this post was submitted on 19 Feb 2026
1188 points (99.3% liked)
Technology
81606 readers
4620 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Neither is true, that's not how forking works. But there is some truth to it in that it can start to become significantly more difficult to keep in sync as time goes on, depending on how obnoxious the security becomes and how many places they have to remove it.
Consider the trivially naive case where Google implements this feature in a single function: "function app_is_signed() -> bool" then the fork just adds "return true;" to the beginning of that function, and happily merges every other update Google makes from then on with zero issues. Even if the code for "app_is_signed" itself changes, nobody cares, because the first thing it does is return true and everything else Google ever tells it to check or do is ignored, the function can still be used everywhere throughout the code, it just no longer actually checks anything in Graphene, whereas it does check things in Google's Android.
Of course the reality is much more complicated than that, but the principle is the same. It's only a question of how obnoxious and difficult Google chooses to be about it. They could move the function around every update, or use many different functions, make a whole system out of it, make it do crazy cryptographic validations and checksums in various different places of the code, have watchdog tasks that are checking that the validation code is getting used. They could be really, really obnoxious about it, if they want to be, and they have more resources than the Graphene OS developers probably do to undo and keep undoing all these obstacles, so if they really want to devote that much time and energy to making Graphene's position untenable, they can. But they could also be doing that now, and they're not. Crackers have been fighting these sort of battles against copy-protected software for ages, it's the same principles, and much of the same economic choices go into it. How much does Google want Graphene OS to go away? How much is it worth to them? It has to have a dollar value to them, and that dollar value might be significantly higher than they're willing to bother with.
Worst case scenario where Google makes it extremely difficult going forward, what is the hard part about just never rebasing onto future work from Google?
From what I've seen there hasn't been significant core work on Android for a long time. It's been mostly changing from rounded corners to square corners to rounded corners, or shoving AI into every nook and cranny.
I'd think a small dev team like Graphene could maintain their AOSP fork moving forward.
I absolutely agree they can maintain an AOSP fork going forward, and I think that's completely realistic and I would be surprised if that is not the case.
But I was answering OP from a strictly technical perspective about the potential difficulties they could, theoretically face while doing that. Since you asked what is the hard part, I'll answer along those lines (again, with the caveat that I don't think these are going to pose realistic obstacles for the GrapheneOS team in the near term) My point is not to say it's impossible but I think it's important for people to be aware that this approach comes with risks, and those risks will grow over time especially when you're up against a non-cooperative upstream that is one of the largest and richest tech companies in the world.
For one thing you're never going to support any new phones without either pulling driver support from AOSP or reverse-engineering the hardware and drivers yourselves, or accepting that some parts will just... not work. So you get stuck on older and less capable hardware. Maybe you don't care about that too much, and that works fine for awhile, but eventually the cracks start to show. Now you have to either start figuring out how to get into the newer hardware, or you have to start getting custom newer hardware of your own, which is $$$.
Using closed hardware this way as leverage is a pretty common way of getting in the way of open source development, and Android hardware is very closed. Similar tactics are already even being used against x86 PCs now with things like TPM and Secure Boot. It doesn't completely brick your system on day one of course, but the erosion of support begins when they start writing software that intentionally relies on these features to say "oh, sorry, this software you want to use? it won't actually work on the open source OS/open source client because they don't have access to this hardware... what a shame." One or two pieces of software, no big deal. But they won't stop there, eventually it'll be like half the software, then over time it'll become 90% of the software, you won't be able to find alternatives. They can often afford to be more patient and relentless about this shit than we are. The battle will continue, and there's no sure path to victory. Forking is one tool we have, and that's great, but we also have to remember that it's not a flawless, unstoppable long-term solution that we can play as a trump card whenever corporate interests do something bad. They don't just give up. They have other means of getting their way.