I'd like to edit this comment but unfortunately it's probably too late to edit - it appears I was at least partially mistaken. LOS declined to integrate MicroG because of security concerns from spoofing signatures, as per the Wikipedia article of MicroG (https://en.wikipedia.org/wiki/MicroG)

Yes, but if it was with a toggle switch (and a default value on "off"), then the user could decide and take the risk (and/or only activate it when needed), which would alleviate the risk.

The spoofing can be locked down to only include microg, this is the approach calyxos has taken.

I think GrapheneOS does things completely differently, with actual Google Play Services in a sandbox, and doesn't need signature spoofing.

Perhaps I'm not understanding the issue - what legal standing does Google have to object? "Terms of service violation"?

Partly that, but also a lot of/all of Google Services Framework is proprietary Google code. Other implementations reverse-engineer and modify it afaik. Google probably doesn't go after them because they're small, but LOS is the largest such organization and would be an easy target if Google were to sue.

And also, even if it's technically legal, it's such lawsuits/slappsuits can entirely bring down an organization as legal fees can be very expensive. They probably want to err on the side of caution so that Google can't, and wouldn't care to, sue them.

microg replicates the API but contains no actual google code, right? Isn't that exactly what google argued was completely legal when they were sued by oracle over replicating the java API?

Yes MicroG is open source, but they probably had to reverse engineer something. However I don't know if that's the main reason, my initial comment was likely (partially?) wrong, here's an update: https://news.ycombinator.com/item?id=31171788

I responded to the other comment too, but:

> Yes MicroG is open source, but they probably had to reverse engineer something.

MicroG being open source is irrelevant. The relevant point is that google play services is not, so MicroG devs could not have copied source from it. Besides the fact that the API used by other programs to interact with play services is public and that the team had no access to the play services source code US law also has a specific carve out for "interoperability" which might (I'm guessing) apply here. Google has already spent many years and many millions in court arguing that an API is not copyrightable.

IANAL but it seems hard to argue that this would be an easy legal case.

Is this your speculation or is that their stated reasoning?

Nobody is talking about stated reasons, the question is what grounds Google would have to object on if they chose to. That means it's speculation.

Edit: I'm no longer trusting my memory lol. Apparently security was why LOS didn't integrate it (see https://news.ycombinator.com/item?id=31171788). I'm still leaving my original reply below.

The SafetyNet part is something I read from somewhere else, though unfortunately I don't remember if that was LOS or some random developer on reddit/XDA. You can treat most of this as (oft-repeated) speculation by users.