
CopperheadOS update: Developer suspended from Reddit - petethomas
https://www.reddit.com/r/privacy/comments/8r9yyg/update_on_copperheados_situation_developer_being/
======
magissima
I can't believe anyone who goes by a name as trustworthy as "darknetj" could
be involved in shady business.

------
lainga
How did the CEO do this? What strings do you pull to get someone banned for
Reddit whistleblowing? Who on the Reddit staff might "fence" his request?

~~~
adjkant
[https://old.reddit.com/r/redditrequest/comments/8ra5b5/reque...](https://old.reddit.com/r/redditrequest/comments/8ra5b5/requesting_rcopperheados_only_mod_is_suspended/e0ppz8o/)

------
djsumdog
I don't think it's over for CopperheadOS, but it is over for that name. Like
Cyanogen changing to LineageOS, the dev who deleted his signing keys will
probably just fork a new code base with a new name.

Obviously it won't be as peaceful a transition as Cyanogen->Lineage, but that's
my prediction for this Android variant in the next few months.

~~~
milcron
Daniel sounds rather burnt out, and also needs to find a new job. I wouldn't
expect updates at the same pace.

~~~
nextos
Yes, which is quite sad both because of the amount of effort put into this and
because there's nothing quite similar to migrate to. CopperheadOS was a bit
unique.

------
adjkant
Looks like more than just the two looped in now:

[https://old.reddit.com/r/redditrequest/comments/8ra5b5/reque...](https://old.reddit.com/r/redditrequest/comments/8ra5b5/requesting_rcopperheados_only_mod_is_suspended/)

Edit: The repo is also private now

[https://github.com/CopperheadOS](https://github.com/CopperheadOS)

[http://archive.is/rOnWi](http://archive.is/rOnWi)

~~~
adjkant
Update - A community member tried to document the happenings of the events and
the CEO of CopperheadOS sent a DMCA request to take it down.

[https://raw.githubusercontent.com/yegortimoshenko/copperhead...](https://raw.githubusercontent.com/yegortimoshenko/copperhead-takeover/master/0e8ab5e5-ac2f-4a73-80a0-77652162e15f.png)

~~~
DanBC
Wow, that surely meets the very high bar DMCA sets for false reports, right?

~~~
yegortimoshenko
This is not a valid DMCA claim, point one doesn't even mention copyright. I
sent a counter-claim, then tried to republish the repo. GitLab told me I will
only be able to republish in 10 days if I don't receive a response, and also
that they might ban me if I try to republish it again without waiting for due
process.

------
evadne

        # List the org's repos via the GitHub API, print one "git clone" command per repo, run 8 at a time.
        # (-rjson replaces -rubygems, which Ruby 2.5+ no longer accepts.)
        $ curl -s "https://api.github.com/orgs/AndroidHardening/repos?per_page=200" \
            | ruby -rjson -e "JSON.load(STDIN.read).each { |repo| puts \"git clone #{repo['ssh_url']} android-hardening-#{repo['name'].gsub(/(.)([A-Z])/,'\1-\2').downcase.gsub(/[^a-zA-Z0-9]/, '-').gsub(/-(-+)/, '-')}\" }" \
            | parallel -j 8 '{}'

~~~
asdsa5325
What is this?

~~~
bribroder
They want you to clone all of the repos belonging to
[https://github.com/androidhardening](https://github.com/androidhardening),
for some reason... I suppose they think it will be taken down by GitHub
lawyers?

------
diehunde
Can anyone give the short version of what happened? I'm not familiar with
CopperheadOS and I like this kind of drama

------
mindslight
Well I do have to thank them for blowing this up now, as I'm in the market for
a new pocket tracker.

It seems like the least-worst option is Samsung Exynos -> Lineage -> No
GoogleCrutches -> F-droid.

Still a fucking dumpster fire. Alas, here's to hoping pmOS (or the like)
actually goes somewhere.

~~~
seba_dos1
If you want to use Android, don't forget about microG. There's even their
Lineage fork: [https://lineage.microg.org/](https://lineage.microg.org/)

~~~
mindslight
Well I don't really _want_ to use Android. What I want is a long-battery-life
GNU computer that fits in my pocket, with an optional chorded keyboard. Which
could then run any needed Android apps in an untrusted vm [0]. Alas.

I'll have to look into microG. My plan was just to avoid attractive nuisance
apps on my everyday phone, and stick with stuff from F-droid. But then of
course eg traveling puts one in a different mode of just needing to get a
problem solved on the go [1].

It is a bit worrying that microG's first listed feature is augmenting
perfectly-fine GPS location.

The split with Lineage seems annoying, for both practical and long term
considerations. From a quick reading, it seems like Lineage is being stubborn
and preserving the paradigm where Google is trusted more than the purported
owner of the device.

Seems like one would definitely have to use a VPN with microG, lest Google
continue to infer social metadata from whatever IP address (ie wifi network)
one was connecting from [2].

[0] I wouldn't mind say running Waze for the highway part of routine trips
(with a nonce account of course), to report highway robbers and other hazards.

[1] Which is how these surveillance companies get us over the barrel, but I
digress.

[2] It seems like the best solution here would be some sort of headless "wifi
condom" that would connect to 3g/4g/wifi networks, do the VPN stuff, and
present a single constant wifi network.

~~~
milcron
>Well I don't really want to use Android. What I want is a long-battery-life
GNU computer that fits in my pocket.

Librem5 is definitely something to watch:
[https://puri.sm/shop/librem-5/](https://puri.sm/shop/librem-5/)

I'm also watching the Pyra, but development is super slow:
[https://pyra-handheld.com/boards/pages/pyra/](https://pyra-handheld.com/boards/pages/pyra/)

------
troyvoy88
The damage done to this project is done. No coming back from this. Base has
been compromised.

------
bhouston
Nothing will be left here but ruins.

~~~
Analemma_
History is full of co-creators having a fallout and then being willing to burn
whatever they made to the ground rather than give an inch to the other guy.
Sadly, this looks like it will be yet another example.

------
twblalock
As far as I can tell, both the CEO and the developer have behaved very
unprofessionally during this whole affair, airing their grievances and their
dirty laundry on public forums. I don’t think I would trust either of them to
run a company or maintain a trustworthy codebase. They should consider the
damage they are doing to their reputations and start acting like adults.

~~~
yegortimoshenko
I'm not sure what you expect from the developer, to just take it? He doesn't
have power in the company because even though he's a 50% shareholder, he's not
on the board of directors.

~~~
foobarchu
I mean, personally, I hold them both to the same standard of professionalism,
as they were both "c-levels" within their company. He's more than a developer,
at that point, so airing of dirty laundry comes off as kind of a petty attempt
at "bringing the other guy down with me". Especially the times where he was
posting direct snippets from their private emails, then a sinister sounding
summary of the rest (but not the actual content of the rest, meaning he's
probably twisting some words).

I think both sides are acting really shitty here, I wouldn't want to partner
with either of them in any future endeavor.

------
djschnei
Out of the loop here... What whistle did he blow? Anyone have a tldr?

~~~
AdmiralAsshat
CopperheadOS was spearheaded by two people (to my understanding): the founder,
and the lead developer. They had a falling out. The developer felt that the
founder had compromised their ideals in order to make money (how this was done
has not been detailed). The founder told the developer that he's out. The
developer, in turn, deleted the signing keys so that no new software can be
published under the CopperheadOS name.

The developer alleges now that the founder has gotten Reddit to delete his
(the developer's) account.

~~~
numbsafari
It was never a very secure OS / product / distro if a single individual was
able to destroy the signing keys in this fashion.

If this personal battle is enough for folks to say the whole thing is now
compromised, and one person held all the keys, how do you know he hadn’t been
compromised before? If the code has no third party audits, or a web of trust,
then it was never secure to begin with.

~~~
TheAceOfHearts
There's always a chain of trust. What alternative would you suggest?

I think I remember reading that in Google there's like 5 people that have the
master keys and are able to deploy any kind of change at any moment without
any review or oversight. They're the top of the chain of trust.

~~~
twblalock
There is a big difference between a chain of trust with multiple people
involved and corporate oversight, and a chain of trust that consists of one
person who wields absolute power.

So yeah, there is always a chain of trust, but some are better than others. In
the Google case, if one of those 5 people started doing bad things, the others
would presumably be able to stop him and undo the damage.

