Hacker News new | past | comments | ask | show | jobs | submit login
CopperheadOS has imploded (twitter.com/danielmicay)
289 points by nitrohorse on June 11, 2018 | hide | past | favorite | 166 comments

Context from when this showed up last week: https://news.ycombinator.com/item?id=17239259

The CEO, _jayy, posted a number of comments, then deleted all but one. The deleted comments were preserved by yegortimoshenko. Links: https://news.ycombinator.com/item?id=17241694

There's even more context about how this CEO managed the business in a reddit thread in response to those tweets as well, which includes some detailed and revealing comments from the developer:



That's the most detailed explanation of things I can find in this thread. Thanks.

"the manager", personified. Sheesh.

"Code doesn't sell itself" is almost managerial/ceo self-parody -- especially when it's a two-person show (not to mention the score of successful open/open-ish projects that totally and utterly lack a marketer/salesman.)

I think he meant "Code doesn't skim its' own profit."

There are plenty of skilled and honest managers in tech, so I fail to see how this is "the manager" personified.

The engineer recognizes that with a competent manager things would be in a better place - nowhere does he say that the manager as a figure is redundant, quite the opposite in fact.

If anything this is "founder failure" personified, which is why VCs are absolutely obsessed with founder chemistry.

He or she is saying that he's a personification of the well-known and sometimes-accurate manager cliché that engineers love to hate. Think pointy-haired boss in Dilbert. It's become an abstraction that people use for conversing, including for laughing, so it doesn't go away when you say "I know many contemporary counterexamples".

CEO also blocks everyone who supports Daniel on their IRC channel. I've been repeatedly asked to take down these links and documents, and CEO even told me "they would come after me" if not for the fact that I live in Russia. See IRC logs: https://view.matrix.org/room/!VxEwjfmZAypdXzZfUp:matrix.org/

Mirror: https://github.com/yegortimoshenko/copperhead-takeover

CEO has sent DMCA takedown request on my GitLab repo, which clearly abuses copyright law. To use the mirrored pages, replace "yegortimoshenko.gitlab.io" in URLs with "yegortimoshenko.github.io".

"I already prevented any possible compromise of the OS. I am not capable of compromising it anymore so no form of coercion can make me do that. It's very unfortunate that things ended this way and now I guess the little money I earned from this will go to legal fees, etc." - Daniel Micay


Apparently he's deleted the signing keys.


I'm wondering if destroying the signing keys will have legal consequences. Are signing keys considered company IP when their identity is "fused" with the main developer?

Reading online posts it seems that the community is trusting the developer, not the company behind him.

If those keys were generated before the company existed, and there is no explicit assignment, then they clearly belonged to him.

If they were generated later, it gets very hairy. Were they created with company resources? On company time? Is there a record of this happening? Etc etc.

Going to court would be a huge waste of money for all parties involved, at this point.

His twitter says he originally generated them in 2009-2010 to submit packages to the aur. So he's probably in the clear.

But if those keys represent Person A at Company X then who owns them? Can the company use them if they don't represent the truth anymore?

Who's responsibility is it to guard/change/dispose them?

Ultimately, who cares who's morally right or wrong? Lets skip the drama and try to see the legal angle, with the goal of figuring out a way to "save" the source code (of possible).

The way I see it (with my limited legal knowledge, IANAL) is that Daniel Micay got paid for his services, and therefore the copyright is assigned to the company behind CopperheadOS. I'm not sure if Daniel can be fired, that'd depend on the legal entity of CopperheadOS (for example, in a general partnership both partners bear responsibility and liability which levels the playing field). I tried looking it up on the homepage, but I've been unable to figure that out. What is the legal entity behind the company "Copperhead Security"?

[1] https://en.wikipedia.org/wiki/General_partnership

Daniel Micay got paid for his services, and therefore the copyright is assigned to the company behind CopperheadOS

If he was an employee, but if he was paid as a 1099 and no assignment of IP agreement was signed, it is his.

Additionally, if it was a "derivative work" of code he had written prior to W-2 employment, that would also muddy the waters of IP ownership.

Copperhead is based in Canada but you appear to be citing US law.

Yes, US law, I am ignorant of Canadian IP law as it relates to employees and contractors.

It sounds like they were both shareholders in the company but neither signed an actual employment agreement.

So they weren't contractors or employees, which makes this a giant mess to sort through.

Source: Almost 10 years ago I was in a situation that was shockingly similar to Daniel's.

Can you tell how it was and how it was resolved, and what you'd do differently if it happened again, if you would?

Ugh there's so much circumstance and context I would have to preface with, but in the end when we decided we couldn't work together anymore (after almost 3 years), we came up with 2 options:

Either one of us buys the other out, or we dissolve the business. He chose to buy me out and attempt to keep going, but the company folded less than a year after I left.

It wasn't quite a messy as this situation seems to be, but it was rough, as both of us had basically put everything we had into the business.

2-person startups are kind of platonic marriages, and as such splitting up is basically getting a divorce (at least in terms of mental stress).

edit: to answer your "what would I do differently" question, absolutely insist on getting a lawyer up front to draft all the paperwork and employment agreements (we didn't do this because it seemed so expensive).


As a SWE, all of my employment contracts explicitly state that code that I wrote for the company is owned by the company. Just because he was paid for services does not mean that the company owns the copyright of the code he wrote.

If I pay a photographer for services, the photographer owns the copyright unless we agree otherwise in a contract. If there is no agreement, the creator owns the work.

My (very limited) understanding is that the rule about works for hire only applies to non-employee contractors under certain tightly defined circumstances. Actually employing a photographer as an employee would mean you own the copyright, paying the photographer as a contractor would not.


Depends on the jurisdiction. Where I live, the employer has an implicit exclusive license to the IP produced by their employees. In theory, employees can even rescind that license but will need to compensate the business (in practice I don't think that's actually possible, the monetary damages to the employer would be ridiculous).

I was speaking from a US perspective.

What jurisdiction do you work in?

Sorry to be even more anal but that has nothing to do with Sweden.

I live and work in Sweden too and I am able to dictate those parts of my contract. Especially as I do a lot of open source work.

SWE refers to software engineer, not being a Swede.

Oic, I had never seen that term used before.

SWE = software engineer?

Also not a lawyer, but I remember reading on /r/gamedev of a geme developer who got screwed over by his artist saying that he could no longer use the assets, or something like that; I believe the same principle applies here. Copyright belongs to the creator of the work unless explicitly stated otherwise.

In the U.S., copyright is automatically granted to the creator of the work, unless the work is a "work made for hire", in which case the copyright goes to the employer. When someone's artist asserts ownership over something they were paid to create, they're essentially challenging its status as a "work made for hire".

The Copyright Office has a circular that they distribute to clarify and help people decide, in general, whether certain types of work qualify as "works for hire" or not. [0]

[0] [PDF] https://www.copyright.gov/circs/circ09.pdf

Ouch! Seems that a company does need a goodwill explicit contract between partners so that in the case of a split or disagreement, the company can use the assets already created, even if copyright is still owned by the parties themselves. Or else all that work can be killed by one spiteful party (or one aggrieved one). Yet... in this case, would that be a good thing? Conundrum.

Debatable without an employment agreement. For all we know the company hired the primary developer as an independent contractor. The tweet references an email demanding the signing of an employment agreement after the fact. That itself is shady and can only enhance distrust. What they need is a dissolution agreement, not an employment agreement.

Further complicating it, Micay says the code is licensed non-commercial. So how can the company commercially exploit that code anyway? I'd be suspicious of any after the fact employment agreement attempting to coerce a re-licensing permitting commercial usage.

Not a huge surprise if you followed rust a few years back:


didn't know Graydon Hoare left rust o_o

ps: the archived date confused me, just in case, this is a 3yo thread https://www.reddit.com/r/rust/comments/2u1dme/daniel_micay/ (enjoy the art)

yikes, what happened here?

/r/rust mod here, strcat asked us to remove the thread in order to keep it from being associated with his real name in Google search results etc. In order to keep the useful discussion in that thread from being lost entirely I created the archived version seen above, with his real name redacted.

Hang on a very very large second here.

I thought you couldn't edit post titles on reddit, and especially not 3 years ago.

Please please clarify.


  From       Title           ID      Date
  github.io  "[strcat]"      2u1dme  Thu Jan 29 02:39:34 2015 UTC
  reddit     "Daniel Micay"  2u1dme  Thu Jan 29 02:39:34 2015 UTC
It's exactly the same post.

EDIT: This is now at 0 points. If I have missed something or misunderstand I welcome clarification. Thanks very much!

Check the URL of the archived thread.

Okay, I've done that. The only thing I can think of to specifically look at is the ID fragment. I see the same ID in the archived thread on reddit.com and the archived thread stored on github.io (I'm not sure which source to disambiguate "archived thread" to).

My point was/is that the threads are identical, and given the different titles points to an supposedly-impossible ability to change thread titles. This is very interesting to me.

In case I'm [still] missing the point you're trying to get at. Further clarification and patience is appreciated.

he explained the point. The archived copy has been redacted, the whole reason the archive exists (and the original deleted) is because its impossible to redact the information on reddit while leaving the rest of the post intact.

Sorry if I'm missing something obvious, but what does Rust have to do with CopperheadOS?

They're pointing to the disagreement between Rust developers and strncat (the CTO of COS, and an influential contributor to Rust).

Ah ok, so I'm guessing that strcat is Daniel Micay then? That wasn't obvious to me (I initially thought that Mozilla might have been funding CopperheadOS or something).

Yep, Daniel Micay == strncat.

What are you trying to imply? This seems entirely unrelated.

It's another example of Daniel Micay (strcat) contributing technically to something, having a falling out with other folks involved with it, then quitting in a huff.

I think that's a really overly simplistic view of the Rust situation and an unnecessary comment on the current situation. Daniel did not 'quit in a huff' or even quit at all.

This belittles his contributions and the situation he's been put in.

I saw how badly he treated people in the rust community, so I have zero doubt that his problems dealing with people played a role in the current situation.

Didn't intend to belittle his contributions though; he contributed significantly to rust and (as I understand it) did ~everything technically on CopperheadOS.

This is an extremely disingenuous interpretation of events, and seems to be given for no other purpose than to shame the clear victim of an abusive business partner. This has nothing to do with how he worked with rust developers, and even Graydon made it clear in that thread that strcat was always justified in his interactions with them. It is extremely dishonest to spin this around and use it to suggest such a ridiculous level of dishonesty.

> This has nothing to do with how he worked with rust developers, and even Graydon made it clear in that thread that strcat was always justified in his interactions with them.

No, Graydon really said nothing of the sort. https://slash-r-slash-rust.github.io/archived/2u1dme.html#co...

"[strcat] is an outstanding technical voice, everyone knows that. He is also an uncompromising technical voice who quickly becomes defensive, critical, sarcastic, belittling, insulting and accusatory when his (often correct) views are not acted-upon by others quickly enough or to his satisfaction. He needs to work on his communication style. He's stepped way over the line of the CoC repeatedly, and if I were still in a leadership role, I probably would have had to ask him to leave by now. It pains me to say that."

What you just quoted literally shows Graydon saying that strcat's views were often correct. I wasn't commenting on strcat's tone/delivery because that's a separate issue, I was saying that it shows nothing about dishonesty, and only backs up the notion that he's honest (if a bit emotional).

Somebody having less than perfect communication skills is no reason to be wildly speculating and throwing them under the bus when they're the victims of something much worse.

What a shame. I used to hang out on Rust IRC when Daniel was still engaged with the project. He always seemed so knowledgeable and he fought for what he thought was best for the language.

So the tweet makes it sound like someone seized control but the email just makes it sound like this guy was just fired. I'm pretty confused

They were the two co-founders of the company, and both still own 50% of the shares of the company, with Daniel having been the CTO and sole developer of its products.

What does the other guy do then?

Handle the "business side".

From 30 minutes reading about this and no prior knowledge about the project or the people involved, this seems to be the probably wrong timeline:

1. Developer starts a project, hacks on it for a while.

2. Developer decides he'd like to get paid for hacking on project.

3. Enter guy. Developer and guy incorporate, with guy as CEO and director, developer as CTO and person who does all the coding. Ownership is 50-50, company assets and personal assets are a mess (domain name & DNS are on the CEO's personal card, copyright for the code CTO writes is not assigned to the company, CTO controls private keys, and some are his personal private keys from before the incorporation).

4. CEO & CTO have a falling out wrt company direction.

5. CTO takes this personally, as a betrayal, seeing the falling out as the destruction of the project he has built basically single-handedly at great personal sacrifice.

6. CTO destroys private keys, plans to sue over copyright. Project is now imploded.

Insert between 5 and 6: CEO "fires" CTO (while simultaneously asking him to sign an employment agreement in the first place)

strncat seems to have conceded that despite the 50/50 ownership, "guy" has the ultimate power since he's a "director" and strncat is not. Does that even make sense? I'm no expert in American contract law, but usually the director(s) serve at the pleasure of the majority of stakeholders and if the stakeholders reach an impasse it's up to the bylaws or a court to figure it out. The way I see it, strncat is still 50% owner of Copperhead and could succesfully challenge all of guy's actions.

Note they're in Canada, so American contract law has no say in this case.

Also, neither seems to understand the difference between being a shareholder and having an employment agreement.

If you own part of the company AND you intend to draw a salary (not just get dividends) then you need both, otherwise you end up in this mess.

Coming up with, and successfully executing a business plan that allows a new entrant smartphone OS to make enough money to employ enough developers to keep it competitive with mainline Android and iOS. Presumably.

You know, the thing Windows Phone, Ubuntu for Android, CyanogenMod and Firefox OS all attempted unsuccessfully.

The "Company" guy has control over the domain/DNS, not the signing key(s).


I figured it was only a matter of time. It's absurd to think you can run a company with a product like this, with only one full-time developer. RIP folks who bought devices from them, who will not longer be receiving updates.

Note to technical cofounders - always keep 51%.

That's an option, but not necessarily the sole one. This problem isn't new. I'd say its one of the primary reasons why a general partnership is a legal entity, or a good choice in this case [1]. It'd level the playing field between both partners, creating a mutual interest from an authority higher than themselves (ultimately, the government). I'm not saying it is without problems though (imagine one of the partners becomes terminally ill).

Another option would've been to call it earlier, before burn-out, when it turned out there was no market for this. If people don't wanna pay or donate for the product, there's no demand apparently. No need to work for a minimum wage. Get a regular job, and use your leisure time as you see fit (for EXAMPLE on a project like this but without pressure or obligation).

[1] https://en.wikipedia.org/wiki/General_partnership

The fundamental tension of "unprofitability" was there from the very start, as real security is directly at odds with traditional business models. The goal of the businessman is to become a middleman, but security precludes having a man-in-the-middle!

Which is why these projects overwhelmingly flame out. The engineer figures there can't be much harm from a business type trying to design a business around their project, as they assume the project philosophy will remain unaffected. Meanwhile the business type is excited about having a new in-demand raw material to which they can add inefficiency to derive a revenue stream. The engineer figures they own the code, so whatever games the business monkey plays, they can only end up back in the same spot. Meanwhile the business type is busy conjuring and documenting bureaucracy like corporate structure and implicit contracts with which to seize power over the raw resource (the project) if the coder doesn't submit to his "real world" supervision.

It's likely that the engineer could prevail and end up owning the code, but only after an expensive and draining legal battle - it's simply easier to move on to productive non-zero-sum things. Meanwhile the business type is all too willing to fight said battle, as investing real money into paperwork games was basically their entire operation all along.

IMHO the real shame in this case was licensing the code base something other than GPL. GPL would have made continued use unambiguous even in the presence of ambiguous ownership.

I can follow you until

> IMHO the real shame in this case was licensing the code base something other than GPL. GPL would have made continued use unambiguous even in the presence of ambiguous ownership.

I don't understand how GPLv2 or GPLv3 or BSDL and many (any, AFAICT) FOSS license would not have done the same. The problem is CC non-commercial. Its actually an anti competitive license. Imagine RedHat using that for all their software. Oracle not allowed to compete?

Yes, the non-commercial license is the bigger problem as it's an ambiguous club that a hostile copyright holder could FUDgeon any sizable community with.

I had been thinking that with BSD, a gone-hostile company could make an argument that more recent changes were not actually intended to be released under BSD, whereas with GPL we know they would have had to have stuck with the license to build on top. But that latter part isn't true if they're arguing that they're the copyright holder.

edit: Actually what I was thinking is true IF there is an additional contributor who's patch got accepted into the main tree. But in this case, given that the ostensible goal of CC non-commercial was so that the code could be dual licensed, we'd expect any such contributor to have been shuffled into copyright assignment.

Not a propitious number for a blockchain company ;-)

That won't necessarily save you, in light of eBay vs Newmark.

Assuming you came up with the idea first, or that you didn't but you're such a technical genius that you can leverage that, sure.

haha aye. people will give grief at some point especially if money is involved. always have some ensurance it can't go completely out of hand...

Between CopperheadOS and CyanogenMod imploding, what's left? LineageOS and Replicant? Anything else?

LineageOS seems to be alive and well.

I'm currently using it while I wait for the Librem5, after which I hope to say goodbye to the dumster fire that is Android.

So what do you plan to move to? iOS?

The Librem 5 runs on a Debian (iirc) based Linux distribution with a custom phone-focused userland, running everything through Matrix

Not only does it run PureOS (Debian derivative) but it's not restricted to run only PureOS. I could run Arch Linux on my phone, yay!

If Microsoft, who seem to be on an open source binge, would let loose WindowsPhone 8.1 ...

(It's not like MS are doing anything in that space anymore, except piling up Win10 stuttering on the remains ... and it might, perhaps, possibly, stub someone's toe ...)

If anyone has grafted a Metro Design scion on a Linux rootstock, that would be worth a look too.

But what about apps? That's a major part of the reasons why Windows Phone died, developers refused to commit resources to port/develop apps to yet another mobile platform.

IIRC, Palm webOS tried to fix that by allowing developers use familiar HTML/JS-based tooling (Enyo) [0] to build apps for that platform, but the die had been cast with iOS and Android.

[0] https://en.wikipedia.org/wiki/Enyo_(software)

Yep, that's the unfortunate rub. And why I'm on iOS now ("dumpster fire" is also my take on the alternative ...)

I will never use a Microsoft device.

I still have an old phone on which I'd installed CyanogenMod. Unfortunately, it's old enough that LineageOS isn't an option, the only updates were nightlies, and it never got past KitKat. About the only use case I can find for it now is as a SIP handset for my Asterisk box. I might just chuck it into a recycling bin, since it's a 3G handset to begin with.

There's an unofficial LineageOS build for my daily driver, but that, too, is trouble waiting to happen since VoLTE isn't supported, and I visit Michigan often enough to need it; I'm on T-Mobile, and a lot of their rural Michigan coverage is Band 12 LTE-only.

There is also https://postmarketos.org/ for the adventurous :)

Tried it on a N900. i3wm with its hardware keyboard works very well!

Sailfish OS [1]

And an alternative for WearOS is AsteroidOS.

[1] https://en.wikipedia.org/wiki/Sailfish_OS

There's eelo, a recently crowdfunded new project. They build on top of LineageOS.

Unfortunately their goals seem not to align with their actions:

They claim to focus on privacy, yet the first thing they publish is a new launcher.

Also they plan to offer a lot of cloud replacements. What do they replace it with? Their own cloud offering. I'd rather host this stuff myself.

But maybe I'm just not their target audience...

I didn't hear about CyanogenMod imploding. What happened there?

Cyanogen Inc, the company founded to do commercial work on it and running a lot of the project infrastructure, ran out of money after some weird things like cancelling a licensing deal with OnePlus suddenly and closed. community part of the project rebranded to LineageOS

Right. The community part - which is still alive and well in its rebranded form as LineageOS - was doing the most important work anyway (or, even if that's a loaded statement, the community part was extremely productive and still is).

> after some weird things like cancelling a licensing deal with OnePlus suddenly

just to be specific, they licensed the exclusive right to the cyanogen name in india to micromax (while previously licensing the non-exclusive right to oneplus in all regions), who then got an injunction against oneplus selling their devices in india.

Factory images improved and then surpassed Cyanogenmod in a whole bunch of ways.

Still no universal way to revoke fine grained permissions from apps in factory Android.

It seems a little silly to me that someone would trust a "secure OS" from a situation where one guy could "seize control" of the company and infrastructure. This is largely why I've never seen third party ROMs as a significant solution to the security situation with mobile phones.

That being said, I'm curious what the other side of this story is. The email makes it sound like the guy's being fired.

> The email makes it sound like the guy's being fired.

The person being 'fired' owns 50% of the company and is the CTO and sole developer of the products, with most of it written on their own time. There's no employment / copyright agreement in place with Copperhead.

You seem like a good guy and principled person, but you should let folks know that you are the developer in question, no?

I disagree, at least to some extent.

CopperheadOS is open source. The scripts to build a ROM are open and it's possible to audit them. In fact, if you don't want to pay for COS you are free to build your own image using said scripts. I've done it. It's easy.

I think the whole mistake CopperheadOS did was switching to a Creative Commons license that prevented commercial use by third parties. This has effectively made it tricky for Daniel Micay to continue his great work on CopperheadOS elsewhere once the company imploded.

It's sad, because it's IMHO the very best ROM out there. I don't want to use anything else. I think they should have gone for a more sustainable business model. In his shoes, I'd restart COS by doing a crowdfunding round and aiming at a few other devices (which may not be hard now with device-agnostic ROMs made possible by Treble).

COS has had a reduced target market since Google decided to price Pixel terminals much higher than Nexus. There are rumours that they might release a cheap Pixel to compete with iPhone SE. That might be good for COS.

> CopperheadOS is open source.

Technically, it is. But, as you pointed out, the license they chose guarantees that it will essentially die out, specifically the bit prohibiting the non-commercial use of it.

It's also mildly interesting that Daniel aggressively defended the creative commons license they chose, when challenged.

I don't understand this.

What exactly is licensed under Creative Commons Non-Commercial?

It is either open source, or it isn't. If it is open source (OSI approved), that doesn't prohibit non-commercial work. Because then it wouldn't be OSI approved. Right?

You don't understand that people might use the words "open source" in a slightly different way than you do?

>If it is open source (OSI approved)

OSI has tried to assemble all the different terms of "open source" that make sense. Creative Commons Non-Commercial isn't one of them:


It isn't "a different way than I do"; its different from both the defacto meaning of the term open source, and it isn't according to OSI. That makes calling such open source deceiving, just like calling shared source open source would be deceiving. Seen enough of that shit to stick to frameworks such as OSI-approved (which is more liberal than FSF or DFSG so it could be even more strict ie. we're being generous).

"shared source" doesn't let you use the code yourself. CC-NC gives you the exact same rights to use/modify/redistribute that you got the code under.

The OSI approves licenses with various restrictions on them, such as displaying authorship, or reciprocation, or patent grants. I haven't seen any reason to categorize a noncommercial restriction as fundamentally different. The noncommercial clause is a huge issue because of how vague it is, but that's a different topic entirely.

Also, using the OSI list as the ultimate reference isn't appropriate in the first place. They only approve licenses that are designed for software. I think almost everyone would agree that CC-BY and GFDL are open source licenses, despite them not being on that list.

"various restrictions on them, such as displaying authorship, or reciprocation, or patent grants."

Those are for the greater good. Saying you are not allowed to use the source code for commercial reasons is discrimination and that isn't allowed according to OSI. I'm cool if you don't wanna use OSI as a rule of thumb; but then my alternatives are FSF's free software definition, or DFSG.

We're discussing source code; so whether something is OSS or not refers to open source software; OSS. The last S is usually omitted, but it still refers to open source software.

> I think almost everyone would agree that CC-BY and GFDL are open source licenses, despite them not being on that list.

These have nothing to do with open source. They might be in the spirit of open source at best (in the situation of GDFL and text), but that's it. Documentation cannot be open source, and GDFL can actually be harmful in that context.

In the thread, he says he owns the vast majority of the code, so he should be able to use it freely and distribute it under any license; at most he'll have to request new licenses from other contributors or rewrite their code.

He also apparently deleted the signing keys to prevent himself from being coerced into offering another update.

Sure, CopperheadOS the project is dead, but nothing stops him from launching a new project with the same code.

The issue with your suggestion that it being open source and auditable makes it secure is that you probably have not read or audited all of the source. Security still relies inherently on trust. And therefore the structure of the entity that controls that software must be trustworthy.

"I think the whole mistake CopperheadOS did was switching to a Creative Commons license that prevented commercial use by third parties."

Maybe. It depends on what commercial use means in that license. Quite a few products are given away for free supported by other products that are commercial. The Open Core model usually does that with layering but the paid product can be entirely different. Maybe something running on CopperheadOS like backup or messaging software. Something individuals and enterprises might buy.

CC non-commercial isn't open source.

Yes it is. Open source literally means that the source is public. I think you mean CC non-commercial is not "free software".

No, open source means the license meets the OSI definition of open source, which CC NC doesn't.

opensource.com would beg to differ. I suppose it depends on where one gets their definition from.

CC NC forbids using the material for commercial purposes [1]. On 'use', opensource.com defers to the four freedoms [2], which includes the freedom to use software for whatever you like. So by opensource.com, software licensed under CC BY-NC-SA 4.0 is not open source. Also they don't mention creative commons when discussing open source licenses [5] because it doesn't make sense for code.

I can see why you might think opensource.com says that open source "literally means the source is public" if you only read the first sentence in their defining article [3]. Fair enough, this is a common misunderstanding [4].

[1] - https://creativecommons.org/licenses/by-nc-sa/4.0/

[2] - https://opensource.com/law/10/10/license-compliance-not-prob...

[3] - https://opensource.com/resources/what-open-source

[4] - https://www.forbes.com/sites/wenjiazhao/2012/07/06/beliefs-a...

[5] - https://opensource.com/law/13/1/which-open-source-software-l...

It is open source but not free software.

Not according to the OSI definition, which arguably traces back very directly to the original idea behind the term:

> 6. No Discrimination Against Fields of Endeavor The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.


The whole OSI endeavour is far from uncontroversial in the OSS/FOSS world. It's not gospel to quote from, particularly when it comes to commercial use. A lot of people would say that OSI exists precisely to make sure corporation-friendly clauses like this would prevail in the open-source world. Hell, the whole "open source" term was literally invented by people like ESR to differentiate from Free Software enough to make it an easier sell in the commercial world.

> Hell, the whole "open source" term was literally invented by people like ESR to differentiate from Free Software enough to make it an easier sell in the commercial world.

If it was invented for that purpose, isn't that a reason why one shouldn't use the term for things that conflict with that goal?

"Free Software" following GNU also can't have a non-commerce clause (Freedom 0). I totally get that people want to restrict commercial use, but I believe "everyone can use the software" is enough of a core value and a NC-license would be incompatible with so much of the ecosystem that it's fair to classify NC-licenses as something else.

The OSI definition is based on the DFSG, so in practice it's stricter than the free software definition.

> "secure OS" from a situation where one guy ... Best comment. Security is a probability theory. You rate probabilities of factors and multiply them. Probability of one guy inserting backdoor is much higher than probability of inserted backdoor in iOS or Android, hence, you'd be better off with stock SW.

And you'll be sticking out like bamboo tree in midwest, with your 'secure os'

This is silly. Security is not so much probability theory as it is cost vs benefit.

The probability of one guy inserting a backdoor is high, but the payoff for compromising his platform is incredibly low.

The probability of compromising one of the big two - android/ios - may be low (keyword: may. It turns out large groups are also made up of lots of "one guy"s) but the payoff is huge.

> probability of compromising one of the big two - android/ios - may be low - payoff is huge.

Whats your point? My point is that it takes nation state to do that.

It takes a nation-state to do it and nation-states have an interest in doing so. Copperhead maybe could be comprised in the short term by just any thug with a led pipe making threats but those thugs have much softer targets than that so why would they?

> the payoff for compromising his platform is incredibly low

True, but price of the compromise is low as well. Scratch that. All it takes is to hack this one guy, i can do that :)

Visiting the HN website is pretty "sore thumb", I wouldn't skip a secure OS for that reason. We should just ALLL choose a secure OS!

Could you try to rephrase it? As it is, it makes zero sense at all.

No one could seize control of the company, that's the point. The signing keys were wiped - compromise is now impossible through that avenue.

fwiw, the screen-shot: https://paste.xinu.at/QIWIC7/

On the upside, the damage that's there remains in plain sight thanks to the guy who made the opposite of the last paragraph happen.

Does anyone have any idea how many devices run CopperheadOS? The market has to be extremely tiny. How many people are capable of manually flashing an image onto a Nexus/Pixel, and then what subset of that group is interested in a "more secure" ROM?

>How many people are capable of manually flashing an image onto a Nexus/Pixel, and then what subset of that group is interested in a "more secure" ROM?

It's mostly their commercial clients. Very few regular people can use COS for recent devices (for free) since you need to build it from source.

It's not that hard. I'm a mechanical engineer who happens to care about privacy. I was able to build it by following a guide. There are many tutorials if you search. I don't have any degrees in computer science or IT, if I could build it I would guess anyone could.

Yeah, it's not hard. The steps are pretty well documented. It's just not very practical. You need to do it every month and flash manually. You lose the OTA mechanism unless you also set up an update server and hack on the code to point to your update server. I don't know how well that stuff is documented. In any case, all this is extremely niche. You need a good HPC like system to have reasonable build times. Note that you are also building chromium in addition to the ROM. The parent's point was about user numbers, and I am pretty sure that that's minuscule outside of their paid users.

Well, you can't do any of that if there's even a hint of commercial use because of the CC BY-NC-SA license they (CopperheadOS) used. So you can basically only build it for yourself.

And the uncertainty of what Creative Commons means for code. It likely extends to the produced binary. Does it extend to the use of that binary - are you violating the license if you use a phone with self-built CopperheadOS for work purposes?

Is it possible for them to fork under a new name? I ask because it depends on how they have structured the copyright of their code and open source licensing. I don't see any other simple solution besides forking and creating a new entity he owns 100% of.

I asked strncat, he said it's not possible even if provided a substantial amount of funding. (Something about having to rewrite tools or something like that.)

The code is available under non-commercial licensing. It sounds like ownership beyond that is going to be sketchy enough that no other licensing is likely safe to assume under any condition short of a definitive resolution in court or another company buying out both partners.

damn i was about to buy a phone compatible with it...

what was the price of yours vs iPhone 7?

iOS is better :)

I was a techie, thinking Android is open source and I get SD slot. Busted big time. Android is Google's child, tied to its services, like Chrome, phoning home on every step.

iOS is years ahead in security and privacy. Read its whitepapers, read forensics blogs - they're all about iOS, mentioning Android in the passing, as too easy to be a blog post - blog.elcomsoft.com

Another Theo

I love Theo, no compromises. Theo Victor! :)

His employment is suspended with pay, stipulating signing an employee agreement?

OK so you're suspended, and we will pay you only if you sign this agreement that any ethical company would have had you sign at the start of employment.

This sort of duress after the fact is unethical and possibly illegal. And the demand for control of a personal GPG key predating employment is eyebrow raising and properly should invite ridicule.

If the underlying hardware is compromised(it is) then it doesn't matter what the os does.\ EDIT: If you are downvoting me - state why.

Depends on your threat model. Sure, it's impossible to keep out certain nation states, but a number of OS changes can keep malicious applications developed by less-skilled nation states or highly skilled individuals under control. It's not perfect, but it's better than nothing.

Unless you are suggesting that we should just give up on security entirely because it's impossible to have a system that is 100% secure?

Do people really need to worry about other than national states with android and ios? Exploits/Viruses in these OSes are extremely rare in comparison to the desktop OSes and they're just getting harder to exploit. It's gettting to the point where you need the resources of one of the cyber superpowers to exploit these OSes. Their permissions based security model is great and hopefully will make their way to desktop.

My theory is that there is a backdoor into these OSes. It's the path of least resistance and there's precedence of this. Obviously Apple/Google are going to vehemently deny this as this and these backdoors would be able to provide the most precise form of surveillance ever created.

There are relatively easy tutorials out there, some on freaking YouTube ffs, about how to connect to the JTAG pins on most Android phones and pull data right out of memory.

These are barely above trivial attacks that don't require a nation state to pull off, just a talented engineer.

I don't think most people care about physical access exploits. If you did you would have some specialized software which would remotely wipe it upon being tampering with. Common sense.

What really matters security wise is who is this security for? If it's for state actors(vault7) then it's useless. It's known that copperheados doesn't do much to defend against them as the phones are exploited on a hardware level. All this extra security is pointless as the people you are most worried about, has access.

> If you did you would have some specialized software which would remotely wipe it upon being tampering with. Common sense.

If somebody physically attaching to your device isn't doing so in an environment that doesn't also block radio signals, they've already failed... and you can't be wiping your phone every time it loses signal.

The threat model of a personal computer and the threat model of something that literally follows you everywhere and knows everything you do are very different.

Physical access is much easier to obtain exposes you to way, way more. Getting a divorce? Your phone is probably something you want to guard extremely closely. You can get someone to pin your android phone for low-double digit thousands of dollars -- or even free if it's the right kind of person with the wrong kind of morals. IMO, if you have any meaningful assets to protect, whether they're yours or your company's, buying an Android phone with JTAG pins is _insane_ (or simply poor risk analysis).

But what do I know? I've only JTAG'd a phone before, scraped the RAM, obtained the unlock code and all of the user data. Random thought: how many people do you know whose phone unlock code is also their ATM pin number?

The first rule of vote club is you do not talk about vote club. Also, people who vote on your comments either up or down don't owe you explanations. Both of these are standard HN practice.

Not GP, but I don't consider it harmful or whatever to ask why folks disagree with you if you don't understand why folks would disagree with you. Sure, none of us owe them an explanation for voting a certain way, but maybe someone will come along and explain it, and they'll learn something new.

I don't think the system is strictly "you're right" or "your're wrong" and providing any supporting explanation is discouraged.

I don't consider it harmful

It pretty much always devolves into pointless meta. If someone wanted to tell you how right or wrong you are, they'd reply to your comment. Sometimes, perfectly reasonable comments get downvoted. Sometimes, truly awful comments get upvoted. Sometimes people fatfinger the wrong button on their phones. Every poster and every thread is better off just living with it, not worrying about it too much and sticking to the quality of the conversation itself.

We are the quality of the conversation itself.


Yea, we literally are, unless all other commentors on HN are bots...

No you literally aren't. You are you. The conversation is the conversation. Those are two distinct things. Nobody can ask you to be mindful of the quality of other people. It's trivial to just avoid interminable discussions about voting.

The most telling thing about this is that nobody ever demands explanations for upvotes so it's obviously not because there's some real belief these explanations would make the conversation better. It's just that being downvoted feels bad. But really, at worst, you'd eat -4 points here or there. Best is to just put on your wizard hat and Epictetain stoic robe and move on. And this isn't merely a good idea - it's the law.

Discussions about why comments are downvoted are useful to understand the group mentality of the site, and sometimes the post is just factually wrong, badly composed, or has another negative quality that would be similarly evaluated by multiple readers. Maybe the author mistyped something.

If the only feedback is a bundle of downvotes, it makes sense to ask for more detail. The site is better off when contributors understand what comments the community considers valuable. Sometimes the meta-discussion even leads to a good, but downvoted, comment recovering.

Discussions about why comments are downvoted are useful

Well, you'd have to convince not me but the moderators of the site of that. They're quite explicitly off-topic in the written guidelines. Have been for many years along with 'neither downvotes nor upvotes come with an explanation obligation'.

And more generally, it's social interaction, not a compiler. Like most social interactions and for most people, it's not that hard for a newcomer, with a bit of participation, to sort out the context and written and unwritten norms, without constant and explicit error messages.

Or, I can just answer people's questions about their downvotes to the best of my ability. They're guidelines, in the sense of rules of thumb. There are plenty of times when they just don't make sense. In doing so, you're just taking the chance that a lot of people disagree with your reading of the situation.

> And more generally, it's social interaction, not a compiler.

You've never asked "What did I say wrong?" when someone reacted unexpectedly in a social interaction? No one owes you an explanation, but there are times when it's a reasonable question and shouldn't hurt to ask.

They're guidelines, in the sense of rules of thumb.

That's really not how they're treated. Neither 'don't be a butthead' nor 'don't whine about votes' are serving suggestions. They're both enforced constantly, directly and indirectly. Without that, the site would be an unreadable cesspool.

You've never asked "What did I say wrong?" when someone reacted unexpectedly in a social interaction?

I don't present every stranger who bumped me on the bus and then gave me the stink eye as if I was the clumsy boor with a questionnaire aimed at establishing a more constructive basis for our ongoing relationship. I just frown and go back to staring at my phone. This is a far more taxing and awkward near-daily social interaction than a seemingly inexplicable downvote.

> That's really not how they're treated.

It really is, in my experience, at least in the rare cases where the reason for a mob downvote isn't clear.

> I don't present every stranger who bumped me on the bus...

But then, you have a single, specific focus for the "downvote": Some single person, who's apparently having a bad day. The cause is obvious, won't be improved by questions, etc. It's a good example of a case where the rule-of-thumb applies. Further, your "questionnaire" could be a raised eyebrow to the person next to you, who might look up, shrug, and turn away.

The whole point is to see if you're being the asshole, or if it's the other guy being unreasonable.

Now, imagine that everyone on the bus is self-selected for a trait besides wanting to travel somewhere. Say, they're tech or business people, congregating for the chance to talk about things that interest "hackers". They're there specifically to talk and discuss. A driveby downvote doesn't aid that goal. An explanation of why the commenter is being unreasonable does, even when it comes as speculation from someone who didn't downvote them.

But then, you have a single, specific focus for the "downvote"

Cause that's what we're talking about, Willis. Downvotes and how they require none of the emotional or mental energy you seem to be willing to spend on them. It's a complete waste of time, at least, given the purpose of the site and we have rules to remind us what a complete waste of time it is.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact