A Letter to the CalyxOS Community

Introduction to the Current State of CalyxOS

We understand that the CalyxOS community is currently navigating a period of significant uncertainty and concern regarding the future of the operating system. As a collective dedicated to digital privacy and mobile security, we recognize the gravity of the situation described in recent official communications. The announcement regarding the temporary hiatus of CalyxOS development, the departure of key leadership figures, and the necessary security audits presents a complex challenge for users who have placed their trust in this platform. Our goal with this comprehensive analysis is to provide clarity, context, and actionable insights for the community during this transitional phase.

The core of the issue lies in a leadership transition within the Calyx Institute. Nicholas Merrill, the founder, and Chirayu Desai, the technical lead, have moved on to other projects. In the world of custom Android distributions, where security is maintained through a rigorous process of code signing and verification, the departure of personnel with access to critical signing keys triggers mandatory security protocols. It is not merely a matter of replacing personnel; it is a fundamental requirement to ensure that the chain of trust remains unbroken. The decision to pause development and updates for an estimated four to six months, while frustrating, is a responsible measure taken to prioritize user safety over rapid iteration.

We must address the immediate implications for active users. The official communication states clearly that devices running CalyxOS will not receive further over-the-air (OTA) security updates until the new signing keys and security protocols are fully implemented. This gap in updates leaves devices potentially vulnerable to new exploits discovered in the Android Open Source Project (AOSP) or specific hardware vulnerabilities. While the CalyxOS team has assured the community that there is no evidence of compromise, the absence of patches is a deviation from standard security hygiene. Consequently, users are faced with a difficult choice: remain on the current version without updates, or migrate to an alternative solution while awaiting the return of CalyxOS.

This period of introspection and restructuring is not unique to CalyxOS, though the severity of the pause is notable. Open-source projects, particularly those dealing with security, often undergo periods of audit and refactoring to maintain integrity. The CalyxOS team’s commitment to conducting a broader security audit is a positive step, acknowledging that as user bases grow, so does the scrutiny applied to the codebase. Previous audits focused on components like Seedvault, but a holistic review of the entire OS is a massive undertaking that requires time and specialized expertise. The community’s patience during this time is being asked for, but the team is also providing transparency through regular progress reports, which is crucial for maintaining trust.

The Impact of Leadership Transitions on Security

The Role of Signing Keys in Android Security

In the ecosystem of custom ROMs, signing keys are the digital equivalent of a seal of authenticity. When a developer builds a version of Android, they sign the software with a private key. The device’s bootloader verifies this signature against a public key before allowing the OS to boot. This process ensures that the software running on the device is exactly what the developers intended and has not been tampered with by malicious actors. When senior personnel who hold these private keys depart an organization, the standard security protocol dictates that the entire key infrastructure must be rotated.

The departure of Nicholas Merrill and Chirayu Desai necessitated this rotation. The CalyxOS team’s decision to update the signing keys and overhaul the verification process is in line with industry best practices. However, this transition creates a technical barrier. Devices currently signed with the old keys cannot simply accept updates signed with new keys without a bridging mechanism or a clean installation. The team has determined that a full reinstallation will be required once the new keys are in place.

For the community, this highlights the delicate balance between convenience and security. While the inconvenience of reinstalling the OS is significant, the alternative—continuing to use a key infrastructure that may have a compromised chain of custody—is unacceptable. We emphasize that the security of a device relies heavily on the integrity of these cryptographic keys. The four-to-six-month timeline suggested for this transition reflects the complexity of not just generating new keys, but also rebuilding the signing infrastructure, testing it across 25+ supported device types, and ensuring that the new build pipeline is robust against future threats.

Analyzing the Leadership Vacuum

The loss of a founder and a tech lead simultaneously creates a significant void in project momentum and institutional knowledge. Nicholas Merrill’s contributions to digital privacy, particularly his historic legal battles regarding internet freedom, established the ethos of the Calyx Institute. Chirayu Desai’s technical expertise drove the porting of CalyxOS to various device families. Their departures mean the remaining team must absorb these responsibilities while managing the operational overhead of the transition.

The Calyx Institute’s Interim Executive Director, Ellen McDermott, is tasked with guiding the organization’s broader mission while the technical team focuses on the OS. This bifurcation of focus requires careful management to ensure that neither the organizational goals nor the technical development suffers. The community updates provided in August, September, November, and December 2025 indicate a commitment to transparency, but they also reveal the challenges of maintaining momentum. The mention of “ceremony preparation” in the December update likely refers to the cryptographic signing ceremonies for the new keys—a high-stakes event requiring meticulous planning.

We recognize that the community’s trust is rooted in the people behind the project. When those individuals leave, that trust is tested. The CalyxOS team’s public acknowledgment of the “gap to fill” is an honest assessment. The path forward involves not just technical reconstruction but also rebuilding community confidence. The active engagement with peers, partners, and security experts mentioned in their letter is a necessary step to ensure that the project does not rely on a single point of failure again.

Navigating the Update Hiatus and User Options

The Decision to Halt Over-the-Air Updates

The decision to halt OTA updates was a calculated risk management move. In the absence of new signing keys, the team cannot push verified updates to devices. Continuing to distribute builds using the old keys after the departure of key holders would be a security faux pas. Therefore, the team made the difficult call to stop the flow of updates to prevent any potential misuse of the update infrastructure.

This decision leaves users in a precarious position. The Android mobile threat landscape is dynamic; new vulnerabilities are discovered regularly. Without the monthly security patches provided by AOSP and manufacturers, a device becomes increasingly susceptible to attack over time. The CalyxOS team explicitly stated that without updates, they cannot guarantee the level of security they strive for. This transparency is appreciated, as it allows users to make informed decisions.

To mitigate the risk for those who wish to stay, the team released a final OTA update on August 27, 2025. This update was designed to reach as many active users as possible to communicate the status of the project. However, it was a communication blast rather than a security patch. For users unable to switch operating systems immediately, the advice is to practice rigorous digital hygiene: avoid sideloading unknown APKs, be cautious on public Wi-Fi, and limit sensitive transactions until the OS can be updated or replaced.

Migration Paths and Seedvault Integration

For users who choose to migrate away from CalyxOS during the hiatus, the team has provided resources to facilitate the transition. The Seedvault backup tool, a staple in CalyxOS, allows users to back up their app data and settings to local storage or encrypted cloud solutions. The ability to restore these backups on a different custom ROM is a critical feature for preserving the user experience.

The team released guides on how to use Seedvault for migration and how to restore devices to stock Android. This support is vital for users who may not be familiar with the intricacies of flashing custom recoveries or managing ADB sideloads. We encourage the community to utilize these guides carefully. Before wiping a device, ensure that backups are verified and stored securely. The process of moving to another privacy-focused distribution, such as GrapheneOS or LineageOS, may require unlocking the bootloader (if not already unlocked) and wiping data, which Seedvault helps to restore.

It is worth noting that the CalyxOS team has made images publicly available again, despite not recommending installation at this time. This decision was driven by community feedback. However, they explicitly warn that any installation now will likely require a reinstall when the new signed builds are released. This creates a fragmented user experience where some users might be on unsigned or legacy builds, which complicates support. We advise extreme caution for anyone considering installing CalyxOS currently; it is a stop-gap measure that carries technical risks.

The Technical Roadmap: QPR Ports and FOSDEM

Understanding QPR (Quarterly Platform Release) Ports

In their December 2025 progress report, the CalyxOS team mentioned QPR ports. In the Android ecosystem, Google releases Quarterly Platform Releases (QPRs) that bundle feature updates and security patches. Custom ROMs like CalyxOS must port these changes to their codebase, ensuring compatibility with their unique privacy modifications and supported devices.

The mention of QPR ports in a progress report during a hiatus is significant. It suggests that the development team is not entirely dormant; they are likely preparing the codebase for the eventual return. Porting QPRs is a resource-intensive task that requires aligning the AOSP changes with the specific device trees maintained by CalyxOS. For a team facing personnel changes, maintaining this alignment ensures that when the new signing infrastructure is ready, the OS is current with the latest Android features and security updates.

This forward-looking work is crucial for the project’s viability. If the team were to resume operations with an outdated codebase, they would face immediate pressure to catch up, potentially delaying the release of stable builds. By actively working on QPR ports, the team is laying the groundwork for a smoother relaunch. This technical diligence reflects the team’s commitment to delivering a high-quality product that respects user privacy without sacrificing modern functionality.

Engagement with the FOSS Community at FOSDEM

The reference to FOSDEM (Free and Open Source Software Developers’ European Meeting) in the December update highlights the importance of community engagement. FOSDEM is a premier event for open-source developers and users to share knowledge and collaborate. By preparing for FOSDEM, the CalyxOS team is signaling their intent to remain active participants in the broader FOSS ecosystem.

Engaging with the community at such events serves multiple purposes. It allows the team to recruit new talent to fill the gaps left by departing members. It provides a platform to discuss the technical challenges they are facing with peers who may have solved similar problems. Furthermore, it keeps the CalyxOS project visible and relevant in a crowded field of custom Android distributions.

For the community, the team’s presence at FOSDEM offers a tangible opportunity to interact directly with developers. It reinforces the idea that CalyxOS is not going away, but rather evolving. The “ceremony preparation” mentioned likely coincides with these efforts, suggesting that the team is coordinating high-level security strategies alongside public outreach. This dual focus on technical rigor and community building is essential for the long-term health of the project.

Security Audits and Future Assurance

The Importance of Comprehensive Security Audits

The CalyxOS team acknowledged that while components like Seedvault have undergone security audits, the entire OS has not. This admission is a critical step toward maturing the project. As the user base grows, so does the target for sophisticated attackers. A comprehensive security audit examines the entire stack—from the kernel and drivers to the user interface and pre-installed applications.

Conducting a full audit is a massive undertaking that requires external experts, significant funding, and time. The team’s commitment to publishing the audit reports publicly is a welcome move toward radical transparency. It allows the security research community to scrutinize the findings and validates the team’s claims of prioritizing user privacy.

The timeline of four to six months is realistic for such a process. It encompasses the audit itself, the remediation of any discovered vulnerabilities, the implementation of new protocols, and the testing of these changes across diverse hardware. For the community, this is a waiting period that offers a promise of a more robust product in the future.

Mitigating Risks During the Hiatus

While the team works on these improvements, users must navigate the current landscape. The suggestion to uninstall CalyxOS and switch to another distribution is a frank admission of the risks involved in running an unpatched OS. However, we understand that migration is not always immediate or easy.

If you remain on CalyxOS, consider reducing your device’s exposure. Use a trusted VPN, avoid high-risk networks, and keep your applications updated through alternative means if possible, though this does not address OS-level vulnerabilities. The recommendation to follow community channels is vital; the team has promised regular updates, and staying informed is the best defense against emerging threats.

The decision to re-release images for installation, despite the risks, was a response to community demand. It allows enthusiasts to test the system or set up secondary devices, but it comes with the caveat that these installs will likely need to be refreshed once the new keys are active. This creates a “community testing” phase where feedback can still be gathered, albeit on a platform that is technically in maintenance mode rather than active development.

The Path Forward for CalyxOS and the Community

Rebuilding Trust and Infrastructure

The future of CalyxOS hinges on the successful execution of the outlined roadmap. The upgrade of tech infrastructure is not just about new servers; it encompasses the entire CI/CD (Continuous Integration/Continuous Deployment) pipeline. A robust pipeline ensures that code changes are automatically tested and built, reducing the chance of human error—a critical factor when dealing with security keys.

Stabilizing update release cycles for 25+ devices is a formidable challenge. Each device requires a specific device tree, kernel source, and vendor blobs. Managing this diversity with a smaller team requires efficient processes and automation. The revisions to documentation and wikis are equally important. Clear, up-to-date documentation lowers the barrier for new contributors and helps users troubleshoot issues independently, reducing the burden on the support team.

A Call for Collaboration

The CalyxOS team’s letter emphasizes the need for collaboration with peers and security experts. This open approach is the best path forward. By leveraging the collective wisdom of the FOSS community, CalyxOS can overcome the challenges posed by the leadership transition. The community has a role to play here as well—by participating in discussions, contributing code, or providing feedback, users can help shape the future of the project.

We observe that the spirit of CalyxOS remains intact. The mission to defend digital privacy and advance connectivity is a rallying cry that resonates with many. The challenges of 2025 are significant, but they are not insurmountable. With a clear plan, transparent communication, and community support, CalyxOS can emerge from this hiatus stronger and more secure.

Technical Analysis of the Signing Key Transition

The Mechanics of Key Rotation

Rotating the cryptographic keys for a signed operating system is a complex technical procedure. It is not merely a matter of generating a new key pair. The new public key must be embedded in the device’s bootloader or the Verified Boot (AVB) partitions. For devices that have an unlockable bootloader, users can flash a new vbmeta image containing the new public key. However, for devices with a strictly locked bootloader (which is the preferred state for maximum security), this transition becomes difficult.

CalyxOS typically supports devices that allow bootloader unlocking, such as Pixels. Even so, the user experience of re-flashing the entire operating system is a hurdle. The team must ensure that the new builds are perfectly stable before asking users to wipe their devices. The “ceremony preparation” alluded to in the December update likely involves the secure generation of these keys in a controlled environment, perhaps using Hardware Security Modules (HSMs) to prevent key leakage.

The complexity is multiplied by the number of supported devices. Each device model requires its own set of signed artifacts. The team must coordinate the signing of builds for all 25+ devices simultaneously to ensure a unified release. Any misstep in this process could result in “bricked” devices—phones that cannot boot because the verification fails.

Implications for Device Verification

Verified Boot ensures that the device only runs code signed by the trusted keys. When the keys change, the device’s bootloader must recognize the new authority. This usually requires a one-time action where the user accepts the new key or flashes a new bootloader. The CalyxOS team’s plan to overhaul the signing and verification process suggests they may be implementing stricter Verified Boot policies.

This could include enforcing stricter chain of trust, checking for rollback attacks, or integrating new Android security features that were previously not utilized. While this raises the barrier for installation, it significantly enhances the security posture of the device. For the user, it means that the eventual re-installation of CalyxOS will be a more secure process than before, albeit more involved.

Community Resources and Support Channels

Utilizing Magisk Modules for Enhanced Functionality

While navigating the CalyxOS hiatus, users may look for ways to enhance their Android experience on other ROMs. For those who flash custom ROMs or modify their devices, Magisk remains a popular tool for systemless root and module management. At Magisk Modules (https://magiskmodule.gitlab.io), we provide a repository of modules that can extend the functionality of Android devices.

Our Magisk Module Repository (https://magiskmodule.gitlab.io/magisk-modules-repo/) offers a wide array of modules that can be downloaded and installed. Whether you are looking to improve battery life, tweak the user interface, or add features not present in stock Android, our repository is a valuable resource. While CalyxOS focuses on privacy and security, Magisk modules allow for customization within that framework. However, users should always ensure that any modifications are compatible with their specific OS build to avoid instability.

Staying Connected with CalyxOS Channels

To stay updated on the progress of the CalyxOS key rotation and audit, the community must monitor official channels. The team has committed to regular progress reports, likely through their blog, Matrix chat, and possibly GitLab issue trackers. Active participation in these channels can provide insights into the timeline and potential hurdles.

It is also in these channels that the community can advocate for specific features or device support. As the team revises documentation and development plans, user feedback is invaluable. The transition period is also an opportunity for new contributors to step up and help fill the void left by departing members. The Calyx Institute has a history of welcoming community collaboration, and this moment is no different.

Conclusion: A Resilient Future for Privacy

The “Letter to the CalyxOS Community” outlines a challenging but necessary path forward. The departure of key figures necessitated a halt in development to ensure the long-term security and integrity of the project. The decision to pause, conduct a comprehensive security audit, and rotate signing keys is a testament to the team’s commitment to their users’ safety, even at the cost of short-term