> Donaldson, now 42, is a self-taught hacker who never finished school, was briefly unhoused, and spent most of his twenties in a “positive hardcore punk band.” “It’s cool being smart,” he told me. “But if you can’t pay your bills, you’re a dumbass.”
> The domain “Copperhead.co” was registered by Donaldson in 2014 and incorporated in 2015 under both Donaldson’s and Micay’s names. The idea was that shares would be split equally, with Donaldson as CEO and Micay as de facto chief technology officer. Their flagship product
It sounds to me like some "business" characters I know well. They "handle the business" while someone else does 99% of the actual work, then ask to split 50/50. This didn't work out for Donaldson, and now he spends his time harassing Micay? Is that the gist or am I misreading?
> They "handle the business" while someone else does 99% of the actual work, then ask to split 50/50.
As a response, Micay decided to destroy the update signing keys for all the CopperheadOS devices out in the wild. Resulting in financial damages to Donaldson.
Hardly a level-headed response, even if you disagree about the financial share of something.
That is a perfectly level-headed response. Signing keys must be protected. In the event of a hostile takeover, where a malicious party seeks to compromise the privacy and security of your userbase, destroying the keys is a sensible decision. Failure to do so, and successful compromise of the keys, will let the malicious party push whatever update they want, and it will be accepted due to being signed correctly.
It was not a disagreement about shares, it was a hostile takeover. Someone who never owned the project sought to steal it.
> Hardly a level-headed response, even if you disagree about the financial share of something
According to the linked responses, the keys were not deleted because of disagreement over financial share, but over how the keys were to be used (in particular, in potentially dangerous security-wise ways), for which he did not want personal responsibility over (the keys belonged and used by him even before that project)
> in particular, in potentially dangerous security-wise ways
The claims by him are very vague. As I said in my other reply, I find a personal disagreement and some value conflict much more likely. Especially if the person has personally repeatedly demonstrated how disgruntled they can get with things. I find that immensely more likely without any real evidence of some hinted intelligence agency involvement.
The claims arent vague, they are quite specific in what happened. This wasnt spiteful and this wasnt disgruntled. It was the logical choice given the circumstances.
> The claims arent vague, they are quite specific in what happened.
So what are they? List them for all of us here. I see multiple conflicting claims under this post, with only small pieces of information being available. Yet somehow you are making very strong statements.
Phantom Secure is directly named as one of the parties Donaldson was dealing with, with others being suspected:
>Donaldson tried to make a deal with Phantom Secure, which ultimately didnt work out. Micay suspected other counterparties were linked to organized crime, but we cannot confirm those identities or ties on short notice. Donaldson began pursuing such deals before Micay left and continued afterward.
IMO its a lovely paradox that no one can argue against such a deletion. Either the party choosing deletion is reasonable so there are grounds for deletion or unreasonable and they are the grounds for deletion.
> We understand that Daniel's recollection was not that James wanted to know more information about how the signing keys were stored, but that he wanted direct access to them.
> Did you suspect his request was tied to a deal he was brokering with a large defense contractor? Did you believe this would put the entirety of CopperheadOS’ user base at risk?
So what? Causing someone financial damages isn't illegal. Your boss causes you financial damages when they fire you. Your competitor causes you financial damages when they offer a discount.
If Micay was a 50% owner, sounds like he didn't do anything illegal. Immature maybe, which simply puts him at parity with the other party involved.
Micay owns the whole project. Ownership of the project was not exchanged or divided, part of the explicit terms of the agreement were that Micay would hold the keys and ownership of the project just as they always have.
That's a terrible characteristic for an OS to have. That there's someone that can render it useless, someone that might do that, someone who has done that - all just because "they can".
Thats a characteristic all modern OSs and modern apps have. You need to trust the key holders, always. Some people make their own builds for this reason. Depends on tge threat model.
Yeah, that’s the issue. I don’t want people who behave immaturely, impulsively, or vindictively, having a key role in something as important as my phone os. I want stability, maturity, and thoughtfulness.
That is what CopperheadOS, and now GrapheneOS, provides. Its a level of "battle tested" that most OS and app devs never have the opportunity to have. Deleting the signing keys during a hostile takeover attempt rather than submitting to pressure or greed is an amazing quality that is rare to find. Nobody behaved or is behaving immaturely, impulsively, or vindictively.
Understandable wishes, but you might have to put something from yourself into it if this is a pressing concern. Or you will be left to your own corporate devices.
The GOS (GrapheneOS) lead had responded to criticisms like yours that he gladly retreats inside his tech role if others would take it upon them to refute the claims from rivals. So if you are that balanced, normal person, you could take that work out of his hands. Or help fund a full time PR person.
«In 2018, matters between Micay and Donaldson came to a head over Donaldson’s desire to pursue business deals with criminal organizations, and his attempts to compromise the security of CopperheadOS, including by proposing license enforcement and remote updating systems that would allow third-parties to have access to users’ phones. As part of this process, Donaldson began to demand that Micay provide Donaldson with the “signing keys” - i.e. the credentials required to verify the authenticity of releases of CopperheadOS. Donaldson advised that, in order to secure certain new business, potential customers required access to the Keys.»
Micay is rightfully paranoia, just having a GOS phone makes some government agencies quite mad. There are many ways a project like GOS could die, disinformation could certainly kill it. Other projects don't help the case if they throw mud at it. Rather, they should focus on their real technical shortcomings, but such articles aren't written somehow. https://eylenburg.github.io/android_comparison.htm
EDIT
> Should I make my own fork?
You could contact him to offer your help where he falls short.
Micay is not paranoid. Paranoia implies unsubstantiated fear. But they acted responsibly under pressure and the project is upfront with what happened to the public and to journalists alike.
Mental health and wellness issues in high tech research and development are everywhere. I would suggest that you focus on the product and what it can/cannot do for you.
Suggest away. It’s still a factor in my decision making, because if I can’t trust the developers to behave well, i can’t trust the product to continue to do what it says it can do for me.
They have proven to "behave well" for years. Destroying the signing keys in the midst of a hostile takeover is the responsible thing to do. Its for the safety of their users. Thats a commendable trait to have.
Things aren't only bad if they're illegal. There's plenty of bad things one can do that are perfectly legal, and plenty of good things one can do that are totally illegal.
I love GrapheneOS and I use it daily for more than 2 years. However, and as Louis Rossmann pointed out in one of his videos, they really need to work on the "defensiveness" and "rants" of their communication. Even when they are 99% right most of the time, they sometimes don't come as mature and professional.
My gut feel is that Micay is genuine, and obviously also very defensive.
At least some of the defensiveness is warranted. Maybe most of it. Regardless, it comes across in most GrapheneOS communications, and it's sometimes counterproductive.
A related issue, which I'm sure Micay can appreciate, is that users of GrapheneOS tend to be cautious, and increasingly will want to know why the project should be trusted, now that it is popular and on a lot of radars of adversaries.
(For example, hypothetical scenario that's plausible, given the incentives: State actor (e.g., RU, US, CN) or organized crime group long-con starts with a public harassment campaign of Micay. Followed by sleeper volunteers taking more control of the project, initially under the pretext of helping insulate Micay from harassment, and taking some of the load off. Later maybe even impersonating Micay. Now the threat actor has backdoors to a large number of especially privacy/security-conscious parties, including communications, 2FA, location, cryptocurrency wallets, internal networks where those people work, etc.)
I think it probably hasn't been compromised like that, but it's an obvious real possibility, and IMHO, until GrapheneOS is more transparent, some natural users of GrapheneOS are going to consider iPhone relatively "the devil you know".
Again, I think Micay is genuine, and I'm a fan of the project and appreciate it. And I hope the project understands that's compatible with critical thinking about infosec, and doesn't take personal offense at that.
(Source: Am long-time GrapheneOS user, and have donated.)
I agree that this is an issue, but it is impossible to prove a negative. The same could be said for Apple's or other manufacturer's signing keys. Who guarantees that the US government hasn't required access to the iOS signing keys? Or China in exchange for access to the Chinese market? They probably wouldn't even want to reveal that the signing keys were leaked if they were allowed to, since it would undermine their security story.
With a non-profit project of highly principled security experts, there is at least a high probability that they'd rather blow up the project than compromise. People elsewhere in the thread criticize Micay because he deleted the CopperheadOS keys, but to me it increases trust in the GrapheneOS project, since he clearly puts the security of his users over money, fear, and whatnot.
In the end trust arises from running a project or company long-term without evidence that you somehow compromised security.
I wonder in general how this situation could be improved. Second or third independent reproducible build + confirmation signing?
All of the defensiveness is warranted. They speak neutrally and objectively.
The project is not going to relinquish control to any 3rd party. Not even the Motorola partnership is given control over the GOS project. The hypothetical you describe is not possible by design.
The GOS project takes no issue with critical thinking, and encourages it. But that is often used as an excuse to handwave attacks. There is a very big difference between criticism/critical thinking and attacking them.
Note that there are more individuals in the project than Micay. Multiple people handle multiple responsibilities, its not one person.
Personally, I like that they come across as a little paranoid. That's exactly the attitude I want in the people protecting my privacy and security. I hope the developers lie awake at night, unable to fall asleep because terrified that someone somewhere is plotting to attack and exploit them
There's healthy paranoia and there's treating even casual commentary/criticism from anyone as an existential threat & coordinated attack...and responding to that with sustained, coordinated attack campaigns online. That's what Micay's history is.
This is false. Commentary and criticism is not treated as a coordinated attack. Coordinated attacks are treated as coordinated attacks. Criticism is often used as an excuse to try and hide attacks, and many people unfortunately cannot tell the difference. Kind of like this reply, which attacks Micay under the guise of criticism.
Well, they have had to deal with multiple swattings, constant misinformation from some competitors (e.g. Murena's CEO doing interviews with various media where they insinuate that security-hardened systems like GrapheneOS are only for criminals and secret agents, complete with 'think of the children'-style arguments), and some local/national governments boosting the narrative that GrapheneOS is for criminals.
So I can understand why they are as defensive as they are.
> ...responding to that with sustained, coordinated attack campaigns online. That's what Micay's history is.
For the rest, in general, I'm tempted to give grapheneOS the benefit of the doubt. Running any FOSS project is hard, running it against the (implicit) wishes of OEMs/Google (who throw in things like Play Integrity) is even harder, and doing it when 3 letter agencies at the US govt actively hate you is harder still.
Being paranoid in responses to FUD campaigns isn't ideal, but save coordinated attacks, I'd say fairly understandable.
Based on how discourse in the US has been perverted by inches and millions of mosquito bites they may not be wrong. Stamping out bad information fast and hard seems to be the only way to combat mass coordinated disinformation. Being polite just lets people play the "both sides have merit" game.
Rossmann is a way bigger ranter than GrapheneOS people. Have you seen some of his videos lol.
Rossmann wanted to work with GOS and they didn't want him. So Rossmann made that video to make Daniel look bad for revenge probably. Saying he was leaving GOS was a lie, not that GOS can push malicious updates which was also a huge lie. Even after pointing that out that part wasn't corrected because Louis doesn't care about accuracy, he only cares about making Daniel/GOS look bad. He used his big following to punish Daniel. Now he works with Nick from Calyx after he got pushed out and are doing business together.
The more you learn about the story, the more you see the Copperhead stuff was just the beginning and those involved held grudges and pushed their grudges onto more people who bought their lies and it continued. Privacy-focused OSes that pretend to compete with GrapheneOS suck. GrapheneOS is led by someone with integrity, unlike some other projects.
Anyone who participates in a website that exists to coordinate the doxxing and harassment of people into committing suicide is the absolute lowest kind of bottomfeeder in society, no better than a common murderer, and anything they say is completely worthless. The open source emulation community lost an unbelievably talented individual because of people like you. In a just society you should be completely ostracized for admitting this, if not outright put in a cage on conspiracy charges.
Rossmann publicly blasted a private discussion, twisting what was going on, and then lied to his own viewers. Such a claim from an identity verified kiwifarms account holder holds no weight.
GrapheneOSs posts are made to combat misinformation. Drawing public attention from those who may be misled and put at risk is how one combats misinfo. Its not ranting and its not somehow unreasonable to defend oneself.
Have you considered that the smooth-talking "mature" and "professional" people are more likely to sell your data to advertisers at the first opportunity?
Louis Rossmann caused a lot of harm to GOS and blasted them publicly for trying to raise issues privately. That is disgusting behaviour. He then lied to his own viewers about no longer using GrapheneOS, lied about fears of a targeted update despite that not being possible, among a lot of other things. Note he also has an identity verified kiwifarms account.
GOS only defends themselves from attacks. Its not that they are misinterpreting what is an attack, there are really just that many attacks. It leaves little room for much else than defense. Nobody should have to deal with the inhumane level of attacks.
There is no bad behaviour. Defending oneself isnt an unreasonable thing to do. GrapheneOS is entirely funded by donations and receives a lot of donations to this day. Them defending themselves is not an existential risk, the attacks against them are.
It's a personality type / disorder (pick your poison). There's no hope for change. Programming seems to attract such people, because they are fixated on being right and proving that they are right. I know a few more examples. My common sense policy is - if the software these types produce works for me, I will be using it, but I will never allow myself to be dependent on it. That kind of person will gladly burn their own house to the ground, with everyone in it, if that's what's required to prove their truths or maintain some kind of intellectual purity.
Nobody on the GrapheneOS team is mentally ill or unwell. There is no personality issue. Defending themselves is not an ubquenchable drive to be right, it is the right of anyone to be able to defend themselves.
One common personality disorder I see a lot is psychologizing your interlocutors to invalidate them, thus insulating you from having to think you're wrong about something
One common personality disorder I see is being extremely defensive when encountering any discussion of human psychology. This comes from a deep psychological fragility.
Ok, but what I'd be wrong about here? I'm not even claiming that the person in the article is that way. I don't know enough about them. I have noticed a certain trend, however, and that's what I was noting.
Durov is about as anti-Putin and russia in general as one can get. He go fucked hard in russia and has been going extremely hard against the censorship in russia. TG is one of the few chat apps that can avoid russia's suppression measures, when everything else working over internet fails.
Durov has been going hard against censorship because the pressure on Russians to switch to MAX might consign his own app to oblivion. But to call Durov “anti-Russia” when Telegram development and servers remained in Russia, is to ascribe to him a dissident status that he doesn’t actually deserve.
(Durov himself is known to regularly visit Russia, while denying he ever visits Russia. Telegram opened a Dubai office claiming that it was now a Dubai-headquartered company, but that was a mere legal formality; no one was actually there at that office, and journalists visiting it found that not even the building staff knew anything about Telegram. In practice, the company continues to exist out of Russia.)
Half of Russian military uses it in the field. I do not care what story that guy is spreading around about his affiliations or lack of with Russia. Zero trust. Never touching Telegram.
Fascinating read. I know nothing about any of this neither the parties involved nor Copperhead though I had heard of Graphene. To that end, I wish the response included a pre-amble for those like me who were not familiar with what was going on. I guess I could probably read the Wired article though. Still. good read and I loved the Q and A at the end.
(I know one historical connection that looks suspicious, but it could be explained by the fact that prestigious social network graphs in the US tend to be incestuous, and a closely-connected world.)
I know that GrapheneOS has almost a cult following on HN, but I'll make two comments.
1- GrapheneOS has a long history of long rants attacking people and projects. The leads will tell you that they're just correcting falsehoods etc, but a lot of companies/brands are target of falsehoods and don't bother to respond. I don't claim that GrapheneOS is wrong on anything they say, I'm just saying that these rants are a choice, and I see them as a red flag.
2- I once interacted with GrapheneOS on mastodon and I said something like the above. Something along the lines of "you know regardless of whether or not you're factually correct, these public attacks on other people companies are really bad for your image". Within 2 or 3 exchanged tweets they were threatening me with legal action. To me being a litigious project/person is an even bigger red flag than above. I have never in my life met someone who both lightly threatens legal action AND is an upstanding person.
Just my opinion, don't get upset over it.
EDIT: I just want to spell it out AGAIN - I don't claim that anything on their post is factually wrong, I have no idea.
Graphene is not a consumer brand and they do not intend to be a consumer brand. They do one thing: make as secure a phone OS as they can. That’s it. If you’re expecting them to do anything in a friendly way, it ain’t gonna happen, that’s not who they are or what they do. That will absolutely limit their scope and reach, but it also allows them to focus on the one thing they’re trying to do without making compromises.
For contrast, Signal is a very secure messenger which also wants to be user friendly so as to get the largest user base they can, which leads to all kinds of compromises - everything that’s come out that looks like a vulnerability in Signal originates in some feature or capability added to make the product more user friendly. Graphene will not make those trades.
Neither approach is de facto right - they spring from fundamentally different philosophies on how to maximize user safety, and both have been extremely successful in their missions, but you’ve gotta recognize what you’re looking at when you look at Graphene.
> They do one thing: make as secure a phone OS as they can. That’s it. If you’re expecting them to do anything in a friendly way, it ain’t gonna happen, that’s not who they are or what they do.
These things are not mutually exclusive:
You can make a great technical product while being friendly. You can make a great technical product while not being friendly.
You can make a compromised or flawed technical product while being friendly. You can make a compromised or flawed technical product while being unfriendly.
This comes up pretty often in other HN threads, unrelated to Graphene. There's this weird personality type who insists that they aren't legally obligated to be friendly or nice or pleasant, therefore it's fine for them to be unfriendly or jerks or unpleasant.
As a community organizer for systems programmers: welcome to my world! I've finally made some headway after a decade, helped by the mass layoff apocalypse. (Turns out social skills help you stay solvent.)
Actually, you can't make a great product if you've alienated your allies, because all successes are intrinsically social, from the iPhone to Python to even the processor itself.
Going it alone is that nineties libertarian romanticism, a persistent self-destructive tendency that in present market conditions is unsustainable
It's not just about being friendly. If they have a bubble around them of employees, true believers, and people just afraid of speaking out that chills free expression of criticism, the truth has trouble getting out, which hurts trust.
If they were doing that one thing, they would not have posted this. It's fine not to market to consumers, but this raises additional concerns about the founder's judgement. Someone else claimed that they deleted update signing keys for copperhead devices. That's seriously concerning if true; possibly bad enough to switch away from grapheneOS.
He deleted the signing keys because it looked like the other owner of Copperhead OS wanted to make the signing keys available to government agencies and/or criminal organizations. He deleted the signing keys to protect their users against malicious updates, which is the right thing to do and should increase trust in him and the project.
It's worth actually reading the linked post. Relevant segment:
In 2018, matters between Micay and Donaldson came to a head over Donaldson’s desire to pursue business deals with criminal organizations, and his attempts to compromise the security of CopperheadOS, including by proposing license enforcement and remote updating systems that would allow third-parties to have access to users’ phones. As part of this process, Donaldson began to demand that Micay provide Donaldson with the “signing keys” - i.e. the credentials required to verify the authenticity of releases of CopperheadOS. Donaldson advised that, in order to secure certain new business, potential customers required access to the Keys.
The keys had been in continuous use by Micay, in his personal capacity, since before the incorporation of Copperhead. However, more importantly, any party with the keys could mark malicious software as “authentic”, and thereby infiltrate devices using CopperheadOS.
Micay was unwilling to participate in that kind of security breach. Since Donaldson had control over certain infrastructure for the open source project, he would be able to incorporate (or hire others to incorporate) the privacy-damaging features described above for all future releases of CopperheadOS. Micay therefore deleted the keys permanently and severed ties with Copperhead and Donaldson.
> Something along the lines of "you know regardless of whether or not you're factually correct, these public attacks on other people companies are really bad for your image"
Sometimes they aren't even factually correct and get a bit upset about it when called out.
Anyways, I have gotten the same impression and these seem like red flags to me as well.
Which is why I'd take everything in that response with a mountain of salt (and I'd pay attention to what they're not saying).
Yes, I don't like when anybody spreads falsehoods about any important free software. Do you?
However your example is unrelated. Their arguments were rather reasonable and informative in the discussion you linked to. So I don't complain about that anymore.
More context on experiences with Micay[1]. Also went on long rant at Louis Rossmann[2] in an very knee-jerk tone, which led Rossmann to stop using it despite being a long-term advocate for GOS, due to trust issues. Likewise I don't doubt they're talented.
One of the main criteria to differentiate "rants" from "correcting falsehoods" is proper citing of sources. In the case of Grapheneos, unfortunately I often see very few sources in what they post online.
(But, if you ignore the rants, that's a fantastic OS.)
Do you have a link to the mastodon interaction where they threatened you with legal action?
I ask because I'd be pretty disappointed in GrapheneOS over that kind of thing and it'd probably at least partially change my opinion of them, but it's better to validate these types of serious accusations and get the full context.
I'm a former Copperhead customer and GrapheneOS user.
Daniel Micay has a history of absolutely unhinged behavior online to the point that 2.5 years ago community backlash to his public behavior basically forced him to step down from leading the project.
Great project. It's hard for me to say if things have gotten better or worse since the change, but at the very least things had been quiet and drama-free for a few years. Finally.
i think a lot of attention is rightly attributed to like, i dunno say tiktok/ig "influencing" and how that can send people who gain a lot of notoriety off the deep end. it absolutely has. but so do software projects.
not enough people talk about how software projects also offer up a similar kind of atmosphere: you're suddenly hyperconnected with a whole bunch of humans you don't know and are receiving feedback from people outside of your immediate community. "hackers" for all the interesting ways they've contributed to computer science over the decades also have branches spawned from the original chronically-online, highly-opinionated and sort of antisocial and poorly adjusted sects of civilization. being the face of a project is like pouring rocket fuel on whatever predispositions you might have, and on more than one occasion we've seen people go from occasionally unhinged person to seriously unhinged.
this comes with a lot of bad outcomes for quite a few people, primarily it always has some serious amplification qualities to egos and narcissism. and for genuinely good and kind people who are just trying to share their value/contributions and are suddenly jettisoned into spotlights, we often see them suddenly step back and discontinue work on a project entirely.
we often see these departures and think solely "must be burn out" and don't put much more thought into what that means. but we don't do enough to frame how software projects just elevate people into a position that most people don't do a good job in mentally and socially, and how it deteriorates the pieces of them that make them feel like they're valuable members of a community/tribe. some have luck making their project communities their tribe, but that's obviously a risky step to take. for many who have a successful project, sometimes it starts as the most validation they've ever received and then they don't know how to reconcile with the exponentially-widened audience when negative reception starts pouring in.
daniel micay is just one of like.. many in these sorts of projects i've seen who are simply unfit for the role. for many reasons, i don't think he's a pleasant person at all. i don't have any answers here. i also see this in homebrew scenes for gaming, it's like my least-favorite human petri dish of software development enjoyers. lot of oddball developers in that space and quite a lot of incredibly dramatic fallouts and theatrics that seem to come with the anonymous nature of not tacking your real name / identity to a project, and a consuming audience that has zero idea what goes into development so the negative feedback/demands that come in are in their own way unhinged.
#1 imo is the fact that some orgs are resilient to libel, and some are heavily affected. If someone is lying about your security protect in order to harm your reputation, I don't find it odd to respond with some zeal.
#2 on the other hand sounds unhinged, though no source is provided. Threatening legal action for broad criticism of project management is wild.
Many people don't understand the degree to which you have to be a socially awkward weirdo to muck around with custom Android ROMs. It takes that level of dedication.
> Donaldson, now 42, is a self-taught hacker who never finished school, was briefly unhoused, and spent most of his twenties in a “positive hardcore punk band.” “It’s cool being smart,” he told me. “But if you can’t pay your bills, you’re a dumbass.”
> The domain “Copperhead.co” was registered by Donaldson in 2014 and incorporated in 2015 under both Donaldson’s and Micay’s names. The idea was that shares would be split equally, with Donaldson as CEO and Micay as de facto chief technology officer. Their flagship product
It sounds to me like some "business" characters I know well. They "handle the business" while someone else does 99% of the actual work, then ask to split 50/50. This didn't work out for Donaldson, and now he spends his time harassing Micay? Is that the gist or am I misreading?
> They "handle the business" while someone else does 99% of the actual work, then ask to split 50/50.
As a response, Micay decided to destroy the update signing keys for all the CopperheadOS devices out in the wild. Resulting in financial damages to Donaldson.
Hardly a level-headed response, even if you disagree about the financial share of something.
That is a perfectly level-headed response. Signing keys must be protected. In the event of a hostile takeover, where a malicious party seeks to compromise the privacy and security of your userbase, destroying the keys is a sensible decision. Failure to do so, and successful compromise of the keys, will let the malicious party push whatever update they want, and it will be accepted due to being signed correctly.
It was not a disagreement about shares, it was a hostile takeover. Someone who never owned the project sought to steal it.
> Hardly a level-headed response, even if you disagree about the financial share of something
According to the linked responses, the keys were not deleted because of disagreement over financial share, but over how the keys were to be used (in particular, in potentially dangerous security-wise ways), for which he did not want personal responsibility over (the keys belonged and used by him even before that project)
> in particular, in potentially dangerous security-wise ways
The claims by him are very vague. As I said in my other reply, I find a personal disagreement and some value conflict much more likely. Especially if the person has personally repeatedly demonstrated how disgruntled they can get with things. I find that immensely more likely without any real evidence of some hinted intelligence agency involvement.
The claims arent vague, they are quite specific in what happened. This wasnt spiteful and this wasnt disgruntled. It was the logical choice given the circumstances.
> The claims arent vague, they are quite specific in what happened.
So what are they? List them for all of us here. I see multiple conflicting claims under this post, with only small pieces of information being available. Yet somehow you are making very strong statements.
Phantom Secure is directly named as one of the parties Donaldson was dealing with, with others being suspected:
>Donaldson tried to make a deal with Phantom Secure, which ultimately didnt work out. Micay suspected other counterparties were linked to organized crime, but we cannot confirm those identities or ties on short notice. Donaldson began pursuing such deals before Micay left and continued afterward.
https://discuss.grapheneos.org/d/34369-original-grapheneos-r...
Sometimes deleting it all is the only principled action https://www.theguardian.com/technology/2013/aug/08/lavabit-e...
IMO its a lovely paradox that no one can argue against such a deletion. Either the party choosing deletion is reasonable so there are grounds for deletion or unreasonable and they are the grounds for deletion.
The keys got wiped for way spookier reasons than Micay wanting money.
Intelligence wanted in, and Donaldson seemingly would have been happy to oblige.
Are there any articles about that?
From the story you’re commenting on:
> From Wired:
> We understand that Daniel's recollection was not that James wanted to know more information about how the signing keys were stored, but that he wanted direct access to them.
> Did you suspect his request was tied to a deal he was brokering with a large defense contractor? Did you believe this would put the entirety of CopperheadOS’ user base at risk?
> Yes and yes.
What is your source for this?
TFA.
Reddit and IRC/etc logs from the period are illuminating, too.
"Financial damages".
So what? Causing someone financial damages isn't illegal. Your boss causes you financial damages when they fire you. Your competitor causes you financial damages when they offer a discount.
If Micay was a 50% owner, sounds like he didn't do anything illegal. Immature maybe, which simply puts him at parity with the other party involved.
> Causing someone financial damages isn't illegal. [...] If Micay was a 50% owner, sounds like he didn't do anything illegal.
IANAL but that does sound illegal to me.
> Immature maybe, which simply puts him at parity with the other party involved.
How is that parity, equal amount of immaturity? It's like burning down a house to prove some ideological point about real estate.
More like the coordinates of a home were burned to protect its occupants. It was a practical choice, not an ideological one.
If you own something you can do what you want with it including rendering it useless
If you own all of it, yes. If you only own most of it, the minority owners do have some rights -- just fewer than you do.
Micay owns the whole project. Ownership of the project was not exchanged or divided, part of the explicit terms of the agreement were that Micay would hold the keys and ownership of the project just as they always have.
Sure!
That's a terrible characteristic for an OS to have. That there's someone that can render it useless, someone that might do that, someone who has done that - all just because "they can".
Thats a characteristic all modern OSs and modern apps have. You need to trust the key holders, always. Some people make their own builds for this reason. Depends on tge threat model.
> Thats a characteristic all modern OSs and modern apps have.
It is not. There isn't a single mainstream distro where a single person can break updates for its entire userbase.
> Immature maybe
Yeah, that’s the issue. I don’t want people who behave immaturely, impulsively, or vindictively, having a key role in something as important as my phone os. I want stability, maturity, and thoughtfulness.
That is what CopperheadOS, and now GrapheneOS, provides. Its a level of "battle tested" that most OS and app devs never have the opportunity to have. Deleting the signing keys during a hostile takeover attempt rather than submitting to pressure or greed is an amazing quality that is rare to find. Nobody behaved or is behaving immaturely, impulsively, or vindictively.
Understandable wishes, but you might have to put something from yourself into it if this is a pressing concern. Or you will be left to your own corporate devices.
What exactly are you suggesting? If i go help out at the graphene os project, that won’t change their leadership. Should I make my own fork?
The GOS (GrapheneOS) lead had responded to criticisms like yours that he gladly retreats inside his tech role if others would take it upon them to refute the claims from rivals. So if you are that balanced, normal person, you could take that work out of his hands. Or help fund a full time PR person.
«In 2018, matters between Micay and Donaldson came to a head over Donaldson’s desire to pursue business deals with criminal organizations, and his attempts to compromise the security of CopperheadOS, including by proposing license enforcement and remote updating systems that would allow third-parties to have access to users’ phones. As part of this process, Donaldson began to demand that Micay provide Donaldson with the “signing keys” - i.e. the credentials required to verify the authenticity of releases of CopperheadOS. Donaldson advised that, in order to secure certain new business, potential customers required access to the Keys.»
Micay is rightfully paranoia, just having a GOS phone makes some government agencies quite mad. There are many ways a project like GOS could die, disinformation could certainly kill it. Other projects don't help the case if they throw mud at it. Rather, they should focus on their real technical shortcomings, but such articles aren't written somehow. https://eylenburg.github.io/android_comparison.htm
EDIT
You could contact him to offer your help where he falls short.Micay is not paranoid. Paranoia implies unsubstantiated fear. But they acted responsibly under pressure and the project is upfront with what happened to the public and to journalists alike.
Then avoid GrapheneOS
Mental health and wellness issues in high tech research and development are everywhere. I would suggest that you focus on the product and what it can/cannot do for you.
Suggest away. It’s still a factor in my decision making, because if I can’t trust the developers to behave well, i can’t trust the product to continue to do what it says it can do for me.
They have proven to "behave well" for years. Destroying the signing keys in the midst of a hostile takeover is the responsible thing to do. Its for the safety of their users. Thats a commendable trait to have.
None of the GraoheneOS development team is mentally ill or unwell.
When you have to trust the OS images generated by the authors it becomes a massive issue.
You always trust the developers of software. The only way to stop that is to not use the software.
The path to maturity requires immaturity.
Deleting the signing keys for the sake of protecting ones users is the mature and responsible thing to do.
Things aren't only bad if they're illegal. There's plenty of bad things one can do that are perfectly legal, and plenty of good things one can do that are totally illegal.
And there are legal remedies to create deterrents without a court. Boycotts, journalism or new competition.
I love GrapheneOS and I use it daily for more than 2 years. However, and as Louis Rossmann pointed out in one of his videos, they really need to work on the "defensiveness" and "rants" of their communication. Even when they are 99% right most of the time, they sometimes don't come as mature and professional.
My gut feel is that Micay is genuine, and obviously also very defensive.
At least some of the defensiveness is warranted. Maybe most of it. Regardless, it comes across in most GrapheneOS communications, and it's sometimes counterproductive.
A related issue, which I'm sure Micay can appreciate, is that users of GrapheneOS tend to be cautious, and increasingly will want to know why the project should be trusted, now that it is popular and on a lot of radars of adversaries.
(For example, hypothetical scenario that's plausible, given the incentives: State actor (e.g., RU, US, CN) or organized crime group long-con starts with a public harassment campaign of Micay. Followed by sleeper volunteers taking more control of the project, initially under the pretext of helping insulate Micay from harassment, and taking some of the load off. Later maybe even impersonating Micay. Now the threat actor has backdoors to a large number of especially privacy/security-conscious parties, including communications, 2FA, location, cryptocurrency wallets, internal networks where those people work, etc.)
I think it probably hasn't been compromised like that, but it's an obvious real possibility, and IMHO, until GrapheneOS is more transparent, some natural users of GrapheneOS are going to consider iPhone relatively "the devil you know".
Again, I think Micay is genuine, and I'm a fan of the project and appreciate it. And I hope the project understands that's compatible with critical thinking about infosec, and doesn't take personal offense at that.
(Source: Am long-time GrapheneOS user, and have donated.)
I agree that this is an issue, but it is impossible to prove a negative. The same could be said for Apple's or other manufacturer's signing keys. Who guarantees that the US government hasn't required access to the iOS signing keys? Or China in exchange for access to the Chinese market? They probably wouldn't even want to reveal that the signing keys were leaked if they were allowed to, since it would undermine their security story.
With a non-profit project of highly principled security experts, there is at least a high probability that they'd rather blow up the project than compromise. People elsewhere in the thread criticize Micay because he deleted the CopperheadOS keys, but to me it increases trust in the GrapheneOS project, since he clearly puts the security of his users over money, fear, and whatnot.
In the end trust arises from running a project or company long-term without evidence that you somehow compromised security.
I wonder in general how this situation could be improved. Second or third independent reproducible build + confirmation signing?
All of the defensiveness is warranted. They speak neutrally and objectively.
The project is not going to relinquish control to any 3rd party. Not even the Motorola partnership is given control over the GOS project. The hypothetical you describe is not possible by design.
The GOS project takes no issue with critical thinking, and encourages it. But that is often used as an excuse to handwave attacks. There is a very big difference between criticism/critical thinking and attacking them.
Note that there are more individuals in the project than Micay. Multiple people handle multiple responsibilities, its not one person.
Personally, I like that they come across as a little paranoid. That's exactly the attitude I want in the people protecting my privacy and security. I hope the developers lie awake at night, unable to fall asleep because terrified that someone somewhere is plotting to attack and exploit them
Thats... a horrible thing to want for someone. No one on the GrapheneOS team is paranoid or mentally ill.
There's healthy paranoia and there's treating even casual commentary/criticism from anyone as an existential threat & coordinated attack...and responding to that with sustained, coordinated attack campaigns online. That's what Micay's history is.
That's not healthy for any project.
This is false. Commentary and criticism is not treated as a coordinated attack. Coordinated attacks are treated as coordinated attacks. Criticism is often used as an excuse to try and hide attacks, and many people unfortunately cannot tell the difference. Kind of like this reply, which attacks Micay under the guise of criticism.
Well, they have had to deal with multiple swattings, constant misinformation from some competitors (e.g. Murena's CEO doing interviews with various media where they insinuate that security-hardened systems like GrapheneOS are only for criminals and secret agents, complete with 'think of the children'-style arguments), and some local/national governments boosting the narrative that GrapheneOS is for criminals.
So I can understand why they are as defensive as they are.
Could you share a link or something about this?
> ...responding to that with sustained, coordinated attack campaigns online. That's what Micay's history is.
For the rest, in general, I'm tempted to give grapheneOS the benefit of the doubt. Running any FOSS project is hard, running it against the (implicit) wishes of OEMs/Google (who throw in things like Play Integrity) is even harder, and doing it when 3 letter agencies at the US govt actively hate you is harder still.
Being paranoid in responses to FUD campaigns isn't ideal, but save coordinated attacks, I'd say fairly understandable.
No one on the GrapheneOS team is paranoid.
Recently, the socials have been more moderate and level-headed, imo.
Based on how discourse in the US has been perverted by inches and millions of mosquito bites they may not be wrong. Stamping out bad information fast and hard seems to be the only way to combat mass coordinated disinformation. Being polite just lets people play the "both sides have merit" game.
https://xkcd.com/225/
That's hilarious thanks for sharing.
Realistically Stallman would start lecturing them on how his licenses are not open source.
Richard Stallman would most certainly not use the term open source to lecture somebody about free software.
When Louis Rossmann thinks your communication has a problem with going on rants, it must be pretty out there.
Rossmann is a way bigger ranter than GrapheneOS people. Have you seen some of his videos lol.
Rossmann wanted to work with GOS and they didn't want him. So Rossmann made that video to make Daniel look bad for revenge probably. Saying he was leaving GOS was a lie, not that GOS can push malicious updates which was also a huge lie. Even after pointing that out that part wasn't corrected because Louis doesn't care about accuracy, he only cares about making Daniel/GOS look bad. He used his big following to punish Daniel. Now he works with Nick from Calyx after he got pushed out and are doing business together.
The more you learn about the story, the more you see the Copperhead stuff was just the beginning and those involved held grudges and pushed their grudges onto more people who bought their lies and it continued. Privacy-focused OSes that pretend to compete with GrapheneOS suck. GrapheneOS is led by someone with integrity, unlike some other projects.
Louis has a Kiwifarms[1] account.
[1] https://en.wikipedia.org/wiki/Kiwi_Farms
So do I. What's your point?
The point is, you are a terrible human if you subscribe to that trash. Wake the fuck up man, that shit is awful.
Anyone who participates in a website that exists to coordinate the doxxing and harassment of people into committing suicide is the absolute lowest kind of bottomfeeder in society, no better than a common murderer, and anything they say is completely worthless. The open source emulation community lost an unbelievably talented individual because of people like you. In a just society you should be completely ostracized for admitting this, if not outright put in a cage on conspiracy charges.
Rossmann publicly blasted a private discussion, twisting what was going on, and then lied to his own viewers. Such a claim from an identity verified kiwifarms account holder holds no weight.
> However, and as Louis Rossmann pointed out in one of his videos, they really need to work on the "defensiveness" and "rants" of their communication
Not that I disagree but Louis Rossmann giving someone advice to tone down the rants is ironic.
The difference is that Louis' rants are contained to his channel and largely only paid attention to by his fanbase.
Micay rants are most often on other peoples' platforms and he deliberately tries to draw as much public attention as he can muster.
GrapheneOSs posts are made to combat misinformation. Drawing public attention from those who may be misled and put at risk is how one combats misinfo. Its not ranting and its not somehow unreasonable to defend oneself.
Have you considered that the smooth-talking "mature" and "professional" people are more likely to sell your data to advertisers at the first opportunity?
Louis Rossmann caused a lot of harm to GOS and blasted them publicly for trying to raise issues privately. That is disgusting behaviour. He then lied to his own viewers about no longer using GrapheneOS, lied about fears of a targeted update despite that not being possible, among a lot of other things. Note he also has an identity verified kiwifarms account.
GOS only defends themselves from attacks. Its not that they are misinterpreting what is an attack, there are really just that many attacks. It leaves little room for much else than defense. Nobody should have to deal with the inhumane level of attacks.
It would be interesting if there were a state sponsored effort to discredit a project that helps some people keep their communications private.
There might be one, in France.
Being "right" shouldn't excuse bad behavior, especially if you depend entirely on a community to survive, which we all do.
There is no bad behaviour. Defending oneself isnt an unreasonable thing to do. GrapheneOS is entirely funded by donations and receives a lot of donations to this day. Them defending themselves is not an existential risk, the attacks against them are.
It's a personality type / disorder (pick your poison). There's no hope for change. Programming seems to attract such people, because they are fixated on being right and proving that they are right. I know a few more examples. My common sense policy is - if the software these types produce works for me, I will be using it, but I will never allow myself to be dependent on it. That kind of person will gladly burn their own house to the ground, with everyone in it, if that's what's required to prove their truths or maintain some kind of intellectual purity.
Nobody on the GrapheneOS team is mentally ill or unwell. There is no personality issue. Defending themselves is not an ubquenchable drive to be right, it is the right of anyone to be able to defend themselves.
One common personality disorder I see a lot is psychologizing your interlocutors to invalidate them, thus insulating you from having to think you're wrong about something
Classic OCPD behaviour
One common personality disorder I see is being extremely defensive when encountering any discussion of human psychology. This comes from a deep psychological fragility.
Classic OAD (Obvious Asshole Disorder)
You couldn't even bother to google an actual disorder! Bah, you insult me :)
Ok, but what I'd be wrong about here? I'm not even claiming that the person in the article is that way. I don't know enough about them. I have noticed a certain trend, however, and that's what I was noting.
I personally can't understand why anyone bothers doing open source anything.
This Micay guy spends so much time and does something hugely beneficial and we're arguing about how he responds to criticism?
I'd rather direct and blunt rather than the weasel words and lies most companies put out.
The GrapheneOS team does find corporate speak/slop to be undesirable. I appreciate that a lot.
The fact that graphane is getting attacked speaks enough for it's relability. First in france now in Wired.
I'm more concerned that Signal incorporated in US is having easy life.
> I'm more concerned that Signal incorporated in US is having easy life.
To add - ironically, it was Durov (Telegram founder) who got arrested in Paris.
I don't find it ironic at all. Zero trust for anything Russia related.
Durov is about as anti-Putin and russia in general as one can get. He go fucked hard in russia and has been going extremely hard against the censorship in russia. TG is one of the few chat apps that can avoid russia's suppression measures, when everything else working over internet fails.
Durov has been going hard against censorship because the pressure on Russians to switch to MAX might consign his own app to oblivion. But to call Durov “anti-Russia” when Telegram development and servers remained in Russia, is to ascribe to him a dissident status that he doesn’t actually deserve.
(Durov himself is known to regularly visit Russia, while denying he ever visits Russia. Telegram opened a Dubai office claiming that it was now a Dubai-headquartered company, but that was a mere legal formality; no one was actually there at that office, and journalists visiting it found that not even the building staff knew anything about Telegram. In practice, the company continues to exist out of Russia.)
Half of Russian military uses it in the field. I do not care what story that guy is spreading around about his affiliations or lack of with Russia. Zero trust. Never touching Telegram.
he is not pro-Putin, the Telegram team was forced to leave and it has been blocked several times in Russia.
Not being pro-Putin doesn’t really matter to Putin. If he tells Durov to sit and be a good dog, Durov will sit and be a good dog.
https://www.youtube.com/watch?v=48Kk7kobMQY
Fascinating read. I know nothing about any of this neither the parties involved nor Copperhead though I had heard of Graphene. To that end, I wish the response included a pre-amble for those like me who were not familiar with what was going on. I guess I could probably read the Wired article though. Still. good read and I loved the Q and A at the end.
The WIRED article may as well have been written by an unhinged AI as it hasn't been properly fact checked before being published.
WIRED magazine is essentially one of the strongest extensions of the CIA's "great Wurlitzer" so I am not surprised to read this one bit.
Evidence?
(I know one historical connection that looks suspicious, but it could be explained by the fact that prestigious social network graphs in the US tend to be incestuous, and a closely-connected world.)
Citation needed
Wired article:
They Built a Legendary Privacy Tool. Now They're Sworn Enemies https://www.wired.com/story/they-built-privacy-tool-graphene... (https://archive.ph/pbJu9)
That archive.ph link has a nasty captcha I can't seem to pass with regular Chrome nor Firefox. Is there a mirror of that mirror?
https://removepaywalls.com/https://www.wired.com/story/they-...
I think this micay guy is a little paranoid
Context: https://archive.is/pbJu9
I know that GrapheneOS has almost a cult following on HN, but I'll make two comments.
1- GrapheneOS has a long history of long rants attacking people and projects. The leads will tell you that they're just correcting falsehoods etc, but a lot of companies/brands are target of falsehoods and don't bother to respond. I don't claim that GrapheneOS is wrong on anything they say, I'm just saying that these rants are a choice, and I see them as a red flag.
2- I once interacted with GrapheneOS on mastodon and I said something like the above. Something along the lines of "you know regardless of whether or not you're factually correct, these public attacks on other people companies are really bad for your image". Within 2 or 3 exchanged tweets they were threatening me with legal action. To me being a litigious project/person is an even bigger red flag than above. I have never in my life met someone who both lightly threatens legal action AND is an upstanding person.
Just my opinion, don't get upset over it.
EDIT: I just want to spell it out AGAIN - I don't claim that anything on their post is factually wrong, I have no idea.
Graphene is not a consumer brand and they do not intend to be a consumer brand. They do one thing: make as secure a phone OS as they can. That’s it. If you’re expecting them to do anything in a friendly way, it ain’t gonna happen, that’s not who they are or what they do. That will absolutely limit their scope and reach, but it also allows them to focus on the one thing they’re trying to do without making compromises.
For contrast, Signal is a very secure messenger which also wants to be user friendly so as to get the largest user base they can, which leads to all kinds of compromises - everything that’s come out that looks like a vulnerability in Signal originates in some feature or capability added to make the product more user friendly. Graphene will not make those trades.
Neither approach is de facto right - they spring from fundamentally different philosophies on how to maximize user safety, and both have been extremely successful in their missions, but you’ve gotta recognize what you’re looking at when you look at Graphene.
> They do one thing: make as secure a phone OS as they can. That’s it. If you’re expecting them to do anything in a friendly way, it ain’t gonna happen, that’s not who they are or what they do.
These things are not mutually exclusive:
You can make a great technical product while being friendly. You can make a great technical product while not being friendly.
You can make a compromised or flawed technical product while being friendly. You can make a compromised or flawed technical product while being unfriendly.
This comes up pretty often in other HN threads, unrelated to Graphene. There's this weird personality type who insists that they aren't legally obligated to be friendly or nice or pleasant, therefore it's fine for them to be unfriendly or jerks or unpleasant.
As a community organizer for systems programmers: welcome to my world! I've finally made some headway after a decade, helped by the mass layoff apocalypse. (Turns out social skills help you stay solvent.)
Actually, you can't make a great product if you've alienated your allies, because all successes are intrinsically social, from the iPhone to Python to even the processor itself.
Going it alone is that nineties libertarian romanticism, a persistent self-destructive tendency that in present market conditions is unsustainable
It's not just about being friendly. If they have a bubble around them of employees, true believers, and people just afraid of speaking out that chills free expression of criticism, the truth has trouble getting out, which hurts trust.
Still a user though.
If they were doing that one thing, they would not have posted this. It's fine not to market to consumers, but this raises additional concerns about the founder's judgement. Someone else claimed that they deleted update signing keys for copperhead devices. That's seriously concerning if true; possibly bad enough to switch away from grapheneOS.
He deleted the signing keys because it looked like the other owner of Copperhead OS wanted to make the signing keys available to government agencies and/or criminal organizations. He deleted the signing keys to protect their users against malicious updates, which is the right thing to do and should increase trust in him and the project.
It's worth actually reading the linked post. Relevant segment:
In 2018, matters between Micay and Donaldson came to a head over Donaldson’s desire to pursue business deals with criminal organizations, and his attempts to compromise the security of CopperheadOS, including by proposing license enforcement and remote updating systems that would allow third-parties to have access to users’ phones. As part of this process, Donaldson began to demand that Micay provide Donaldson with the “signing keys” - i.e. the credentials required to verify the authenticity of releases of CopperheadOS. Donaldson advised that, in order to secure certain new business, potential customers required access to the Keys.
The keys had been in continuous use by Micay, in his personal capacity, since before the incorporation of Copperhead. However, more importantly, any party with the keys could mark malicious software as “authentic”, and thereby infiltrate devices using CopperheadOS.
Micay was unwilling to participate in that kind of security breach. Since Donaldson had control over certain infrastructure for the open source project, he would be able to incorporate (or hire others to incorporate) the privacy-damaging features described above for all future releases of CopperheadOS. Micay therefore deleted the keys permanently and severed ties with Copperhead and Donaldson.
I’d prefer that the people behind an OS I’m using on important devices be stable, for hopefully obvious reasons.
Stable people don't do crazy things like make a new OS in their spare time.
Stable people can do even more crazy and secure things like, e.g., Qubes OS.
> Something along the lines of "you know regardless of whether or not you're factually correct, these public attacks on other people companies are really bad for your image"
Sometimes they aren't even factually correct and get a bit upset about it when called out.
Anyways, I have gotten the same impression and these seem like red flags to me as well.
Which is why I'd take everything in that response with a mountain of salt (and I'd pay attention to what they're not saying).
> Sometimes they aren't even factually correct and get a bit upset about it when called out.
Example: https://news.ycombinator.com/item?id=47248521
There you go again.
Example: https://news.ycombinator.com/item?id=47247016
Yes, I don't like when anybody spreads falsehoods about any important free software. Do you?
However your example is unrelated. Their arguments were rather reasonable and informative in the discussion you linked to. So I don't complain about that anymore.
More context on experiences with Micay[1]. Also went on long rant at Louis Rossmann[2] in an very knee-jerk tone, which led Rossmann to stop using it despite being a long-term advocate for GOS, due to trust issues. Likewise I don't doubt they're talented.
[1] https://news.ycombinator.com/item?id=36089104
[2] https://www.youtube.com/watch?v=4To-F6W1NT0
One of the main criteria to differentiate "rants" from "correcting falsehoods" is proper citing of sources. In the case of Grapheneos, unfortunately I often see very few sources in what they post online.
(But, if you ignore the rants, that's a fantastic OS.)
"They have a long history of long rants attacking people and projects" in response to a long post...
You are very much saying that OP is an attack post.
Or at least implying the point that it is tonally dissonant to claim otherwise.
If you didn't believe it was wrong you would comment on the post but you are explicitly avoiding doing that.
Do you have a link to the mastodon interaction where they threatened you with legal action?
I ask because I'd be pretty disappointed in GrapheneOS over that kind of thing and it'd probably at least partially change my opinion of them, but it's better to validate these types of serious accusations and get the full context.
Do you have links to #2
Is there a similarly bombastic take on Motorola somewhere?
I'm a former Copperhead customer and GrapheneOS user.
Daniel Micay has a history of absolutely unhinged behavior online to the point that 2.5 years ago community backlash to his public behavior basically forced him to step down from leading the project.
Great project. It's hard for me to say if things have gotten better or worse since the change, but at the very least things had been quiet and drama-free for a few years. Finally.
Until today that is.
i think a lot of attention is rightly attributed to like, i dunno say tiktok/ig "influencing" and how that can send people who gain a lot of notoriety off the deep end. it absolutely has. but so do software projects.
not enough people talk about how software projects also offer up a similar kind of atmosphere: you're suddenly hyperconnected with a whole bunch of humans you don't know and are receiving feedback from people outside of your immediate community. "hackers" for all the interesting ways they've contributed to computer science over the decades also have branches spawned from the original chronically-online, highly-opinionated and sort of antisocial and poorly adjusted sects of civilization. being the face of a project is like pouring rocket fuel on whatever predispositions you might have, and on more than one occasion we've seen people go from occasionally unhinged person to seriously unhinged.
this comes with a lot of bad outcomes for quite a few people, primarily it always has some serious amplification qualities to egos and narcissism. and for genuinely good and kind people who are just trying to share their value/contributions and are suddenly jettisoned into spotlights, we often see them suddenly step back and discontinue work on a project entirely.
we often see these departures and think solely "must be burn out" and don't put much more thought into what that means. but we don't do enough to frame how software projects just elevate people into a position that most people don't do a good job in mentally and socially, and how it deteriorates the pieces of them that make them feel like they're valuable members of a community/tribe. some have luck making their project communities their tribe, but that's obviously a risky step to take. for many who have a successful project, sometimes it starts as the most validation they've ever received and then they don't know how to reconcile with the exponentially-widened audience when negative reception starts pouring in.
daniel micay is just one of like.. many in these sorts of projects i've seen who are simply unfit for the role. for many reasons, i don't think he's a pleasant person at all. i don't have any answers here. i also see this in homebrew scenes for gaming, it's like my least-favorite human petri dish of software development enjoyers. lot of oddball developers in that space and quite a lot of incredibly dramatic fallouts and theatrics that seem to come with the anonymous nature of not tacking your real name / identity to a project, and a consuming audience that has zero idea what goes into development so the negative feedback/demands that come in are in their own way unhinged.
I'm well familiar with what you're talking about. I see it in the emulation space as well. Famously so with byuu/near.
We have all of the parasocial behavior from bystanders as well. Cult mentalities and hero-worship. It's quite a strange phenomenon.
oh god yeah the emulation space is absurd.
Welcome to the artworld. 19th century European artist culture resurfaces. Don't cut off your ear :)
#1 imo is the fact that some orgs are resilient to libel, and some are heavily affected. If someone is lying about your security protect in order to harm your reputation, I don't find it odd to respond with some zeal.
#2 on the other hand sounds unhinged, though no source is provided. Threatening legal action for broad criticism of project management is wild.
I just realized that Lineage and Graphene are two separate projects.
Many people don't understand the degree to which you have to be a socially awkward weirdo to muck around with custom Android ROMs. It takes that level of dedication.