Well, he can do everything to your phone, software and data by pushing software updates. When there was a dispute in the former project copperhead he deleted the cryptographic keys, blocking software updates. Paranoia could result in just making the system more secure, but why not add a backdoor to find the spies in your userbases that communicate with the black suited men that secretly run our government? After all it is easy, they all play a specific game where they communicate via secret messages in chat.

You just don't know what will happen is what I'm saying.

The "he has root" is also a reference to ubuntus shuttleworth.

▲

gf000 2 days ago | parent | next [-]

> when there was a dispute in the former project copperhead

You mean who tried to hijack the project in a very questionable direction, harming their users, he rather lighted the project on fire then let the users' security be compromised?

If anything, that is the greatest compliment you could give him.

Also, this is fud that he can push any kind of code, like you can easily check any part of the pipeline.

▲

bernoufakis 2 days ago | parent [-]

> You mean who tried to hijack the project in a very questionable direction, harming their users, he rather lighted the project on fire then let the users' security be compromised? > If anything, that is the greatest compliment you could give him.

On one hand, sure it can be a compliment. On the other hand, it only increases the perception that he is could enact significant harm if he ever comes after you.

> Also, this is fud that he can push any kind of code, like you can easily check any part of the pipeline.

Who is "you" ? Neither Rossmann, neither me (software dev albeit not in cybersecurity), and even less so the average GOS user, and I would venture to guess that neither you can audit GOS code with enough confidence to declare that the risk of an exploit or backdoor being introduced is zero. Open-source is not a guarantee that code or software is secure (for e.g. CVE in xz utils and many such cases).

Edit: some clarifications.

▲

other8026 2 days ago | parent [-]

> On the other hand, it only increases the perception that he is could enact significant harm if he ever comes after you.

But that would be incorrect. It's not possible for anyone from the GrapheneOS project to target a GrapheneOS user that way. Look into how updates and the update servers work.

> neither you can audit GOS code with enough confidence to declare that the risk of an exploit or backdoor being introduced is zero.

The updater app is pretty easy to read through. I think a software developer would be able to understand it. The update servers' setups are also very easy to understand. It doesn't take a software developer genius to figure these things out.

▲

bernoufakis a day ago | parent [-]

> But that would be incorrect. It's not possible for anyone from the GrapheneOS project to target a GrapheneOS user that way. Look into how updates and the update servers work.

My point is that from Rossmann's perspective, being target of the lead GOS software dev hostile behavior as per his "Why I deleted Graphene OS" induces Rossmann's --> perception <-- that the GOS could go after him if he really wanted to. First, everyone is busy and has their life, suggesting that his spend hours going through code and documentation he is not familiar with to make sure he is not target is moot. Most people don't read TOS, and same goes for Licences and docs of OSS. Between doing that and stop using it as it's main device OS, the easier choice is the latter. As a software dev myself, your expectation of layman being able to navigate something like a code review, or even an investigating an exploit is hardly reasonable.

So it is not "incorrect". I am not even saying Rossmann could be targeted. I cannot even make this claim as I have not gone through the docs nor understand the build and update pipeline, which is kind of my point: I can't be bothered neither for GOS, nor for the most of the FOSS software I use. The majority of OSS user rely on the vague concept that motivated and honest people audit the code, but hardly anyone is going deep dive into how an arbitrary piece of software works.

The main issue is the attitude of that GOS developer, whether they like it or not, taints the confidence in the project. it does not matter if Rossmann can or cannot be targeted technically.

The issue here is not technical but a reputation issue.

> The updater app is pretty easy to read through. I think a software developer would be able to understand it. The update servers' setups are also very easy to understand. It doesn't take a software developer genius to figure these things out.

Even then, it could be argued that the rules in place could be changed to introduce malicious exploit if the lead dev(s) were motivated enough. Especially given GOS relatively top-down structure, relying essentially on a benevolent dictator. Even if I made the effort, then ascertain there was no vector attack, now I have to stay on alert every commit / release version and spend as much time looking for a targeted exploit ? etc... Update server setup might be clean, but an admin could SSH or gain access in some way or another and do rogue changes, were they determined enough. The probability is not zero.

Again, the problem is eroding the trust of the specific user (Rossmann in this case).

	▲	other8026 13 hours ago \| parent [-]
		There are a couple of comments in response to my own saying basically the same thing, so I'll do the same... Rossmann shouldn't be excused for making his harassment video about Daniel because he doesn't understand how things work. Anyone who bothers to think about it for a moment would understand that someone who had been swatted 3 times by a crazy person spamming community chat rooms with illegal content would be extremely upset. Someone tried to _murder him_ and was trying to destroy the project, and then this video comes out leaking a private chat, and Rossmann portrays him as crazy? Rossmann knew what was happening and then his first thought was to start recording? How is that justifiable? You confessed you are a Rossmann fan in another comment, but even a fan should be able to see what had gone on here... And you are defending the inaccuracy in his video saying he's afraid of being targeted when it's not even possible, and your excuse for him is that he doesn't understand. There is no excuse for his video in the first place, but to also add this falsehood that he even can be targeted is extremely damaging for a project prioritizing privacy and security. And yet even though I'm sure he knows this now, as far as I know he hasn't retracted what he said. I don't think he cares about accuracy. Among other things, he's a YouTuber and he got views and attention, so I guess he got what he wanted at the expense of someone else during an extremely trying time. I don't think that's justifiable, I think it's scummy.

▲

gf000 a day ago | parent | prev | next [-]

This is on a level of "5G causes autism" understanding of the topic. Maybe learn how reproducible builds and cryptographic signatures work.

	▲	Andromxda a day ago \| parent [-]
		> This is on a level of "5G causes autism" understanding of the topic That sums it up perfectly

▲

other8026 2 days ago | parent | prev [-]

Wow. Reading and responding to your comments in this thread, I can see you are very motivated to trash GrapheneOS and its founder.

> Well, he can do everything to your phone, software and data by pushing software updates.

Other developers are doing the bulk of development work these days, so this is nonsense.

> Paranoia could result in just making the system more secure, but why not add a backdoor to find the spies in your userbases that communicate with the black suited men that secretly run our government?

Again with the baseless claims that he's crazy. Your argument here is that "he is crazy, so maybe this happens too." It's nonsense. There are no backdoors, and if there ever were any backdoors, they would be found. GrapheneOS isn't some small project that nobody knows about. It's famous for being very secure, even famous people have said publicly that they use it or others should use it. Cellebrite cannot even hack into it. Backdoors wouldn't go unnoticed. This is also nonsense.

	▲	onli 2 days ago \| parent [-]
		[flagged]