How does this increase security? The actual code is distributed over github and is digitally signed. Same goes for the installers/updates. Attempts to replace the contents would be easily detected, and would won't do much, aside from maybe compromising someone installing in that short time frame. Moreover darknet sites have an identity problem. It's easy to validate that "grapheneos.org" is the official site, not least because there's no grapheneos.com or similar. If you're using a hidden service you'll get an address like graphenenlhxh74dsi1kk1k8se0wutcc2v4f7bnohqe8zxbkfk8z3wp8.onion. How do you know whether that's the official site, or graphenenlhxr1uvl0i8oiuzx587fpgcesik0apij5axd1a0xbdvj5eg.onion?

We can only use technical solutions to this problem for so long.

The real issue is that the public wants a right to digital privacy.

The state would not like you to have that because they are lazy and want to be able to look at your messages.

Because they have convinced themselves that messages are a crime.

This is a political problem not a technical one.

It's a sad fact that there's just no way for GrapheneOS to win this fight. The intelligence agencies of every world government are on one side, and a relatively poor organization that produces less restricted cell phone software is on the other.

It's amazing to me that everyone even slightly disliked by the ruling class isn't doing this. Like remember when Nintendo took down a bunch of Switch emulators... from GitHub? Why were they primarily on GitHub?