🎥 Video Link

Transcript

Please excuse any grammatical errors. I used a tool to generate the transcript and haven’t had a chance to read through it yet.

So today I want to talk about CalyxOS and why it is no longer safe to use.

Earlier this month, on August 1st, 2025, the Calyx Institute published a letter to their community. I will link this down below, but I want to highlight a few important parts of it. I would still suggest reading the entire thing yourself for more details.

The first thing is that Nicholas, president and founder of the Calyx Institute, has left the organization to pursue other projects. Additionally, Chirayu, I think that’s how you say it, the CalyxOS tech lead, has also departed from the project. So basically, two high-level and important people at the Calyx Institute have left recently.

In light of that, they have decided that they are going to define some priorities, which include upgrading the tech infrastructure, supporting CalyxOS development, stabilizing update release cycles for their 25+ supported devices, and revising and updating documentation, wikis, and other user guides. Overall that’s a good thing. It’s never a bad thing to do, but the main issue comes here.

After conducting a thorough inspection of the work required for successful completion of the above priorities, they determined that it may take up to four to six months for them to provide the level of security maintenance they aim to deliver. They also state they will be switching to new signing keys along with the overhaul of the signing and verification process. As a result, current CalyxOS users will not be able to receive further security software updates until this process is in place. Given the potential risk posed by the pause of maintenance and development, it is logical that they stop providing options to install CalyxOS for now, which I applaud them for. But they went back on that decision a little while later.

Just to go over this first: we have two high-level individuals who have left, and they have decided to pause updates for the next four to six months. That means that when AOSP, the Android Open Source Project, puts out updates, which include security fixes, CalyxOS will not be receiving those. As of the time of recording this, CalyxOS is stuck on the June 1st, 2025 patch level. That means there are already two remotely executable vulnerabilities present in the latest release of CalyxOS, and it may take four to six months for them to provide any updates. More and more vulnerabilities will be found in Android OS, and those will not be fixed or patched.

Now you might be saying, “I’m not an important individual, so I won’t be a target.” First of all, I want to say you are important, and thanks for being here. But besides that, it doesn’t matter if you are a target or not. Once these vulnerabilities are weaponized, they are launched at mass scale. Even if you aren’t a direct target, if your device is vulnerable, it could be compromised.

You see this all the time with routers people have in their homes. They’re compromised on a mass scale and used in DDoS attacks and things like that. So it doesn’t matter if you’re not a target—if your device is vulnerable, then you are not safe.

And even if CalyxOS does stick to the four-to-six-month timeline they’ve laid out, they are planning on rotating the security keys. For some reason they’re doing it in a manner that’s disruptive, which will require users to reinstall CalyxOS from scratch. That doesn’t make sense, because there are non-intrusive ways to do it, at least for most of the keys. You can read into that more or do your own research. Regardless, if they do come back, you’re still going to have to reinstall your device, which is not ideal.

Then, four days later on August 5th, the CalyxOS team posted another update to the article. They said, “First we want to assure you that we have no reason to believe the security of CalyxOS and its signing keys have been compromised.” They also mentioned that for the time being, current CalyxOS users will not be able to receive further software security updates until the new security protocols are in place. Good on them for being honest, but without security updates this does not guarantee the level of security they strive for—especially when global threats to privacy and human rights are at a critical moment.

The last thing is that, due to overwhelming feedback from the community, they decided to make the images publicly available once more. This is different from when they hid the “Get CalyxOS” button on their site originally. Now, while they do have a banner saying CalyxOS releases are paused, you can still install it on your device. It’s okay that they have a very obvious message there, but even they say that this is not a recommendation to migrate to CalyxOS now.

So to summarize: CalyxOS is no longer safe and secure to use. If you are using CalyxOS and you have a Google Pixel that is supported by GrapheneOS, then my recommendation is to install GrapheneOS and use that instead. Even when CalyxOS was being updated, that would still be my recommendation.

If you have a device that is not supported by GrapheneOS and you want to get one, check out the A versions of the Pixels. Those are usually more affordable, and you can find them significantly discounted when used on eBay or other sites. On my website, sideofburritos.com, I have a few options for people in the United States and also for international buyers.

If you want to hear more from me in the meantime, I have a podcast called In The Shell. You can find it at intheshellpodcast.com. I am planning on launching season three shortly, so stay tuned for that. I also have a monthly newsletter you can sign up for at sideofburritos.com.

And if you have any questions or comments, feel free to leave those down below, and I’ll see you next time.
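The transcript above talks about a device being "stuck on the June 1st, 2025 patch level". A practical way to check that on your own phone is to read the Android system property that carries the patch level and count how many monthly security bulletins it trails. The script below is an added example for this page; it is not code from the video, from sideofburritos, or from the CalyxOS project. The property names (ro.build.version.security_patch, ro.build.fingerprint) are real Android properties, but the sample getprop output is constructed for the example, the fingerprint value is a placeholder, and running against a real device assumes adb is on PATH with USB debugging enabled.

```python
"""Report how many monthly Android security bulletins a device's patch level trails.

Added example, not code from the transcript or from CalyxOS. Reads the
ro.build.version.security_patch property (a real Android property, formatted
YYYY-MM-DD) either from `adb shell getprop` or from text handed to it.
"""
import re
import subprocess
import sys
from datetime import date

# Real Android property names; the values in the sample below are constructed.
PATCH_PROP = "ro.build.version.security_patch"
FINGERPRINT_PROP = "ro.build.fingerprint"

# Constructed sample of `adb shell getprop` output carrying the patch level the
# transcript cites (June 1st, 2025). The fingerprint is a made-up placeholder.
SAMPLE_GETPROP = """\
[ro.build.fingerprint]: [calyx/example/example:15/EXAMPLE/1:user/release-keys]
[ro.build.version.release]: [15]
[ro.build.version.security_patch]: [2025-06-01]
"""

# getprop prints one "[name]: [value]" pair per line.
_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$", re.M)


def parse_getprop(text):
    """Turn getprop output into a dict of property name -> value."""
    return {m.group(1): m.group(2) for m in _PROP_RE.finditer(text)}


def patch_level(props):
    """Return the security patch level as a date, or None if missing/malformed."""
    raw = props.get(PATCH_PROP, "")
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", raw)
    if not m:
        return None
    return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))


def months_behind(patch, today):
    """Whole months between the patch level and `today` (0 = same month).

    Android bulletins are monthly and patch levels are dated YYYY-MM-01 or
    YYYY-MM-05, so month granularity is the right unit here.
    """
    return (today.year - patch.year) * 12 + (today.month - patch.month)


def assess(text, today=None):
    """Classify a getprop dump.

    Returns (patch_level, months_behind, verdict). `today` may be a date, an
    ISO date string, or None for the current date.
    """
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    patch = patch_level(parse_getprop(text))
    if patch is None:
        return None, None, "unknown: security_patch property missing or malformed"
    behind = months_behind(patch, today)
    verdict = "current" if behind <= 0 else f"{behind} bulletin(s) behind"
    return patch, behind, verdict


def read_device():
    """Fetch getprop from the first connected device; assumes adb is on PATH."""
    return subprocess.run(["adb", "shell", "getprop"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Run with --device to query a real phone; otherwise use the constructed sample.
    text = read_device() if "--device" in sys.argv else SAMPLE_GETPROP
    props = parse_getprop(text)
    patch, behind, verdict = assess(text)
    print(f"{props.get(FINGERPRINT_PROP, '?')}")
    print(f"patch level {patch}: {verdict}")
```

Run it with `--device` against a connected phone; with no arguments it evaluates the constructed sample. The verdict counts bulletins rather than days because a device that still reports the previous month's level in the first days of a new month is normal, whereas a device several bulletins behind has missed fixes its vendor will not be able to deliver until they resume releases.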