alt.hn

4/21/2026 at 3:04:24 PM

Original GrapheneOS responses to WIRED fact checker

 https://discuss.grapheneos.org/d/34369-original-grapheneos-responses-to-wired-fact-checker

by ChrisArchitect

4/21/2026 at 3:53:09 PM

> Donaldson, now 42, is a self-taught hacker who never finished school, was briefly unhoused, and spent most of his twenties in a “positive hardcore punk band.” “It’s cool being smart,” he told me. “But if you can’t pay your bills, you’re a dumbass.”

> The domain “Copperhead.co” was registered by Donaldson in 2014 and incorporated in 2015 under both Donaldson’s and Micay’s names. The idea was that shares would be split equally, with Donaldson as CEO and Micay as de facto chief technology officer. Their flagship product

It sounds to me like some "business" characters I know well. They "handle the business" while someone else does 99% of the actual work, then ask to split 50/50. This didn't work out for Donaldson, and now he spends his time harassing Micay? Is that the gist or am I misreading?

by gslepak

4/21/2026 at 4:01:15 PM

> They "handle the business" while someone else does 99% of the actual work, then ask to split 50/50.

As a response, Micay decided to destroy the update signing keys for all the CopperheadOS devices out in the wild. Resulting in financial damages to Donaldson.

Hardly a level-headed response, even if you disagree about the financial share of something.

by Avamander

4/21/2026 at 6:40:39 PM

That is a perfectly level-headed response. Signing keys must be protected. In the event of a hostile takeover, where a malicious party seeks to compromise the privacy and security of your userbase, destroying the keys is a sensible decision. Failure to do so, and successful compromise of the keys, will let the malicious party push whatever update they want, and it will be accepted due to being signed correctly.

It was not a disagreement about shares, it was a hostile takeover. Someone who never owned the project sought to steal it.

by HybridStatAnim8

4/21/2026 at 8:51:21 PM

Exactly. It was a bold and necessary move to defend the users and the project. Some users got bricked OSes, but had he handed over the keys it would have put those users at risk and would have destroyed the credibility of the project. Also, and as from what I understood from the GOS response he was not an employee of the company and had the ownership of his OS, and CopperOS would have been able to use their own signing keys but they never did which is strange, so even legally it looks like a "level-headed" response.

by latable

4/22/2026 at 12:01:26 AM

Important to note that users only stopped getting updates, the phones were not bricked and they can reinstall the OS signed with the new key.

CopperheadOS was always's Micay's project and used his own signing key. The key never belonged to Copperhead the company afaik.

by TommyTran732

4/21/2026 at 5:06:44 PM

> Hardly a level-headed response, even if you disagree about the financial share of something

According to the linked responses, the keys were not deleted because of disagreement over financial share, but over how the keys were to be used (in particular, in potentially dangerous security-wise ways), for which he did not want personal responsibility over (the keys belonged and used by him even before that project)

by freehorse

4/21/2026 at 5:21:15 PM

[flagged]

by Avamander

4/21/2026 at 5:55:34 PM

Phantom Secure is directly named as one of the parties Donaldson was dealing with, with others being suspected:

>Donaldson tried to make a deal with Phantom Secure, which ultimately didnt work out. Micay suspected other counterparties were linked to organized crime, but we cannot confirm those identities or ties on short notice. Donaldson began pursuing such deals before Micay left and continued afterward.

https://discuss.grapheneos.org/d/34369-original-grapheneos-r...

by ysnp

4/21/2026 at 11:55:03 PM

Stated by Micay/Graphene, who has also stated /e/ is in cahoots with the French government, CalyxOS is to thank for his swatting, F-Droid conspires against him and Rossman being a Kiwifarms supporter.

You can't believe someone who has constantly claimed things without receipts.

by joemazerino

4/22/2026 at 5:57:19 AM

From what I've read I understand it is more like:

/e/OS (recipient of EU funding) and iodéOS are European projects that have not been singled out by the French government in smearing despite them having the similar self-professed goals to GrapheneOS. That they had any influence at all on the French government directly is speculated but not asserted.

CalyxOS/Techlore are blamed for being complicit in escalating the animosity and furore around what were initially low-key fallouts/disagreements. This led to GrapheneOS/Micay escalating to defend themselves which unchecked fuelled a spiral of influencer content, vile spamming of CSAM in GrapheneOS rooms (I can personally attest these were some of the biggest on Matrix at the time and led to the team giving up on Matrix moderation and self-protection capabilities), intense public speculation/accusations about Micay's character/mental health etc. which eventually resulted in the swatting attempts.

F-Droid project members have publicly aired their dislike of Daniel as a result of direct or indirect disagreements and did have a software quirk that caused an issue for GrapheneOS/possibly other custom OSes' users due to their added permission (which the two parties again disagreed on). Conspires is loaded wording.

But I do not think it is productive for me to dredge up posts and potentially cause more misunderstandings as a complete outsider for something that is directly affecting someone's life like this. They (Micay/GrapheneOS) have posted detailed contextual snippets and information about what has happened so please contact them directly for reference to the original posts and discuss if you really wish to find out more.

by ysnp

4/21/2026 at 6:41:57 PM

The claims arent vague, they are quite specific in what happened. This wasnt spiteful and this wasnt disgruntled. It was the logical choice given the circumstances.

by HybridStatAnim8

4/21/2026 at 7:03:00 PM

[flagged]

by Avamander

4/21/2026 at 8:25:14 PM

Hey! On a quick introductory note, I'm the community manager and the person who was interviewed. Please, read questions 17, 25 and 26 and our respective answers to them in the linked forum thread. In particular the following parts that I'm pasting here for convenience:

Question 17: Did your and Donaldson values begin to diverge? Was Donaldson more concerned with making money than you were?

Answer: [...] In 2018, matters between Micay and Donaldson came to a head over Donaldson’s desire to pursue business deals with criminal organizations, and his attempts to compromise the security of CopperheadOS, including by proposing license enforcement and remote updating systems that would allow third-parties to have access to users’ phones. As part of this process, Donaldson began to demand that Micay provide Donaldson with the “signing keys” - i.e. the credentials required to verify the authenticity of releases of CopperheadOS. Donaldson advised that, in order to secure certain new business, potential customers required access to the Keys.

The keys had been in continuous use by Micay, in his personal capacity, since before the incorporation of Copperhead. However, more importantly, any party with the keys could mark malicious software as “authentic”, and thereby infiltrate devices using CopperheadOS.

Micay was unwilling to participate in that kind of security breach. Since Donaldson had control over certain infrastructure for the open source project, he would be able to incorporate (or hire others to incorporate) the privacy-damaging features described above for all future releases of CopperheadOS. Micay therefore deleted the keys permanently and severed ties with Copperhead and Donaldson.

Question 25: Did things between you and Donaldson devolve when he approached you about a compliance audit? Did he tell you that he needed to know how the signing keys were stored?

From Wired:

We understand that Daniel's recollection was not that James wanted to know more information about how the signing keys were stored, but that he wanted direct access to them.

Question 26: Did you suspect his request was tied to a deal he was brokering with a large defense contractor? Did you believe this would put the entirety of CopperheadOS’ user base at risk?

Answer: Yes and yes.

The large defense contractor in question was Raytheon. The decision to destroy the signing keys was not based on a financial disagreement, but an existential one. Every single CopperheadOS user back then would have been compromised otherwise. It's of course a big deal given the implications, but it acted as a last resort for Daniel to stop a hostile takeover attempt fueled by greed, which he ultimately took because there was no other way out.

by spring-onion

4/21/2026 at 11:06:16 PM

Raytheon literally asked for the signing keys of CopperheadOS? After all this vagueposting around it, I find that hard to believe.

Or is it just that Raytheon went against what he thought CopperheadOS stood for?

by Avamander

4/22/2026 at 12:31:59 PM

As part of a contract which Donaldson wanted to pursue, evidently at any cost.

by spring-onion

4/21/2026 at 11:55:55 PM

Have any pieces of evidence to support this?

by joemazerino

4/21/2026 at 4:21:37 PM

Sometimes deleting it all is the only principled action https://www.theguardian.com/technology/2013/aug/08/lavabit-e...

by ForHackernews

4/21/2026 at 4:56:01 PM

IMO its a lovely paradox that no one can argue against such a deletion. Either the party choosing deletion is reasonable so there are grounds for deletion or unreasonable and they are the grounds for deletion.

by torvoborvo

4/21/2026 at 4:15:14 PM

"Financial damages".

So what? Causing someone financial damages isn't illegal. Your boss causes you financial damages when they fire you. Your competitor causes you financial damages when they offer a discount.

If Micay was a 50% owner, sounds like he didn't do anything illegal. Immature maybe, which simply puts him at parity with the other party involved.

by margalabargala

4/21/2026 at 6:48:20 PM

Deleting the signing keys for the sake of protecting ones users is the mature and responsible thing to do.

by HybridStatAnim8

4/21/2026 at 4:18:58 PM

> Immature maybe

Yeah, that’s the issue. I don’t want people who behave immaturely, impulsively, or vindictively, having a key role in something as important as my phone os. I want stability, maturity, and thoughtfulness.

by kennywinker

4/21/2026 at 6:53:07 PM

That is what CopperheadOS, and now GrapheneOS, provides. Its a level of "battle tested" that most OS and app devs never have the opportunity to have. Deleting the signing keys during a hostile takeover attempt rather than submitting to pressure or greed is an amazing quality that is rare to find.

by HybridStatAnim8

4/21/2026 at 8:39:45 PM

So what exactly would you have done? Risk the key being taken over by a shady entity? Does the alternative really scream "mature, stable, and thoughtful" to you?

by TommyTran732

4/21/2026 at 8:59:42 PM

It looks like a very mature action to me: It certainly avoided the compromission of an OS that aims to be secure after all. It is not some windows OS with encryption keys sent to the cloud, so if security is compromised I fully expect targeted devices to break.

by latable

4/21/2026 at 4:30:06 PM

Understandable wishes, but you might have to put something from yourself into it if this is a pressing concern. Or you will be left to your own corporate devices.

by exceptione

4/21/2026 at 4:39:10 PM

What exactly are you suggesting? If i go help out at the graphene os project, that won’t change their leadership. Should I make my own fork?

by kennywinker

4/21/2026 at 8:21:41 PM

The leadership is great. Persistent, patient and friendly.

They were able to improve. I don't think many of the often negative and ad-hominem critics would be able to endure such a pressure as they had in the past.

by chappi42

4/21/2026 at 4:53:28 PM

The GOS (GrapheneOS) lead had responded to criticisms like yours that he gladly retreats inside his tech role if others would take it upon them to refute the claims from rivals. So if you are that balanced, normal person, you could take that work out of his hands. Or help fund a full time PR person.

«In 2018, matters between Micay and Donaldson came to a head over Donaldson’s desire to pursue business deals with criminal organizations, and his attempts to compromise the security of CopperheadOS, including by proposing license enforcement and remote updating systems that would allow third-parties to have access to users’ phones. As part of this process, Donaldson began to demand that Micay provide Donaldson with the “signing keys” - i.e. the credentials required to verify the authenticity of releases of CopperheadOS. Donaldson advised that, in order to secure certain new business, potential customers required access to the Keys.»

Micay is rightfully paranoia, just having a GOS phone makes some government agencies quite mad. There are many ways a project like GOS could die, disinformation could certainly kill it. Other projects don't help the case if they throw mud at it. Rather, they should focus on their real technical shortcomings, but such articles aren't written somehow. https://eylenburg.github.io/android_comparison.htm

EDIT

  > Should I make my own fork?
You could contact him to offer your help where he falls short.

by exceptione

4/22/2026 at 4:28:30 AM

Ah yes, i’ll definitely be volunteering my time to help with something i have no experience or qualifications about. Great idea.

by kennywinker

4/21/2026 at 4:24:19 PM

Mental health and wellness issues in high tech research and development are everywhere. I would suggest that you focus on the product and what it can/cannot do for you.

by cf100clunk

4/21/2026 at 4:28:10 PM

Suggest away. It’s still a factor in my decision making, because if I can’t trust the developers to behave well, i can’t trust the product to continue to do what it says it can do for me.

by kennywinker

4/21/2026 at 6:57:47 PM

Destroying the signing keys in the midst of a hostile takeover is the responsible thing to do. Its for the safety of their users. Thats a commendable trait to have.

by HybridStatAnim8

4/21/2026 at 9:01:41 PM

What does it means to "behave well" for you in this case ?

by latable

4/21/2026 at 5:53:58 PM

When you have to trust the OS images generated by the authors it becomes a massive issue.

by goodpoint

4/21/2026 at 6:59:03 PM

You always trust the developers of software. The only way to stop that is to not use the software.

by HybridStatAnim8

4/21/2026 at 6:18:54 PM

[dead]

by joyous_limes

4/21/2026 at 7:12:31 PM

Then avoid GrapheneOS

by goodpoint

4/21/2026 at 4:49:10 PM

The path to maturity requires immaturity.

by rigonkulous

4/21/2026 at 4:23:47 PM

Things aren't only bad if they're illegal. There's plenty of bad things one can do that are perfectly legal, and plenty of good things one can do that are totally illegal.

by ryanmcbride

4/22/2026 at 2:02:22 AM

It's not clear to me that causing "financial damages" to the person described is even a bad thing.

If you prevent your grandparent from getting scammed, you've caused financial damages to the scammer.

by margalabargala

4/21/2026 at 5:10:27 PM

And there are legal remedies to create deterrents without a court. Boycotts, journalism or new competition.

by abnercoimbre

4/21/2026 at 4:17:21 PM

[flagged]

by Avamander

4/21/2026 at 6:49:07 PM

More like the coordinates of a home were burned to protect its occupants. It was a practical choice, not an ideological one.

by HybridStatAnim8

4/21/2026 at 4:24:35 PM

If you own something you can do what you want with it including rendering it useless

by dmbche

4/21/2026 at 4:36:35 PM

If you own all of it, yes. If you only own most of it, the minority owners do have some rights -- just fewer than you do.

by amalcon

4/21/2026 at 6:50:18 PM

Micay owns the whole project. Ownership of the project was not exchanged or divided, part of the explicit terms of the agreement were that Micay would hold the keys and ownership of the project just as they always have.

by HybridStatAnim8

4/21/2026 at 5:50:13 PM

Sure!

by dmbche

4/21/2026 at 4:27:55 PM

[flagged]

by Avamander

4/21/2026 at 6:51:18 PM

Thats a characteristic all modern OSs and modern apps have. You need to trust the key holders, always. Some people make their own builds for this reason. Depends on the threat model.

by HybridStatAnim8

4/21/2026 at 7:02:09 PM

[flagged]

by Avamander

4/21/2026 at 4:25:18 PM

The keys got wiped for way spookier reasons than Micay wanting money.

Intelligence wanted in, and Donaldson seemingly would have been happy to oblige.

by DANmode

4/21/2026 at 4:34:09 PM

[flagged]

by Avamander

4/21/2026 at 4:41:56 PM

From the story you’re commenting on:

> From Wired:

> We understand that Daniel's recollection was not that James wanted to know more information about how the signing keys were stored, but that he wanted direct access to them.

> Did you suspect his request was tied to a deal he was brokering with a large defense contractor? Did you believe this would put the entirety of CopperheadOS’ user base at risk?

> Yes and yes.

by DANmode

4/21/2026 at 4:43:34 PM

[flagged]

by Avamander

4/21/2026 at 6:45:49 PM

They were compromised. Greed overtook the principles on which the project was founded and put the project at risk. They agreed from the start that Micay would own the project and hold the keys. They explicitly accepted those terms. Despite this, they tried a hostile takeover anyway.

Forking and building a separate build isnt dual signing, its just forking. You can do that right now with GrapheneOS and its build guide if you want.

Im not sure what you mean by the last part, GrapheneOS has been quite upfront with all of this from the start.

by HybridStatAnim8

4/21/2026 at 6:58:24 PM

[flagged]

by Avamander

4/21/2026 at 5:02:11 PM

From a security-minded user perspective it makes sense to destroy keys when instead of a single entity I receive updates from I get another entity that is not equivalent, and half of my previous entity thinks that the other half is sus.

by lostmsu

4/21/2026 at 5:11:48 PM

[flagged]

by Avamander

4/21/2026 at 6:47:44 PM

It wasnt intelligence agency compromise, it was a business partner compromise, who intended to violate the privacy and security of their users. Nothing about this is done out of spite. Im not sure where youre getting that from. You just seem to be attacking peoples character for making the right choice given the circumstances.

by HybridStatAnim8

4/21/2026 at 6:56:51 PM

[flagged]

by Avamander

4/21/2026 at 4:35:30 PM

What is your source for this?

by next_xibalba

4/21/2026 at 4:42:28 PM

TFA.

Reddit and IRC/etc logs from the period are illuminating, too.

by DANmode

4/21/2026 at 3:56:26 PM

I love GrapheneOS and I use it daily for more than 2 years. However, and as Louis Rossmann pointed out in one of his videos, they really need to work on the "defensiveness" and "rants" of their communication. Even when they are 99% right most of the time, they sometimes don't come as mature and professional.

by Cortex5936

4/21/2026 at 5:23:47 PM

My gut feel is that Micay is genuine, and obviously also very defensive.

At least some of the defensiveness is warranted. Maybe most of it. Regardless, it comes across in most GrapheneOS communications, and it's sometimes counterproductive.

A related issue, which I'm sure Micay can appreciate, is that users of GrapheneOS tend to be cautious, and increasingly will want to know why the project should be trusted, now that it is popular and on a lot of radars of adversaries.

(For example, hypothetical scenario that's plausible, given the incentives: State actor (e.g., RU, US, CN) or organized crime group long-con starts with a public harassment campaign of Micay. Followed by sleeper volunteers taking more control of the project, initially under the pretext of helping insulate Micay from harassment, and taking some of the load off. Later maybe even impersonating Micay. Now the threat actor has backdoors to a large number of especially privacy/security-conscious parties, including communications, 2FA, location, cryptocurrency wallets, internal networks where those people work, etc.)

I think it probably hasn't been compromised like that, but it's an obvious real possibility, and IMHO, until GrapheneOS is more transparent, some natural users of GrapheneOS are going to consider iPhone relatively "the devil you know".

Again, I think Micay is genuine, and I'm a fan of the project and appreciate it. And I hope the project understands that's compatible with critical thinking about infosec, and doesn't take personal offense at that.

(Source: Am long-time GrapheneOS user, and have donated.)

by neilv

4/21/2026 at 6:51:57 PM

I agree that this is an issue, but it is impossible to prove a negative. The same could be said for Apple's or other manufacturer's signing keys. Who guarantees that the US government hasn't required access to the iOS signing keys? Or China in exchange for access to the Chinese market? They probably wouldn't even want to reveal that the signing keys were leaked if they were allowed to, since it would undermine their security story.

With a non-profit project of highly principled security experts, there is at least a high probability that they'd rather blow up the project than compromise. People elsewhere in the thread criticize Micay because he deleted the CopperheadOS keys, but to me it increases trust in the GrapheneOS project, since he clearly puts the security of his users over money, fear, and whatnot.

In the end trust arises from running a project or company long-term without evidence that you somehow compromised security.

I wonder in general how this situation could be improved. Second or third independent reproducible build + confirmation signing?

by microtonal

4/21/2026 at 7:08:27 PM

All of the defensiveness is warranted. They speak neutrally and objectively.

The project is not going to relinquish control to any 3rd party. Not even the Motorola partnership is given control over the GOS project. The hypothetical you describe is not possible by design.

The GOS project takes no issue with critical thinking, and encourages it. But that is often used as an excuse to handwave attacks. There is a very big difference between criticism/critical thinking and attacking them.

Note that there are more individuals in the project than Micay. Multiple people handle multiple responsibilities, its not one person.

by HybridStatAnim8

4/21/2026 at 8:41:19 PM

> The GOS project takes no issue with critical thinking, and encourages it. But that is often used as an excuse to handwave attacks. There is a very big difference between criticism/critical thinking and attacking them.

Responding to attacks so defensively is almost alway a bad look for organizations. They could really use a PR person with a more measured voice that corrects facts and projects confidence, and does not convey victimhood, insecurity or defensiveness. Take a look at the tone of press releases issued by companies when some tech press bozo writes a hit piece on them, for good examples of dealing with people attacking you.

by ryandrake

4/22/2026 at 12:09:17 AM

I would not use those words to describe the approach they take. They make the effort to speak neutrally and objectively, but the issues they are making light of are often exactly as extreme and common as they describe. Many people have voiced appreciation that they decide against a "corporate-speak" approach. The GrapheneOS accounts are meant to be accounts that let project members speak to users, rather than take on a corporate appearance.

by HybridStatAnim8

4/21/2026 at 9:03:00 PM

I'm sure you realize that confident assurances of a random new pseudonymous account on a Web site isn't sufficient for anything of importance.

Is there an authoritative source of information about how a takeover like that isn't possible by design, which people can verify, analyze, hold parties accountable for the pieces that require it, etc.?

by neilv

4/21/2026 at 10:10:08 PM

I am a GrapheneOS user and community member, and I am active in the chat rooms. I made this account to assist with misinformation.

As for how such a thing would not be possible;

-GrapheneOS updates do not trust the network, so any compromise of update servers for OS and app updates would not be able to push malicious updates. Only those who hold the signing keys are capable of pushing updates that will be accepted.

-Multiple people review the code that gets included in the OS. There is not one point of failure when it comes to social engineering.

-GOS supports reproducible builds, so the code that is published can be verified to be the code that is built for the official builds.

So in other words, you would need to convince multiple people who are consciously protecting against this, and who have a proven track record of burning the keys if the privacy and security of their users are in jeopardy. On top of that, you need to conceal this from every developer, moderator, and community member who would raise the alarm at the slightest indication of compromise.

by HybridStatAnim8

4/21/2026 at 4:09:32 PM

Personally, I like that they come across as a little paranoid. That's exactly the attitude I want in the people protecting my privacy and security. I hope the developers lie awake at night, unable to fall asleep because terrified that someone somewhere is plotting to attack and exploit them

by Georgelemental

4/21/2026 at 8:05:42 PM

While I understand you are trying to be positive about this, I don't think it's good to want our team portrayed like this, sorry. Paranoid people are people who'd easily be influenced into doing harmful behaviors because it believes it will stop their problems. Making a response to inaccuracies and bad journalism platforming an extremely malicious actor isn't a symptom of that. We don't have people with severe mental illness on the team. That would be irresponsible and mental illness is not something to romanticise in my opinion.

by finalst

4/21/2026 at 4:12:09 PM

There's healthy paranoia and there's treating even casual commentary/criticism from anyone as an existential threat & coordinated attack...and responding to that with sustained, coordinated attack campaigns online. That's what Micay's history is.

That's not healthy for any project.

by busterarm

4/21/2026 at 7:12:41 PM

This is false. Commentary and criticism is not treated as a coordinated attack. Coordinated attacks are treated as coordinated attacks. Criticism is often used as an excuse to try and hide attacks, and many people unfortunately cannot tell the difference.

by HybridStatAnim8

4/21/2026 at 4:42:51 PM

Recently, the socials have been more moderate and level-headed, imo.

by Cider9986

4/21/2026 at 5:13:44 PM

Could you share a link or something about this?

> ...responding to that with sustained, coordinated attack campaigns online. That's what Micay's history is.

For the rest, in general, I'm tempted to give grapheneOS the benefit of the doubt. Running any FOSS project is hard, running it against the (implicit) wishes of OEMs/Google (who throw in things like Play Integrity) is even harder, and doing it when 3 letter agencies at the US govt actively hate you is harder still.

Being paranoid in responses to FUD campaigns isn't ideal, but save coordinated attacks, I'd say fairly understandable.

by user_7832

4/21/2026 at 6:56:58 PM

Well, they have had to deal with multiple swattings, constant misinformation from some competitors (e.g. Murena's CEO doing interviews with various media where they insinuate that security-hardened systems like GrapheneOS are only for criminals and secret agents, complete with 'think of the children'-style arguments), and some local/national governments boosting the narrative that GrapheneOS is for criminals.

So I can understand why they are as defensive as they are.

by microtonal

4/21/2026 at 5:04:57 PM

Based on how discourse in the US has been perverted by inches and millions of mosquito bites they may not be wrong. Stamping out bad information fast and hard seems to be the only way to combat mass coordinated disinformation. Being polite just lets people play the "both sides have merit" game.

by TehCorwiz

4/21/2026 at 9:19:31 PM

not true at all...

There's no coordinated attacks on anyone or projects by GrapheneOS. They respond to misinformation, that's about it.

There have been many attacks on privacy/security projects, not just GOS, recently. If you keep up with the GOS forum you can see posts saying GOS was hacked without evidence. Other claims that GOS is only used by criminals. Theyre not true. Misinformation that aims to destroy the reputation of the project should be responded to.

by singing_tartly

4/21/2026 at 4:44:29 PM

https://xkcd.com/225/

by uqers

4/21/2026 at 5:30:52 PM

That's hilarious thanks for sharing.

by Cider9986

4/21/2026 at 4:48:03 PM

Realistically Stallman would start lecturing them on how his licenses are not open source.

by tokai

4/21/2026 at 6:23:09 PM

Richard Stallman would most certainly not use the term open source to lecture somebody about free software.

by kibibu

4/21/2026 at 4:33:57 PM

When Louis Rossmann thinks your communication has a problem with going on rants, it must be pretty out there.

by toaste_

4/21/2026 at 6:32:32 PM

Rossmann is a way bigger ranter than GrapheneOS people. Have you seen some of his videos lol.

Rossmann wanted to work with GOS and they didn't want him. So Rossmann made that video to make Daniel look bad for revenge probably. Saying he was leaving GOS was a lie, not that GOS can push malicious updates which was also a huge lie. Even after pointing that out that part wasn't corrected because Louis doesn't care about accuracy, he only cares about making Daniel/GOS look bad. He used his big following to punish Daniel. Now he works with Nick from Calyx after he got pushed out and are doing business together.

The more you learn about the story, the more you see the Copperhead stuff was just the beginning and those involved held grudges and pushed their grudges onto more people who bought their lies and it continued. Privacy-focused OSes that pretend to compete with GrapheneOS suck. GrapheneOS is led by someone with integrity, unlike some other projects.

by joyous_limes

4/21/2026 at 7:15:13 PM

Rossmann publicly blasted a private discussion, twisting what was going on, and then lied to his own viewers. Such a claim from an identity verified kiwifarms account holder holds no weight.

by HybridStatAnim8

4/21/2026 at 4:43:49 PM

[flagged]

by Cider9986

4/21/2026 at 4:56:09 PM

[dead]

by retr0rocket

4/21/2026 at 4:46:04 PM

So do I. What's your point?

by OsrsNeedsf2P

4/21/2026 at 5:29:09 PM

The point is, you are a terrible human if you subscribe to that trash. Wake the fuck up man, that shit is awful.

by not_really

4/21/2026 at 5:14:23 PM

[flagged]

by kiwiscum

4/21/2026 at 8:06:31 PM

>Anyone who participates in a website that exists to coordinate the doxxing and harassment of people into committing suicide is the absolute lowest kind of bottomfeeder in society

okay and? Do you have any proof Rossmann has done any of that. He made the account for the sole purpose of engaging with _his_own_thread_ on the site... Does defending yourself from "coordinate the doxxing and harassment" make you "the absolute lowest kind of bottomfeeder in society" too?

by akimbostrawman

4/21/2026 at 8:19:35 PM

Rossmann made a thread on Kiwi Farms because Kiwi Farms members support him, and they support harassing his targets.

Rossmann has an account on Kiwi Farms for the purpose of engaging with his supporters on the site. He acts friendly with them and they choose to actively support him.

Rossmanns thread on the site is in support of him, not a harassment thread against him.

by HybridStatAnim8

4/22/2026 at 9:29:42 AM

>Rossmann has an account on Kiwi Farms for the purpose of engaging with his supporters on the site. He acts friendly with them and they choose to actively support him

Once again. Okay and? Kiwifarms is a legal site in the us. He is engaging in no harassment or doxxing of anyone just talking to people that talk about him. Does micay talking on twitter with other people mean he supports musk or anything else anybody does on the platform?

If all your points are just "guilt by association" then just say that.

by akimbostrawman

4/21/2026 at 5:18:29 PM

> However, and as Louis Rossmann pointed out in one of his videos, they really need to work on the "defensiveness" and "rants" of their communication

Not that I disagree but Louis Rossmann giving someone advice to tone down the rants is ironic.

by Matl

4/21/2026 at 6:52:52 PM

The difference is that Louis' rants are contained to his channel and largely only paid attention to by his fanbase.

Micay rants are most often on other peoples' platforms and he deliberately tries to draw as much public attention as he can muster.

by busterarm

4/21/2026 at 7:17:56 PM

GrapheneOSs posts are made to combat misinformation. Drawing public attention from those who may be misled and put at risk is how one combats misinfo. Its not ranting and its not somehow unreasonable to defend oneself.

by HybridStatAnim8

4/21/2026 at 7:45:15 PM

Your entire comment history on HN exists across two separate posts about GrapheneOS.

You're not a community member, you're an astroturfer.

by busterarm

4/22/2026 at 9:04:11 AM

Ehm,

Astroturfing is the deceptive practice of hiding the sponsors of an orchestrated message or organization to make it appear as though it originates from, and is supported by, unsolicited grassroots participants.

https://en.wikipedia.org/wiki/Astroturfing

They are pretty much the opposite of an astroturfer, they mentioned several times in the comments that they are an active supporter/community member of GrapheneOS. So, they are not hiding and they are grassroots participants.

Please avoid personal attacks on HN, even more so when they are incorrect.

by microtonal

4/21/2026 at 8:45:28 PM

I have been a GrapheneOS user for several years, and I choose to dedicate my time supporting the project. Supporting an open source project is not 'astroturfing'.

I am an active chatroom member, and many people see me there on a regular basis. I choose to volunteer my time, and am not paid or compensated in any form.

by HybridStatAnim8

4/21/2026 at 6:10:45 PM

Have you considered that the smooth-talking "mature" and "professional" people are more likely to sell your data to advertisers at the first opportunity?

by dooglius

4/22/2026 at 9:23:23 AM

I don't care about messaging or professionalism in marketing. I'm perfectly happy with the way GrapheneOS is being managed right now, including their lengthy technical rebuttals to any attempts of attacking the project to dilute its quality or reach.

by jasonvorhe

4/21/2026 at 5:39:59 PM

It would be interesting if there were a state sponsored effort to discredit a project that helps some people keep their communications private.

by wyldfire

4/21/2026 at 5:53:56 PM

There might be one, in France.

by Cider9986

4/21/2026 at 4:41:26 PM

Being "right" shouldn't excuse bad behavior, especially if you depend entirely on a community to survive, which we all do.

by mvkel

4/21/2026 at 7:20:03 PM

Defending oneself isnt an unreasonable thing to do. GrapheneOS is entirely funded by donations and receives a lot of donations to this day. Them defending themselves is not an existential risk, the attacks against them are.

by HybridStatAnim8

4/21/2026 at 8:09:01 PM

Why the scare quotes? Being right is the literal opposite of bad behavior.

by balamatom

4/21/2026 at 7:03:16 PM

Louis Rossmann caused a lot of harm to GOS and blasted them publicly for trying to raise issues privately. That is disgusting behaviour. He then lied to his own viewers about no longer using GrapheneOS, lied about fears of a targeted update despite that not being possible, among a lot of other things. Note he also has an identity verified kiwifarms account.

GOS only defends themselves from attacks. Its not that they are misinterpreting what is an attack, there are really just that many attacks. It leaves little room for much else than defense. Nobody should have to deal with the inhumane level of attacks.

by HybridStatAnim8

4/21/2026 at 4:15:52 PM

It's a personality type / disorder (pick your poison). There's no hope for change. Programming seems to attract such people, because they are fixated on being right and proving that they are right. I know a few more examples. My common sense policy is - if the software these types produce works for me, I will be using it, but I will never allow myself to be dependent on it. That kind of person will gladly burn their own house to the ground, with everyone in it, if that's what's required to prove their truths or maintain some kind of intellectual purity.

by neonstatic

4/21/2026 at 6:17:06 PM

[dead]

by cindyllm

4/21/2026 at 5:05:48 PM

One common personality disorder I see a lot is psychologizing your interlocutors to invalidate them, thus insulating you from having to think you're wrong about something

Classic OCPD behaviour

by 1attice

4/21/2026 at 5:12:30 PM

One common personality disorder I see is being extremely defensive when encountering any discussion of human psychology. This comes from a deep psychological fragility.

Classic OAD (Obvious Asshole Disorder)

by throw4847285

4/21/2026 at 9:52:33 PM

>being extremely defensive when encountering any discussion of human psychology

You just have paranoidal schizophrenia and attributing imaginable things to random people you don't like.

by u8080

4/21/2026 at 5:20:33 PM

You couldn't even bother to google an actual disorder! Bah, you insult me :)

by 1attice

4/21/2026 at 5:31:54 PM

Ok, but what I'd be wrong about here? I'm not even claiming that the person in the article is that way. I don't know enough about them. I have noticed a certain trend, however, and that's what I was noting.

by neonstatic

4/21/2026 at 5:05:56 PM

[flagged]

by Pr0ject217

4/21/2026 at 4:17:30 PM

[flagged]

by balamatom

4/21/2026 at 4:21:37 PM

[flagged]

by stevemk14ebr

4/21/2026 at 4:22:58 PM

No.

by balamatom

4/21/2026 at 4:34:13 PM

[flagged]

by elpocko

4/21/2026 at 4:52:45 PM

Signal obedience at all times or be destroyed.

by balamatom

4/21/2026 at 4:40:47 PM

[flagged]

by simianparrot

4/21/2026 at 5:20:22 PM

Parent is obviously being sarcastic.

by idle_zealot

4/21/2026 at 6:00:13 PM

Poe's law gets me again. It's getting really rough these days on HN, I have to admit... My bad. Seems the AI-Protectorate Flagging Brigade managed to parse the sarcasm though.

by simianparrot

4/21/2026 at 4:45:10 PM

[flagged]

by OsrsNeedsf2P

4/21/2026 at 4:15:13 PM

[flagged]

by uberman

4/21/2026 at 4:40:17 PM

> By extension should we not use Linux as Torvalds is essentially in the same boat?

Eh, Linus signs his personal name to rants. Having a blog post by GrapheneOS per se making non-factual personal attacks (nestled among, to be clear, factual attacks) does seem wanting for maturity, at least from a distance.

by JumpCrisscross

4/21/2026 at 4:51:12 PM

[flagged]

by balamatom

4/21/2026 at 8:07:51 PM

There are a lot of judgemental comments here criticising Daniel's character, responses and handling of what was likely a very trying and stressful period in their life.

Barely any comments about the linked thread which is about Wired publishing an article that was extremely poorly researched after having misled GrapheneOS about the intention and content of what would be published. This seems like the sort of thing that should earn a disclaimer on future Wired articles as worthless and get them removed from RSS feeds/have subscriptions cancelled. Complete lack of integrity and respect for standards. Why did they not interview anyone else involved in the project or around at the time?

by ysnp

4/21/2026 at 4:58:51 PM

I personally can't understand why anyone bothers doing open source anything.

This Micay guy spends so much time and does something hugely beneficial and we're arguing about how he responds to criticism?

I'd rather direct and blunt rather than the weasel words and lies most companies put out.

by Accacin

4/21/2026 at 7:26:22 PM

The GrapheneOS team does find corporate speak/slop to be undesirable. I appreciate that a lot.

by HybridStatAnim8

4/21/2026 at 4:57:53 PM

The fact that graphane is getting attacked speaks enough for it's relability. First in france now in Wired.

I'm more concerned that Signal incorporated in US is having easy life.

by maxo133

4/21/2026 at 5:15:10 PM

> I'm more concerned that Signal incorporated in US is having easy life.

To add - ironically, it was Durov (Telegram founder) who got arrested in Paris.

by user_7832

4/21/2026 at 5:34:00 PM

I don't find it ironic at all. Zero trust for anything Russia related.

by neonstatic

4/21/2026 at 9:57:57 PM

Zero trust does not mean government pressure is okay

by u8080

4/21/2026 at 5:47:29 PM

he is not pro-Putin, the Telegram team was forced to leave and it has been blocked several times in Russia.

by kelvinjps10

4/21/2026 at 6:30:04 PM

Not being pro-Putin doesn’t really matter to Putin. If he tells Durov to sit and be a good dog, Durov will sit and be a good dog.

https://www.youtube.com/watch?v=48Kk7kobMQY

by Jamesbeam

4/22/2026 at 5:54:24 AM

Unlikely the case, Telegram is the app that Russian government is most focused on blocking right now, it's almost impossible to use without proxy or VPN.

Not saying Durov is perfect but video you linked is about guy who has all his assets in Russia while Durov has none.

by sandmn

4/22/2026 at 7:39:41 AM

Follow the money. Not the person.

https://curia.europa.eu/site/upload/docs/application/pdf/202...

https://www.ft.com/content/36a37387-cb71-4851-a56f-de2571d52...

Also, I disagree with Durov having no assets in Putin’s direct reach.

https://istories.media/en/news/2024/08/27/pavel-durov-has-vi...

The man looks on photos like he genuinely loves his long-term girlfriend and the three kids he has with her. Kids are stupid tho. They climb on everything and fall out of windows frequently.

by Jamesbeam

4/21/2026 at 5:56:19 PM

Durov is about as anti-Putin and russia in general as one can get. He go fucked hard in russia and has been going extremely hard against the censorship in russia. TG is one of the few chat apps that can avoid russia's suppression measures, when everything else working over internet fails.

by yaro330

4/21/2026 at 6:29:05 PM

Durov has been going hard against censorship because the pressure on Russians to switch to MAX might consign his own app to oblivion. But to call Durov “anti-Russia” when Telegram development and servers remained in Russia, is to ascribe to him a dissident status that he doesn’t actually deserve.

(Durov himself is known to regularly visit Russia, while denying he ever visits Russia. Telegram opened a Dubai office claiming that it was now a Dubai-headquartered company, but that was a mere legal formality; no one was actually there at that office, and journalists visiting it found that not even the building staff knew anything about Telegram. In practice, the company continues to exist out of Russia.)

by TFNA

4/21/2026 at 8:01:17 PM

Do you have a source for any of this? Wikipedia and news that I can find support that he fled Russia after government conflicts. It’s also well known that he keeps his and the dev team’s location secret, so anybody going knocking on incorporation addresses in Dubai then feigning surprise is acting in bad faith.

by kqp

4/21/2026 at 8:29:03 PM

This was all over the news a couple of years ago when Russian entry/exit records were leaked. Doing a Google search for “durov visited russia frequently” will get you plenty of reportage.

"so anybody going knocking on incorporation addresses in Dubai" The point is that Telegram has repeatedly countered claims that it is a Russian app with "Actually, Telegram is a Dubai company”. People reasonably interpret that as more than a mere incorporation address, and it isn’t being emphasized enough that development is still largely done from Russia, and servers are also located there.

by TFNA

4/21/2026 at 6:18:24 PM

Half of Russian military uses it in the field. I do not care what story that guy is spreading around about his affiliations or lack of with Russia. Zero trust. Never touching Telegram.

by neonstatic

4/21/2026 at 3:34:45 PM

Fascinating read. I know nothing about any of this neither the parties involved nor Copperhead though I had heard of Graphene. To that end, I wish the response included a pre-amble for those like me who were not familiar with what was going on. I guess I could probably read the Wired article though. Still. good read and I loved the Q and A at the end.

by uberman

4/21/2026 at 8:48:28 PM

Frankly insane and speaks to the entitlement of many users that they are against Micay and GOS on this primarily because their online comms are abrasive; I'm used to this having seen the same from many in the Minecraft and Skyrim mods communities, but it still stands saying: You are not owed ANYTHING from a free software developer. They can say anything they want to you and revoke the software at any point or anything they wish - they are providing the software for purely no reason but they want to. If Micay wants to be rude on main he has absolutely every right to do so; if you don't like it, don't use his software. He's not a steward or paragon of virtue just because he has a popular software project, and it's extremely easy to stand on a soapbox and say "If I was in that position, I'd be so much better!" To all the detractors in this thread, I beg you: go make software and give back instead.

P.S. I avoided making any statements about what I personally think about Micay and the GOS team's behaviour above because I don't use it and have never looked into it before reading this article, but from looking at the comments, the WIRED article, the forum thread linked in this post, and some cursory research, it just seems like they are a popular software project that is at odds with many powerful actors with obvious motivations against their existence and popularity - if they are constantly combative online instead of being friendly, don't you think part or all of it may be because they have to defend themselves against attacks instead of having the freedom to be friendly like say SQLite/FFMPEG/Rust/other free software projects? I'm admittedly new to HN but this entitlement and refusal to empathise with the people giving you free shit seems insanely out of character

by rrvsh

4/22/2026 at 2:08:00 AM

Conversely, projects aren’t owed any users. If the people behind a project want it to be used, at some point they may realize why other organizations tend to avoid posting rants from their founders as public communications.

by antonvs

4/22/2026 at 8:48:51 AM

Good projects follow their mission statement.

by DANmode

4/22/2026 at 3:59:24 AM

It seems very plausible to me that there is a vested interest in seeding drama and chaos into the reputation of GOS. Why wouldn’t there be? Especially when it seems there’s an easy way to trigger Micay, and there are cottage industries online specializing in exactly this sort of thing.

I get the sense a lot of people care about this project and care about defending it but good luck against the propaganda and bullshit like this that comes along with it.

I really enjoy GOS and used it as a daily driver for ~3 years

by mapotofu

4/22/2026 at 8:49:41 AM

All it takes is comments like this!

by DANmode

4/21/2026 at 5:54:21 PM

The WIRED article may as well have been written by an unhinged AI as it hasn't been properly fact checked before being published.

by rarez

4/21/2026 at 4:15:41 PM

I think this micay guy is a little paranoid

by R1shy

4/21/2026 at 8:12:31 PM

Just read the article again and I'd suggest also reading responses we sent to fact checkers (many answers didn't even show up in the article). James' side of the story is riddled with lies. So, if you read the article with that in mind, you can see that Copperhead got steered in the wrong direction by James. Daniel has been the owner of the open source project from the beginning and Copperhead was never in control of it. It was right to move forward without James. Nothing paranoid about that. It's more a move by someone who is dedicated to doing things right.

See the attacks on GrapheneOS and even other privacy projects trying to make them look like they are designed for criminals. Even French law enforcement took part. We have shared these details publicly and even with links to articles with quotes. There was even news about authorities in Spain assuming anyone with a Pixel was likely a criminal.

Months ago, we saw tons of reports of organizations reporting hacking GrapheneOS without any evidence or links to court cases. We never claim that GrapheneOS isn't hackable, but we still haven't seen any credible evidence showing forensics companies were able to hack it.

These are just a few examples of how GrapheneOS is being attacked. Again, we're not the only ones.

It's also important to note that GrapheneOS has many project members. GrapheneOS isn't a one man show.

Our responses to these things are not out of paranoia. We want our users to know what's going on, so we keep them informed. What's wrong with that?

by other8026

4/22/2026 at 12:00:50 AM

[flagged]

by joemazerino

4/21/2026 at 7:28:19 PM

The claim anyone on the GrapheneOS team is paranoid is unsubstantiated.

by HybridStatAnim8

4/21/2026 at 7:31:13 PM

How do you know?

by Avamander

4/21/2026 at 8:05:16 PM

“I’m not paranoid! Why? What have you heard?!??!????”

(I’m aware I’m interacting with a sock account that only indulges in defenses of GrapheneOS on HN and im being facetious.)

Every once in awhile there’s a group or a project that was just asking to be burned down with everyone inside, I wasn’t there so…

I’m a grapheneOS user and I , personally (?) kind of find the guys public melties entertaining. It’s also a really damn good mobile OS.

by razingeden

4/21/2026 at 8:26:05 PM

I gathered you were being facetious, but I do not appreciate being called a sockpuppet.

I am a GOS community member and I have been for several years. I am active in the GrapheneOS chatrooms, and I choose to volunteer my time assisting others.

by HybridStatAnim8

4/21/2026 at 8:33:11 PM

Eh, just tell your truth as you know it and don’t get too caught up on what people make of it.

I get to be “entertained” because it’s not my first day on the internet, nor involved in a project or page that’s come with death threats doxing , ddosing, vendettas, vindictiveness, mutually assured destruction and or prolonged public outrage.

Maybe someone wants a broom or has some magical thinking that they’re going to profit off someone’s work. In my case, they stole everything I wrote and went “we don’t need you now.” And oh look, they failed.

That’s just how fucking people are in this society anymore. That part isn’t funny.

So it’s that kind of (unfortunately) knowing chuckle.

If you guys over at GoS insist on putting on a messy public spectacle, fine, but if you’re telling me how to react to it? Get bent lol.

by razingeden

4/21/2026 at 10:21:53 PM

I must emphasise I am not associated with GrapheneOS.

by HybridStatAnim8

4/21/2026 at 5:13:14 PM

I just realized that Lineage and Graphene are two separate projects.

by Pxtl

4/21/2026 at 4:32:49 PM

[flagged]

by SV_BubbleTime

4/21/2026 at 3:52:08 PM

[flagged]

by htx80nerd

4/21/2026 at 4:37:32 PM

A lot of the readers here think Wired is still pre-2006 / pre-Condé Nast ownership.

I was personally involved in a story they did in 2015 that was paid for by a three letter gov agency to bad mouth a companies tech into changing. I know only a few of their tricks, and they’re dirty as hell.

by SV_BubbleTime

4/21/2026 at 4:44:04 PM

Wired was so cool… 30 years ago.

by antonvs

4/21/2026 at 4:08:18 PM

[flagged]

by Lapsa

4/21/2026 at 3:48:35 PM

[flagged]

by roos85

4/21/2026 at 3:56:20 PM

There has been a substantial surge in low quality and Reddit hive mind replies on HN lately. I’m curious what the root cause of it is.

by clemailacct1

4/21/2026 at 4:22:11 PM

As far as I can tell (including looking at third party analytics attempts), there had been a massive increase in users over the last 3 years. Smaller communities tend to hold their trademark character a lot better. Pure speculation, but (beyond the bots) I suspect that a lot of the newer users are younger, and the attempt to be a bit more focused and sincere here is something they miss before they start posting.

by sgc

4/21/2026 at 4:20:00 PM

It is now easier to mass create and program dormant accounts. They can be used later for any purpose.

I wouldn't be surprised to see a "Show HN: I made 1000 accounts with more than 20,000 karma with Claude Opus 6.7" in the future

by catlikesshrimp

4/21/2026 at 4:00:18 PM

You only just noticed this now? At the very least, HN is subject to the same intellectual capture that's taken over (seemingly) the whole damn world the past decade.

by busterarm

4/21/2026 at 11:45:55 PM

[flagged]

by joemazerino

4/22/2026 at 1:37:52 AM

> Hopefully the HN mods will unflag the astroturfing campaign done by GrapheneOS here to allow a good healthy discussion.

A quick Google search shows that you've been attacking Daniel for a long time using this account. You complain about moderation and astroturfing and I find tons of posts by you attacking Daniel. You clearly have some sort of weird vendetta against him. Don't pretend to want a "good healthy discussion" when all you seem to be interested in is attacking him further.

by other8026

4/21/2026 at 4:55:44 PM

[flagged]

by johnnyApplePRNG

4/21/2026 at 5:48:25 PM

Evidence?

(I know one historical connection that looks suspicious, but it could be explained by the fact that prestigious social network graphs in the US tend to be incestuous, and a closely-connected world.)

by neilv

4/21/2026 at 5:08:33 PM

Citation needed

by 1attice

4/21/2026 at 4:00:50 PM

[flagged]

by 0gs

4/21/2026 at 5:59:44 PM

[flagged]

by 9cb14c1ec0

4/21/2026 at 8:29:01 PM

that is one extremely unsubstantiated statement

by polotics

4/21/2026 at 8:08:16 PM

[flagged]

by balamatom

4/21/2026 at 3:40:54 PM

I know that GrapheneOS has almost a cult following on HN, but I'll make two comments.

1- GrapheneOS has a long history of long rants attacking people and projects. The leads will tell you that they're just correcting falsehoods etc, but a lot of companies/brands are target of falsehoods and don't bother to respond. I don't claim that GrapheneOS is wrong on anything they say, I'm just saying that these rants are a choice, and I see them as a red flag.

2- I once interacted with GrapheneOS on mastodon and I said something like the above. Something along the lines of "you know regardless of whether or not you're factually correct, these public attacks on other people companies are really bad for your image". Within 2 or 3 exchanged tweets they were threatening me with legal action. To me being a litigious project/person is an even bigger red flag than above. I have never in my life met someone who both lightly threatens legal action AND is an upstanding person.

Just my opinion, don't get upset over it.

EDIT: I just want to spell it out AGAIN - I don't claim that anything on their post is factually wrong, I have no idea.

by ekjhgkejhgk

4/21/2026 at 4:14:58 PM

Graphene is not a consumer brand and they do not intend to be a consumer brand. They do one thing: make as secure a phone OS as they can. That’s it. If you’re expecting them to do anything in a friendly way, it ain’t gonna happen, that’s not who they are or what they do. That will absolutely limit their scope and reach, but it also allows them to focus on the one thing they’re trying to do without making compromises.

For contrast, Signal is a very secure messenger which also wants to be user friendly so as to get the largest user base they can, which leads to all kinds of compromises - everything that’s come out that looks like a vulnerability in Signal originates in some feature or capability added to make the product more user friendly. Graphene will not make those trades.

Neither approach is de facto right - they spring from fundamentally different philosophies on how to maximize user safety, and both have been extremely successful in their missions, but you’ve gotta recognize what you’re looking at when you look at Graphene.

by roughly

4/21/2026 at 4:39:14 PM

> They do one thing: make as secure a phone OS as they can. That’s it. If you’re expecting them to do anything in a friendly way, it ain’t gonna happen, that’s not who they are or what they do.

These things are not mutually exclusive:

You can make a great technical product while being friendly. You can make a great technical product while not being friendly.

You can make a compromised or flawed technical product while being friendly. You can make a compromised or flawed technical product while being unfriendly.

This comes up pretty often in other HN threads, unrelated to Graphene. There's this weird personality type who insists that they aren't legally obligated to be friendly or nice or pleasant, therefore it's fine for them to be unfriendly or jerks or unpleasant.

by ryandrake

4/21/2026 at 7:40:12 PM

GrapheneOS needs to defend themselves. There would be more time for other types of posts other than defensive ones if they did not have to defend themselves.

by HybridStatAnim8

4/21/2026 at 5:20:20 PM

As a community organizer for systems programmers: welcome to my world! I've finally made some headway after a decade, helped by the mass layoff apocalypse. (Turns out social skills help you stay solvent.)

by abnercoimbre

4/21/2026 at 5:13:20 PM

Actually, you can't make a great product if you've alienated your allies, because all successes are intrinsically social, from the iPhone to Python to even the processor itself.

Going it alone is that nineties libertarian romanticism, a persistent self-destructive tendency that in present market conditions is unsustainable

by 1attice

4/21/2026 at 7:40:49 PM

GrapheneOS does not consider those who attack them as allies.

by HybridStatAnim8

4/22/2026 at 9:47:31 AM

What allies?

Their allies seem securely in place.

Their popularity and project support have never been stronger…

and they’re partnering with a (popular!) hardware manufacturer.

https://motorolanews.com/motorola-three-new-b2b-solutions-at...

Respectfully, what are you talking about?

by DANmode

4/21/2026 at 4:28:21 PM

If they were doing that one thing, they would not have posted this. It's fine not to market to consumers, but this raises additional concerns about the founder's judgement. Someone else claimed that they deleted update signing keys for copperhead devices. That's seriously concerning if true; possibly bad enough to switch away from grapheneOS.

by fwipsy

4/21/2026 at 7:07:26 PM

He deleted the signing keys because it looked like the other owner of Copperhead OS wanted to make the signing keys available to government agencies and/or criminal organizations. He deleted the signing keys to protect their users against malicious updates, which is the right thing to do and should increase trust in him and the project.

It's worth actually reading the linked post. Relevant segment:

In 2018, matters between Micay and Donaldson came to a head over Donaldson’s desire to pursue business deals with criminal organizations, and his attempts to compromise the security of CopperheadOS, including by proposing license enforcement and remote updating systems that would allow third-parties to have access to users’ phones. As part of this process, Donaldson began to demand that Micay provide Donaldson with the “signing keys” - i.e. the credentials required to verify the authenticity of releases of CopperheadOS. Donaldson advised that, in order to secure certain new business, potential customers required access to the Keys.

The keys had been in continuous use by Micay, in his personal capacity, since before the incorporation of Copperhead. However, more importantly, any party with the keys could mark malicious software as “authentic”, and thereby infiltrate devices using CopperheadOS.

Micay was unwilling to participate in that kind of security breach. Since Donaldson had control over certain infrastructure for the open source project, he would be able to incorporate (or hire others to incorporate) the privacy-damaging features described above for all future releases of CopperheadOS. Micay therefore deleted the keys permanently and severed ties with Copperhead and Donaldson.

by microtonal

4/21/2026 at 8:01:10 PM

Ah, thanks for setting me straight. That's reassuring. I think I would still have more respect and trust for GrapheneOS if they either didn't respond, or struck a more neutral tone; but that's more subjective.

by fwipsy

4/22/2026 at 12:04:15 AM

Is it that Donaldson wanted to pursue deals with criminals or he wanted to backdoor an OS for a defense contractor or that he was a government spy? From the article it seems like none. Claims need receipts or they are blind assertions.

Me? I was a CopperheadOS user from the 2021 rebuild era before GrapheneOS existed in its state. All I've seen from GrapheneOS and Micay are claims without evidence and over-moderation of points they don't agree with.

by joemazerino

4/21/2026 at 7:43:23 PM

GrapheneOS has never concealed this information, it has been publicly accessible on the GrapheneOS website for years, as an article describing the projects history. https://grapheneos.org/history/

Deleting signing keys under threat of a hostile takeover is the responsible thing to do.

by HybridStatAnim8

4/21/2026 at 7:05:30 PM

[dead]

by joyous_limes

4/21/2026 at 7:14:21 PM

It's not just about being friendly. If they have a bubble around them of employees, true believers, and people just afraid of speaking out that chills free expression of criticism, the truth has trouble getting out, which hurts trust.

Still a user though.

by orblivion

4/21/2026 at 7:41:35 PM

GrapheneOS is open to criticism about their project.

The issue is criticism is often used as an excuse to conceal attacks.

by HybridStatAnim8

4/21/2026 at 7:52:45 PM

Maybe true, but but the flip side is that sometimes what is called an attack is actually criticism. That's how it appears to a lot of us from the outside.

by orblivion

4/21/2026 at 8:12:40 PM

GrapheneOS wants to post more positive things, rather than just defensive replies. But they have very little choice in the matter. If the inhumane levels of attacks werent happening, they would have more time to discuss future features, how they choose to approach features, etc. But ignoring the attacks only make it worse. The suggestions to ignore it, even if genuine, arent helpful.

by HybridStatAnim8

4/21/2026 at 8:31:14 PM

I'm thinking about this a bit more.

It may be the case that Daniel and the project are so under siege that they need to take a hostile attitude toward some of the people they interact with as a matter of self preservation. They may have no other option. But taking this posture while also being fair to all of the people around them (i.e. some people who aren't actually attacking them) may be difficult or even impossible. I can see this behavior in myself sometimes. I just don't have the energy to be fair. "F U".

I wouldn't want to see friendly corporate slop either. I appreciate how down to nuts and bolts the communiques are on Mastodon and how deadly serious they take everything. That part of the communication style makes me trust them more.

I think a good step in the right direction might be acknowledging that being defensive necessarily leads to erring on the side of assuming bad faith rather than good, which leads to some mis-judgements. So far you said that GrapheneOS is open to all criticisms, which (though I haven't followed the space very recently so my memory on specifics is hazy) just does not seem to match my interpretation. I think that if we were having this conversation on Twitter or Mastodon, Daniel would have blocked me by now (if he hadn't already blocked me years ago).

by orblivion

4/21/2026 at 10:33:11 PM

People can accidentally be spreading attacks with loaded/presumptuous statements even when their intentions are pure. Unfortunately, pure intentions can still cause harm that needs to be countered.

Take your reply as an example, the GrapheneOS accounts are managed by multiple people, so the fixation on one specific project member may not even be accurate to the discussion. Having ones character attacked is immensely harmful on its own, but being attacked for something one may not even be doing is also immensely harmful.

The unfortunate reality is that people tend to believe the first thing they read, and without something countering it, will roll with it, intentionally or otherwise. So countering misinfo efficiently and quickly is vital.

by HybridStatAnim8

4/21/2026 at 7:30:47 PM

It's not about friendliness, it's about trust. Everybody else on this thread understood this.

There's many examples of people being unfriendly and still coming across as someone of character, Linus Torvalds comes to mind.

by ekjhgkejhgk

4/21/2026 at 4:39:15 PM

I’d prefer that the people behind an OS I’m using on important devices be stable, for hopefully obvious reasons.

by antonvs

4/21/2026 at 8:33:37 PM

All the stuff about members of our team not being stable is ridiculous and only works in favor of people or organizations that don't like us or want to damage GrapheneOS.

GrapheneOS has multiple people helping out. Many developers as well as people who help out with non-development work. It's a big claim to say that the whole team is unstable.

I'd suggest reading the article again. Considering the situation, the party about deleting the keys should be a good sign for anyone reading it. It shows that the project's leadership cares about doing things the right way. Members of the team are similarly dedicated to helping build and support an OS that improves people's privacy and device security, not to scam users by making a flashy product and rake in cash. Or, in Donaldson's case, work with shady companies and even possibly criminals.

Privacy and security projects like GrapheneOS are important considering the political landscape these days. People really need to stop repeating inaccurate claims about us, like that we're criminals, unstable, crazy, etc.

by other8026

4/22/2026 at 2:43:10 AM

> It's a big claim to say that the whole team is unstable.

I didn’t claim the whole team was unstable.

> only works in favor of people or organizations that don't like us or want to damage GrapheneOS.

Then I’d suggest stop shooting yourselves in the foot with personal rants published as public communications. If you genuinely feel you’re doing important work, then why wouldn’t you take your public communications seriously and behave maturely, as an organization?

As another comment in this thread put it:

> It's not about friendliness, it's about trust.

by antonvs

4/21/2026 at 5:09:37 PM

Stable people don't do crazy things like make a new OS in their spare time.

by ipaddr

4/21/2026 at 6:20:12 PM

Stable people can do even more crazy and secure things like, e.g., Qubes OS.

by fsflover

4/21/2026 at 6:38:38 PM

[dead]

by joyous_limes

4/21/2026 at 3:49:53 PM

> Something along the lines of "you know regardless of whether or not you're factually correct, these public attacks on other people companies are really bad for your image"

Sometimes they aren't even factually correct and get a bit upset about it when called out.

Anyways, I have gotten the same impression and these seem like red flags to me as well.

Which is why I'd take everything in that response with a mountain of salt (and I'd pay attention to what they're not saying).

by Avamander

4/21/2026 at 5:18:51 PM

> Sometimes they aren't even factually correct and get a bit upset about it when called out.

Example: https://news.ycombinator.com/item?id=47248521

by fsflover

4/21/2026 at 5:25:42 PM

There you go again.

Example: https://news.ycombinator.com/item?id=47247016

by bwoah

4/21/2026 at 5:46:21 PM

Yes, I don't like when anybody spreads falsehoods about any important free software. Do you?

However your example is unrelated. Their arguments were rather reasonable and informative in the discussion you linked to. So I don't complain about that anymore.

by fsflover

4/21/2026 at 7:46:27 PM

What they said here is accurate, not sure what youre trying to show?

by HybridStatAnim8

4/21/2026 at 7:58:32 PM

What exactly is accurate? Have you seen my reply to that? Hardware kill switches cut power and prevent any recording.

by fsflover

4/21/2026 at 9:41:52 PM

You have been saying this sort of stuff on the Qubes forum and a bunch of other places for awhile now.

Hardware kill switches are nice-to-have, but they are significantly less important than the OS actually protecting the mic. With your Librem/PinePhone, you cannot even reasonably expect your calls with end-to-end encrypted apps like Signal and Element to be protected. Any app with access to the PulseAudio socket (which happens to be anything that you want to have audio playback with) can snoop on your mic at any moment in time. This does not even require an OS compromise.

This has been pointed out to you repeatedly and yet you choose to ignore it, and instead you just do character assassination whenever a post regarding GrapheneOS or Daniel Micay shows up because what Micay says goes against your favorite ideological products...

by TommyTran732

4/21/2026 at 9:49:10 PM

> Any app with access to the PulseAudio socket (which happens to be anything that you want to have audio playback with) can snoop on your mic at any moment in time.

I said multiple times that I exclusively run trusted apps on the phone. I use Qubes for untrusted staff. Do you understand that threat models can vary?

> Hardware kill switches are nice-to-have, but they are significantly less important than the OS actually protecting the mic.

I never said they were more important. I only said they could reliably protect in sensitive cases.

> instead you just do character assassination

I choose to dispute false information. I don't care about any personalities. And I would be happy to be proven wrong, too.

by fsflover

4/21/2026 at 10:13:20 PM

> I said multiple times that I exclusively run trusted apps on the phone. I use Qubes for untrusted staff. Do you understand that threat models can vary?

By that logic, you might as well just not have the killswitch at all. Everything is magically "trusted", right?

Yes, I do understand that threat models can vary. Please give an example of a threat model where it makes more sense to use a phone which cannot protect any private calls over a functioning phone that has real protection.

If you are going to say "oh, when you never talk on the phone at all" then you might as well just remove the mic. It's not hard.

As usual, there is nothing that GrapheneOS or Micay says regarding the Librem or Pinephone that is inaccurate. You are just saying stuff that doesn't even remotely make any sense. Perhaps you are being deliberately disingenuous. Perhaps you are just so blinded by an ideology that you cannot see that what you say is just nonsense. I wouldn't know.

> I choose to dispute false information. I don't care about any personalities.

Doesn't seem to be what you are doing here.

by TommyTran732

4/21/2026 at 10:21:10 PM

> there is nothing that GrapheneOS or Micay says regarding the Librem or Pinephone that are inaccurate.

This is completely false:

> Their microphone kill switch also doesn't prevent audio recording

by fsflover

4/21/2026 at 10:41:38 PM

> Their microphone kill switch also doesn't prevent audio recording

It doesn't prevent audio recording in the super paranoid "oh, the whole phone has been compromised" scenario because it is bypassable via the sensors.

In fact, it doesn't even protect the phone in normal operation, because apps with device=all can access the sensors without the whole phone being compromised.

It doesn't prevent audio recording with any normal usage either because the OS is incapable of protecting private conversations thanks to the PulseAudio socket. "Exploiting" this is significantly easier than any of the stuff involving the sensors.

by TommyTran732

4/21/2026 at 8:15:52 PM

Their entire post regarding pinephones is accurate.

Hardware kill switches need to be correctly implemented. A kill switch cutting off mics and not sensors or speakers is incomplete and privacy theater.

Not to mention kill switches assume the device is already compromised, at which point everything on it is likely compromised as well.

by HybridStatAnim8

4/21/2026 at 8:37:37 PM

> Their entire post regarding pinephones is accurate.

I never mentioned Pinephones, although I do believe that the attack on them is still too harsh. Their security is about as good as the one for Linux. And it's not exactly "atrocious". Especially if you only use software from the official repositories. Let's agree that it should be improved though. (I prefer Qubes OS myself.)

> Hardware kill switches need to be correctly implemented.

Are you saying they aren't for Librem 5?

> A kill switch cutting off mics and not sensors or speakers is incomplete and privacy theater.

I explained in the link above that cutting all sensors is exactly what happens if you choose it.

> Not to mention kill switches assume the device is already compromised

This is not accurate. Kill switches imply that even if the device is compromised (which you can never 100% verify, even on GrapheneOS), your location etc is still private, when you need it.

by fsflover

4/21/2026 at 4:25:27 PM

More context on experiences with Micay[1]. Also went on long rant at Louis Rossmann[2] in an very knee-jerk tone, which led Rossmann to stop using it despite being a long-term advocate for GOS, due to trust issues. Likewise I don't doubt they're talented.

[1] https://news.ycombinator.com/item?id=36089104

[2] https://www.youtube.com/watch?v=4To-F6W1NT0

by Springtime

4/21/2026 at 7:49:07 PM

Micay was distressed due to ongoing circumstances. Rossmann choice to publicly blast what was supposed to be a private discussion, lied to his own viewers, twisted what was happening, etc. Also note Rossmann has an identity verified kiwifarms account.

by HybridStatAnim8

4/21/2026 at 6:49:00 PM

[dead]

by joyous_limes

4/21/2026 at 9:28:19 PM

I think this is the case of a lot of successful OSS. Intrigued people of all horizons comes and interact with few people building something meaningful, mostly on their free time, and expect to be welcomed as customers by the company spokesman. Torvalds had a famous way to express himself freely and hurt some feeling on the Linux mailing list, yet Linux is still a successful OSS project.

I would go on a stretch to say that people that express themselves naturally, without detour, are maybe more trustful than the usual silver-tongued corpo.

by latable

4/21/2026 at 4:31:53 PM

One of the main criteria to differentiate "rants" from "correcting falsehoods" is proper citing of sources. In the case of Grapheneos, unfortunately I often see very few sources in what they post online.

(But, if you ignore the rants, that's a fantastic OS.)

by fph

4/21/2026 at 7:47:06 PM

GrapheneOS has plenty of evidence and they post it alongside their claims. They post it carefully though, and are willing to provide it to people upon request.

by HybridStatAnim8

4/21/2026 at 8:00:13 PM

How far down do you have to scroll on https://grapheneos.social/@GrapheneOS to find a citation to a source for one of their claims?

by fph

4/21/2026 at 8:17:13 PM

At the time of writing, I scrolled 4 posts down and found one. GrapheneOS are security researchers, so they often are a first party source. As for the attacks, they have plenty of evidence for their claims. They avoid giving any attacks more publicity, but they usually provide evidence if you ask.

by HybridStatAnim8

4/22/2026 at 9:14:13 AM

Please provide a link to this post you found, so I can tell which one you think is a citation to a source. If you want some examples of recent posts that should have a source but don't, here they are:

https://grapheneos.social/@GrapheneOS/116442796907613215

https://grapheneos.social/@GrapheneOS/116442754144530576

https://grapheneos.social/@GrapheneOS/116439834987996043

https://grapheneos.social/@GrapheneOS/116439798112845463

https://grapheneos.social/@GrapheneOS/116439747793648606

(the linked post in Mastodon is the one displayed with a bigger font, not necessarily the first at the top of the page.)

by fph

4/21/2026 at 7:36:32 PM

They dont have any history of attacking others. They have a history of defending themselves from attacks.

Other organizations having the resources to continue despite the damage does not mean GrapheneOS can or should deal with the damage it causes. That makes no sense and its excusing horrible behaviour from attackers. They arent rants, the truth just often requires more words than a lie, such is the nature of computer science.

by HybridStatAnim8

4/21/2026 at 3:47:32 PM

"They have a long history of long rants attacking people and projects" in response to a long post...

You are very much saying that OP is an attack post.

Or at least implying the point that it is tonally dissonant to claim otherwise.

If you didn't believe it was wrong you would comment on the post but you are explicitly avoiding doing that.

by Guvante

4/21/2026 at 3:52:58 PM

Do you have a link to the mastodon interaction where they threatened you with legal action?

I ask because I'd be pretty disappointed in GrapheneOS over that kind of thing and it'd probably at least partially change my opinion of them, but it's better to validate these types of serious accusations and get the full context.

by thenewnewguy

4/21/2026 at 7:32:24 PM

I don't. My very vague recollection is that I was alarmed and either deleted it or blocked them. So it either no longer exists, but even if it does I have zero interest in digging it out. I'm always anonymous on social media like HN and Mastodon, but who knows what one can discover if they're the kind of unhinged person who will dedicate enough time to doxing someone...

by ekjhgkejhgk

4/21/2026 at 5:10:31 PM

Do you have links to #2

by its-summertime

4/21/2026 at 4:05:48 PM

Is there a similarly bombastic take on Motorola somewhere?

by jimmySixDOF

4/21/2026 at 9:09:56 PM

Agreed.

I like the product, and even recommend GOS to those who want a hardened phone OS. But goddamn, their social media gives me major red flags and I hate remembering that they exist.

I genuinely think that the information in this post is accurate, and at the same time, I think that it is painted in a way that feels off. Like the data is correct, but there are aspects that are clearly emotionally manipulative and combative.

I also have had some less than great interactions with GrapheneOS devs, when I was not seeking out interaction from them on social media (they came to my post and were combative) and played victim that I bullied them and was in league with the harassment campaign when I just asked them to leave me alone.

Overall, I just think that GrapheneOS is a good product, but unless you want to join their cult, just never talk about it neutrally or negatively unless you are ready for weird interactions.

by bokavordur

4/21/2026 at 4:41:17 PM

#1 imo is the fact that some orgs are resilient to libel, and some are heavily affected. If someone is lying about your security protect in order to harm your reputation, I don't find it odd to respond with some zeal.

#2 on the other hand sounds unhinged, though no source is provided. Threatening legal action for broad criticism of project management is wild.

by unethical_ban

4/21/2026 at 7:57:09 PM

Its not broad criticism, its attacks that use criticism as a false excuse. Defending themselves neutrally and objectively is not unhinged.

by HybridStatAnim8

4/21/2026 at 3:53:18 PM

[flagged]

by busterarm

4/21/2026 at 7:55:44 PM

None of this is accurate. Community backlash was not what forced them to step down. The attacks, including attempted murder, was what led them to handing the lead developer position to another trusted project member.

Attacks against GOS have not been quiet for years, attacks have still been ongoing during that time.

by HybridStatAnim8

4/21/2026 at 4:13:23 PM

i think a lot of attention is rightly attributed to like, i dunno say tiktok/ig "influencing" and how that can send people who gain a lot of notoriety off the deep end. it absolutely has. but so do software projects.

not enough people talk about how software projects also offer up a similar kind of atmosphere: you're suddenly hyperconnected with a whole bunch of humans you don't know and are receiving feedback from people outside of your immediate community. "hackers" for all the interesting ways they've contributed to computer science over the decades also have branches spawned from the original chronically-online, highly-opinionated and sort of antisocial and poorly adjusted sects of civilization. being the face of a project is like pouring rocket fuel on whatever predispositions you might have, and on more than one occasion we've seen people go from occasionally unhinged person to seriously unhinged.

this comes with a lot of bad outcomes for quite a few people, primarily it always has some serious amplification qualities to egos and narcissism. and for genuinely good and kind people who are just trying to share their value/contributions and are suddenly jettisoned into spotlights, we often see them suddenly step back and discontinue work on a project entirely.

we often see these departures and think solely "must be burn out" and don't put much more thought into what that means. but we don't do enough to frame how software projects just elevate people into a position that most people don't do a good job in mentally and socially, and how it deteriorates the pieces of them that make them feel like they're valuable members of a community/tribe. some have luck making their project communities their tribe, but that's obviously a risky step to take. for many who have a successful project, sometimes it starts as the most validation they've ever received and then they don't know how to reconcile with the exponentially-widened audience when negative reception starts pouring in.

daniel micay is just one of like.. many in these sorts of projects i've seen who are simply unfit for the role. for many reasons, i don't think he's a pleasant person at all. i don't have any answers here. i also see this in homebrew scenes for gaming, it's like my least-favorite human petri dish of software development enjoyers. lot of oddball developers in that space and quite a lot of incredibly dramatic fallouts and theatrics that seem to come with the anonymous nature of not tacking your real name / identity to a project, and a consuming audience that has zero idea what goes into development so the negative feedback/demands that come in are in their own way unhinged.

by trueno

4/21/2026 at 4:19:27 PM

I'm well familiar with what you're talking about. I see it in the emulation space as well. Famously so with byuu/near.

We have all of the parasocial behavior from bystanders as well. Cult mentalities and hero-worship. It's quite a strange phenomenon.

by busterarm

4/21/2026 at 5:55:46 PM

oh god yeah the emulation space is absurd.

by trueno

4/21/2026 at 5:17:36 PM

Welcome to the artworld. 19th century European artist culture resurfaces. Don't cut off your ear :)

by 1attice

4/21/2026 at 4:07:06 PM

[dead]

by cf100clunk

4/21/2026 at 6:12:56 PM

[flagged]

by bubblethink