| I second this opinion, with some additional nuance. While I don't think the developers necessarily hallucinates being attacked (i.e. given the nature of the project, I would expect them to be persons of interest, be it from surveillance agencies, or even state actors), the main issue with Rossmann is their claim that he is either personally directing harassment against GOS, or colluding with and encouraging other communities to harass (mainly Kiwifarms, Techlore, CalyxOS, and other Android related FOSS projects).
This claim seems to originate then cascade from Rossmann leaving the comment "Informative, but unfortunate" on TechLore's video criticizing GOS's leadership.
This is taken as explicit support of TechLore community's / KiwiFarms alleged harrassement on the lead GOS developer, and this has somehow been cascaded and blown out of proportions, and considered by GOS developers as evidence of Rossmann's wrong doing against them. As mentioned somewhere else, I am using GrapheneOS since 2 or 3 years now, based on Rossmann recommendations.
The software is very good, pretty much native Android experience, but without the extra alleged Google snooping / root access.
Rossmann himself seemed to have stopped using it as his main device because of fear of retaliation given that the GOS devs could potentially target him. Better safe than sorry.
I still use it because I am not that high profile of a person, and generally will use throwaway when it comes to discussing anything GOS related at this point.
The overall leadership however, based on Rossmann's and later my personal interactions with them however, did leave a bad after taste. |
| |
| ▲ | bornfreddy a day ago | parent | next [-] | | > > Better safe than sorry. > People who are familiar with how GrapheneOS updates work wouldn't agree. No identifiers are sent to the update server, so targeted updates aren't possible that way. Also, update servers only host static files... We are literally talking about an OS here. It has an almost total control over your phone - what does it matter if the updates can be targeted? The GOS could snoop on their users and turn into malware only if it figures out that this is Rossmann's phone. This is what is keeping me from installing GOS too. Interaction from the developers seems very aggressive towards the competing OSs, which doesn't inspire much trust. Who is reviewing the GOS changes? Are they really all benign? In the end you need to trust someone, but I'm not sure GOS is more trustworthy than LineageOS (which has a bigger community, more developers and /e/os building on top of them). Happy to be convinced otherwise. | | |
| ▲ | other8026 13 hours ago | parent [-] | | > The GOS could snoop on their users and turn into malware only if it figures out that this is Rossmann's phone. Well, yes, but not really. What you're saying could be true if the OS wasn't open source. It's not some small OS that nobody knows about. There are forks of the OS, there are other projects that selectively copy code/commits from GrapheneOS, there are security researchers who pay attention to its development. There are also people who reproduce and verify builds. It's just not possible for that kind of code to be snuck in there. This section of the website about whether GrapheneOS is audited is also helpful https://grapheneos.org/faq#audit > This is what is keeping me from installing GOS too. Interaction from the developers seems very aggressive towards the competing OSs, which doesn't inspire much trust. If you pay attention to what they're responding to, you'll find that a lot of that is in response to something they said, clarification about inaccuracies in news articles, etc. The official accounts are also followed by many of the OSes' users, so some posts are for them too if certain things are being talked about in the community. > In the end you need to trust someone, but I'm not sure GOS is more trustworthy than LineageOS (which has a bigger community, more developers and /e/os building on top of them). I personally prefer quality over quantity. GrapheneOS developers take a long time to develop new features, test them, rewrite them, and it goes on and on until they have a resulting feature that is very high quality. They also have to keep in mind how much they're adding/changing so features and changes can be ported quickly when there are new upstream releases. Updating quickly is very important for security. Leaving vulnerabilities unpatched for months is not acceptable for a project and users who value security. The same can't be said of LineageOS or /e/OS. They're slow to update, roll back security, etc. |
| |
| ▲ | bernoufakis a day ago | parent | prev [-] | | > But he didn't. It's clear in his later videos that he was still using Graphene OS, I believe even for months after the video. Emphasis on "seemed to have stopped using it as his main device". For all we know, he kept it as secondary device (its just that good) after removing anything he deemed critical.
Again, he never said "don't use GOS", or "GOS is not secure".
He said he was did not feel safe enough because of the hostility from the lead dev. > People who are familiar with how GrapheneOS updates work wouldn't agree. No identifiers are sent to the update server, so targeted updates aren't possible that way. Also, update servers only host static files. If Rossmann was really that worried, all he'd have to do is use a VPN. But that was all just a huge dramatic act so his video would get more views, and possibly to entertain his fellow Kiwi Farms members. Does it matter ? Rossmann is a layman when it comes to software.
What he perceives is that "lead GOS dev is hostile against me and has essentially full control over the project".
First, he is under no obligation to spend hours learning how GOS updates work and audit the code every release, whether or not some identifier is being tracked or not (and by the way, you can still get identified and tracked even if you use a VPN).
The damage was done once that lead GOS dev persist in toxic behavior, for the lack of a better word. > But that was all just a huge dramatic act so his video would get more views, and possibly to entertain his fellow Kiwi Farms members. Unsubstantiated claims. We cannot read his mind, and I have yet to see any evidence that would support these. | | |
| ▲ | Andromxda a day ago | parent [-] | | > you can still get identified and tracked even if you use a VPN Sure, but that requires additional data about the user, which the GrapheneOS update server doesn't get. Both the update client and the update server are open source, so you can verify any of what I'm saying. The server only sees the user's IP address, which device model they're requesting an update for, and which update channel (alpha/beta/stable) they are using. The HTTP headers, etc. for the request would be identical across any GrapheneOS device, as they use the exact same updater app. https://github.com/GrapheneOS/releases.grapheneos.org
https://github.com/GrapheneOS/platform_packages_apps_Updater > First, he is under no obligation to spend hours learning how GOS updates That literally takes a few minutes to look up, it's all really well documented on the official website. https://grapheneos.org/faq#default-connections But yes, I do believe that he's obliged to do some research before putting out such absurd claims entirely based on speculation with no technical knowledge or understanding. | | |
| ▲ | bernoufakis a day ago | parent [-] | | > That literally takes a few minutes to look up, it's all really well documented on the official website. https://grapheneos.org/faq#default-connections Again, that is beyond the point. The developer going rogue (for arbitrary reason) and turning the code malicious is not impossible. > That literally takes a few minutes to look up, it's all really well documented on the official website. https://grapheneos.org/faq#default-connections All of you who keep commenting "But it's so easy, just look it up" are lacking consideration and empathy. Other people don't think like you, they don't have to think like you. Just the documentation you have linked has so many technical terms, someone not familiar with networking and system design will barely make any sense of it. It is a also a matter of trust. After the developer express their hostility multiple time, even if someone was willing to go through it, what if the documentation is not forth coming ? It is within the devs control after all.
How does one even make sure that the software does what the documentation says it does ? etc... > But yes, I do believe that he's obliged to do some research before putting out such absurd claims entirely based on speculation with no technical knowledge or understanding. What "absurd" claim did he put out exactly ? His issue was never about the technical aspects of GOS. It was about the broken trust and the perception that using software from a hostile developer was a risk factor, hence his stopping using it (at least on his devices with sensitive info). | | |
| ▲ | Andromxda a day ago | parent [-] | | > Other people don't think like you, they don't have to think like you. I'm quite certain that there are more people than just me, who think that someone with close to two million subscribers on YouTube should fulfill due diligence by doing some basic research and at least read the extensive official documentation that's provided, before putting out a video with serious allegations and a very high potential of harming someone's reputation. I would go further and say that it was his intention of harming the project's reputation, but that's just my personal opinion. It's objectively clear though, that this is a very low quality video full of baseless speculation, and severely lacking any technical understanding and knowledge. > What "absurd" claim did he put out exactly ? His speculation about targeted malware in the OS. This is exactly the same as going to a restaurant, having an argument with the owner, and then claiming that they might be putting poison in the food, even though there's absolutely zero evidence or anything that might indicate that, solely because you had a disagreement with someone and now want to harm their reputation. | | |
| ▲ | bernoufakis a day ago | parent [-] | | > It's objectively clear though, that this is a very low quality video full of baseless speculation, and severely lacking any technical understanding and knowledge. "Baseless" could not be further away from the truth. You literally have the GOS developer messages coming in live while he rehashes frivolous accusations and threatening to exposing him.
To claim objectivity, when you seem to cherry pick the parts of the video that would (loosely) fit your narrative. Where is your evidence that Rossmann is in anyway associated to harassment campaign against the project ? > This is exactly the same as going to a restaurant, having an argument with the owner, and then claiming that they might be putting poison in the food, even though there's absolutely zero evidence or anything that might indicate that, solely because you had a disagreement with someone and now want to harm their reputation. Damn, so close, you were almost there. A more accurate analogy you could have come up with, had you actually critically listened to Rossmann's argument in his video.
Yes, it's like going to a restaurant and having a disagreement with the cook, for the latter to explicitly threaten to harm onto you.
At that point, is it that far fetched to think he might poison the food ? When you know he has full control over the kitchen ? You can disagree with Rossmann perception of the actual threat, but you should at least admit that it is not absurd for Rossmann to think that someone who demonstrated such irrational behavior might attempt to harm in through the means at their disposal, among which introducing malicious code. It might be unlikely given what we know about software dev, but it is not impossible, and for Rossmann, that is the only thing that matters at the end of the day. Moreover, the GOS dev himself clearly stated he would "publicly expose him" (At 2:14 in https://youtu.be/4To-F6W1NT0?t=134 "and there will be information published about your (Rossmann) attacks on me in support of an abusive person).
Why the double standard ? That GOS dev can go around dishing out "reputational harm" but his targets doing the same is not fair game ? At this point, Rossmann did him a service by publishing everything himself.
As far as any reputational harm is concerned, the GOS developer essentially brought it on himself. Could have dropped back when they had the fallout in September 2022, as per the chat logs (<https://www.swisstransfer.com/d/d75ff782-4a7d-4497-b04e-edd1...>) ... > I would go further and say that it was his intention of harming the project's reputation, but that's just my personal opinion. Sure, "harm the reputation of the project" when he was proactively giving them no string attached grants, spreading the word, and giving them an opportunities to tell their side of the story ... > I'm quite certain that there are more people than just me, who think that someone with close to two million subscribers on YouTube should fulfill due diligence by doing some basic research and at least read the extensive official documentation that's provided, before putting out a video with serious allegations and a very high potential of harming someone's reputation. Then in the first place, perhaps the cyber security geniuses who built a privacy and security oriented OS for smartphone could do the due diligence of gathering and presenting actual evidence of Rossmann implication in the alleged harassment campaign before before posting multiple accusatory statements across their socials media "with serious allegations and a very high potential of harming someone's reputation" ? | | |
| ▲ | other8026 13 hours ago | parent [-] | | >> It's objectively clear though, that this is a very low quality video full of baseless speculation, and severely lacking any technical understanding and knowledge.
>"Baseless" could not be further away from the truth. You yourself have even admitted that while it may not be true that he can be targeted, you make excuses for Rossmann saying he's a "layman when it comes to software". So, yes, it is baseless. > it's like going to a restaurant and having a disagreement with the cook, for the latter to explicitly threaten to harm onto you. At that point, is it that far fetched to think he might poison the food ? When you know he has full control over the kitchen ? This is a horrible metaphor because an open source project and the resulting OS is nothing like that. Better analogy would be that all the customers can watch the chef while they work, they all share the same food, and there are even cameras there for the world to see what the chef is doing in real time. > You can disagree with Rossmann perception of the actual threat, but you should at least admit that it is not absurd for Rossmann to think that someone who demonstrated such irrational behavior might attempt to harm in through the means at their disposal, among which introducing malicious code. If he had any integrity, he would have retracted that part of his video _at least_ when people pointed out that it wasn't true that he could be targeted. But as far as I know, he hasn't. > Then in the first place, perhaps the cyber security geniuses who built a privacy and security oriented OS for smartphone could do the due diligence of gathering and presenting actual evidence of Rossmann implication in the alleged harassment campaign before before posting multiple accusatory statements across their socials media "with serious allegations and a very high potential of harming someone's reputation" ? Anyone who thinks for even a moment can see what happened here. Someone tried to murder Daniel 3 times, he was upset about that and with Rossmann, he talked to Rossmann, Rossmann _records_ it as it's happening knowing full well what he was doing (which I'd argue is quite scummy), and releases the video complete with inaccuracies about the potential of being targeted. Not to mention he has a verified Kiwi Farms account, which anyone who knows the history of that site can draw their own conclusions. It's very easy to see what's all right out there in the open. | | |
| ▲ | Andromxda 13 hours ago | parent [-] | | Btw I reread all the emails exchanged by Rossmann and Micay (I had already read them back when they were released, but that was over 2 years ago), and I don't see how anything Daniel Micay said would be incorrect.
Moreover, I found it quite alarming, how Rossmann addressed exactly zero of Micay's actual points, and then tried to distract from the entire situation with manipulative tactics and by trying to discredit him through his baseless assumptions about Micay's mental health.
These leaked emails don't prove anything, other than Louis Rossmann being ignorant and manipulative. |
|
|
|
|
|
|
|
