.matrix.grapheneos.org</li>
<li>mta-sts.seamlessupdate.app</li>
<li>mta-sts.vanadium.app</li>
</ul>
<p>IPs:</p>
<ul>
<li>192.99.98.22 — OVH bhs6</li>
<li>2607:5300:205:200::472f — OVH bhs6</li>
</ul>
<p>Ports:</p>
<ul>
<li>TCP 22 ssh</li>
<li>TCP 25 smtp</li>
<li>TCP 80 http</li>
<li>TCP 443 https</li>
<li>TCP 465 submissions</li>
<li>TCP 993 imaps</li>
</ul>
</section>
<section id="discuss.grapheneos.org">
<h2><a href="#discuss.grapheneos.org">GrapheneOS discussion forum server</a></h2>
<ul>
<li><a href="https://github.com/GrapheneOS/discuss.grapheneos.org">Repository</a></li>
<li><a href="https://github.com/GrapheneOS/discuss.grapheneos.org/issues">Issue tracker</a></li>
</ul>
<p>Specs:</p>
<ul>
<li>OVH VPS vps2023-le-4</li>
<li>4 core</li>
<li>4 GB memory</li>
<li>80 GB NVMe SSD storage</li>
<li>1000 Mbit/s bandwidth</li>
</ul>
<p>Domains:</p>
<ul>
<li>discuss.grapheneos.org</li>
</ul>
<p>IPs:</p>
<ul>
<li>51.222.14.6 — OVH bhs6</li>
<li>2607:5300:205:200::29e8 — OVH bhs6</li>
</ul>
<p>Ports:</p>
<ul>
<li>TCP 22 ssh</li>
<li>TCP 80 http</li>
<li>TCP 443 https</li>
</ul>
</section>
<section id="grapheneos.social">
<h2><a href="#grapheneos.social">GrapheneOS Mastodon server</a></h2>
<ul>
<li><a href="https://github.com/GrapheneOS/grapheneos.social">Repository</a></li>
<li><a href="https://github.com/GrapheneOS/grapheneos.social/issues">Issue tracker</a></li>
</ul>
<p>Specs:</p>
<ul>
<li>OVH VPS vps2023-le-4</li>
<li>4 core</li>
<li>4 GB memory</li>
<li>80 GB NVMe SSD storage</li>
<li>1000 Mbit/s bandwidth</li>
</ul>
<p>Domains:</p>
<ul>
<li>grapheneos.social</li>
<li>www.grapheneos.social</li>
</ul>
<p>IPs:</p>
<ul>
<li>51.222.159.14 — OVH bhs6</li>
<li>2607:5300:205:200::5e3f — OVH bhs6</li>
</ul>
<p>Ports:</p>
<ul>
<li>TCP 22 ssh</li>
<li>TCP 80 http</li>
<li>TCP 443 https</li>
</ul>
</section>
<section id="matrix.grapheneos.org">
<h2><a href="#matrix.grapheneos.org">GrapheneOS Matrix server</a></h2>
<p>This server primarily runs the synapse Matrix server with PostgreSQL behind an
nginx web server. It also runs the mjolnir bot for moderation and matterbridge is
used to implement a bridge between Matrix, IRC and Telegram.</p>
<ul>
<li><a href="https://github.com/GrapheneOS/matrix.grapheneos.org">Repository</a></li>
<li><a href="https://github.com/GrapheneOS/matrix.grapheneos.org/issues">Issue tracker</a></li>
</ul>
<p>Specs:</p>
<ul>
<li>OVH VPS vps2020-comfort-4-8-160</li>
<li>4 core</li>
<li>8 GB memory</li>
<li>160 GB NVMe SSD storage</li>
<li>1000 Mbit/s bandwidth</li>
</ul>
<p>Domains:</p>
<ul>
<li>matrix.grapheneos.org</li>
<li>element.grapheneos.org</li>
</ul>
<p>IPs:</p>
<ul>
<li>51.79.51.42 — OVH bhs6</li>
<li>2607:5300:205:200::26e1 — OVH bhs6</li>
</ul>
<p>Ports:</p>
<ul>
<li>TCP 22 ssh</li>
<li>TCP 80 http</li>
<li>TCP 443 https</li>
</ul>
</section>
<section id="ns1.grapheneos.org">
<h2><a href="#ns1.grapheneos.org">GrapheneOS DNS servers</a></h2>
<ul>
<li><a href="https://github.com/GrapheneOS/ns1.grapheneos.org">Repository</a></li>
<li><a href="https://github.com/GrapheneOS/ns1.grapheneos.org/issues">Issue tracker</a></li>
</ul>
<p>Specs:</p>
<ul>
<li>4x OVH VPS vps2023-le-2</li>
<li>2 core</li>
<li>2 GB memory</li>
<li>40 GB NVMe SSD storage</li>
<li>500 Mbit/s bandwidth</li>
</ul>
<ul>
<li>3x BuyVM Slice 1024</li>
<li>1 core</li>
<li>1 GB memory</li>
<li>20 GB NVMe SSD storage</li>
<li>1000 Mbit/s bandwidth</li>
</ul>
<p>Domains:</p>
<ul>
<li>ns1.attestation.app</li>
<li>ns1.grapheneos.app</li>
<li>ns1.grapheneos.ca</li>
<li>ns1.grapheneos.com</li>
<li>ns1.grapheneos.dev</li>
<li>ns1.grapheneos.foundation</li>
<li>ns1.grapheneos.info</li>
<li>ns1.grapheneos.net</li>
<li>ns1.grapheneos.network</li>
<li>ns1.grapheneos.online</li>
<li>ns1.grapheneos.org</li>
<li>ns1.grapheneos.ovh</li>
<li>ns1.grapheneos.page</li>
<li>ns1.grapheneos.social</li>
<li>ns1.seamlessupdate.app</li>
<li>ns1.vanadium.app</li>
<li>ns2.attestation.app</li>
<li>ns2.grapheneos.app</li>
<li>ns2.grapheneos.ca</li>
<li>ns2.grapheneos.com</li>
<li>ns2.grapheneos.dev</li>
<li>ns2.grapheneos.foundation</li>
<li>ns2.grapheneos.info</li>
<li>ns2.grapheneos.net</li>
<li>ns2.grapheneos.network</li>
<li>ns2.grapheneos.online</li>
<li>ns2.grapheneos.org</li>
<li>ns2.grapheneos.ovh</li>
<li>ns2.grapheneos.page</li>
<li>ns2.grapheneos.social</li>
<li>ns2.seamlessupdate.app</li>
<li>ns2.vanadium.app</li>
</ul>
<p>IPs:</p>
<ul>
<li>185.187.152.9 (anycast), 51.161.34.158 (0.ns1.grapheneos.org) — OVH bhs6</li>
<li>2a05:b0c4:1::8 (anycast), 2607:5300:205:200::eaa (0.ns1.grapheneos.org) — OVH bhs6</li>
<li>185.187.152.9 (anycast), 15.204.8.153 (1.ns1.grapheneos.org) — OVH US us-west-or-2</li>
<li>2a05:b0c4:1::8 (anycast), 2604:2dc0:202:300::23a6 (1.ns1.grapheneos.org) — OVH us-west-or-2</li>
<li>185.187.152.9 (anycast) 57.129.65.223 (2.ns1.grapheneos.org) — OVH de2</li>
<li>2a05:b0c4:1::8 (anycast) 2001:41d0:701:1100::245b (2.ns1.grapheneos.org) — OVH de2</li>
<li>185.187.152.9 (anycast) 15.235.197.61 (3.ns1.grapheneos.org) — OVH sgp2</li>
<li>2a05:b0c4:1::8 (anycast) 2402:1f00:8000:800::3966 (3.ns1.grapheneos.org) — OVH sgp2</li>
<li>198.251.90.93 (anycast), 198.98.53.141 (0.ns2.grapheneos.org) — BuyVM New York</li>
<li>2605:6400:10:102e:95bc:89ef:2e7f:49bb (0.ns2.grapheneos.org) — BuyVM New York</li>
<li>198.251.90.93 (anycast), 205.185.124.155 (1.ns2.grapheneos.org) — BuyVM Las Vegas</li>
<li>2605:6400:20:1c8f:a0c9:372d:482e:945b (1.ns2.grapheneos.org) — BuyVM Las Vegas</li>
<li>198.251.90.93 (anycast), 107.189.3.168 (2.ns2.grapheneos.org) — BuyVM Luxembourg</li>
<li>2605:6400:30:ec25:102c:af6d:5be:1eb8 (2.ns2.grapheneos.org) — BuyVM Luxembourg</li>
</ul>
<p>Ports:</p>
<ul>
<li>TCP 22 ssh</li>
<li>TCP 53 domain</li>
<li>UDP 53 domain</li>
<li>TCP 80 http</li>
<li>TCP 443 https</li>
<li>TCP 853 domain-s</li>
</ul>
</section>
<section id="ns1.staging.grapheneos.org">
<h2><a href="#ns1.staging.grapheneos.org">Staging GrapheneOS DNS server</a></h2>
<ul>
<li><a href="https://github.com/GrapheneOS/ns1.grapheneos.org">Repository</a></li>
<li><a href="https://github.com/GrapheneOS/ns1.grapheneos.org/issues">Issue tracker</a></li>
</ul>
<p>Specs:</p>
<ul>
<li>BuyVM Slice 1024</li>
<li>1 core</li>
<li>1 GB memory</li>
<li>20 GB NVMe SSD storage</li>
<li>1000 Mbit/s bandwidth</li>
</ul>
<p>Domains:</p>
<ul>
<li>ns1.staging.attestation.app</li>
<li>ns2.staging.attestation.app</li>
<li>ns1.staging.grapheneos.org</li>
<li>ns2.staging.grapheneos.org</li>
</ul>
<p>IPs:</p>
<ul>
<li>198.98.56.238 — BuyVM New York</li>
<li>2605:6400:10:c41:de92:c534:326a:711a — BuyVM New York</li>
</ul>
<p>Ports:</p>
<ul>
<li>TCP 22 ssh</li>
<li>TCP 53 domain</li>
<li>UDP 53 domain</li>
<li>TCP 80 http</li>
<li>TCP 443 https</li>
<li>TCP 853 domain-s</li>
</ul>
</section>
<section id="attestation.app">
<h2><a href="#attestation.app">Attestation website and service</a></h2>
<ul>
<li><a href="https://github.com/GrapheneOS/AttestationServer">Repository</a></li>
<li><a href="https://github.com/GrapheneOS/AttestationServer/issues">Issue tracker</a></li>
</ul>
<p>Specs:</p>
<ul>
<li>OVH VPS vps2023-le-4</li>
<li>4 core</li>
<li>4 GB memory</li>
<li>80 GB NVMe SSD storage</li>
<li>1000 Mbit/s bandwidth</li>
</ul>
<p>Domains:</p>
<ul>
<li>attestation.app</li>
<li>www.attestation.app</li>
</ul>
<p>IPs:</p>
<ul>
<li>51.79.66.27 — OVH bhs6</li>
<li>2607:5300:205:200::7e9 — OVH bhs6</li>
</ul>
<p>Ports:</p>
<ul>
<li>TCP 22 ssh</li>
<li>TCP 80 http</li>
<li>TCP 443 https</li>
</ul>
</section>
<section id="staging.attestation.app">
<h2><a href="#staging.attestation.app">Staging attestation website and service</a></h2>
<ul>
<li><a href="https://github.com/GrapheneOS/AttestationServer">Repository</a></li>
<li><a href="https://github.com/GrapheneOS/AttestationServer/issues">Issue tracker</a></li>
</ul>
<p>Specs:</p>
<ul>
<li>BuyVM Slice 1024</li>
<li>1 core</li>
<li>1 GB memory</li>
<li>20 GB NVMe SSD storage</li>
<li>1000 Mbit/s bandwidth</li>
</ul>
<p>Domains:</p>
<ul>
<li>staging.attestation.app</li>
</ul>
<p>IPs:</p>
<ul>
<li>198.98.57.157 — BuyVM New York</li>
<li>2605:6400:10:aa9:1c0f:44d3:da15:c0ec — BuyVM New York</li>
</ul>
<p>Ports:</p>
<ul>
<li>TCP 22 ssh</li>
<li>TCP 80 http</li>
<li>TCP 443 https</li>
</ul>
</section>
</main>
{% include "footer.html" %}
</body>
</html>

66
static/articles/index.html
View File

@ -1,66 +0,0 @@
<!DOCTYPE html>
<html lang="en" prefix="og: https://ogp.me/ns#">
<head>
<meta charset="utf-8"/>
<title>Articles | GrapheneOS</title>
<meta name="description" content="Articles on assorted topics related to GrapheneOS."/>
<meta name="theme-color" content="#212121"/>
<meta name="color-scheme" content="dark light"/>
<meta name="msapplication-TileColor" content="#ffffff"/>
<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover"/>
<meta name="twitter:site" content="@GrapheneOS"/>
<meta name="twitter:creator" content="@GrapheneOS"/>
<meta property="og:title" content="Articles | GrapheneOS"/>
<meta property="og:description" content="Articles on assorted topics related to GrapheneOS."/>
<meta property="og:type" content="website"/>
<meta property="og:image" content="https://grapheneos.org/opengraph.png"/>
<meta property="og:image:width" content="512"/>
<meta property="og:image:height" content="512"/>
<meta property="og:image:alt" content="GrapheneOS logo"/>
<meta property="og:site_name" content="GrapheneOS"/>
<meta property="og:url" content="https://grapheneos.org/articles/"/>
<link rel="canonical" href="https://grapheneos.org/articles/"/>
<link rel="icon" href="/favicon.ico"/>
<link rel="icon" sizes="any" type="image/svg+xml" href="/favicon.svg"/>
<link rel="mask-icon" href="[[path|/mask-icon.svg]]" color="#1a1a1a"/>
<link rel="apple-touch-icon" href="/apple-touch-icon.png"/>
[[css|/main.css]]
<link rel="manifest" href="/manifest.webmanifest"/>
<link rel="license" href="/LICENSE.txt"/>
<link rel="me" href="https://grapheneos.social/@GrapheneOS"/>
</head>
<body>
{% with current_page="articles" %}
{% include "header.html" %}
{% endwith %}
<main id="articles">
<h1><a href="#articles">Articles</a></h1>
<p>The main documentation for GrapheneOS is at the top-level of the site:</p>
<ul>
<li><a href="/features">Features overview</a> — Overview of GrapheneOS features differentiating it from the Android Open Source Project.</li>
<li><a href="/install/">Install</a> — Installation instructions for GrapheneOS.</li>
<li><a href="/build">Build</a> — Building instructions for GrapheneOS.</li>
<li><a href="/usage">Usage guide</a> — Usage instructions for GrapheneOS.</li>
<li><a href="/faq">Frequently Asked Questions</a> — Answers to frequently asked questions about GrapheneOS.</li>
<li><a href="/releases#changelog">Releases changelog</a> — Changelog for official releases of GrapheneOS.</li>
<li><a href="/source">Source code</a> — Documenting all source code repositories for GrapheneOS.</li>
<li><a href="/history/">History</a> — History of the GrapheneOS project.</li>
</ul>
<p>Our attestation service has <a href="https://attestation.app/about">a page
explaining how the Auditor app and attestation service work</a>.</p>
<p>Other articles on assorted topics related to GrapheneOS:</p>
<ul>
<li><a href="/articles/attestation-compatibility-guide">Attestation compatibility guide</a> — Guide on using remote attestation in a way that's compatible with GrapheneOS</li>
<li><a href="/articles/grapheneos-servers">GrapheneOS servers</a> — Documentation on GrapheneOS servers.</li>
<li><a href="/articles/server-traffic-shaping">Server traffic shaping</a> — Implementing server traffic shaping on Linux with CAKE.</li>
<li><a href="/articles/sitewide-advertising-industry-opt-out">Sitewide advertising industry opt-out</a> — Using ads.txt / app-ads.txt to disallow buying or selling ads for a domain.</li>
</ul>
</main>
{% include "footer.html" %}
</body>
</html>

89
static/articles/positon-location-service.html
View File

@ -1,89 +0,0 @@
<!DOCTYPE html>
<html lang="en" prefix="og: https://ogp.me/ns#">
<head>
<meta charset="utf-8"/>
<title>Positon location service | Articles | GrapheneOS</title>
<meta name="description" content="Information about the Positon location service."/>
<meta name="theme-color" content="#212121"/>
<meta name="color-scheme" content="dark light"/>
<meta name="msapplication-TileColor" content="#ffffff"/>
<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover"/>
<meta name="twitter:site" content="@GrapheneOS"/>
<meta name="twitter:creator" content="@GrapheneOS"/>
<meta property="og:title" content="Positon location service"/>
<meta property="og:description" content="Information about the Positon location service."/>
<meta property="og:type" content="website"/>
<meta property="og:image" content="https://grapheneos.org/opengraph.png"/>
<meta property="og:image:width" content="512"/>
<meta property="og:image:height" content="512"/>
<meta property="og:image:alt" content="GrapheneOS logo"/>
<meta property="og:site_name" content="GrapheneOS"/>
<meta property="og:url" content="https://grapheneos.org/articles/positon-location-service"/>
<link rel="canonical" href="https://grapheneos.org/articles/positon-location-service"/>
<link rel="icon" href="/favicon.ico"/>
<link rel="icon" sizes="any" type="image/svg+xml" href="/favicon.svg"/>
<link rel="mask-icon" href="[[path|/mask-icon.svg]]" color="#1a1a1a"/>
<link rel="apple-touch-icon" href="/apple-touch-icon.png"/>
[[css|/main.css]]
<link rel="manifest" href="/manifest.webmanifest"/>
<link rel="license" href="/LICENSE.txt"/>
<link rel="me" href="https://grapheneos.social/@GrapheneOS"/>
</head>
<body>
{% include "header.html" %}
<main id="positon-location-service">
<h1><a href="#positon-location-service">Positon location service</a></h1>
<p>The Positon location service is a proprietary and highly privacy invasive service
created by developers tied to /e/OS with their funding. There's a deliberate effort to
hide that it's tied to them in order to convince other projects to adopt it, as opposed
to using the similar service they host for /e/OS itself. Using the service requires
uploading sensitive location data to obtain location estimates, similar to the Apple and
Google location services. As with the Apple and Google services, it's a centralized
proprietary service with fully proprietary data. Unlike those services, the people
behind it have a history of publishing notoriously insecure software such as the /e/OS
operating system itself which massively rolls back standard security, lags years behind
on security updates and covers all of that up. They blatantly scam their users with
false privacy/security claims for /e/OS, and nothing different should be expected from a
location service from the same group of people. Multiple people involved in it are also
actively participating in harassment targeting privacy/security researchers and
engineers including but not limited to GrapheneOS team members.</p>
<p>The people behind the Positon location service have repeatedly talked about the
importance they see in centralizing the whole open source community around using their
service while locking out alternatives to it through proprietary data. They have spread
fear, uncertainty and doubt about making services using open mapping data through
claiming that it's a privacy hazard for people to have access to maps of Wi-Fi networks
publicly broadcasting their SSID despite that data already being available through many
commercial providers including publicly queryable databases such as Wigle. Anyone can
drive around building these maps and many companies have already built them, with the
data available for sale, as Positon shows with them obtaining access to it. The real
privacy hazard is sending your location in real time to a service, particularly a poorly
secured one from people known to cover up and downplay vulnerabilities. Positon has been
built to grab as much market share as possible early on before actual open options can
emerge and gather the necessary data.</p>
<p>The people involved in Positon have only ever cared about their careers, power and
influence. They've consistently been on a side against real privacy and security, but
rather focused on monetizing people's demand for it and grabbing as much market share as
they can as quickly as they can with endless false marketing and attacks on projects
like GrapheneOS. They see GrapheneOS as a huge threat to them due to us striving to
bring people real privacy and security at no cost, which is far easier to obtain and
use. This invalidates the business model of their companies like Murena. They
consistently use their non-profits mainly as a way to earn money and promote their
for-profit initiatives.</p>
<p>The service claims to be free of charge, but a core goal is turning it into a way to
get data from users to build their own database that's largely not going to be available
for use by others. Using it is helping them build a future business at the expense of
user privacy, little different from the Apple and Google services. This is not what the
open source community needs from a location service. The claims of no strings attached
and the implication that it's open are nonsense. Storing as little data as possible
would mean using local database for the region, not a network-based service. They're
opposed to doing a local service well rather than it being their long term goal. They
explicitly aim to lock out other alternatives and deter local location detection via
Wi-Fi.</p>
</main>
{% include "footer.html" %}
</body>
</html>

259
static/articles/server-traffic-shaping.html
View File

@ -1,259 +0,0 @@
<!DOCTYPE html>
<html lang="en" prefix="og: https://ogp.me/ns#">
<head>
<meta charset="utf-8"/>
<title>Server traffic shaping | Articles | GrapheneOS</title>
<meta name="description" content="Implementing server traffic shaping on Linux with CAKE."/>
<meta name="theme-color" content="#212121"/>
<meta name="color-scheme" content="dark light"/>
<meta name="msapplication-TileColor" content="#ffffff"/>
<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover"/>
<meta name="twitter:site" content="@GrapheneOS"/>
<meta name="twitter:creator" content="@GrapheneOS"/>
<meta property="og:title" content="Server traffic shaping"/>
<meta property="og:description" content="Implementing server traffic shaping on Linux with CAKE."/>
<meta property="og:type" content="website"/>
<meta property="og:image" content="https://grapheneos.org/opengraph.png"/>
<meta property="og:image:width" content="512"/>
<meta property="og:image:height" content="512"/>
<meta property="og:image:alt" content="GrapheneOS logo"/>
<meta property="og:site_name" content="GrapheneOS"/>
<meta property="og:url" content="https://grapheneos.org/articles/server-traffic-shaping"/>
<link rel="canonical" href="https://grapheneos.org/articles/server-traffic-shaping"/>
<link rel="icon" href="/favicon.ico"/>
<link rel="icon" sizes="any" type="image/svg+xml" href="/favicon.svg"/>
<link rel="mask-icon" href="[[path|/mask-icon.svg]]" color="#1a1a1a"/>
<link rel="apple-touch-icon" href="/apple-touch-icon.png"/>
[[css|/main.css]]
<link rel="manifest" href="/manifest.webmanifest"/>
<link rel="license" href="/LICENSE.txt"/>
<link rel="me" href="https://grapheneos.social/@GrapheneOS"/>
</head>
<body>
{% include "header.html" %}
<main id="server-traffic-shaping">
<h1><a href="#server-traffic-shaping">Server traffic shaping</a></h1>
<p>This article covers implementing server traffic shaping on Linux with CAKE. The aim
is to provide fair usage of bandwidth between clients and consistently low latency
for dedicated and virtual servers provided by companies like OVH and others.</p>
<p>Traffic shaping is generally discussed in the context of a router shaping traffic
for a local network with assorted clients connected. It also has a lot to offer on a
server where you don't control the network. If you control your own infrastructure
from the server to the ISP, you probably want to do this on the routers instead.</p>
<p>This article was motivated by the serious lack of up-to-date information on this
topic elsewhere. It's very easy to implement on modern Linux kernels and the results
are impressive from extremely simple test cases to heavily loaded servers.</p>
<section id="problem">
<h2><a href="#problem">Problem</a></h2>
<p>A server will generally be provisioned with a specific amount of bandwidth
enforced by a router in close proximity. This router acts as the bottleneck and
ends up being in charge of most of the queuing and congestion decisions. Unless
that's under your control, the best you can hope for is that the router is
configured to use <code>fq_codel</code> as the queuing discipline (qdisc) to
provide fair queuing between streams and low latency by preventing a substantial
backlog of data.</p>
<p>Unfortunately, the Linux kernel still defaults to <code>pfifo_fast</code>
instead of the much saner <code>fq_codel</code> algorithm. This is changed by a
configuration file shipped with systemd, so <em>most</em> distributions using
systemd as init end up with a sane default. Debian removes that configuration and
doesn't set a sane default itself, and is widely used. Many server providers like
OVH do not appear to consistently use modern queue disciplines like
<code>fq_codel</code> within their networks, particularly at artificial
bottlenecks implementing rate limiting based on product tiers.</p>
<p>If the bottleneck doesn't use fair queuing, division of bandwidth across
streams is very arbitrary and latency suffers under congestion. These issues are
often referred to as bufferbloat, and <code>fq_codel</code> is quite good at
resolving it.</p>
<p>The <code>fq_codel</code> algorithm is far from perfect. It has issues with
hash collisions and more importantly only does fair queuing between streams.
Buffer bloat also isn't the only relevant issue. Clients with multiple connections
receive more bandwidth and a client can open a large number of connections to
maximize their bandwidth usage at the expense of others. Fair queuing is important
beyond as a solution to bufferbloat and there's more to fair queuing than doing it
only based on streams.</p>
<p>Traditionally, web browsers open a bunch of HTTP/1.1 connections to each server
which ends up giving them an unfair amount of bandwidth. HTTP/2 is much friendlier
since it uses a single connection to each server for the entire browser. Download
managers take this to the extreme and intentionally use many connections to bypass
server limits and game the division of resources between clients.</p>
</section>
<section id="solution">
<h2><a href="#solution">Solution</a></h2>
<p>Linux 4.19 and later makes it easy to solve all of these problems. The CAKE
queuing discipline provides sophisticated fair queuing based on destination and
source addresses with finer-grained fairness for individual streams.</p>
<p> Unfortunately, simply enabling it as your queuing discipline isn't enough
since it's highly unlikely that your server is the network bottleneck. You need to
configure it with a bandwidth limit based on the provisioned bandwidth to move the
bottleneck under your control where you can control how traffic is queued.</p>
</section>
<section id="results">
<h2><a href="#results">Results</a></h2>
<p>We've used an 100mbit OVH server for as a test platform for a case where
clients can easily max out the server bandwidth on their own. As a very simple
example, consider 2 clients with more than 100mbit of bandwidth each downloading a
large file. These are (rounded) real world results with CAKE:</p>
<ul>
<li>client A with 1 connection gets 50mbit</li>
<li>client B with 10 connections gets 5mbit each adding up to 50mbit</li>
</ul>
<p>CAKE with <code>flows</code> instead of the default <code>triple-isolate</code> to
mimic <code>fq_codel</code> at a bottleneck:</p>
<ul>
<li>client A with 1 connection gets 9mbit</li>
<li>client B with 10 connections gets 9mbit each adding up to 90mbit</li>
</ul>
<p>The situation without traffic shaping is a mess. Latency takes a serious hit
that's very noticeable via SSH. Bandwidth is consistently allocated very unevenly
and ends up fluctuating substantially between test runs. The connections tend to
settle near a rate, often significantly lower or higher than the fair 9mbit
amount. It's generally something like this, but the range varies a lot:</p>
<ul>
<li>client A with 1 connection gets ~6mbit to ~14mbit</li>
<li>client B with 10 connections gets ~6mbit to ~14mbit each adding up to ~86mbit
to ~94mbit</li>
</ul>
<p>CAKE continues working as expected with a far higher number of connections. It
technically has a higher CPU cost than <code>fq_codel</code>, but that's much more
of a concern for low end router hardware. It hardly matters on a server, even one
that's under heavy CPU load. The improvement in user experience is substantial and
it's very noticeable in web page load speeds when a server is under load.</p>
</section>
<section id="implementation">
<h2><a href="#implementation">Implementation</a></h2>
<p>For a server with 2000mbit of bandwidth provisioned, you could start by trying
it with 99.75% of the provisioned bandwidth:</p>
<pre>tc qdisc replace dev eth0 root cake bandwidth 1995mbit besteffort</pre>
<p>On a server, setting it to use 100% of the provisioned bandwidth may work fine
in practice. Unlike a local network connected to a consumer ISP, you shouldn't
need to sacrifice anywhere close to the typically recommended 5-10% of your
bandwidth for traffic shaping.</p>
<p>This also sets <code>besteffort</code> for the common case where the server
doesn't have appropriate Quality of Service markings set up via Diffserv. Fair
scheduling is already great at providing low latency by cycling through the hosts
and streams without needing this kind of configuration. The defaults for Diffserv
traffic classes like real-time video are set up to yield substantial bandwidth in
exchange for lower latency. It's easy to set this up wrong and it usually won't
make much sense on a server. You might want to set up marking low priority traffic
like system updates, but it will already get a tiny share of the overall traffic
on a loaded server due to fair scheduling between hosts and streams.</p>
<p>You can use the <code>tc -s qdisc</code> command to monitor CAKE:</p>
<pre>tc -s qdisc show dev eth0</pre>
<p>If you want to keep an eye on how it changes over time:</p>
<pre>watch -n 1 tc -s qdisc show dev eth0</pre>
<p>This is very helpful for figuring out if you've successfully moved the
bottleneck to the server. If the bandwidth is being fully used, it should
consistently have a backlog of data where it's applying the queuing discipline.
The backlog shouldn't be draining to near zero under full bandwidth usage as that
indicates the bottleneck is the server application itself or a different network
bottleneck.</p>
<p>If you use systemd-network, you can add a CAKE configuration section to the
network configuration file instead of manually running the <code>tc</code> command
with a <code>Type=oneshot</code> service on boot:</p>
<pre>[CAKE]
Bandwidth=1995M
PriorityQueueingPreset=besteffort</pre>
</section>
<section id="quicker-backpressure-propagation">
<h2><a href="#quicker-backpressure-propagation">Quicker backpressure propagation</a></h2>
<p>The Linux kernel can be tuned to more quickly propagate TCP backpressure up to
applications while still maximizing bandwidth usage. This is incredibly useful for
interactive applications aiming to send the freshest possible copy of data and for
protocols like HTTP/2 multiplexing streams/messages with different priorities over
the same TCP connection. This can also substantially reduce memory usage for TCP
by reducing buffer sizes closer to the optimal amount for maximizing bandwidth
use without wasting memory. The downside to quicker backpressure propagation is
increased CPU usage from additional system calls and context switches.</p>
<p>The Linux kernel automatically adjusts the size of the write queue to maximize
bandwidth usage. The write queue is divided into unacknowledged bytes (TCP window
size) and unsent bytes. As acknowledgements of transmitted data are received, it
frees up space for the application to queue more data. The queue of unsent bytes
provides the leeway needed to wake the application and obtain more data. This can
be reduced using <code>net.ipv4.tcp_notsent_lowat</code> to reduce the default and
the <code>TCP_NOTSENT_LOWAT</code> socket option to override it per-socket.</p>
<p>A reasonable choice for internet-based workloads concerned about latency and
particularly prioritization within TCP connections but unwilling to sacrifice
throughput is 128kiB. To configure this, set the following in
<code>/etc/sysctl.d/local.conf</code> or another sysctl configuration file and
load it with <code>sysctl --system</code>:</p>
<pre>net.ipv4.tcp_notsent_lowat = 131072</pre>
<p>Using values as low as 16384 can make sense to further improve latency and
prioritization. However, it's more likely to negatively impact throughput and will
further increase CPU usage. Use at least 128k or the default of not limiting the
automatic unsent buffer size unless you're going to do substantial testing to make
sure there's not a negative impact for the workload.</p>
<p>If you decide to use <code>tcp_notsent_lowat</code>, be aware that newer Linux
kernels (Linux 5.0+ with a further improvement for Linux 5.10+) are recommended to
substantially reduce system calls / context switches by not triggering the
application to provide more data until over half the unsent byte buffer is
empty.</p>
</section>
<section id="high-link-speed">
<h2><a href="#high-link-speed">High link speed</a></h2>
<p>By default, CAKE splits General Segmentation Offload (GSO) super-packets to
reduce latency at the expense of CPU efficiency and throughput. This can create a
bottleneck at high link speeds. We've had to disable this on the 2Gbit GrapheneOS
update servers.</p>
<pre>[CAKE]
Bandwidth=1995M
PriorityQueueingPreset=besteffort
SplitGSO=false</pre>
</section>
<section id="future">
<h2><a href="#future">Future</a></h2>
<p>Ideally, data centers would deploy CAKE throughout their networks with the
default <code>triple-isolate</code> flow isolation. This may mean they need to use
more powerful hardware for routing. If the natural bottlenecks used CAKE, setting
up traffic shaping on the server wouldn't be necessary. This doesn't seem likely
any time soon. Deploying <code>fq_codel</code> is much more realistic and tackles
buffer bloat but not the issue of fairness between hosts rather than only
streams.</p>
</section>
</main>
{% include "footer.html" %}
</body>
</html>

65
static/articles/sitewide-advertising-industry-opt-out.html
View File

@ -1,65 +0,0 @@
<!DOCTYPE html>
<html lang="en" prefix="og: https://ogp.me/ns#">
<head>
<meta charset="utf-8"/>
<title>Sitewide advertising industry opt-out | Articles | GrapheneOS</title>
<meta name="description" content="Using ads.txt / app-ads.txt to disallow buying or selling ads for a domain."/>
<meta name="theme-color" content="#212121"/>
<meta name="color-scheme" content="dark light"/>
<meta name="msapplication-TileColor" content="#ffffff"/>
<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover"/>
<meta name="twitter:site" content="@GrapheneOS"/>
<meta name="twitter:creator" content="@GrapheneOS"/>
<meta property="og:title" content="Sitewide advertising industry opt-out"/>
<meta property="og:description" content="Using ads.txt / app-ads.txt to disallow buying or selling ads for a domain."/>
<meta property="og:type" content="website"/>
<meta property="og:image" content="https://grapheneos.org/opengraph.png"/>
<meta property="og:image:width" content="512"/>
<meta property="og:image:height" content="512"/>
<meta property="og:image:alt" content="GrapheneOS logo"/>
<meta property="og:site_name" content="GrapheneOS"/>
<meta property="og:url" content="https://grapheneos.org/articles/sitewide-advertising-industry-opt-out"/>
<link rel="canonical" href="https://grapheneos.org/articles/sitewide-advertising-industry-opt-out"/>
<link rel="icon" href="/favicon.ico"/>
<link rel="icon" sizes="any" type="image/svg+xml" href="/favicon.svg"/>
<link rel="mask-icon" href="[[path|/mask-icon.svg]]" color="#1a1a1a"/>
<link rel="apple-touch-icon" href="/apple-touch-icon.png"/>
[[css|/main.css]]
<link rel="manifest" href="/manifest.webmanifest"/>
<link rel="license" href="/LICENSE.txt"/>
<link rel="me" href="https://grapheneos.social/@GrapheneOS"/>
</head>
<body>
{% include "header.html" %}
<main id="sitewide-advertising-industry-opt-out">
<h1><a href="#sitewide-advertising-industry-opt-out">Sitewide advertising industry opt-out</a></h1>
<p>The <a href="https://iabtechlab.com/wp-content/uploads/2021/03/ads.txt-1.0.3.pdf">ads.txt specification</a>
provides a way to list the authorized sellers of ads for a domain. The
<a href="https://iabtechlab.com/wp-content/uploads/2019/03/app-ads.txt-v1.0-final-.pdf">app-ads.txt specification</a>
extends this to cover apps tied to the domain. As a domain owner, this is a valuable
way to crack down on fraudulent usage of your domain including by adware.</p>
<p>For domains without any third party advertising including those without any ads at
all, you should serve both <code>/ads.txt</code> and <code>/app-ads.txt</code> from a
web server with the placeholder record defined by the specification:</p>
<pre>placeholder.example.com, placeholder, DIRECT, placeholder</pre>
<p>The placeholder record formally disallows buying and selling ads on behalf of the
domain including for any subdomains. This prevents fraudulently buying / selling ads
for your domain anywhere that ads.txt / app-ads.txt are enforced.</p>
<p>It's in the interest of most ad tech companies to enforce these standards due to
losses from ad fraud so adoption is increasingly widespread.</p>
<p>Browser extension malware injecting ads into sites is very common and this is a way
for sites to hurt those malware developers where it hurts: their pocketbook.</p>
<p>These standards have a limited scope and were primarily created to address the cost
of ad fraud for the advertising industry, but they do offer value for domain owners to
protect their reputation and discourage adware.</p>
</main>
{% include "footer.html" %}
</body>
</html>

BIN
static/donate-bitcoin-bip47.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 378 B

BIN
static/donate-bitcoin-taproot.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 419 B

BIN
static/donate-bitcoin.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 372 B

BIN
static/donate-cardano.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 371 B

BIN
static/donate-ethereum.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 233 B

BIN
static/donate-litecoin.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 378 B

BIN
static/donate-monero.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 483 B

BIN
static/donate-zcash-transparent.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 373 B

422
static/donate.html
View File

@ -1,422 +0,0 @@
<!DOCTYPE html>
<html lang="en" prefix="og: https://ogp.me/ns#">
<head>
<meta charset="utf-8"/>
<title>Donate | GrapheneOS</title>
<meta name="description" content="Donating to support development of GrapheneOS."/>
<meta name="theme-color" content="#212121"/>
<meta name="color-scheme" content="dark light"/>
<meta name="msapplication-TileColor" content="#ffffff"/>
<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover"/>
<meta name="twitter:site" content="@GrapheneOS"/>
<meta name="twitter:creator" content="@GrapheneOS"/>
<meta property="og:title" content="GrapheneOS donations"/>
<meta property="og:description" content="Donating to support development of GrapheneOS."/>
<meta property="og:type" content="website"/>
<meta property="og:image" content="https://grapheneos.org/opengraph.png"/>
<meta property="og:image:width" content="512"/>
<meta property="og:image:height" content="512"/>
<meta property="og:image:alt" content="GrapheneOS logo"/>
<meta property="og:site_name" content="GrapheneOS"/>
<meta property="og:url" content="https://grapheneos.org/donate"/>
<link rel="canonical" href="https://grapheneos.org/donate"/>
<link rel="icon" href="/favicon.ico"/>
<link rel="icon" sizes="any" type="image/svg+xml" href="/favicon.svg"/>
<link rel="mask-icon" href="[[path|/mask-icon.svg]]" color="#1a1a1a"/>
<link rel="apple-touch-icon" href="/apple-touch-icon.png"/>
[[css|/main.css]]
<link rel="manifest" href="/manifest.webmanifest"/>
<link rel="license" href="/LICENSE.txt"/>
<link rel="me" href="https://grapheneos.social/@GrapheneOS"/>
</head>
<body>
{% with current_page="donate" %}
{% include "header.html" %}
{% endwith %}
<main id="donate">
<h1><a href="#donate">Donate</a></h1>
<p>GrapheneOS is an open source project supported via donations from individuals,
companies and other organizations. Donations are used for paying developers,
purchasing hardware (workstations, test devices, debugging cables/boards, etc.),
paying for infrastructure (domains, virtual/dedicated servers) and paying legal
fees.</p>
<p>The multiple ways to donate are listed in the sections on this page.</p>
<nav id="table-of-contents">
<h2><a href="#table-of-contents">Table of contents</a></h2>
<ul>
<li><a href="#github">GitHub Sponsors (credit card)</a></li>
<li><a href="#bitcoin">Bitcoin</a></li>
<li><a href="#monero">Monero</a></li>
<li><a href="#zcash">Zcash</a></li>
<li><a href="#ethereum">Ethereum</a></li>
<li><a href="#cardano">Cardano</a></li>
<li><a href="#litecoin">Litecoin</a></li>
<li><a href="#wise">Local Bank Transfer to Wise</a></li>
<li><a href="#paypal">PayPal</a></li>
<li><a href="#e-transfer">Interac e-Transfer</a></li>
</ul>
</nav>
<section id="github">
<h2><a href="#github">GitHub Sponsors (credit card)</a></h2>
<p>GrapheneOS can be sponsored with recurring or one-time donations via credit
cards through <a href="https://github.com/sponsors/thestinger">GitHub
Sponsors</a>. There are standard tiers from $5 to $5,000 or you can donate a custom
amount.</p>
</section>
<section id="bitcoin">
<h2><a href="#bitcoin">Bitcoin</a></h2>
<p>Bitcoin can be used to make donations to the non-profit GrapheneOS
Foundation.</p>
<p>You can send Bitcoin donations to the following Bech32 (Segwit) address:</p>
<div class="coin-address">
<a href="bitcoin:bc1q9qw3g8tdxf3dugkv2z8cahd3axehph0mhsqk96?label=GrapheneOS%20Foundation&amp;message=Donation%20to%20GrapheneOS%20Foundation" rel="nofollow">
<img src="/donate-bitcoin.png?1" alt="Bitcoin donation QR code"/>
<p>bc1q9qw3g8tdxf3dugkv2z8cahd3axehph0mhsqk96</p>
</a>
</div>
<p>Alternatively, you can donate to the following Bech32m (Taproot) address if
your wallet supports it (preferred):</p>
<div class="coin-address">
<a href="bitcoin:bc1prqf5hks5dnd4j87wxw3djn20559yhj7wvvcv6fqxpwlg96udkzgqtamhry?label=GrapheneOS%20Foundation&amp;message=Donation%20to%20GrapheneOS%20Foundation" rel="nofollow">
<img src="/donate-bitcoin-taproot.png?1" alt="Bitcoin Taproot donation QR code"/>
<p>bc1prqf5hks5dnd4j87wxw3djn20559yhj7wvvcv6fqxpwlg96udkzgqtamhry</p>
</a>
</div>
<p>You can donate to the following BIP47 payment code (stealth address) or PayNym
if your wallet supports it:</p>
<div class="coin-address">
<a href="bitcoin:PM8TJKmhJNQX6UTFagyuBk8UGmwKM6yDovEokpHBscPgP3Ac7WdK5zaQKh5XLSawyxiGYZS2a7HkAoeL6oHg7Ahn1VXX888yRG4PwF1dojouPtW7tEHT" rel="nofollow">
<img src="/donate-bitcoin-bip47.png" alt="Bitcoin BIP47 payment code QR code"/>
<p>PM8TJKmhJNQX6UTFagyuBk8UGmwKM6yDovEokpHBscPgP3Ac7WdK5zaQKh5XLSawyxiGYZS2a7HkAoeL6oHg7Ahn1VXX888yRG4PwF1dojouPtW7tEHT</p>
</a>
</div>
<p>PayNym: <var>+GrapheneOS</var></p>
</section>
<section id="monero">
<h2><a href="#monero">Monero</a></h2>
<p>Monero can be used to make donations to the non-profit GrapheneOS
Foundation.</p>
<p>You can send Monero donations to the following address:</p>
<div class="coin-address">
<a href="monero:862CebHaBpFPgYoNC6zw4U8rsXrDjD8s5LMJNS7yVCRHMUKr9dDi7adMSLUMjkDYJ85xahQTCJHHyK5RCvvRJu9x7iSzN9D?recipient_name=GrapheneOS%20Foundation&amp;tx_description=Donation%20to%20GrapheneOS%20Foundation" rel="nofollow">
<img src="/donate-monero.png?1" alt="Monero donation QR code"/>
<p>862CebHaBpFPgYoNC6zw4U8rsXrDjD8s5LMJNS7yVCRHMUKr9dDi7adMSLUMjkDYJ85xahQTCJHHyK5RCvvRJu9x7iSzN9D</p>
</a>
</div>
</section>
<section id="zcash">
<h2><a href="#zcash">Zcash</a></h2>
<p>Zcash can be used to make donations to the non-profit GrapheneOS
Foundation.</p>
<p>You can send Zcash donations to the following transparent address:</p>
<div class="coin-address">
<a href="zcash:t1SJABjX8rqgzqgrzLW5dUw7ikSDZ2snD8A?label=GrapheneOS%20Foundation&amp;message=Donation%20to%20GrapheneOS%20Foundation" rel="nofollow">
<img src="/donate-zcash-transparent.png?1" alt="Transparent Zcash donation QR code"/>
<p>t1SJABjX8rqgzqgrzLW5dUw7ikSDZ2snD8A</p>
</a>
</div>
</section>
<section id="ethereum">
<h2><a href="#ethereum">Ethereum</a></h2>
<p>Ethereum can be used to make donations to the non-profit GrapheneOS
Foundation.</p>
<p>You can send Ethereum donations to the following address:</p>
<div class="coin-address">
<a href="ethereum:0xC822A62E5Ab443E0001f30cEB9B2336D0524fC61" rel="nofollow">
<img src="/donate-ethereum.png?1" alt="Ethereum donation QR code"/>
<p>0xC822A62E5Ab443E0001f30cEB9B2336D0524fC61</p>
</a>
</div>
<p><strong>We aren't looking for donations of tokens, only Ethereum itself.</strong></p>
</section>
<section id="cardano">
<h2><a href="#cardano">Cardano</a></h2>
<p>Cardano can be used to make donations to the non-profit GrapheneOS
Foundation.</p>
<p>You can send Cardano donations to the following address:</p>
<div class="coin-address">
<a href="web+cardano:addr1q9v89vfwyfssveug5zf2w7leafz8ethq490gvq0ghag883atfnucytpnq2t38dj7cnyngs6ne05cdwu9gseevgmt3ggq2a2wt6" rel="nofollow">
<img src="/donate-cardano.png?1" alt="Cardano donation QR code"/>
<p>addr1q9v89vfwyfssveug5zf2w7leafz8ethq490gvq0ghag883atfnucytpnq2t38dj7cnyngs6ne05cdwu9gseevgmt3ggq2a2wt6</p>
</a>
</div>
<p>We own the <var>$grapheneos</var> handle with this address so you can also send to the handle.</p>
<p><strong>We aren't looking for donations of tokens, only Cardano itself.</strong></p>
</section>
<section id="litecoin">
<h2><a href="#litecoin">Litecoin</a></h2>
<p>Litecoin can be used to make donations to the non-profit GrapheneOS
Foundation.</p>
<p>You can send Litecoin donations to the following Bech32 (Segwit) address:</p>
<div class="coin-address">
<a href="litecoin:ltc1qzssmqueth6zjzr95rkluy5xdx9q4lk8vyrvea9?label=GrapheneOS%20Foundation&amp;message=Donation%20to%20GrapheneOS%20Foundation" rel="nofollow">
<img src="/donate-litecoin.png" alt="Litecoin donation QR code"/>
<p>ltc1qzssmqueth6zjzr95rkluy5xdx9q4lk8vyrvea9</p>
</a>
</div>
</section>
<section id="wise">
<h2><a href="#wise">Local Bank Transfer to Wise</a></h2>
<p>You can donate to the non-profit GrapheneOS Foundation via local bank transfers
to our Wise account in the EU/SEPA, UK, US, Australia, New Zealand, Canada,
Hungary and Turkey.</p>
<section id="wise-sepa">
<h2><a href="#wise-sepa">EU/SEPA (EUR)</a></h2>
<dl>
<dt>Account holder</dt>
<dd>GrapheneOS Foundation</dd>
<dt>IBAN</dt>
<dd>BE20 9677 1140 7056</dd>
<dt>BIC</dt>
<dd>TRWIBEB1XXX</dd>
<dt>Bank name</dt>
<dd>Wise Europe SA</dd>
<dt>Wise and Bank address</dt>
<dd>Rue du Trône 100, 3rd floor<br/>Brussels<br/>1050<br/>Belgium</dd>
</dl>
</section>
<section id="wise-uk">
<h2><a href="#wise-uk">UK (GBP)</a></h2>
<dl>
<dt>Account holder</dt>
<dd>GrapheneOS Foundation</dd>
<dt>Account number</dt>
<dd>49883070</dd>
<dt>IBAN</dt>
<dd>GB68 TRWI 2314 7049 8830 70</dd>
<dt>Sort code</dt>
<dd>23-14-70</dd>
<dt>Bank name</dt>
<dd>Wise Payments Limited</dd>
<dt>Wise and Bank address</dt>
<dd>56 Shoreditch High Street<br/>London<br/>E1 6JJ<br/>United Kingdom</dd>
</dl>
</section>
<section id="wise-us">
<h2><a href="#wise-us">US (USD)</a></h2>
<dl>
<dt>Account holder</dt>
<dd>GrapheneOS Foundation</dd>
<dt>Account number</dt>
<dd>8313560023</dd>
<dt>Routing number</dt>
<dd>026073150</dd>
<dt>Account type</dt>
<dd>Checking</dd>
<dt>Wise address</dt>
<dd>30 W. 26th Street, Sixth Floor<br/>New York NY<br/>10010<br/>United States</dd>
<dt>Bank name</dt>
<dd>Community Federal Savings Bank</dd>
<dt>Bank address</dt>
<dd>89-16 Jamaica Ave<br/>Woodhaven NY<br/>11421<br/>United States</dd>
</dl>
</section>
<section id="wise-australia">
<h2><a href="#wise-australia">Australia (AUD)</a></h2>
<dl>
<dt>Account holder</dt>
<dd>GrapheneOS Foundation</dd>
<dt>Account number</dt>
<dd>213524417</dd>
<dt>BSB code</dt>
<dd>774-001</dd>
<dt>Bank name</dt>
<dd>Wise Australia Pty Ltd</dd>
<dt>Wise address</dt>
<dd>Suite 1, Level 11, 66 Goulburn Street<br/>Sydney<br/>2000<br/>Australia</dd>
</dl>
</section>
<section id="wise-new-zealand">
<h2><a href="#wise-new-zealand">New Zealand (NZD)</a></h2>
<dl>
<dt>Account holder</dt>
<dd>GrapheneOS Foundation</dd>
<dt>Account number</dt>
<dd>04-2021-0151878-36</dd>
<dt>Wise address</dt>
<dd>56 Shoreditch High Street<br/>London<br/>E1 6JJ<br/>United Kingdom</dd>
<dt>Bank name</dt>
<dd>JPMorgan Chase</dd>
<dt>Bank address</dt>
<dd>Head Office, Pwc Tower<br/>Auckland<br/>1010<br/>New Zealand</dd>
</dl>
</section>
<section id="wise-canada">
<h2><a href="#wise-canada">Canada (CAD)</a></h2>
<dl>
<dt>Account holder</dt>
<dd>GrapheneOS Foundation</dd>
<dt>Account number</dt>
<dd>200110745303</dd>
<dt>Transit number</dt>
<dd>16001</dd>
<dt>Institution number</dt>
<dd>621</dd>
<dt>Wise address</dt>
<dd>99 Bank Street, Suite 1420<br/>Ottawa ON<br/>K1P 1H4<br/>Canada</dd>
<dt>Bank name</dt>
<dd>Peoples Trust</dd>
<dt>Bank address</dt>
<dd>595 Burrard Street<br/>Vancouver BC<br/>V7X 1L7<br/>Canada</dd>
</dl>
</section>
<section id="wise-hungary">
<h2><a href="#wise-hungary">Hungary (HUF)</a></h2>
<dl>
<dt>Account holder</dt>
<dd>GrapheneOS Foundation</dd>
<dt>Account number</dt>
<dd>12600016-11020392-99827322</dd>
<dt>Bank name</dt>
<dd>Wise Europe SA</dd>
<dt>Wise and Bank address</dt>
<dd>Rue du Trône 100, 3rd floor<br/>Brussels<br/>1050<br/>Belgium</dd>
</dl>
</section>
<section id="wise-turkey">
<h2><a href="#wise-turkey">Turkey (TRY)</a></h2>
<dl>
<dt>Account holder</dt>
<dd>GrapheneOS Foundation</dd>
<dt>IBAN</dt>
<dd>TR43 0010 3000 0000 0057 4294 70</dd>
<dt>Wise address</dt>
<dd>56 Shoreditch High Street, London, E1 6JJ, United Kingdom</dd>
<dt>Bank name</dt>
<dd>Fibabanka A.Ş.</dd>
<dt>Bank address</dt>
<dd>Büyükdere Cad. 129<br/>Esentepe Mah.<br/>Sisli<br/>Istanbul<br/>Turkey</dd>
</dl>
</section>
</section>
<section id="paypal">
<h2><a href="#paypal">PayPal</a></h2>
<p>PayPal can be used to make one-time, monthly or yearly donations to the
non-profit GrapheneOS Foundation.</p>
<p>If possible, use the donation link for your currency. If it's not listed,
please use the CAD donation link.</p>
<p>Donation links:</p>
<ul>
<li><a href="https://www.paypal.com/donate/?hosted_button_id=T8KRPYKU5QVNE">Canadian dollar (CAD)</a></li>
<li><a href="https://www.paypal.com/donate/?hosted_button_id=2S2BP8V4E7PXU">United States dollar (USD)</a></li>
<li><a href="https://www.paypal.com/donate/?hosted_button_id=5SNPWEDS53HW4">Euro (EUR)</a></li>
<li><a href="https://www.paypal.com/donate/?hosted_button_id=N498QNB7NPKU8">British pound (GBP)</a></li>
</ul>
<p>PayPal charges a base fee of 30 cents and 2.9% of the donation amount within
Canada. There's an additional 0.8% fee for donations from the US and 1% for other
countries. Currency conversion adds an additional 4% fee as opposed to the usual
PayPal conversion fee of 3%.</p>
</section>
<section id="e-transfer">
<h2><a href="#e-transfer">Interac e-Transfer</a></h2>
<p>If you have a Canadian bank account, you can send Canadian dollar donations to
the non-profit GrapheneOS Foundation via Interac e-Transfer to
<var>contact@grapheneos.org</var>. The email address has Interac e-Transfer
Autodeposit support enabled so no security question is necessary. If your bank
doesn't support Autodeposit, set the answer to the security question to
GrapheneOS.</p>
</section>
</main>
{% include "footer.html" %}
</body>
</html>

112
static/history/copperheados.html
View File

@ -1,112 +0,0 @@
<!DOCTYPE html>
<html lang="en" prefix="og: https://ogp.me/ns#">
<head>
<meta charset="utf-8"/>
<title>CopperheadOS | History | GrapheneOS</title>
<meta name="description" content="GrapheneOS was previously known as CopperheadOS. It's the continuation of the original open source project."/>
<meta name="theme-color" content="#212121"/>
<meta name="color-scheme" content="dark light"/>
<meta name="msapplication-TileColor" content="#ffffff"/>
<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover"/>
<meta name="twitter:site" content="@GrapheneOS"/>
<meta name="twitter:creator" content="@GrapheneOS"/>
<meta property="og:title" content="CopperheadOS is now GrapheneOS"/>
<meta property="og:description" content="GrapheneOS was previously known as CopperheadOS. It's the continuation of the original open source project."/>
<meta property="og:type" content="website"/>
<meta property="og:image" content="https://grapheneos.org/opengraph.png"/>
<meta property="og:image:width" content="512"/>
<meta property="og:image:height" content="512"/>
<meta property="og:image:alt" content="GrapheneOS logo"/>
<meta property="og:site_name" content="GrapheneOS"/>
<meta property="og:url" content="https://grapheneos.org/history/copperheados"/>
<link rel="canonical" href="https://grapheneos.org/history/copperheados"/>
<link rel="icon" href="/favicon.ico"/>
<link rel="icon" sizes="any" type="image/svg+xml" href="/favicon.svg"/>
<link rel="mask-icon" href="[[path|/mask-icon.svg]]" color="#1a1a1a"/>
<link rel="apple-touch-icon" href="/apple-touch-icon.png"/>
[[css|/main.css]]
<link rel="manifest" href="/manifest.webmanifest"/>
<link rel="license" href="/LICENSE.txt"/>
<link rel="me" href="https://grapheneos.social/@GrapheneOS"/>
</head>
<body>
{% include "header.html" %}
<main id="copperheados">
<h1><a href="#copperheados">CopperheadOS is now GrapheneOS</a></h1>
<p>CopperheadOS was renamed to GrapheneOS in 2019. It was temporarily known as the
Android Hardening project in 2018 before a permanent name had been chosen. For more
details on why the project was renamed, see <a href="/history/">our history page</a>.
For the historical release notes of the original CopperheadOS, see
<a href="/history/legacy-changelog">our legacy changelog page</a>. The
<a href="https://reddit.com/r/CopperheadOS">/r/CopperheadOS subreddit</a> was
historically the central hub of the community along with a bridged IRC/Matrix channel
that's no longer available.</p>
<p>GrapheneOS is the continuation of the original open source project by the original
development team. Our <a href="/source">source code repositories</a> have been used
since CopperheadOS transitioned to being directly based on the Android Open Source
Project in 2015. The prior repositories predate the CopperheadOS branding and were
also owned by us. It can be confirmed that our repositories are the original ones from
the GitHub network graphs showing the forks over the years.</p>
<section id="ownership">
<h2><a href="#ownership">Ownership</a></h2>
<p>We own the historical CopperheadOS source code, documentation and accounts tied
to the open source project. Our legacy Twitter account still needs to be returned
to us so that it can be renamed and made into an archive.</p>
<p>Copperhead has no valid claim over the ownership of the source code. It was not
developed for them. They were involved as a sponsor for the work and had
permission to sell products based on it, similar to companies selling devices with
GrapheneOS. We've learned a lot of lessons from what happened and are being very
careful to avoid being strongly associated with any particular company in the
future.</p>
</section>
<section id="new-product">
<h2><a href="#new-product">New closed source product reusing the legacy branding</a></h2>
<p>The new product branded as CopperheadOS is closed source and not associated with
the original project. They took our project's previous name and copied our legacy
source code and documentation. Attribution to us has been stripped away and they
pretend to be the ones who created it.</p>
<p>They've essentially stolen the identity of our open source project and have
invested substantial resources into misrepresenting GrapheneOS as being a new
project. They've built a business based on taking credit for research and
development not done by them. Substantial damage has been done to GrapheneOS
through an organized campaign of misinformation and harassment.</p>
</section>
<section id="new-copperheados-vs-grapheneos">
<h2><a href="#new-copperheados-vs-grapheneos">New CopperheadOS vs. GrapheneOS</a></h2>
<p>The new CopperheadOS is a shadow of the historical GrapheneOS code. They've
continued copying portions of our newer generation code but haven't developed any
significant privacy or security improvements on their own. It's a poor imitation
of the original. It has a fraction of the privacy and security improvements and
lacks a team with an understanding of how they work. It often doesn't receive
timely security updates. It has made serious mistakes compromising user privacy
and security.</p>
<p>CopperheadOS is a paid product and has license enforcement compromising user
privacy and security through tracking devices to implement DRM. They use the
outrageous business model of charging users for security updates rather than
simply selling them the software or devices with it.</p>
<p>GrapheneOS devices can be purchased from a bunch of different companies,
organizations and individuals. Many of these offer customer support. Unlike
CopperheadOS, it's still open source software and you aren't being charged to
simply get the OS updates. Anyone can sell devices with GrapheneOS without
permission from the project due the open source licensing. Many of these sellers
voluntarily contribute back to the project.</p>
<p>GrapheneOS is far more actively developed than the new CopperheadOS and has
substantially more resources available, including significantly more funding.</p>
</section>
</main>
{% include "footer.html" %}
</body>
</html>

99
static/history/index.html
View File

@ -1,99 +0,0 @@
<!DOCTYPE html>
<html lang="en" prefix="og: https://ogp.me/ns#">
<head>
<meta charset="utf-8"/>
<title>History | GrapheneOS</title>
<meta name="description" content="History of the GrapheneOS project."/>
<meta name="theme-color" content="#212121"/>
<meta name="color-scheme" content="dark light"/>
<meta name="msapplication-TileColor" content="#ffffff"/>
<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover"/>
<meta name="twitter:site" content="@GrapheneOS"/>
<meta name="twitter:creator" content="@GrapheneOS"/>
<meta property="og:title" content="GrapheneOS history"/>
<meta property="og:description" content="History of the GrapheneOS project."/>
<meta property="og:type" content="website"/>
<meta property="og:image" content="https://grapheneos.org/opengraph.png"/>
<meta property="og:image:width" content="512"/>
<meta property="og:image:height" content="512"/>
<meta property="og:image:alt" content="GrapheneOS logo"/>
<meta property="og:site_name" content="GrapheneOS"/>
<meta property="og:url" content="https://grapheneos.org/history/"/>
<link rel="canonical" href="https://grapheneos.org/history/"/>
<link rel="icon" href="/favicon.ico"/>
<link rel="icon" sizes="any" type="image/svg+xml" href="/favicon.svg"/>
<link rel="mask-icon" href="[[path|/mask-icon.svg]]" color="#1a1a1a"/>
<link rel="apple-touch-icon" href="/apple-touch-icon.png"/>
[[css|/main.css]]
<link rel="manifest" href="/manifest.webmanifest"/>
<link rel="license" href="/LICENSE.txt"/>
<link rel="me" href="https://grapheneos.social/@GrapheneOS"/>
</head>
<body>
{% with current_page="history" %}
{% include "header.html" %}
{% endwith %}
<main id="history">
<h1><a href="#history">History</a></h1>
<p>GrapheneOS was founded by Daniel Micay in late 2014. It started as a solo project
incorporating his previous open source privacy/security work. The project initially
created a port of OpenBSD malloc to Android's Bionic libc and a port of the PaX kernel
patches to the kernels for the supported devices. It quickly expanded to having a
large set of homegrown privacy and security improvements, particularly low-level
hardening work on the compiler toolchain and Bionic. Work began on landing code
upstream in AOSP and other upstream projects. A substantial portion of these early
changes were either successfully landed upstream or heavily influenced the upstream
changes which replaced them. The project was able to move very quickly in these days
because there was so much low hanging fruit to address and it wasn't yet trying to
produce a highly robust, production quality OS.</p>
<p>In late 2015, a company was incorporated which became the primary sponsor of the
project. GrapheneOS was <a href="/history/copperheados">previously known as
CopperheadOS</a> while it was sponsored by this company. The intention was to use the
company to build a business around GrapheneOS selling support, contract work and
customized proprietary variants of the OS. The company was supposed to serve the needs
of the open source project, rather than vice versa. It was explicitly agreed that
GrapheneOS would remain independently owned and controlled by Daniel Micay. This
company failed to live up the promises and is no longer associated in any way with
GrapheneOS. The company ended up holding back the open source project and taking far
more from it than was provided to it.</p>
<p>In 2018, the company was hijacked by the CEO who attempted to take over the project
through coercion, but they were rebuked. They seized the infrastructure and stole the
donations, but the project successfully moved on without them and has been fully
revived. Since then, they've taken to fraudulently claiming ownership and authorship
of our work, which has no basis in fact. They've tried to retroactively change the
terms of their involvement and rewrite the history of the project. These claims are
easily disproven through the public record and by people involved with the open source
project and the former sponsor. This former sponsor has engaged in a campaign of
misinformation and harassment of contributors to the project. Be aware that they are
actively trying to sabotage GrapheneOS and are engaging in many forms of attacks
against the project, the developers, contributors and supporters. Meanwhile, they
continue profiting from our open source work which they falsely claim as their own
creation.</p>
<p>After splitting from the former sponsor, the project was rebranded to
AndroidHardening and then to GrapheneOS and it has continued down the original path of
being an independent open source project. It will never again be closely tied to any
particular sponsor or company.</p>
<p>GrapheneOS now has multiple full-time and part-time developers supported by
donations and multiple companies collaborating with the project.</p>
<p>GrapheneOS Foundation was created as a non-profit organization in Canada in March
2023 to handle the intake and distribution of donations.</p>
<section id="releases">
<h2><a href="#releases">Releases</a></h2>
<p>A history of releases for the current incarnation of GrapheneOS is available
via the <a href="/releases#changelog">releases changelog</a>.</p>
<p>An archive of changelogs for the earlier releases is available via the
<a href="/history/legacy-changelog">legacy changelog page</a>.</p>
</section>
</main>
{% include "footer.html" %}
</body>
</html>

2169
static/history/legacy-changelog.html
View File

File diff suppressed because it is too large Load Diff

16
templates/header.html
View File

@ -2,17 +2,13 @@
<nav id="site-menu">
<ul>
<li {% if current_page == "/" %}aria-current="page"{% endif %}><a href="/"><img src="[[path|/mask-icon.svg]]" alt=""/>GrapheneOS</a></li>
<li {% if current_page == "features" %}aria-current="page"{% endif %}><a href="/features">Features</a></li>
<li {% if current_page == "features" %}aria-current="page"{% endif %}><a href="/features.html">Features</a></li>
<li {% if current_page == "install" %}aria-current="page"{% endif %}><a href="/install/">Install</a></li>
<li {% if current_page == "build" %}aria-current="page"{% endif %}><a href="/build">Build</a></li>
<li {% if current_page == "usage" %}aria-current="page"{% endif %}><a href="/usage">Usage</a></li>
<li {% if current_page == "faq" %}aria-current="page"{% endif %}><a href="/faq">FAQ</a></li>
<li {% if current_page == "releases" %}aria-current="page"{% endif %}><a href="/releases">Releases</a></li>
<li {% if current_page == "source" %}aria-current="page"{% endif %}><a href="/source">Source</a></li>
<li {% if current_page == "history" %}aria-current="page"{% endif %}><a href="/history/">History</a></li>
<li {% if current_page == "articles" %}aria-current="page"{% endif %}><a href="/articles/">Articles</a></li>
<li {% if current_page == "donate" %}aria-current="page"{% endif %}><a href="/donate">Donate</a></li>
<li {% if current_page == "contact" %}aria-current="page"{% endif %}><a href="/contact">Contact</a></li>
<li {% if current_page == "build" %}aria-current="page"{% endif %}><a href="/build.html">Build</a></li>
<li {% if current_page == "usage" %}aria-current="page"{% endif %}><a href="/usage.html">Usage</a></li>
<li {% if current_page == "faq" %}aria-current="page"{% endif %}><a href="/faq.html">FAQ</a></li>
<li {% if current_page == "source" %}aria-current="page"{% endif %}><a href="/source.html">Source</a></li>
<li {% if current_page == "contact" %}aria-current="page"{% endif %}><a href="/contact.html">Contact</a></li>
</ul>
</nav>
</header>