<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: bernoufakis</title><link>https://news.ycombinator.com/user?id=bernoufakis</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Thu, 30 Apr 2026 00:12:34 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=bernoufakis" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by bernoufakis in "Graphene OS: a security-enhanced Android build"]]></title><description><![CDATA[
<p>> It's objectively clear though, that this is a very low quality video full of baseless speculation, and severely lacking any technical understanding and knowledge.<p>"Baseless" could not be further away from the truth. You literally have the GOS developer messages coming in live while he rehashes frivolous accusations and threatens to expose him.
To claim objectivity, when you seem to cherry pick the parts of the video that would (loosely) fit your narrative. Where is your evidence that Rossmann is in any way associated with a harassment campaign against the project ?<p>> This is exactly the same as going to a restaurant, having an argument with the owner, and then claiming that they might be putting poison in the food, even though there's absolutely zero evidence or anything that might indicate that, solely because you had a disagreement with someone and now want to harm their reputation.<p>Damn, so close, you were almost there. A more accurate analogy you could have come up with, had you actually critically listened to Rossmann's argument in his video.
Yes, it's like going to a restaurant and having a disagreement with the cook, for the latter to explicitly threaten to harm you.
At that point, is it that far-fetched to think he might poison the food ? When you know he has full control over the kitchen ?<p>You can disagree with Rossmann's perception of the actual threat, but you should at least admit that it is not absurd for Rossmann to think that someone who demonstrated such irrational behavior might attempt to harm him through the means at their disposal, among which introducing malicious code. It might be unlikely given what we know about software dev, but it is not impossible, and for Rossmann, that is the only thing that matters at the end of the day.<p>Moreover, the GOS dev himself clearly stated he would "publicly expose him" (At 2:14 in <a href="https://youtu.be/4To-F6W1NT0?t=134" rel="nofollow">https://youtu.be/4To-F6W1NT0?t=134</a> "and there will be information published about your (Rossmann) attacks on me in support of an abusive person").
Why the double standard ? That GOS dev can go around dishing out "reputational harm" but his targets doing the same is not fair game ?<p>At this point, Rossmann did him a service by publishing everything himself.
As far as any reputational harm is concerned, the GOS developer essentially brought it on himself. Could have dropped it back when they had the fallout in September 2022, as per the chat logs (<<a href="https://www.swisstransfer.com/d/d75ff782-4a7d-4497-b04e-edd19dfb7b92" rel="nofollow">https://www.swisstransfer.com/d/d75ff782-4a7d-4497-b04e-edd1...</a>>) ...<p>> I would go further and say that it was his intention of harming the project's reputation, but that's just my personal opinion.<p>Sure, "harm the reputation of the project" when he was proactively giving them no-strings-attached grants, spreading the word, and giving them opportunities to tell their side of the story ...<p>> I'm quite certain that there are more people than just me, who think that someone with close to two million subscribers on YouTube should fulfill due diligence by doing some basic research and at least read the extensive official documentation that's provided, before putting out a video with serious allegations and a very high potential of harming someone's reputation.<p>Then in the first place, perhaps the cyber security geniuses who built a privacy and security oriented OS for smartphones could do the due diligence of gathering and presenting actual evidence of Rossmann's implication in the alleged harassment campaign before posting multiple accusatory statements across their social media "with serious allegations and a very high potential of harming someone's reputation" ?</p>
]]></description><pubDate>Fri, 25 Jul 2025 18:55:49 +0000</pubDate><link>https://news.ycombinator.com/item?id=44686878</link><dc:creator>bernoufakis</dc:creator><comments>https://news.ycombinator.com/item?id=44686878</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44686878</guid></item><item><title><![CDATA[New comment by bernoufakis in "Graphene OS: a security-enhanced Android build"]]></title><description><![CDATA[
<p>Definitely worth a try !</p>
]]></description><pubDate>Fri, 25 Jul 2025 16:38:57 +0000</pubDate><link>https://news.ycombinator.com/item?id=44685128</link><dc:creator>bernoufakis</dc:creator><comments>https://news.ycombinator.com/item?id=44685128</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44685128</guid></item><item><title><![CDATA[New comment by bernoufakis in "Graphene OS: a security-enhanced Android build"]]></title><description><![CDATA[
<p>Yes, I have watched them all.
As I mentioned somewhere before I am a fan of both channels.<p>He never called Linus "insane" or "delusional" as the parent post claims, hence the request for evidence.<p>He (rightfully IMO) criticized some of his business practices (Honey, BilletLabs, "Trust me bro"), and quite a few more controversies which LTT was embroiled in.<p>He criticized Linus' behavior and lack of accountability based on his personal interaction with him, as well as publicly available evidence. At worst, called him a narcissist.
If anything, he is vindicated by all the LTT apology videos (one of which Linus and other staff even make puns and sponsor placements ...) that follow up each controversy.<p>Any more specific evidence you think shows that "Rossmann has the habit of calling random people insane and delusional".
I am willing to bet you have none.</p>
]]></description><pubDate>Fri, 25 Jul 2025 16:38:31 +0000</pubDate><link>https://news.ycombinator.com/item?id=44685125</link><dc:creator>bernoufakis</dc:creator><comments>https://news.ycombinator.com/item?id=44685125</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44685125</guid></item><item><title><![CDATA[New comment by bernoufakis in "Graphene OS: a security-enhanced Android build"]]></title><description><![CDATA[
<p>> That literally takes a few minutes to look up, it's all really well documented on the official website. <a href="https://grapheneos.org/faq#default-connections" rel="nofollow">https://grapheneos.org/faq#default-connections</a><p>Again, that is beyond the point. The developer going rogue (for an arbitrary reason) and turning the code malicious is not impossible.<p>> That literally takes a few minutes to look up, it's all really well documented on the official website. <a href="https://grapheneos.org/faq#default-connections" rel="nofollow">https://grapheneos.org/faq#default-connections</a><p>All of you who keep commenting "But it's so easy, just look it up" are lacking consideration and empathy. Other people don't think like you, they don't have to think like you. Just the documentation you have linked has so many technical terms, someone not familiar with networking and system design will barely make any sense of it.<p>It is also a matter of trust. After the developer expressed their hostility multiple times, even if someone was willing to go through it, what if the documentation is not forthcoming ? It is within the dev's control after all.
How does one even make sure that the software does what the documentation says it does ? etc...<p>> But yes, I do believe that he's obliged to do some research before putting out such absurd claims entirely based on speculation with no technical knowledge or understanding.<p>What "absurd" claim did he put out exactly ? His issue was never about the technical aspects of GOS. It was about the broken trust and the perception that using software from a hostile developer was a risk factor, hence his stopping using it (at least on his devices with sensitive info).</p>
]]></description><pubDate>Fri, 25 Jul 2025 16:25:26 +0000</pubDate><link>https://news.ycombinator.com/item?id=44684984</link><dc:creator>bernoufakis</dc:creator><comments>https://news.ycombinator.com/item?id=44684984</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44684984</guid></item><item><title><![CDATA[New comment by bernoufakis in "Graphene OS: a security-enhanced Android build"]]></title><description><![CDATA[
<p>They have been usually pretty fast !<p>I think the Pixel Tablet was a matter of a week or two.<p>There seem to be two challenges though that popped their nasty heads lately.
Some developer being temporarily unavailable due to a personal issue, and something about Android Open Source Project (GOS is built upon it, to put it simply) not necessarily supporting upcoming Pixels.<p>But the team seems resilient and motivated to keep the project going.</p>
]]></description><pubDate>Fri, 25 Jul 2025 15:51:16 +0000</pubDate><link>https://news.ycombinator.com/item?id=44684580</link><dc:creator>bernoufakis</dc:creator><comments>https://news.ycombinator.com/item?id=44684580</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44684580</guid></item><item><title><![CDATA[New comment by bernoufakis in "Graphene OS: a security-enhanced Android build"]]></title><description><![CDATA[
<p>> > If some people can't be reasoned with, what is Rossmann supposed to do ? Just stop interacting? When you have an argument with your colleague, do you go on twitter and post all your conversations and tell everyone how irrational he is? When you argue with a relative do you make a 1-hour-long video detailing how they misbehaved? Why did Luis feel the need to make content on his popular channel to expose someone with problematic behavior?<p>Rossmann did exactly that in September 2022. If you actually bothered going through the document, you could see that they had an initial interaction that did not pan out. Rossmann wished Daniel best of luck and said he would not be further involved because of the disagreement.<p>On his social media and other platforms, Daniel did not stop talking about how Rossmann was allegedly attacking (without any concrete evidence). Daniel himself contacted Rossmann again out of the blue with borderline threats / blackmail unprompted, as can be seen in Rossmann's video on "Why I deleted Graphene OS". Asking nicely did not work, and Daniel threatened to "publicly expose him", so he went public. What was he supposed to do ?<p>> Clicks. Money.<p>Rossmann's channel is not making him money. It is not monetized. His business is about repairing Macbooks and data recovery. This drama does not generate him money. He does not get paid for people using CalyxOS etc... over Graphene OS. There is simply no incentive.<p>> And on top of that he is attacking his work which is actually very valuable.<p>What "attack" ? Is a comment "Informative but unfortunate" on a video criticizing Daniel's behavior an attack ? Is giving the project a 40K USD grant no strings attached an "attack" ? Is proposing to do interviews to further promote the project an "attack" ? Is making videos to actually dispel misconceptions about GOS and praising how good it is on his channel an "attack" ?
None of you who carry water for Daniel and his toxic behavior have any evidence of Rossmann directing attacks at GOS, and even less so Daniel himself.<p>> I don't care if Luis is on the right side of the argument. If he was chatting me up on the bus and told me about it, I would be glad to know. Attacking a person in public for money and leverage is bs.<p>Again, no evidence it is about money and leverage.<p>> Edit: Especially in the case of Daniel, if you have made the conclusion that a person is truly paranoid, this is a clinical situation, do you expect to "fix" them by exposing them? Or are you throwing more gas to the fire?<p>Keeping it private the first few times did not seem to work, might as well try.
If Daniel himself is beyond help, at least make it so other people know what kind of person they are entrusting their phone security and privacy to.<p>By the way, I managed to find their archived conversations which are not available anymore in the video description. Curious about your opinion on it: <<a href="https://www.swisstransfer.com/d/d75ff782-4a7d-4497-b04e-edd19dfb7b92" rel="nofollow">https://www.swisstransfer.com/d/d75ff782-4a7d-4497-b04e-edd1...</a>></p>
]]></description><pubDate>Fri, 25 Jul 2025 15:36:49 +0000</pubDate><link>https://news.ycombinator.com/item?id=44684372</link><dc:creator>bernoufakis</dc:creator><comments>https://news.ycombinator.com/item?id=44684372</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44684372</guid></item><item><title><![CDATA[New comment by bernoufakis in "Graphene OS: a security-enhanced Android build"]]></title><description><![CDATA[
<p>I suck at taking pictures. It's definitely good enough, but worst case you can install the stock Google Camera app and disable network permission to limit snooping.</p>
]]></description><pubDate>Fri, 25 Jul 2025 15:33:26 +0000</pubDate><link>https://news.ycombinator.com/item?id=44684324</link><dc:creator>bernoufakis</dc:creator><comments>https://news.ycombinator.com/item?id=44684324</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44684324</guid></item><item><title><![CDATA[New comment by bernoufakis in "Graphene OS: a security-enhanced Android build"]]></title><description><![CDATA[
<p>The main source is the video, where you can see the GOS developer writing him live.
For more context, there was a Google Drive link that is unfortunately not available anymore, but I found and uploaded it here: <<a href="https://www.swisstransfer.com/d/d75ff782-4a7d-4497-b04e-edd19dfb7b92" rel="nofollow">https://www.swisstransfer.com/d/d75ff782-4a7d-4497-b04e-edd1...</a>><p>It has their initial conversation and disagreement in September 2022, after the GOS developer in question accuses Rossmann of being complicit with harassment campaigns against said dev., because he also gave the same 40K USD FUTO grant to other similar projects and had some interviews with their developers.<p>The second set of files are the text messages that feature in the video, after said GOS developer contacted Rossmann unprompted on May 2023 with the same type of accusation.<p>Feel free to peruse and make your own opinion.</p>
]]></description><pubDate>Fri, 25 Jul 2025 15:03:05 +0000</pubDate><link>https://news.ycombinator.com/item?id=44683961</link><dc:creator>bernoufakis</dc:creator><comments>https://news.ycombinator.com/item?id=44683961</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44683961</guid></item><item><title><![CDATA[New comment by bernoufakis in "Graphene OS: a security-enhanced Android build"]]></title><description><![CDATA[
<p>The main source is the video, where you can see the GOS developer writing him live.<p>For more context, there was a Google Drive link that is unfortunately not available anymore, but I found and uploaded it here: <<a href="https://www.swisstransfer.com/d/d75ff782-4a7d-4497-b04e-edd19dfb7b92" rel="nofollow">https://www.swisstransfer.com/d/d75ff782-4a7d-4497-b04e-edd1...</a>><p>It has their initial conversation and disagreement in September 2022, after the GOS developer in question accuses Rossmann of being complicit with harassment campaigns against said dev., because he also gave the same 40K USD FUTO grant to other similar projects and had some interviews with their developers.<p>The second set of files are the text messages that feature in the video, after said GOS developer contacted Rossmann unprompted on May 2023 with the same type of accusation.<p>Feel free to peruse and make your own opinion.</p>
]]></description><pubDate>Fri, 25 Jul 2025 15:02:29 +0000</pubDate><link>https://news.ycombinator.com/item?id=44683955</link><dc:creator>bernoufakis</dc:creator><comments>https://news.ycombinator.com/item?id=44683955</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44683955</guid></item><item><title><![CDATA[New comment by bernoufakis in "Graphene OS: a security-enhanced Android build"]]></title><description><![CDATA[
<p>> This is a video where he openly bullies someone, live streams their private messages where they're getting upset with him bullying them and repeatedly, blatantly lies about them including falsely claiming they're insane, etc.<p>That is the most disingenuous take on the video.
The claim this kind of commenters that freely carry water for the toxic GOS (ex-?) lead developer is the exact reason why Rossmann made the video.
The evidence is all there for the public to see.
Daniel does not get to essentially harass people he disagrees with after they have been asked to not contact them, threaten them to "publicly expose them" and get away scot-free.<p>Being a genius at cyber security or autistic does not give one a free pass to treat others like garbage.<p>> The video was made to direct harassment towards the project and founder after the project refused to work with Rossman.<p>The video was made to expose the harassment of the project founder toward Rossmann, when the former contacted him out of the blue with frivolous accusations after they parted ways a year earlier due to irreconcilable disagreements.<p>> He has done similar things to others, labeling them as insane and delusional.<p>No evidence provided, as usual.</p>
]]></description><pubDate>Fri, 25 Jul 2025 14:46:31 +0000</pubDate><link>https://news.ycombinator.com/item?id=44683749</link><dc:creator>bernoufakis</dc:creator><comments>https://news.ycombinator.com/item?id=44683749</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44683749</guid></item><item><title><![CDATA[New comment by bernoufakis in "Graphene OS: a security-enhanced Android build"]]></title><description><![CDATA[
<p>> I'd like to switch phones soonish and was looking at the fairphone 6 with /e/OS but feel deterred by its mid range specs which would probably limit its longevity. I would like to get away from google.<p>> Is waiting for the new pixel and then putting grapheneOS on it a good way forward? Seems weird to pick a google device to get away from that company.<p>> Has anyone else done the same?<p>I did end up going for a Pixel + GOS.
Although it is counterintuitive to use a Google device to get away from Google, according to GOS developers themselves, the Pixel series were the only devices that met their strict requirements for security.<p>From personal experience, been using it for almost 3 years now, and it gives you 95% of the benefits of Android while giving you back control over your phone, and being generally more secure.<p>Just stay out of the radar of the leadership, they can be a bit abrasive, for the lack of a better expression.</p>
]]></description><pubDate>Fri, 25 Jul 2025 14:38:24 +0000</pubDate><link>https://news.ycombinator.com/item?id=44683639</link><dc:creator>bernoufakis</dc:creator><comments>https://news.ycombinator.com/item?id=44683639</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44683639</guid></item><item><title><![CDATA[New comment by bernoufakis in "Graphene OS: a security-enhanced Android build"]]></title><description><![CDATA[
<p>Do you happen to have a backup of the Matrix / Element export from Rossmann's video ?
It was a Google Drive link that seems to be unavailable now.</p>
]]></description><pubDate>Fri, 25 Jul 2025 12:38:18 +0000</pubDate><link>https://news.ycombinator.com/item?id=44682447</link><dc:creator>bernoufakis</dc:creator><comments>https://news.ycombinator.com/item?id=44682447</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44682447</guid></item><item><title><![CDATA[New comment by bernoufakis in "Graphene OS: a security-enhanced Android build"]]></title><description><![CDATA[
<p>> Your logic seems to fall apart here.
>> an operating system which essentially handles all of your private data.<p>I will concede that my statement is not the most accurate.
However it is not a matter of logic, but description.
What I meant to say is that the OS is the substrate of all applications running on the phone, and all the relevant data.
Having privileged access to the OS opens the user to the most critical vulnerability.<p>> This is exactly why one should continue using GrapheneOS as it is by far the best, most secure and private option.
Rationally speaking yes.
When the developer of the OS threatens to "publicly expose you" and accuses you of directing harassment / swatting against them without evidence however, a layman (that has no obligation to understand how GOS updates work) is justified in feeling unsafe or uncomfortable using said software.
A determined enough (hostile) developer could find a way to target him personally. Even if you personally feel it is unlikely, the probability is ultimately non-nil.<p>The GOS x Rossmann matter was never a technical issue, it was about the (in my opinion) toxic approach of that lead GOS dev to Rossmann. A huge misunderstanding I dare say. But the damage was done and Rossmann is within his rights to criticize his approach and stop using his software.<p>> Same updates would have to go to all GOS users and as stated before,
This is an irrelevant point. Stuxnet was harmless to most systems, while still targeting very specific Iranian systems.
All GOS users (me included) don't audit the code every time there is an update.<p>> the previous project leader has a stellar reputation when it comes to their work and prior actions regarding users security and privacy.
Stellar reputation is quite the exaggeration. That lead GOS dev has an undeniably controversial and abrasive reputation.
Imagine the ingenuity and persistence that you perceive about his "work and prior actions regarding users security and privacy", and imagine it being deployed toward someone that dev does not deem as a "simple user", but a personal enemy / enemy of the project ?
Nobody would want to be on the receiving side of whatever such a person is capable of, and neither does Rossmann, understandably.<p>> > the artist being "Google" and all their controversial practices
> You believing this is a problem, you should then be using an iPhone anyway.<p>I will assume you are in good faith, and just misread what I wrote.
My point was that in the same way we cannot trust Google software (at least privacy wise) because of the profit incentive of its leaders, another OS like Graphene OS can also inspire distrust if their leadership demonstrates hostile behavior (even if just toward a single specific user).<p>> You are worrying GOS devs might push a malicious update.
Me personally, no. I am not worried. I know enough about software to know that it is unlikely. And I am a nobody.
Rossmann is, because he is a layman, and the lead dev was clearly hostile against him.
We don't get to deny his perspective.<p>> even when there are no proofs of that happening ?
Not having proof of it never happening so far, is not a proof that it will never happen in the future.<p>> What prevents the same from happening with other projects [...]
Nothing prevents it, and no one involved either in this discussion, nor in the original incident stated this.<p>> You are implying people should switch to less secure options because of this one thing that also applies to all other options?
Again, nobody implied that. I personally never said it. My argument was that I found the leadership lacking, and to a certain extent, the community (exemplified by this kind of "water carrying" arguments you have presented).
Even Rossmann himself never said it. He only made public his reasons for not mainly using GOS since the altercation, and still recommends it whenever he discusses phone privacy.
The grandparent however did bring up this issue with GOS leadership as a data point, which would still be good to have for prospective GOS users.<p>>  It does not make any sense and seems dishonest.
If anything, you moving the goal post with such strawmen arguments is what seems dishonest...</p>
]]></description><pubDate>Fri, 25 Jul 2025 11:59:24 +0000</pubDate><link>https://news.ycombinator.com/item?id=44682167</link><dc:creator>bernoufakis</dc:creator><comments>https://news.ycombinator.com/item?id=44682167</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44682167</guid></item><item><title><![CDATA[New comment by bernoufakis in "Graphene OS: a security-enhanced Android build"]]></title><description><![CDATA[
<p>> When you bring someone's dirt out in the public, not to support an argument but just to attack them because you don't like them, you are muddying the waters.<p>To take the specific case of Rossmann, how is he muddying the water ? If anything, he is clarifying his position on stopping using GOS. It is important context, not "muddying the waters".<p>You yourself say that:
> And of course Daniel pretty much does for anyone :p<p>And Rossmann brought up the receipt to corroborate the GOS developer's hostile behavior toward him, which was his argument.
And even if you take it further back to origin, the "Informative but unfortunate" comment, this was not targeting GOS's quality and claim of security. The argument in that specific case was the questionable behavior of the leadership, which you seem to agree was not a "conversation based on logic".
If some people can't be reasoned with, what is Rossmann supposed to do ? He "agreed to disagree" and cut contact with the dev, kept the GOS situation under the lid as it was still a project he liked, but that was apparently not enough to keep that developer at bay ...</p>
]]></description><pubDate>Fri, 25 Jul 2025 11:30:46 +0000</pubDate><link>https://news.ycombinator.com/item?id=44681984</link><dc:creator>bernoufakis</dc:creator><comments>https://news.ycombinator.com/item?id=44681984</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44681984</guid></item><item><title><![CDATA[New comment by bernoufakis in "Graphene OS: a security-enhanced Android build"]]></title><description><![CDATA[
<p>> But he didn't. It's clear in his later videos that he was still using Graphene OS, I believe even for months after the video.<p>Emphasis on "seemed to have stopped using it as his main device". For all we know, he kept it as a secondary device (it's just that good) after removing anything he deemed critical.
Again, he never said "don't use GOS", or "GOS is not secure".
He said he did not feel safe enough because of the hostility from the lead dev.<p>> People who are familiar with how GrapheneOS updates work wouldn't agree. No identifiers are sent to the update server, so targeted updates aren't possible that way. Also, update servers only host static files. If Rossmann was really that worried, all he'd have to do is use a VPN. But that was all just a huge dramatic act so his video would get more views, and possibly to entertain his fellow Kiwi Farms members.<p>Does it matter ? Rossmann is a layman when it comes to software.
What he perceives is that "lead GOS dev is hostile against me and has essentially full control over the project".
First, he is under no obligation to spend hours learning how GOS updates work and audit the code every release, whether or not some identifier is being tracked or not (and by the way, you can still get identified and tracked even if you use a VPN).
The damage was done once that lead GOS dev persisted in toxic behavior, for the lack of a better word.<p>> But that was all just a huge dramatic act so his video would get more views, and possibly to entertain his fellow Kiwi Farms members.<p>Unsubstantiated claims. We cannot read his mind, and I have yet to see any evidence that would support these.</p>
]]></description><pubDate>Fri, 25 Jul 2025 11:22:56 +0000</pubDate><link>https://news.ycombinator.com/item?id=44681941</link><dc:creator>bernoufakis</dc:creator><comments>https://news.ycombinator.com/item?id=44681941</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44681941</guid></item><item><title><![CDATA[New comment by bernoufakis in "Graphene OS: a security-enhanced Android build"]]></title><description><![CDATA[
<p>> This isn't even possible given how updates on GrapheneOS work. The update client doesn't send identifiers to the update server, and the update server only hosts static files.<p>> Rossmann either doesn't understand this, or he made it up to get more views, or possibly to entertain fellow Kiwi Farms members.<p>Expecting a layman to know that is not reasonable. The argument is not about how the GOS updates work in practice.
It is about the "perception", from Rossmann's perspective, that the lead dev of the OS is hostile against him.
Humans are not purely rational machines, and given the choice of either 1) spend hours auditing source code and update pipelines (every release ?) and 2) stop using it for critical purpose, the latter is the easier choice, especially for a busy person like him.<p>> To be honest, I don't think that he didn't understand that he couldn't be targeted. He continued using GrapheneOS for months after the video. As I understand it, it was clear in a few videos months after the initial video was published.<p>For all we know, he is using it on his secondary device where he has removed what he deems critical.
Again, Rossmann NEVER said "don't use Graphene OS", or "Graphene OS lacks security" or anything of the sort.
If anything, even after that video, he kept recommending GOS whenever he talked about privacy.<p>His argument is that he did not feel safe knowing he was using software from a hostile developer; and that he can't be bothered / not qualified to audit the code well enough to make it worth it (which is reasonable if you ask me, and I dare say most people).<p>Edit:
> Rossmann either doesn't understand this
Again, I agree with you here. He does not understand. He trusted the developer(s) to know what they are doing, but they broke that trust by being unreasonable, to say the least.
He is under no obligation to understand.
As for what you stated after that, I won't comment on it as I don't read minds, and pretty sure neither do you.</p>
]]></description><pubDate>Fri, 25 Jul 2025 11:10:15 +0000</pubDate><link>https://news.ycombinator.com/item?id=44681868</link><dc:creator>bernoufakis</dc:creator><comments>https://news.ycombinator.com/item?id=44681868</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44681868</guid></item><item><title><![CDATA[New comment by bernoufakis in "Graphene OS: a security-enhanced Android build"]]></title><description><![CDATA[
<p>> Is it really a strawman? At some point, the code would need to identify rossmann. Please elaborate on the techniques required to do it and how it could be obfuscated.<p>I don't have to elaborate techniques. If a determined (and potentially mentally unstable) developer decides to leverage their full control over the OS to make it happen, they can. I don't have to elaborate on the techniques which might or might not exist yet.
Stuxnet only targeted specific Iranian systems, a needle in a haystack, was spread, did not harm random devices across the globe, and stayed mostly undetected. And this was done without "developer access" to the software itself.
Is it hard ? Yes. Is it likely (especially given the knowledge of how GOS works) ? Perhaps not. Is it impossible ? Definitely not.<p>When the lead dev of the OS you use daily threatens to "publicly expose you" as a user, I won't blame said user for stopping using the software. And even less, for providing such a data point regarding the behavior of that developer.</p>
]]></description><pubDate>Fri, 25 Jul 2025 11:01:48 +0000</pubDate><link>https://news.ycombinator.com/item?id=44681814</link><dc:creator>bernoufakis</dc:creator><comments>https://news.ycombinator.com/item?id=44681814</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44681814</guid></item><item><title><![CDATA[New comment by bernoufakis in "Graphene OS: a security-enhanced Android build"]]></title><description><![CDATA[
<p>> But that would be incorrect. It's not possible for anyone from the GrapheneOS project to target a GrapheneOS user that way. Look into how updates and the update servers work.<p>My point is that from Rossmann's perspective, being the target of the lead GOS software dev's hostile behavior, as per his "Why I deleted Graphene OS", induces Rossmann's --> perception <-- that the GOS dev could go after him if he really wanted to.
First, everyone is busy and has their life; suggesting that he spend hours going through code and documentation he is not familiar with to make sure he is not a target is moot. Most people don't read TOS, and same goes for Licences and docs of OSS.
Between doing that and stopping using it as his main device OS, the easier choice is the latter.
As a software dev myself, your expectation of a layman being able to navigate something like a code review, or even investigating an exploit, is hardly reasonable.<p>So it is not "incorrect". I am not even saying Rossmann could be targeted. I cannot even make this claim as I have not gone through the docs nor understand the build and update pipeline, which is kind of my point: I can't be bothered, neither for GOS nor for most of the FOSS software I use. The majority of OSS users rely on the vague concept that motivated and honest people audit the code, but hardly anyone is going to deep dive into how an arbitrary piece of software works.<p>The main issue is that the attitude of that GOS developer, whether they like it or not, taints the confidence in the project.
It does not matter if Rossmann can or cannot be targeted technically.<p>The issue here is not technical but a reputation issue.<p>> The updater app is pretty easy to read through. I think a software developer would be able to understand it. The update servers' setups are also very easy to understand. It doesn't take a software developer genius to figure these things out.<p>Even then, it could be argued that the rules in place could be changed to introduce a malicious exploit if the lead dev(s) were motivated enough.
Especially given GOS's relatively top-down structure, relying essentially on a benevolent dictator.
Even if I made the effort and ascertained there was no attack vector, now I have to stay on alert for every commit / release version and spend as much time looking for a targeted exploit ? etc...
Update server setup might be clean, but an admin could SSH or gain access in some way or another and make rogue changes, were they determined enough.
The probability is not zero.<p>Again, the problem is eroding the trust of the specific user (Rossmann in this case).</p>
]]></description><pubDate>Fri, 25 Jul 2025 10:51:44 +0000</pubDate><link>https://news.ycombinator.com/item?id=44681767</link><dc:creator>bernoufakis</dc:creator><comments>https://news.ycombinator.com/item?id=44681767</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44681767</guid></item><item><title><![CDATA[New comment by bernoufakis in "Graphene OS: a security-enhanced Android build"]]></title><description><![CDATA[
<p>Is having an account on Kiwifarms evidence that Rossmann is either directly or indirectly responsible for harassment against the GOS developer(s) ?</p>
]]></description><pubDate>Fri, 25 Jul 2025 09:30:28 +0000</pubDate><link>https://news.ycombinator.com/item?id=44681288</link><dc:creator>bernoufakis</dc:creator><comments>https://news.ycombinator.com/item?id=44681288</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44681288</guid></item><item><title><![CDATA[New comment by bernoufakis in "Graphene OS: a security-enhanced Android build"]]></title><description><![CDATA[
<p>> You mean who tried to hijack the project in a very questionable direction, harming their users, he rather lighted the project on fire then let the users' security be compromised?
> If anything, that is the greatest compliment you could give him.<p>On one hand, sure it can be a compliment.
On the other hand, it only increases the perception that he could enact significant harm if he ever comes after you.<p>> Also, this is fud that he can push any kind of code, like you can easily check any part of the pipeline.<p>Who is "you" ? Neither Rossmann, nor me (software dev albeit not in cybersecurity), and even less so the average GOS user, and I would venture to guess that neither you can audit GOS code with enough confidence to declare that the risk of an exploit or backdoor being introduced is zero.
Open-source is not a guarantee that code or software is secure (e.g. CVE in xz utils and many such cases).<p>Edit: some clarifications.</p>
]]></description><pubDate>Fri, 25 Jul 2025 08:19:37 +0000</pubDate><link>https://news.ycombinator.com/item?id=44680894</link><dc:creator>bernoufakis</dc:creator><comments>https://news.ycombinator.com/item?id=44680894</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44680894</guid></item></channel></rss>