
One thing that bothers me is the seeming lack of transparency about who is running GrapheneOS. Daniel Micay supposedly stepped down, so who is calling the shots now? Who runs the CI? Who owns the update servers and signing keys? Who am I trusting?


The directors of the GrapheneOS Foundation and the other things you're talking about are public information. I stepped down as lead developer due to relentless harassment preventing me from being productive. The same people targeting me with harassment misrepresented what was happening.

You shouldn't get info about GrapheneOS from Hacker News comments especially when multiple regulars here are part of the attacks on GrapheneOS. Hacker News permits people to freely engage in libel and harassment towards me on nearly every post about GrapheneOS.


Thank you, to you and the rest of the team, for your work on GrapheneOS!

If I may make a suggestion: as GrapheneOS becomes more popular, perhaps it's time to better establish users' trust in the control over it.

When the project was primarily you, who was already known for technical prowess and a principled exit from a different project, that was enough for many enthusiasts.

But as both the team and the user base have grown (and, secondarily, the outside world has become less stable), a new infusion of confidence in trustworthiness would help.

I'm not sure how to do that, but it may include communicating who is involved (not just names, but why they should be trusted), and what safeguards there are against mistakes and compromised/rogue individuals.

I say this because GrapheneOS may be the best candidate for a trustworthy smartphone platform right now, and I hope for the best followthrough and success of that.


Why should privacy-oriented individuals be forced to dox themselves? There is a company that should be able to stand on its own reputation or not.


You need more than a corporate reputation.

We're an entire industry of liars and poseurs.

It would be easy to make even a completely bad-actor company with years of stellar reputation.

Either as a sleeper for some future big attack, or one that only rarely and secretly takes action against very high value targets.


And how will a name and address prevent that?


I don't think I said anything about an address. They've given some names, but that doesn't say why they should be trusted.

Two examples of people who have established some trust over the years: Linus Torvalds and RMS.

Joking scenario to illustrate...

Badguy: "This is it, Torvalds! Give us the Linux launch codes, or I shoot you!"

Torvalds: "Launch codes? I'm angry that you are wasting everyone's time, when clearly you don't know what you are doing, and are not bothering to get help to do it properly."

Badguy: "How about your friend! Give us the codes, or I shoot Stallman!"

Stallman: "Excuse me, but when you say Linux, I think you mean GNU/Linux, since Linux is a kernel, which is only one piece of the operating system, and used with--"

Badguy: "Argh! I can't take you nerds anymore!" shoots self in head


> When the project was primarily you, who was already known for technical prowess and a principled exit from a different project, that was enough for many enthusiasts.

There was no principled exit from a project but rather from a company. GrapheneOS started in 2014 and was previously called CopperheadOS. We still use multiple of the 2015 era GitHub repositories.

A company which I co-founded in 2015 where I still own 50% of the voting shares was taken over and many illegal actions were taken in an attempt to take over my open source project and then spent years trying to destroy it when that failed. The company was then used as a weapon to wage a war against myself and GrapheneOS for years. A large of donations were stolen and repurposed for attacks on the project people made those donations to. Meanwhile, the company entirely depended on repeatedly forking GrapheneOS to sell it as a project. We stopped them from doing it through legal action and it's essentially over. It took a very long time to rebuild GrapheneOS and the attacks they started never stopped.

I continued working on the same project after the failed takeover attempt and it turned into a much bigger project where I'm no longer anywhere close to the most active developer. I mostly do organization tasks including giving developers tasks and system administration, not development. It's quite hard to do development when you're harassed throughout the day, every day, to an extreme level. It took away my ability to do the kind of creative work involved in development for the most part. I leave that up to others now. I don't even do much code review anymore but rather delegated that to others too. I don't know why people continue claiming otherwise when it's plainly not the case.

> I'm not sure how to do that, but it may include communicating who is involved (not just names, but why they should be trusted), and what safeguards there are against mistakes and compromised/rogue individuals.

We have to protect our team from relentless harassment including swatting attacks. Our moderators aren't allowed to use accounts tied to their real name since otherwise they'd be heavily targeted. The same applies to our community manager. We generally recommend developers avoid using their real name unless they're able to tolerate being tolerated. We avoid having people's names tied to things when we can. It was a mistake to do it in the beginning and can't be undone for myself but others can avoid being targeted. I don't think many people would be willing to work as a community manager or any other public-facing role in GrapheneOS if they had to use their real name. That's especially true if they're part of around half of the people who are women or many other groups who would be targeted specifically for their identity alone.

> I say this because GrapheneOS may be the best candidate for a trustworthy smartphone platform right now, and I hope for the best followthrough and success of that.

Continued success unfortunately enrages people who have been trying to harm us for years as can be seen throughout this thread. It's not getting better and I don't think many people want to be exposed to it.


Are there other ways that you can increase trust, that you would feel good about?

Most people are cavalier about tech trust, because that's easy or they don't know any better, and often they really don't care.

But it seems the base for GrapheneOS is people who care, and a lot of them (not all) care about trustworthiness (not just annoyances).


Thank you for your work. What would you say the future holds for the project? Is it in good hands?


Yes, it's in good hands and the organization is actively being built out with the help of people from the Ethereum Foundation who know how to run a successful non-profit. We're making it into a serious organization and are hiring a bunch of full time developers.


[flagged]


Seems like you’re proving his point. From what I can tell he founded the project and was bullied into leaving on social media. Happy to update my view if there’s additional information.


I appreciate someone standing up to this. The particular account has been engaging in bullying towards me with endless lies since 2018. He posts personal attacks towards me in most threads about GrapheneOS. I don't understand why there hasn't been moderation yet.


[flagged]


No, by all means. Add a couple more paragraphs. Your rant seethes with credibility.


You can't expect much from people who think Kiwi Farms and content from members of the site are a reliable source of information.


Is that what I said? Or did I merely bring up that (I think) there's a thread about you on that site? I didn't exactly say they're a reputable source of information, but they certainly are known to glom onto internet "personalities"....


I actually don't regret going in and turning "show dead" on so I could see it. Knowing that someone is considered a lolcow is legitimately useful information.

It might not be polite, you might not like it, but it is useful data to people who prefer their truths entirely unfettered by nosy busybodies who call themselves "moderators".


Who in the derp are you?


That question has no relevance other than to gin up an ad hominem. Shame on you.


[flagged]


Who *in the derp.


They also have an overly reactive social media presence, somewhat similar to what ffmpeg has. Could end up being bad PR for Motorola.

Funnily enough that same social media person has some odd ideas about trust and PKIs.


> some odd ideas about trust and PKIs.

Can you explain what you mean?


Our project account posted a thread about our recent migration of our mail server to using our ASN and IP space. They replied to the thread by attacking Postfix, DNSSEC and DANE. They promoted the insecure MTA-STS approach promoted by Google despite them not fully adopting it for Gmail similarly to how they don't even use an enforcing DMARC policy despite punishing others for not doing it. We explained Domain Validation depends on DNS security. We also explained MTA-STS isn't the same as browser WebPKI due to an insecure bootstrapping and refreshing system along with lack of mandatory Certificate Transparency. We talked about Google's anti-competitive practices when it comes to email. Here's the thread, read it for yourself:

https://x.com/Avamander/status/2025719336552284161

The fact is that if you use the org TLD then you trust whoever runs it to issue certificates for your website and the same for your domain registrar. There's no point in pretending otherwise. It's very clearly how the system works. WebPKI does not truly add value over a TLSA record and DNSSEC beyond Certificate Transparency which is reactive and is NOT part of MTA-STS. MTA-STS also doesn't have mandatory encryption but rather opportunistic and can be stopped from using it. Gmail, the service which MTA-STS was created to be used with, has 1 day max-age for it.

Gmail has a lot of quite blatant security weaknesses and phishing weaknesses. People largely repeat the mantra of it being secure because Google account login security is decent including an option to make it harder to hijack accounts via customer support missing elsewhere.

Not really interested in a debate about it where someone repeats talking points often visible here and gets angry with us for not agreeing including getting angry because people like our replies.

https://x.com/Avamander/status/2025719336552284161
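Added example, not part of any comment in this thread and not GrapheneOS code: a simplified Python model of the sender-side policy cache described in RFC 8461, showing how `mode` and `max_age` (the two MTA-STS properties argued over above) determine when a sending server insists on validated TLS. The class and function names, the domain and the sample policy are constructed for illustration.

```python
# Simplified model of an MTA-STS sender (RFC 8461); constructed example.
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mx.example.org
max_age: 86400
"""  # constructed policy body with a one-day max_age

def parse_policy(text):
    """Parse the key/value body served at /.well-known/mta-sts.txt."""
    policy = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)   # mx may repeat
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("not an STSv1 policy")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    policy["max_age"] = int(policy["max_age"])  # lifetime in seconds
    return policy

class SenderCache:
    """Per-domain policy cache kept by a sending MTA."""
    def __init__(self):
        self.entries = {}  # domain -> (policy, expiry timestamp)

    def refresh(self, domain, fetched_text, now):
        """Store a fetched policy; fetched_text is None when the fetch failed."""
        if fetched_text is not None:
            policy = parse_policy(fetched_text)
            self.entries[domain] = (policy, now + policy["max_age"])

    def delivery_rule(self, domain, now):
        """Return what the sender requires for this delivery attempt."""
        entry = self.entries.get(domain)
        if entry is None or now >= entry[1]:
            return "opportunistic"       # no usable policy: STARTTLS only if offered
        if entry[0]["mode"] == "enforce":
            return "require-valid-tls"   # MX must match policy and present a valid cert
        return "opportunistic"           # testing/none: deliver regardless

def timeline(fetch_results, step=43200):
    """Replay policy fetch outcomes (policy text or None) every `step` seconds."""
    cache, rules = SenderCache(), []
    for i, text in enumerate(fetch_results):
        now = i * step
        cache.refresh("example.org", text, now)
        rules.append(cache.delivery_rule("example.org", now))
    return rules
```

For an operator publishing MTA-STS, the replay shows that validated TLS is only required from the last successful policy fetch until `max_age` later, which is the reason to publish a long `max_age` with `mode: enforce`.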


You take it too personally and if anyone is angry it's you. Listing shortcomings of a project is not "attacking", it's juvenile to think so. Shortcomings you refused to admit and your "explanations" were fundamentally misguided and incorrect. You eventually just resorted to FUD and blocking instead of actually looking at DNSSEC and DANE and the issues it has.

DNSSEC is a *bad* PKI, with infallible roots of trust, terrible adoption rate and horrible transparency. If someone misbehaves, you will have no idea, there will be no recourse and absolutely nobody is enforcing any standards on how things should be run.

Bringing DMARC and phishing into this topic is a desperate grasp at straws if I have ever seen one.

DNSSEC defenders should actually know what they're talking about first.


What I find particularly odd is that on their donation page [1], Daniel Micay's personal Github account is linked as a donation option (using Github sponsors).

(I opted to donate via bank transfer instead, because that is at least addressed at the GrapheneOS Foundation, not one specific member.)

[1] https://grapheneos.org/donate


Daniel Micay is still running the project despite announcing he'd step down a while ago. You can see the entire team on their Github


The directors of the GrapheneOS Foundation and the other things you're talking about are public information. I stepped down as lead developer due to relentless harassment preventing me from being productive. The same people targeting me with harassment misrepresented what was happening.

You shouldn't get info about GrapheneOS from Hacker News comments especially when multiple regulars here are part of the attacks on GrapheneOS. Hacker News permits people to freely engage in libel and harassment towards me on nearly every post about GrapheneOS.


I'm aware of what happened, and I'm getting GOS news directly, not from HN. However, you're still the biggest contributor of code to GOS (judging by commit history). That's what I meant.


I'm not anywhere close to the biggest contributor of code to GrapheneOS. Do you think the account listed as the committer is the one writing it? That's not the author of the code, it's the account used to approve it.


I see. So it's a Linus Torvalds kind of situation? That makes sense, thanks.


> and I'm getting GOS news directly, not from HN

And from a director themselves! strcat is one of the directors in case you didn't know (Daniel). Which makes his reply quite bizarre


[flagged]


[flagged]


It's an outright fabrication with no basis. All you've done is posted a video filled with doctored content and fabricated claims from a serial harasser. Henry Fisher (Techlore) has been orchestrating harassment towards me for years. Basic research and critical thinking is all that's needed to debunk the content. The video shows someone engaging in blatant bullying through directing hate towards someone with lies while taking great pleasure in it.


It's a little ironic Daniel rails on and on about how he's being targeted in a mass-harassment conspiracy against him and the project (usually by "the CalyxOS community", or his old CopperheadOS business partner guy), then.... freely levies a group of his own to mass-flag/downvote critics with the intent to silence them?

"Every accusation is a confession" or something, I guess.


The ongoing lies, bullying and harassment towards me is very real and you're directly participating in it. The reality which can be found through looking through actual content which hasn't been doctored is that joemazerino has engaged in years of lies and bullying towards me on Hacker News without moderators stepping up to end it. Ending this bullying showing up in every thread about GrapheneOS from the same small group of perpetrators is long overdue.


So any criticism is "bullying" and you're justified in brigading threads to silence it?

Many of the people with minor criticisms even use the project (such as myself), and going full nuclear to silence any dissidents is rarely looked favorably upon in hindsight.


That is a pretty poor and disappointing reply to be honest.

They asked a reasonable question and you barely even responded to anything they asked. The community deserves a response to the question.

What with this new chapter, it might be better for someone else to handle PR and comms for the project

(Signed, passionate GrapheneOS user of a few years)


> The community deserves a response to the question.

You use GrapheneOS which we provide to you free of any cost but yet you're being nasty towards us throughout this thread. Why do you think you deserve anything from us?

Why should we participate on this platform at all when we have name calling, bullying and links to harassment content directed towards us with nothing being done about it?

https://news.ycombinator.com/item?id=47219293


"nasty", "bullying", "harassment"? Whatever.

You seem to have a persecution complex. Ironically, baseless accusations of nastiness and harassment and weaponising language is also bullying. I'm out. Best of luck to the project, and to you personally.


your ass is delusional my fella


From what I understood, he's just stepped down as lead developer.


You're correct. Dmytro Mukhomor is the lead developer of GrapheneOS.


Without criticizing or implying any conspiracy theories, I did find it odd where the news release quoted "a spokesperson at GrapheneOS" without attributing it.

We badly need alternative(s) like GrapheneOS, and I want to see it succeed. I hope as the project matures, the sense of professionalism and stability it projects will strengthen. For what it's worth, I personally feel the business partnership is a step toward that end, and am really happy to see some manufacturer diversity.


The statement was put together collaboratively by our COO, community manager and moderation team which is the case with a lot of our written responses to journalists and others. People with their real name tied to GrapheneOS are targeted with conspiracy theorizing and harassment. You can see it throughout this Hacker News thread. People personally target myself and other members of the team in very vile ways.


+1 This complete lack of transparency is the same gripe I have with the Signal Foundation.

FWIW, https://ised-isde.canada.ca/cc/lgcy/fdrlCrpDtls.html?p=0&cor... lists three directors for the GrapheneOS Foundation: Khalykbek Yelshibekov, Daniel Micay, and Dmytro Mukhomor.


How so wrt Signal?


What are donations being spent on, who makes those decisions, what's the roadmap, what's up with MobileCoin, why the hell do they put so much trust into Intel SGX when there are so many known vulnerabilities, …

I've been a Signal/TextSecure user since day one and have convinced many dozens of people to switch to Signal but, man, they don't exactly make it easy to be a fan.


Isn't their CEO well known?


So?


You said you don't know who makes the decisions.


Meredith Whittaker is not a techie AFAIK. Either way, I'd just like to know more about the thought process going into Signal's product and engineering decisions. The Signal team seems extraordinarily tight-lipped and that doesn't exactly inspire trust from where I stand.


Have you heard her speak? She seems pretty bright to me.


Their blog has (or had?) some extensive technical explanations, for example about their implementation of features utilizing SGX.



