Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
tholdem 2 days ago

So you're saying don't use a smartphone at all, which isn't possible, or use CalyxOS, which not only suffers from the same "problems" you criticize in GrapheneOS, but is also inferior in every way when it comes to security and privacy?

This does not make sense at all.

lrvick a day ago | parent | next [-]

> don't use a smartphone at all, which isn't possible

I run a b2b tech company in Silicon Valley and have not carried a smartphone in 5 years or had an LTE subscription in 6. I have a family and hang out with friends, mostly tech workers, at least once a week. I am online when I am at my desk or one of my family PCs, otherwise I am offline. It has been a massive productivity boost, attention span boost, and social improvement in every way.

I don't miss hours of doom scrolling a day and missing out on being present with friends and family. Took a few weeks to rewire my dopamine engine so the FOMO went away.

Phones -are- optional and if you think otherwise you might be an addict.

> CalyxOS, which not only suffers from the same "problems" you criticize in GrapheneOS, but is also inferior in every way when it comes to security and privacy?

It is better in one way: a reasonably stable person holds the keys to the kingdom. Personally I do not like having -any- central person controlling my devices, so I just opt out of Android entirely until that situation changes.

I am a supply chain security researcher and founded a Linux distro where no single computer or maintainer is trusted, so trust decentralization, freedom, and control in software are very important to me.

strcat a day ago | parent [-]

> Phones -are- optional and if you think otherwise you might be an addict.

Smartphones are small portable computers. You're using a similar computer to make posts on social media platforms including Hacker News.

> It is better in one way: a reasonably stable person holds the keys to the kingdom.

Repeatedly claiming that I'm insane, schizophrenic, delusional, etc. is not a reasonable criticism of GrapheneOS. I'm clearly none of those things. I've been targeted with attacks including harassment and tons of fabricated stories for years beginning with my former business partner and his associates. You thoroughly discredit yourself by going as far as baselessly claiming that I'm schizophrenic because you don't like the way I've tried to defend myself from these attacks.

The lead developer of CalyxOS (cdesai) was a Copperhead employee directly involved in the 2018 takeover attempt on GrapheneOS. CalyxOS itself directly originates from the takeover attempt on GrapheneOS. The people involved demonstrated their lack of ethics through their participation in the attacks on GrapheneOS and partnerships with people involved in it. You've been attacking us for years alongside them. CalyxOS exists because of this takeover attempt. It's a non-hardened OS which was created by heavily using GrapheneOS source code and documentation without most of our privacy and security features.

lrvick a day ago | parent | next [-]

I am not qualified to actually diagnose you with anything, but I think you are brilliant with normally well reasoned threat modeling, yet also you seem stuck in a revisionist history narrative that people were trying to rip off or steal from GrapheneOS, when I was there for a lot of it, in frequent contact with all main parties involved. The other projects simply existed with different goals that sometimes referenced or forked code you chose to open source (which everyone appreciates). The Copperhead shady licensing situation as I understand was understandable to walk away from, but the constant citing of conspiracies and sock-puppet campaigns that never happened and your hostility to CalyxOS, F-Droid and others who are good community actors was where a lot of people including me felt you lost the plot and were not being rational. The "takeover attempt" narrative never happened and every time you say it did without evidence you hurt your credibility. It is an incredible conspiracy accusation that merits proof, or you will continue to be called delusional. I do always make an effort to separate these seemingly irrational views with otherwise well reasoned security engineering work.

The primary thing we disagree on in a pure objective security engineering capacity is you feel it reasonable that a single person, you, can be trusted to resist coercion or manipulation to hold the signing keys that would allow pushing any code to the phones of a lot of highly targeted and vulnerable individuals. Otherwise I actually normally agree GrapheneOS has made the best effort defense calls it can in a very broken and proprietary ecosystem. Use open stuff where you can and where you can't try to put up IOMMU walls. I get and respect the pragmatism here. I do similar in AirgapOS and other projects.

I however absolutely can never recommend trusting centralized/proprietary software supply chains in areas where dramatically more open and accountable solutions already exist, which is why I do not actually use or recommend CalyxOS or GrapheneOS for high risk use cases and instead full source bootstrapped a Linux distribution from scratch that avoids any trust in me as the founder by design.

For low risk use cases where users simply don't trust Google or the stock phone malware, LineageOS or CalyxOS is just fine as they remove this, and I am more inclined to support cdesia/CalyxOS which at least attempts basic signing, and trust cdesia as a keyholder when someone really wants to use Android purely because of his peace-keeping personality that is normally very receptive to criticism, and is never hostile to anyone that forks their code for use in other projects as you have a history of doing, but ultimately again, I don't actually use or recommend CalyxOS or GrapheneOS for most people for most use cases.

If forced to use a mobile device again I would probably fork GrapheneOS, remove all the proprietary bits I can, LTE, bluetooth, etc be damned, and sign it myself only for my own use, until I could develop an quorum enclave controlled signing scheme and then offer that.

If you were to agree to take on quorum controlled signing of reproducible builds, then there is no central trust in you, and all my primary arguments against GrapheneOS go away and GrahpheneOS would be leaps and bounds better than CalyxOS by any technical measure I am aware of.

If you put aside any dislike of me, objectively, removing trust in a single person makes you and the project and users safer, and make it much easier for people to separate your personal views from the stability of the project as a whole.

I could get dementia tomorrow and I am confident the StageX project would continue without me with signatures by other maintainers by design. The team already has made several releases without needing signatures from my key already. This is a proven strategy now, not just a theory I parrot to try to win arguments.

GrapheneOS, for all its high risk users, deserves to be protected from the failing of any one human or build machine.

I'll let you have the last reply as this will go on forever otherwise. You know how to contact me if you ever want to discuss any of this privately.

strcat 17 hours ago | parent [-]

> I am not qualified to actually diagnose you with anything

You should stop calling be insane, delusional, etc. It's quite easy to stop.

> yet also you seem stuck in a revisionist history narrative that people were trying to rip off or steal from GrapheneOS

No, I'm not doing that. The fact that they built on our code while trying to undermine us with misinformation and numerous forms of attacks is what makes it wrong. Calyx knowingly spread and supported misinformation about GrapheneOS and myself. They welcomed, tolerated and worked with people involved in harassment along with frequently participating in it. You do it yourself as you've demonstrated here so of course you don't see it for what it is or think it's wrong.

> but the constant citing of conspiracies and sock-puppet campaigns that never happened

The harassment and their involvement in it happened and continues to happen. Your involvement in it is real and continues too. There's no conspiracy. It's plain for all to see you repeatedly calling me insane, delusional, schizophrenic, etc. and personally targeting me in similar ways over and over. You're just one of many people doing it. That is the harassment, which clearly does exist and you participate in it including in this thread. Calyx and their community are heavily involved in it.

> your hostility to CalyxOS, F-Droid and others who are good community actors

CalyxOS and F-Droid both have multiple people who were involved in the takeover attempt and supported their attacks on us, including the lead developers of both projects.

> a lot of people including me felt you lost the plot and were not being rational

It's factual information, and it's you not being rational about it.

> The "takeover attempt" narrative never happened and every time you say it did without evidence you hurt your credibility

It is exactly what happened. My former business partner tried to take over my open source project against the terms of our agreements. The project was started prior to the company existing in late 2015 and was very clearly separate from it. This has been confirmed by other people involved and around at the time including the 3rd person involved in forming the company.

> It is an incredible conspiracy accusation that merits proof, or you will continue to be called delusional

My former business partner trying to take over my open source project is what happened and is not a conspiracy theory or delusion.

> I do always make an effort to separate these seemingly irrational views with otherwise well reasoned security engineering work.

My statements and views about this are not irrational.

> The primary thing we disagree on in a pure objective security engineering capacity is you feel it reasonable that a single person, you, can be trusted to resist coercion or manipulation to hold the signing keys that would allow pushing any code to the phones of a lot of highly targeted and vulnerable individuals.

We don't disagree on the concept that it would be nice to avoid trusting a single person with this. Where we disagree is that I do not think your proposed approaches are better or that they actually address the trust placed in many people.

> and I am more inclined to support cdesia/CalyxOS which at least attempts basic signing

Not clear how you think we do not do basic signing.

> and trust cdesia as a keyholder when someone really wants to use Android purely because of his peace-keeping personality

He was directly involved in the very real takeover attempt on the GrapheneOS project at Copperhead. He stood by as Nick repeatedly spread misinformation about GrapheneOS and personally attacked me including regularly covering it up. He has a long history of making false claims about GrapheneOS and myself himself. He's friends with many people participating in harassment towards me and clearly has no issue with it along with openly helping them do it.

> that is normally very receptive to criticism

In reality, no, and they'll quickly shut down conversations particularly involving any of this. You think they'd talk openly about this where someone raises actual things they've done and participated in? No.

> and is never hostile to anyone that forks their code for use in other projects as you have a history of doing

Calyx gained influence over Seedvault, a project written for GrapheneOS by a GrapheneOS user, and has since used that to be hostile towards our users reporting issues there and us for continuing to reluctantly use a project now hostile towards us. They've done the same with other projects. They're hostile towards our users, not only us.

A Calyx contractor recently closed a valid F-Droid bug filed by a GrapheneOS user causing it to wrongly show a warning on GrapheneOS every time it installs/updates an app. It's clearly an F-Droid bug since we use standard Android infrastructure to add our Sensors permission and their bug occurs with the POST_NOTIFICATIONS permission and multiple other past cases of added or split permissions in Android. It's a long term F-Droid bug which has existed for ages. Instead of fixing it, they're keeping incorrect code with no purpose and instead adding workarounds for specific cases found to occur with Android's added or split permissions. There's no reason for F-Droid to be checking that the requested permissions parsed from the APK by them match what the OS considers to be the requested permissions. The APK is verified before it's installed and F-Droid's understanding of permissions not matching Android's understanding is fully expected since it does not handle implementation details. It cannot properly handle it as the OS does because the OS adds and splits permissions this way in future releases, so adding all of the current ones still causes it to break in the future. This used to break automatic updates for GrapheneOS users, but at least now it only displays an incorrect warning. They may change it to break things again. Meanwhile, they falsely claimed we were avoiding doing something about this to hinder F-Droid's compatibility with GrapheneOS when they are blatantly doing that. This is one example of how they misuse their control over projects to cause harm to their own users to hurt GrapheneOS. They've done so repeatedly.

> If you were to agree to take on quorum controlled signing of reproducible builds, then there is no central trust in you, and all my primary arguments against GrapheneOS go away and GrahpheneOS would be leaps and bounds better than CalyxOS by any technical measure I am aware of.

The whole thing is a personal grudge and you hold us to a standard you don't hold other projects to based on it. A substantial amount of resources is required to simply make 1 set of builds. Blocking releases indefinitely any time there's a regression in determinism without any more resources to deal with that or early access to address issues prior to when a stable release comes out isn't going to work. When we're porting to a new release like Android 16, addressing some kind of new bug causing something to be non-deterministic cannot be our priority without early access to the release and resources to handle it. If you truly wanted us to do this then you could have helped us get what we needed to do it, make the required scripts and improve protection against non-determinism getting introduced. Instead you act as if this isn't something we want, when it is, but we aren't willing to break updates with an improper implementation.

It's not clear how you avoid trusting me or the developers doing nearly all of the actual development and code review on GrapheneOS through this though. Reproducible builds combined with checking it's reproducible from other parties does not truly accomplish that. Source code is being trusted either way.

There is someone actively reproducing each of our builds after we make releases. It's fully reproducible but AOSP and other projects do have upstream regressions for this we have to fix on a regular basis. It's not always easy to fix.

> If you put aside any dislike of me, objectively, removing trust in a single person makes you and the project and users safer, and make it much easier for people to separate your personal views from the stability of the project as a whole.

I dislike your false claims about me and your harassment towards me. Most of the few times I've interacted with you for several years have involved you making personal attacks on me and talking about us not providing a reproducible build verification feature which barely any projects provide and which is not practical for a project largely based on AOSP without early access or the resources to fix all reproducibility issues they introduce prior to stable releases.

> I'll let you have the last reply as this will go on forever otherwise. You know how to contact me if you ever want to discuss any of this privately.

I don't think we're ever going to come to an understanding. I simply want you to stop making public personal attacks on me. I'm not showing up in threads about your projects talking about what you've done towards me, but you keep showing up in discussions about GrapheneOS to claim that I'm crazy and delusional. You're doing the opposite of encouraging us to implement the signing feature you want.

lrvick 4 hours ago | parent [-]

I was referring to CalyxOS doing signing over LineageOS which does not (in any useful way), as the two popular operating systems that happen to share a lot of hardware compatibility overlay with GrapheneOS (but admittedly little else in common).

The one point I will take that is fair is to stop trying to diagnose you as that is not my background or place to do. We will likely continue to have wildly different accounting of the same events and the motivations of those involved, but it is on me to not lower my communication standards when dealing with people I find to be extra difficult or extra wrong. Point taken.

I apologize for any and all assumed medical diagnosis related comments about you and I commit to stop making these as I am not qualified to make them. I will also discourage those comments in my communities as I can. We should be better than that.

What I can and will repeatedly say is that you are obsessively defensive about GrapheneOS to the point that all criticism of it or your communication style or use of your code in related projects is regarded as a coordinated attack or harassment campaign when it is simply a lot of people who have independently found your personality impossible to work with in spite of making useful code. So much so that many have taken steps to actively fork things away from you so they do not have to deal with you because your approach puts -their- mental health and desire to work on related code at risk.

This is a real shame things went this way, because so few doing hard and important security work also have strong interpersonal skills.

I am going to try to do better here, and I hope you do the same. It is unlikely we ever be friends but I hope we reach a point where we can make use of ideas or code each other might have been involved in without drama. I am even considering adding hardened_malloc as an optional package in stagex because I still feel this is great work.

I will stay out of threads on your projects unless about something I am actively working on or working with, but I will continue to share my own view of shared events and my issues with trust structures in current Android efforts, including GrapheneOS and your leadership style, when they come up organically by others in my communities.

I hope you are able to take that for the win that it is.

cindyllm a day ago | parent | prev [-]

[dead]

strcat a day ago | parent | prev [-]

> CalyxOS, which not only suffers from the same "problems" you criticize in GrapheneOS, but is also inferior in every way when it comes to security and privacy?

CalyxOS lacks the current driver/firmware patches and isn't a hardened OS with similar privacy and security patches. There are plenty of worse options but people are better off using an iPhone.

Hardware and firmware is closed source in general and the complexity of that dwarfs a few dozen closed source driver libraries used on top of open source kernel drivers. Pixels have those libraries built with debug symbols and they're not hard to review. It's not obfuscated code and you're given the function names, etc.

Those few dozen mostly quite small libraries being open source instead of closed source with debug symbols would be nice and is something we want. With an OEM partnership, we can have access to the sources and build them with hardening even without those being open source yet. We can likely include debug symbols just as Google did for the most part on Snapdragon Pixels. Convincing a company like Qualcomm to open source those would be ideal, but it's far from being at the top of a rational list of privacy and security improvements which could be made.

> This does not make sense at all.

You can see he's once again making a baseless claim that I'm schizophrenic, delusional, etc. in his post here as he has done many times before. There's also the baseless claim that I believe wild conspiracy theories. It's not me making unsubstantiated claims about backdoors and proposing approaches to prevent it which disregard the hardware and firmware to focus on the OS having reproducible builds, which would not stop malicious changes hidden at a source code level. I don't think Hacker News should permit baselessly claiming someone is schizophrenic. It's not reasonable discourse, and neither is linking what's clearly harassment content from a Kiwi Farms as happens here regularly. I've never claimed GrapheneOS prevents hypothetical backdoors and certainly wouldn't claim reproducible builds (which we have) can somehow we used to prevent it for the OS.

We can make more use of the reproducible builds but enforcing anything based on it requires early access and more resources to fix reproducibility issues early to avoid delaying security updates. It will not avoid trust in the OS developers and the projects it uses itself. It can only reduce trust in the build infrastructure and people involved. Open source does not prevent backdoors. The small amount of closed source library code for supporting a modern smartphone SoC, etc. is also quite insignificant compared to the overall hardware and firmware complexity. Reviewing those libraries is also quite doable. Open source is not a hard requirement to review something, particularly with debug builds for most of it and no obfuscation. When we find bugs in this code with MTE, we get nice tracebacks with the function names due to the debug symbols. It's hard for us to make our own fixes for it, but not impossible. We would prefer if they were open source, but it's FAR from the most pressing issue and is something SoC vendors could quickly solve if convinced to do so.