"Code doesn't sell itself" is almost managerial/CEO self-parody -- especially when it's a two-person show (not to mention the score of successful open/open-ish projects that totally and utterly lack a marketer/salesman.)
I think he meant "Code doesn't skim its own profit."
There's even more context about how
this CEO managed the business in a reddit thread in response to those
tweets as well, which includes some detailed and revealing comments from
the developer:
"I already prevented any possible
compromise of the OS. I am not capable of compromising it anymore so no
form of coercion can make me do that. It's very unfortunate that things
ended this way and now I guess the little money I earned from this will
go to legal fees, etc." - Daniel Micay
I'm wondering if destroying the
signing keys will have legal consequences. Are signing keys considered
company IP when their identity is "fused" with the main developer?
Reading online posts it seems that the community is trusting the developer, not the company behind him.
Ah ok, so I'm guessing that strcat
is Daniel Micay then? That wasn't obvious to me (I initially thought
that Mozilla might have been funding CopperheadOS or something).
Ultimately, who cares who's morally right or wrong? Let's skip the drama and try to see the legal angle, with the goal of figuring out a way to "save" the source code (if possible).
The way I see it (with my limited legal knowledge, IANAL) is that Daniel Micay got paid for his services, and therefore the copyright is assigned to the company behind CopperheadOS. I'm not sure if Daniel can be fired, that'd depend on the legal entity of CopperheadOS (for example, in a general partnership both partners bear responsibility and liability which levels the playing field). I tried looking it up on the homepage, but I've been unable to figure that out. What is the legal entity behind the company "Copperhead Security"?
As a SWE, all of my
employment contracts explicitly state that code that I wrote for the
company is owned by the company. Just because he was paid for services
does not mean that the company owns the copyright of the code he wrote.
If I pay a photographer for
services, the photographer owns the copyright unless we agree otherwise
in a contract. If there is no agreement, the creator owns the work.
My (very limited) understanding is
that the rule about works for hire only applies to non-employee
contractors under certain tightly defined circumstances. Actually
employing a photographer as an employee would mean you own the
copyright, paying the photographer as a contractor would not.
What a shame. I used to hang out on
Rust IRC when Daniel was still engaged with the project. He always
seemed so knowledgeable and he fought for what he thought was best for
the language.
That's an option, but not necessarily the sole one. This problem isn't new. I'd say it's one of the primary reasons why a general partnership is a legal entity, or a good choice in this case [1]. It'd level the playing field between both partners, creating a mutual interest from an authority higher than themselves (ultimately, the government). I'm not saying it is without problems though (imagine one of the partners becomes terminally ill).
Another option would've been to call it earlier, before burn-out, when it turned out there was no market for this. If people don't wanna pay or donate for the product, there's no demand apparently. No need to work for a minimum wage. Get a regular job, and use your leisure time as you see fit (for EXAMPLE on a project like this but without pressure or obligation).
I figured it was only a matter of time. It's absurd to think you can run a company with a product like this, with only one full-time developer. RIP folks who bought devices from them, who will no longer be receiving updates.
They were the two co-founders of the
company, and both still own 50% of the shares of the company, with
Daniel having been the CTO and sole developer of its products.
From 30 minutes reading about this and no prior knowledge about the project or the people involved, this seems to be the probably wrong timeline:
1. Developer starts a project, hacks on it for a while.
2. Developer decides he'd like to get paid for hacking on project.
3. Enter guy. Developer and guy incorporate, with guy as CEO and director, developer as CTO and person who does all the coding. Ownership is 50-50, company assets and personal assets are a mess (domain name & DNS are on the CEO's personal card, copyright for the code CTO writes is not assigned to the company, CTO controls private keys, and some are his personal private keys from before the incorporation).
4. CEO & CTO have a falling out wrt company direction.
5. CTO takes this personally, as a betrayal, seeing the falling out as the destruction of the project he has built basically single-handedly at great personal sacrifice.
6. CTO destroys private keys, plans to sue over copyright. Project is now imploded.
Is it possible for them to fork
under a new name? I ask because it depends on how they have structured
the copyright of their code and open source licensing. I don't see any
other simple solution besides forking and creating a new entity he owns
100% of.
If Microsoft, who seem to be on an open source binge, would let loose WindowsPhone 8.1 ...
(It's not like MS are doing anything in that space anymore, except piling up Win10 stuttering on the remains ... and it might, perhaps, possibly, stub someone's toe ...)
If anyone has grafted a Metro Design scion on a Linux rootstock, that would be worth a look too.
But what about apps? That's a major part of the reason why Windows Phone died: developers refused to commit resources to port/develop apps for yet another mobile platform.
IIRC, Palm webOS tried to fix that by allowing developers to use familiar HTML/JS-based tooling (Enyo) [0] to build apps for that platform, but the die had been cast with iOS and Android.
I still have an old phone on which
I'd installed CyanogenMod. Unfortunately, it's old enough that LineageOS
isn't an option, the only updates were nightlies, and it never got past
KitKat. About the only use case I can find for it now is as a SIP
handset for my Asterisk box. I might just chuck it into a recycling bin,
since it's a 3G handset to begin with.
There's an unofficial
LineageOS build for my daily driver, but that, too, is trouble waiting
to happen since VoLTE isn't supported, and I visit Michigan often enough
to need it; I'm on T-Mobile, and a lot of their rural Michigan coverage
is Band 12 LTE-only.
Cyanogen Inc, the company founded to do commercial work on it and running a lot of the project infrastructure, ran out of money after some weird things like cancelling a licensing deal with OnePlus suddenly and closed. The community part of the project rebranded to LineageOS.
Right. The community part - which
is still alive and well in its rebranded form as LineageOS - was doing
the most important work anyway (or, even if that's a loaded statement,
the community part was extremely productive and still is).
> after some weird things like cancelling a licensing deal with OnePlus suddenly
Just to be specific, they licensed the exclusive right to the Cyanogen name in India to Micromax (while previously licensing the non-exclusive right to OnePlus in all regions), who then got an injunction against OnePlus selling their devices in India.
Does anyone have any idea how many
devices run CopperheadOS? The market has to be extremely tiny.
How many people are capable of manually flashing an image onto a
Nexus/Pixel, and then what subset of that group is interested in a "more
secure" ROM?
> How many people are capable of manually flashing an image onto a Nexus/Pixel, and then what subset of that group is interested in a "more secure" ROM?
It's mostly their commercial clients. Very few regular people can use COS for recent devices (for free) since you need to build it from source.
It's not that hard. I'm a mechanical
engineer who happens to care about privacy. I was able to build it by
following a guide.
There are many tutorials if you search. I don't have any degrees in
computer science or IT, if I could build it I would guess anyone could.
Yeah, it's not hard. The steps are
pretty well documented. It's just not very practical. You need to do it
every month and flash manually. You lose the OTA mechanism unless you
also set up an update server and hack on the code to point to your
update server. I don't know how well that stuff is documented. In any
case, all this is extremely niche. You need a good HPC like system to
have reasonable build times. Note that you are also building chromium in
addition to the ROM. The parent's point was about user numbers, and I
am pretty sure that that's minuscule outside of their paid users.
Well, you can't do any of that if
there's even a hint of commercial use because of the CC BY-NC-SA license
they (CopperheadOS) used. So you can basically only build it for
yourself.
And the uncertainty of what Creative
Commons means for code. It likely extends to the produced binary. Does
it extend to the use of that binary - are you violating the license if
you use a phone with self-built CopperheadOS for work purposes?
It seems a little silly to me that
someone would trust a "secure OS" from a situation where one guy could
"seize control" of the company and infrastructure. This is largely why
I've never seen third party ROMs as a significant solution to the
security situation with mobile phones.
That being said, I'm curious what the other side of this story is. The email makes it sound like the guy's being fired.
> "secure OS" from a situation where one guy ...
Best comment. Security is a probability theory. You rate probabilities of factors and multiply them. Probability of one guy inserting backdoor is much higher than probability of inserted backdoor in iOS or Android, hence, you'd be better off with stock SW.
And you'll be sticking out like a bamboo tree in the Midwest, with your 'secure os'.
> The email makes it sound like the guy's being fired.
The person being 'fired' owns 50% of the company and is the CTO and sole developer of the products, with most of it written on their own time. There's no employment / copyright agreement in place with Copperhead.
CopperheadOS is open source. The scripts to build a ROM are open and it's possible to audit them. In fact, if you don't want to pay for COS you are free to build your own image using said scripts. I've done it. It's easy.
I think the whole mistake CopperheadOS did was switching to a Creative Commons license that prevented commercial use by third parties. This has effectively made it tricky for Daniel Micay to continue his great work on CopperheadOS elsewhere once the company imploded.
It's sad, because it's IMHO the very best ROM out there. I don't want to use anything else. I think they should have gone for a more sustainable business model. In his shoes, I'd restart COS by doing a crowdfunding round and aiming at a few other devices (which may not be hard now with device-agnostic ROMs made possible by Treble).
COS has had a reduced target market since Google decided to price Pixel terminals much higher than Nexus. There are rumours that they might release a cheap Pixel to compete with iPhone SE. That might be good for COS.
Technically, it is. But, as you pointed out, the license they chose guarantees that it will essentially die out, specifically the bit prohibiting the non-commercial use of it.
It's also mildly interesting that Daniel aggressively defended the creative commons license they chose, when challenged.
What exactly is licensed under Creative Commons Non-Commercial?
It is either open source, or it isn't. If it is open source (OSI approved), that doesn't prohibit non-commercial work. Because then it wouldn't be OSI approved. Right?
It isn't "a different way than I do"; it's different from both the de facto meaning of the term open source, and it isn't according to OSI. That makes calling such open source deceiving, just like calling shared source open source would be deceiving. Seen enough of that shit to stick to frameworks such as OSI-approved (which is more liberal than FSF or DFSG so it could be even more strict ie. we're being generous).
In the thread, he says he owns the
vast majority of the code, so he should be able to use it freely and
distribute it under any license; at most he'll have to request new
licenses from other contributors or rewrite their code.
Not according to the OSI definition, which arguably traces back very directly to the original idea behind the term:
> 6. No Discrimination Against Fields of Endeavor
> The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.
The issue with your suggestion that
it being open source and auditable makes it secure is that you probably
have not read or audited all of the source. Security still relies
inherently on trust. And therefore the structure of the entity that controls that software must be trustworthy.
"I think the whole mistake
CopperheadOS did was switching to a Creative Commons license that
prevented commercial use by third parties."
Maybe. It depends on what
commercial use means in that license. Quite a few products are given
away for free supported by other products that are commercial. The Open
Core model usually does that with layering but the paid product can be
entirely different. Maybe something running on CopperheadOS like backup
or messaging software. Something individuals and enterprises might buy.
I was a techie, thinking Android is
open source and I get SD slot. Busted big time. Android is Google's
child, tied to its services, like Chrome, phoning home on every step.
iOS is years ahead in security and privacy. Read its whitepapers, read forensics blogs - they're all about iOS, mentioning Android in the passing, as too easy to be a blog post - blog.elcomsoft.com
Depends on your threat model. Sure,
it's impossible to keep out certain nation states, but a number of OS
changes can keep malicious applications developed by less-skilled nation
states or highly skilled individuals under control. It's not perfect,
but it's better than nothing.
Unless you are suggesting that we should
just give up on security entirely because it's impossible to have a
system that is 100% secure?
Do people really need to worry about anything other than nation states with Android and iOS? Exploits/viruses in these OSes are extremely rare in comparison to the desktop OSes and they're just getting harder to exploit. It's getting to the point where you need the resources of one of the cyber superpowers to exploit these OSes. Their permissions-based security model is great and hopefully will make its way to desktop.
My theory is that there is a backdoor into these OSes. It's the path of least resistance and there's precedence of this. Obviously Apple/Google are going to vehemently deny this, as these backdoors would be able to provide the most precise form of surveillance ever created.
The first rule of vote club is you
do not talk about vote club. Also, people who vote on your comments
either up or down don't owe you explanations. Both of these are standard
HN practice.
Not GP, but I don't consider it
harmful or whatever to ask why folks disagree with you if you don't
understand why folks would disagree with you. Sure, none of us owe them
an explanation for voting a certain way, but maybe someone will come
along and explain it, and they'll learn something new.
I don't think the system is strictly "you're right" or "you're wrong" and providing any supporting explanation is discouraged.
It pretty much always devolves into pointless meta. If someone wanted to tell you how right or wrong you are, they'd reply to your comment. Sometimes, perfectly reasonable comments get downvoted. Sometimes, truly awful comments get upvoted. Sometimes people fatfinger the wrong button on their phones. Every poster and every thread is better off just living with it, not worrying about it too much and sticking to the quality of the conversation itself.
No you literally aren't. You are
you. The conversation is the conversation. Those are two distinct
things. Nobody can ask you to be mindful of the quality of other people. It's trivial to just avoid interminable discussions about voting.
The most telling thing about this is that nobody ever demands explanations for upvotes so it's obviously not because there's some real belief these explanations would make the conversation better. It's just that being downvoted feels bad. But really, at worst, you'd eat -4 points here or there. Best is to just put on your wizard hat and Epictetain stoic robe and move on. And this isn't merely a good idea - it's the law.
Discussions about why comments are
downvoted are useful to understand the group mentality of the site, and
sometimes the post is just factually wrong, badly composed, or has
another negative quality that would be similarly evaluated by multiple
readers. Maybe the author mistyped something.
If the only feedback is a
bundle of downvotes, it makes sense to ask for more detail. The site is
better off when contributors understand what comments the community
considers valuable. Sometimes the meta-discussion even leads to a good,
but downvoted, comment recovering.
> Discussions about why comments are downvoted are useful
Well, you'd have to convince not me but the moderators of the site of that. They're quite explicitly off-topic in the written guidelines. Have been for many years along with 'neither downvotes nor upvotes come with an explanation obligation'.
And more generally, it's social
interaction, not a compiler. Like most social interactions and for most
people, it's not that hard for a newcomer, with a bit of participation,
to sort out the context and written and unwritten norms, without
constant and explicit error messages.
Or, I can just answer people's
questions about their downvotes to the best of my ability. They're
guidelines, in the sense of rules of thumb. There are plenty of times
when they just don't make sense. In doing so, you're just taking the
chance that a lot of people disagree with your reading of the situation.
> And more generally, it's social interaction, not a compiler.
You've never asked "What did I say wrong?" when someone reacted unexpectedly in a social interaction? No one owes you an explanation, but there are times when it's a reasonable question and shouldn't hurt to ask.
> They're guidelines, in the sense of rules of thumb.
That's really not how they're treated. Neither 'don't be a butthead' nor 'don't whine about votes' are serving suggestions. They're both enforced constantly, directly and indirectly. Without that, the site would be an unreadable cesspool.
> You've never asked "What did I say wrong?" when someone reacted unexpectedly in a social interaction?
I don't present every stranger who bumped me on the bus and then gave me the stink eye as if I was the clumsy boor with a questionnaire aimed at establishing a more constructive basis for our ongoing relationship. I just frown and go back to staring at my phone. This is a far more taxing and awkward near-daily social interaction than a seemingly inexplicable downvote.
The CEO, _jayy, posted a number of comments, then deleted all but one. The deleted comments were preserved by yegortimoshenko. Links: https://news.ycombinator.com/item?id=17241694