@Fritange France is taking state actions against GrapheneOS. They’re conflating us with companies which they’ve previously gone after and taken over their servers. We aren’t vulnerable to being attacked in the same way but we still don’t want accesses to our website/network services being logged or our website being hijacked. France isn’t a safe country for GrapheneOS to operate in anymore and we’re going to be protecting the project and our users by avoiding the country completely now.
From the official GrapheneOS Mastodon account.


An important aspect of software distributions (ranging from Linux distros to smartphone OSes to software development package repositories) is trust. I trust that the infrastructure hosted at gentoo.org is operated by the Gentoo Foundation. I trust that they trust the various repo mirrors listed there (either way, their authenticity can be verified). I know which IRC channels I can drop into, or where I can send an email to speak with them. From their website, I can verify that they are in control of those IRC channels, and I can obtain the public keys of various project members to verify any email I receive from them is legitimate (and to encrypt my messages to them, should that be necessary). This is the foundation of an entire network of trust which prevents people from (convincingly) impersonating project contributors, or being able to distribute compromised packages or builds claiming them to be genuine.
Likewise, GrapheneOS has a reputation based in large part on their project infrastructure. It’s not just that the users know what they’re getting, but they know who they are getting it from. That they don’t have to worry about people impersonating the project or its contributors on official channels. When infrastructure like this fractures, this reputation evaporates. Trust breaks down. Sure, the mechanisms will still work if you swap out one URL for another, but you no longer know who is in control of what, where your packages are coming from, who’s reviewing them, who’s signing off on them, etc. If I want to install GrapheneOS, I would want to download it directly from the GrapheneOS project. An “archived” copy of the latest image for my device found on ThePirateBay is not a suitable replacement. If some other organization with no history shows up claiming to be the successor to the now (hypothetically) defunct GrapheneOS project, that’s hardly better.
There are other mechanisms like public key cryptography which can be (and are) used to establish the authenticity of a distribution, but there is a chicken and egg problem. Where do you obtain the public keys used to verify authenticity in the first place? Especially when there is no longer a canonical home for an organization and the infrastructure is constantly changing. It makes everything more confusing, unreliable, and risky. Developers and power-users will already have the public keys of important community members and project infrastructure, but for newcomers the whole thing becomes a lot more sketchy.
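The bootstrap problem above, as an added Python example (not from the original post or from any project's tooling): a user who already holds a pinned fingerprint detects a swapped key, while a newcomer can only cross-check what independent channels publish. The function names, the `example-os` project, the channel names and the key bytes are all constructed for illustration.

```python
import hashlib

def fingerprint(pubkey: bytes) -> str:
    """Hex SHA-256 of the raw public-key bytes."""
    return hashlib.sha256(pubkey).hexdigest()

def normalize(fp: str) -> str:
    """Accept fingerprints written with spaces, colons or upper case."""
    return fp.replace(" ", "").replace(":", "").lower()

def evaluate_key(project, offered_key, pins, channel_claims, quorum=2):
    """Verdict for a key offered as `project`'s signing key (hypothetical policy)."""
    fp = fingerprint(offered_key)
    pinned = pins.get(project)
    if pinned is not None:
        # Established user: any change from the pinned key is visible.
        return "trusted" if normalize(pinned) == fp else "rejected: differs from pin"
    # Newcomer: nothing to compare against except what the channels publish.
    agree = [c for c, claim in channel_claims.items() if normalize(claim) == fp]
    if len(agree) != len(channel_claims):
        return "rejected: channels disagree"
    if len(agree) < quorum:
        return "unverified: too few independent channels"
    pins[project] = fp  # pin on first use so a later swap is detected
    return "pinned"

# Constructed sample data, not real keys.
GENUINE_KEY = b"constructed-genuine-public-key"
IMPOSTOR_KEY = b"constructed-impostor-public-key"

def demo():
    good = fingerprint(GENUINE_KEY)
    colon_form = ":".join(good[i:i + 2] for i in range(0, len(good), 2))
    veteran, newcomer = {"example-os": good}, {}
    out = {}
    # Veteran already holds the genuine fingerprint; a swapped key is caught.
    out["veteran_swap"] = evaluate_key("example-os", IMPOSTOR_KEY, veteran, {})
    # Newcomer after infrastructure fractured: only one new site vouches.
    lone = {"website": fingerprint(IMPOSTOR_KEY)}
    out["newcomer_lone"] = evaluate_key("example-os", IMPOSTOR_KEY, newcomer, lone)
    # Newcomer with stable infrastructure: website, IRC and email all agree.
    claims = {"website": good.upper(), "irc": good, "email": colon_form}
    out["newcomer_stable"] = evaluate_key("example-os", GENUINE_KEY, newcomer, claims)
    # The same newcomer is now protected against a later swap.
    out["newcomer_later"] = evaluate_key("example-os", IMPOSTOR_KEY, newcomer, claims)
    return out

if __name__ == "__main__":
    print(demo())
```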
The GrapheneOS project appears to be taking reasonable precautions to ensure they remain in control of their infrastructure. It may be an exceptionally cautious measure, but that is supposed to be their raison d’être.