I’m wondering what would be necessary to build GrapheneOS releases yourself, and regularly update your phone from your own servers, with your builds. The server for apps.grapheneos.org should also be replaced. Has anyone done this?
The documentation for GrapheneOS has a section about how to reproduce builds:
https://grapheneos.org/build#reproducible-builds
But it would be more involved than that.
I haven’t but I did built relatively large projects before (e.g. browsers) and basically it depends mostly on 2 things :
I think it’s interesting to do but honestly as someone else mentioned, builds are signed. In fact at the end of https://grapheneos.org/install/web#verified-boot-key-hash you get the verified boot hash. The goal is precisely to check that you actually get what you are supposed to have running. Basically the big picture of reproducible builds is that you do NOT have to do it and can STILL verify that you have exactly, up to a single bit, what should have.
The fact that devs sign the builds doesn’t protect you from a Jia Tan type of actor. Jia Tan had social-engineered they way to a maintainer and then dropped their backdoor in the .tar releases. If you had compiled from the tree you couldn’t be affected. It’s possible to fail to review malicious commits even in this case, but it is still more transparent than pre-packaged releases. And there’s no point to reproducible builds if no one actually reproduces them.
Yes, absolutely, yet the fact that we even know who they are proves that it’s definitely an odd case. It’s important to remember it but it’s definitely not a normal situation.
You don’t know anything about the lead developer.