Departure of Calyx / CalyxOS leadership and discontinuation of CalyxOS updates

Byteang3l

Pocketstar agreed, I have 3 devices running Graphene now and it's my favorite open source project.

Pocketstar

Byteang3l Me too, we finally have a reasonably secure operating system rather than an exploitable mess and a privacy nightmare, for me it is hard to imagine that projects like GrapheneOS are not the norm rather than the exception, after all, it is by far the best option when it comes to a secure and private solution to mobile operating systems.
It undoubtedly saved alot of lives of whistleblowers, dissidents, journalists and kept alot of people safe from abuse or worse.
In my opnion the developers are truly like a digital equivalent of superheroes, saving people left and right, I cannot praise them enough for their hard work honestly.
It makes it even more sad when you think about the developers being attacked while they are protecting people, I hope it does not affect their spirit and cause burnouts and spread apathy, which is possibly the goal of some bad actors in order to stop the project, it is a well-known tactic.
But I am merely speculating here though, I am sure bad actors don't make their intensions clear, so it is hard to guess.

Xtreix

Byteang3l

If you would like to learn more about the origins of the attacks against GrapheneOS and how it all began, here is a link.

Byteang3l

Xtreix I'm just getting started but I've already learned enough to be happy calyx is declining. Thanks for the link, it's fascinating how much lore there is surrounding this.

Xtreix

Byteang3l This link have more to do with Copperhead than with Calyx, but yes, they do provide more information about the origins of the attacks. It is likely that a number of users are unaware that GrapheneOS was previously known as CopperheadOS. I have read a number of posts online where people believe that GrapheneOS was created in 2019. Copperhead has contributed greatly to this by making people believe that GrapheneOS is a fork when it is actually the original project that changed its name. When I discovered Daniel Micay's work around 2018-2019, I was not yet aware of Copperhead, Calyx, and the harassment they created. I discovered this later, and it was while doing research that I one day found the link that I published.

user20583982

Just a theoretical question here: how would the same situation be handled by GrapheneOS leadership? Would it impact GOS users in any way?

fph

user20583982 Just a theoretical question here: how would the same situation be handled by GrapheneOS leadership? Would it impact GOS users in any way?

No one is answering this question, apparently. I'm also curious to know if there are safeguards, and who has access to the signing keys.

MarSOnEarth

@GrapheneOS I went into this rabid hole and emerged to days later through the other side with a question; what is the current status of the lawsuit and counter lawsuit between GOS and Coperhead? Also, is David Micay still part owner of Coperhead Limited?
BTW, what a story, and now Calyx Institute.

GrapheneOS

MarSOnEarth Daniel still owns 50% of Copperhead Limited. Note you got his first name wrong. Copperhead has no actual grounds to file a lawsuit but is still pretending as if they do. Nothing has really happened as part of that since we have little reason to go after a failing company with nearly no assets or revenue. We could likely win a lawsuit against them and recover legal costs in theory but in practice they would go bankrupt and we would get close to nothing.

MarSOnEarth

GrapheneOS Thanks. Much appreciated, and my bad re: first name.

MarSOnEarth

GrapheneOS The redit compilation has couple of mentions about Copperhead Ltd (CL) filing a lawsuit against GOS, and then about GOS countersuing. On the GitHub compilation there's "STATEMENT OF DEFENCE AND COUNTERCLAIM" with this, "We're also filing a federal lawsuit against Copperhead over their fraudulent copyright claims and may take further action" with a dead link to a PDF file. Could you elaborate? Have those lawsuits been filed and adjudicated?

GrapheneOS

MarSOnEarth None of it has gone to court. Copperhead has been using stalling tactics and we've chosen not to move ahead with our lawsuit as long as they aren't doing anything. We're going to try to force them to pay our substantial legal fees for wasting our time and money for years.

MarSOnEarth

Got it, but like you said, what's the point.

GrapheneOS

@LGgos Portraying Rossmann as if he's anti-bullying when he went out of the way to engage in bullying towards our founder followed by trying to ruin his life with a video targeting him with harassment is ridiculous. Rossmann uses Kiwi Farms because he's seeking their support for himself. He's very friendly with people who engage in serial harassment and he regularly brings up people he has issues with including us to direct harassment towards us from that platform. He's the one who directly involved them in the harassment towards us. Their thread targeting us was posted days after his extraordinarily dishonest character assassination video with the clear aim of directing harassment towards our founder.

de0u

fph I have access to the signing keys! Well, sort of! And so do you!

The GrapheneOS build instructions include instructions for generating keys and signing builds. Over the summer I did a couple of builds and updates on a debug device as part of an experiment, using my signing keys.

So anybody who wishes they knew exactly who has the signing keys for GrapheneOS on their device can be 100% sure by building GrapheneOS themselves with their own keys (as long as they're kept out of the hands of visiting glowies). And people who don't yet know how to build it, or don't yet have access to a sufficiently powerful machine to build it, could choose builds done by anybody else.

Independent of who signs the builds there is a big question, which is who examines how many of the changes from upstream and/or from the GrapheneOS team. That part is hard! Clearly Google from time to time ships security flaws (I honestly think it's by accident), and empirically there aren't enough eyes on their commit stream to uncover all of them before they make it into builds signed by Google, builds signed by Samsung, and builds signed by the GrapheneOS project.

Hypothetically speaking, what if I knew how many people can sign GrapheneOS builds, and what if I knew their names, and what if I posted them? Likewise, what if, hypothetically speaking, I knew how many people can sign Google's Android builds, what if I knew their names, and what if I posted them? What would be different?

fph

de0u fph I have access to the signing keys! Well, sort of! And so do you!

The GrapheneOS build instructions include instructions for generating keys and signing builds. Over the summer I did a couple of builds and updates on a debug device as part of an experiment, using my signing keys.

That does not really answer our question. If I understand correctly, the Graphene OS build we all have installed (apart from the very small minority that builds and updates the system themselves) is signed with keys from the Graphene OS team. In order to continue receiving OTA updates, those updates need to be signed with the same key, or the bootloader complains.

If only one person has access to this signing key, and that person goes rogue, then we all need to reinstall the system from scratch in order to continue receiving updates. This is precisely what happened to Calyx OS, if I understand correctly.

Also, and more importantly, if someone who has access to that key goes rogue, they are in a position to push a malicious update. Essentially, they have root on our systems.

So I believe that "who has the Graphene OS signing key" is an important question. And I mean the key that signs the official install, not the key for a custom build as in your answer.

LGgos

I'd never support the harassment of anyone and honestly feel bad for Micay. It's just that I'd blame that on KF and am struggling to see why Rossmann is facing accusations that serious, up to and including attempted murder?

Not looking for a fight here, you're within your rights to say it's not to be questioned and I'll leave it if need be. I've stopped using GOS for other reasons unrelated to the project or and am reading here for the other privacy respecting app discussions etc. It's just a bit odd to me. I am a neutral observer other than enjoying most of Rossmann's content (I'm not keen on his more right wing stuff).

GrapheneOS

LGgos You're repeating Rossmann's extraordinarily false claim that he was accused of attempted murder. What he was accused of doing is engaging in many months of bullying towards our founder both in private and in public which included him openly supporting harassment content. The harassment content he supported and helped to amplify resulted in repeated swatting attacks, which were quite objectively an attempt at killing the founder of GrapheneOS via law enforcement. Rossmann then went on to confirm exactly how complicit he was in this by publishing his own content based on blatant fabrications and spin with the clear goal of creating a massive increase in harassment. He's responsible for the subsequent massive increase in harassment including violent actions by his supporters. You're taking Rossmann's blatant lies at face value and basing your understanding of the situation on content clearly aimed at directing harassment towards someone with a series of blatant lies and misrepresentations. Even the title of the video being an outright lie since he provably continued using GrapheneOS for many months afterwards as a daily driver and clearly lied about not feeling safe using it to justify targeting someone the way he did. He indirectly acknowledged this multiple times and eventually did move to using something long afterwards, seemingly just to avoid continuing to be criticized about it.

LGgos

GrapheneOS I see... I accept that I'm probably commenting with subconscious bias having followed him for a while and enjoyed his content, and that I haven't done enough research to be commenting. I didn't realise that the most serious accusation was fabricated by him, which shows my ignorance really.

Apologies if my questioning of your side of it has come across as loaded, which looking back, it probably has (and maybe in part to be honest I did want to believe his side more - familiarity etc). Like anyone else I just want to hear both sides of a story but have not come to any conclusions. I withdraw and apologise for any remarks that may have come across as accusatory.

Will be a lot more cautious of his content from now on...

GrapheneOS

@LGgos You're referring to a video where Rossmann leaks private conversations, blatantly lies about them and pushes many fabrications about what the person said and about them more generally with the clear goal of directing harassment towards them. He was very clearly solely motivated to publish the video based on trying to personally harm the person he targeted. You can try to justify it as much as you want but in the end it all you're doing it trying to defend serial harassment by a far right Kiwi Farmer.

Rossmann's excuses about why he uses Kiwi Farms and why he Kiwi Farms style content targeting someone with harassment based on blatant fabrications and baseless claims don't add up. The Kiwi Farms thread was created following Rossmann's harassment content and served as the primary basis for it. Rossmann created most of the current ongoing harassment and continues to spearhead it with that content.

Why do you think support for someone targeting our team with harassment including repeating their self-evidently false claims about us would be welcome here?

If you support this, then perhaps you should be using Kiwi Farms rather than this forum.

LGgos

GrapheneOS I don't support such a thing, no worries. I'm happy to drop the matter and won't be voicing any more support (well it was more questioning rather than support, but I suppose on self reflection there might have been my hope that he wasn't quite so nasty as all that, effectively being like a form of support)

For sure I do not support any of the harassment against any of your team past or present

GrapheneOS

LGgos

I didn't realise that the most serious accusation was fabricated by him

He's misrepresenting referring to someone else doing swatting because of Techlore's content, which he was supporting, as accusing him of attempted murder. It doesn't make any sense whatsoever. It was not what was said at all. What was said is that he shares responsibility for it due to participating in what led to people engaging in that harassment. He then went on to publish a video where he tried to cause a massive increase in harassment through fabrications, spin and bullying. The video he published proved he was far worse than what he was privately criticized for doing over the past many months. He leaked private information and private messages along with heavily misrepresenting those in order to target someone with harassment. He used his platform to mislead people and encourage harassment towards someone. Why? He was angry that he was privately criticized for his existing involvement, so he massively ramped it up to try to ruin someone's life with his large platform.

« Previous Page Next Page »