Sailfish OS: Clarifying claims about open/closed source, security and privacy

Actually Jolla say that “Sailfish OS is partially open source, but not fully open source in the sense of “every part of the OS is free/open-source.”

After digging deeper and discussing I found GrapheneOS comments:

Jolla is a for-profit company misleading people about what they providing. Their OS has extraordinarily poor privacy and security compared to the Android Open Source Project or iOS. Their own OS code is mostly closed source and there isn’t an open source subset that’s usable. Jolla has spent years falsely claiming the Android Open Source Project isn’t Linux and misleading people into believing a largely closed source distribution is more open than an open source one.

They’ve mislead people about privacy and security to an extreme, convincing people that a device lacking a proper sandbox, permission model, exploit protections, widespread use of memory safe language and many modern security features is more private and secure. They have their own invasive services too.

Companies selling phony privacy products which do not provide basic privacy or security patches, do not have a modern privacy/security model and do not have modern exploit or privacy protections aren’t above being criticized due to portraying themselves as part of open source. They’ve put massive effort into misleading people about the Android Open Source Project and OSes

How secure my data will be using Jolla phones with SailfishOS?

Indeed, Sailfish OS is unfortunately not totally open-source. Most closed part are the UI, like the compositor (lipstick) the homescreen UI (lipstick-jolla-home), QML components (silica) and other apps still closed-source. Last weeks, Jolla started to open-source more and more components like the weather app, all components related to Netxcloud. Check their repository for more open-source components. I’m not sure there is a complete list of closed sourced components. Ther

For further information, I invite you to watch this presentation of Jolla by @abranson a Jolla employee: https://www.youtube.com/watch?v=OSNtmT_ITvc
The event was at the hackerspace FIXME in Lausanne, Switzerland.

At least part of the statements about security made is outdated or just untrue. There is a sandbox and permission model nowadays, and I have no idea what inversive services they might be talking about

Relating the security, Sailmates got a grant from NLnet to study various aspects of the OS. Check these pages for more information:

• October 2025 - Comparative Analysis of Sailfish OS | Sailmates
• NLnet; Security audit of Sailfish FOSS components

Edit: If you don’t have the time to read the audit, here is the conclusion.

Section 6 – Conclusion
Sailfish OS has encryption features, thanks to
its sailfish-secrets, to provide confidentiality and
integrity to it’s operating system. Although not
thoroughly tested by vulnerability researchers
the operating system has already built in
security methods that can prevent past
vulnerabilities that were discovered on other
operating systems.

I found this very old table from 2016 listing all closed-source components: SailfishOSS - Mer Wiki

There is a command listed in the upon link, here is an actualised list of proprietary components on Sailfish 5.0.0.72:

In addition to what has been said, please back up your claim that about someone

“mislead people about privacy and security to an extreme”.

This is, like almost all of that quote, is an opinion which is not backed up by arguments.
I know it’s not your claim, but you repeat it here, again without context or arguments.

claiming the Android Open Source Project isn’t Linux

What a load of bullshit. Again, sources please.

open source

privacy

security

How secure my data will be using Jolla phones with SailfishOS?

These are largely separate topics, one does neither go with, nor necessarily depend on the other.

Open Source guarantees neither security nor privacy.

One thing is true: there can be no privacy without security.

“This is the first time Zilvinas has posted — let’s welcome them to our community!”

Well with this kind of a post you are not getting a warm welcome
Please provide sources and links and evidence for your text …

The tone and your massive generalisation could use an improvement

Nice to see that the new phone has generated such a response that someone feel the need to write out such a toxic and FUD laden tirade. Must be doing something right.

Btw, lipstick is open source. It’s the homescreen UI on top that’s closed (lipstick-jolla-home)

It sounds like it comes from this thread: sailfish OS - GrapheneOS Discussion Forum

The graphene guys like to smear other distros/OSs to make themselves look better. I decided to stay away from their OS due to the incessant drama going on around it.

1. First they ignore you.
2. Then they laugh at you.
3. Then they attack you. we are here
4. Then you win.

Well, there is also some truth in it. Some flaws exists, we should not be blind about them. For instance one attack vector - all Sony phones with SFOS do not have a verified boot process (unlocked bootloader). Also, the encryption layer does not use LUKS2 with PBKDF2 iirc.

Zilvinas, who doesn’t know much about SailfishOS, had read these lines from the Graphene guys. He asks whether it is true. No need to attack him and demand him to reveal his sources. It was a question. Rather give him an answer.

I believe it is not me who has to refute (IMO largely baseless) claims, it it up to the one making them to support them with arguments and facts/sources.

I also do not believe it counts as an “attack” to say so.

People from GrapheneOS reacted to me on Bluesky several times after I posted something about alternatives to G and A. They quite aggressively try to turn you towards their view. Once they were stalking so I had to mute one of them. Their focus is privacy and there they shine with sandboxed apps. Yet Graphene is not an independent OS like Sailfish because it is entirely based on Android. Graphene exclusively makes use of Google Pixel devices because of certain chips in these devices. These devices are not conform the new European rules for sustainability: everything in it is glued.
The discussion about Android being linux is not relevant. Android is often called linux too but linux is a family tree. Since Google Almighty bought Android in 2005 it is part of the duopoly. Personally I find Android boring and not intuitive and sometimes even confusing. It’s not elegant either.
Open source in Sailfish is a mixed bag. I would like to see more sandboxing in apps, but I don’t know if this is possible. Until now we trusted Jolla and the developers. Yet, when the company grows more guarantees will be needed. Some of the linux adepts say linux always has to be open source. Others are more tolerant. It depends on how dogmatic you are. Jolla’s Sailfish is based on a license. This is Jolla’s ‘crown jewel’. A kind of copyright. GrapheneOS seems to be jealous but it is a fact that you never can be a serious alternative without creating your own OS and that is what Jolla did: Sailfish is different.

Hello Zilvinas,

A few days ago GrapheneOS reacted on me again. They want to lure you in a discussion about privacy and about open source. Subjects where they have strong opinions on. Yet being based on Google is not an advantage and Graphene was not able to create their own OS and their own devices. It’s obvious that they fear competition.

In case of graphene they go against each other (see their main dev promoting play store over fdroid), since they rely on google so much (hw, drivers, signing…) privacy took the backseat (they somehow advertise gapps sandboxing as a privacy feature, as meta has real problems linking your sandboxed fb/insta/whatsapp accounts), we’ll see what happens now that they will rely on an 3rd party oem, might be a funny Sony Open Devices like fiasco

It will be pretty secure, sfos has all the standard features like home partition encryption and sandboxing (sailjail), it’s not going crazy overboard though to treat enduser as an attack vector, you can get full root through a checkbox in settings, the OS is aimed at tinkerers, linux enthusiasts etc, the extra safety comes from being a niche linux phone using libhybris that breaks 99% of android malware, exploits aimed at aosp won’t work, the lxc container will take a sh*t in most cases as emulation adds an extra layer, you’d need to target sfos+appsupport specifically and with few K users it’s just not feasible (if russians bought appsupport that would be a totally different story, now you have a valuable target etc)

@emva I’ve putted it to quote because it’s not mine thoughts and in this case I don’t have backed up arguments. I took it from Graphenes Mastodon post and came here with question to hear another opinion, facts, trooth - not attacking and bulling.
Thanks @rhampf for understanding and support.

P.S. I don’t use GrapheneOS myself
P.S.S. made a pre-oder for new Jolla phone