I’m baffled. It’s almost as though they’re missing the point of attestation: which is to give “assurance” to application developers/companies that their applications run in “a certain way”.

“A certain way” can have many interpretations, but Googles interpretation means:

1. No root
2. No custom firmware
3. When a users “shares their contacts” with your app, your app gets all their contacts - free from being censored or modified.
4. When a user “shares their files” with your app, your apps gets access to **all their personal data ** - free from being censored, modified or sandboxed.

iodéOS will have their own definition of what “a certain way” is. Which will probably be identical to Google definition.

Heck, GrapheneOS’ attestation has it’s own definition of a “certain way” applications run:

1. No root

I know this, because I run Graphene and I run it rooted. I sign my rooted Graphene with keys, that only I carry and I have my phone setup to only allow OS updates with only my keys.

It does not and will not pass Graphene’s attestation, although from my perspective - it meets my security requirements while give me control over my data.

This discussion has nothing with security patches, but everything to do with the accuracy and how much information developers and companies can get off our devices.

So, I guess this means that f-droid can only be installed via Google Play. /s

I’m getting flashbacks to using Internet Explorer to install Firefox.

edit: made sarcasm more obvious.