Hi, @MadhavSheth1 Just a question from my side:
If your @aiplus_official nxtOS is really built in India, release the entire source code on GitHub so developers like us can review it,
Also, please, with due respect sir, don't cite that it's "proprietary", Linux kernel is under GPLv3 License and Android is under Apache License 2.0,
Nothing on your system(framework) & kernel side should be really under proprietary license if you built it on top of Android Open Source Project (AOSP) which is the baseline for all Android-based operating systems in the world unless there is some Chinese ODM with their proprietary software suite involved.
Of course, manufacturers may have certain proprietary applications, branding assets, services, or commercially licensed components. However, the operating-system components derived from AOSP and GPL-covered software should generally remain subject to their respective license obligations and should be released as open source.
As a developer, I would genuinely welcome the opportunity to review the source code if it is released. In fact, I would be happy to audit it for free and share my findings publicly for the benefit of both the company and the community.
I believe I am reasonably qualified to do so, as I have made a lot of contributions to the open-source community as well as to AOSP development itself.
cc:
@TechWiser @GeekyRanjit @GyanTherapy @TrakinTech @Mrwhosetheboss @SavageAryan007 @Cartidise @saaquib_neyazi @Gadgetsdata @r3dash @praaatiiik @8ap
Disclaimer:
Please don't serve me legal notice, I'm just a developer.
This post is not intended as defamation, harassment, or negative publicity against AI+, nxtOS, or Mr. Madhav Sheth personally. I am asking this purely as an individual Android developer interested in transparency, open-source compliance, and community auditing. This is a good-faith question regarding source-code availability and applicable open-source licensing obligations. The purpose of this post is to encourage a constructive technical discussion and to seek information that may be relevant to developers, researchers, and users. No allegations of wrongdoing are being made. Thank you.
It's kind of funny how @GrapheneOS wants to let everybody know about the "dangers" of "closed source operating systems" yet they themselves ship precompiled, presigned applications that are included in their OS and are NOT reproducible, the most you can do is compile them out of tree and include them manually.
And even then, this is still a MAJOR security risk as their precompiled apps have permissions that you really don't want apps to be granted implicitly.
I've attached a photo of all the permissions available to the Messaging app, which is included in GrapheneOS at build-time as a prebuilt application. I should mention this, the aforementioned Messaging application has no form of reproducible builds, meaning the only way to update these apps is for some developer to manually build this application on their build PC, sign it and then push it to a git repo. Imagine the security implications of that. (You can unzip the app yourself to check the manifest too.)
https://t.co/jkexmKeNz6
This is the module included into GrapheneOS. Meanwhile the actual messaging app is at https://t.co/1nwBxnWQx8. For reasons beyond me, GrapheneOS devs thought it fit to remove the Android blueprints from it, therefore making this app unbuildable inside the Android source itself.
https://t.co/T9INpRDHeZ
The inclusion of said prebuilt Messaging app.
It's not just this app either. The included App Store, the Camera app, hell, even the Auditor. All of these apps are presigned and precompiled, and granted implicit permissions to do whatever. Why not compile them in-tree? WHY go out of your way to make them unbuildable by removing the blueprints? It's not about adding one yourself and doing it yourself, that's completely beside the point. The point is, why is some OS claiming to be security focused, yet has the ability to infect devices with a theoretical malware spread with these prebuilt apps? Why are these apps not built in-tree in the first place!? There is literally no excuse, every other app is compiled in-tree except these GrapheneOS inclusions.
How does it feel to trust a random person with an app that can theoretically upload all your data to a remote server without your knowledge? Furthermore, besides doing such things, GrapheneOS devs have the _nerve_ to go forth and cement their beliefs on others? When they themselves don't commit to their standards? If this isn't an absolute form of hypocrisy, I really don't know what is.
Maybe this post will instill some form of awareness in die-hard GOS fans. Maybe I'll get to deal with insane backlash. Who knows. At least I'm putting it out there. Maybe one day we'll get to know that this entire project was a honeypot.