| To be clear, the signing keys were not Copperhead signing keys but rather signing keys of the open source project they had agreed to support and were trying to take over including coercing turning over personal signing keys used for the project to the company. The project existed before the company was founded, and was largely written before it was incorporated. It wasn't written on company time as an employee. The original project has continued and the original repositories are the ones in https://github.com/GrapheneOS on GitHub (they were migrated here and have the original stars from before Copperhead even existed), which as you can see is an actual open source project under actual open source licenses with quite active development, just as it was when it started out. Copperhead only has a barely maintained fork of the legacy code, which they are using in violation of the previous non-commercial license which they themselves convinced the project to use, which required the project to sign off on their business deals - which was actively acknowledged and respected, right up until after the failed takeover attempt where the previous arrangements / deals were simply ignored. The donations of the project were also stolen by Copperhead, which refused to return them to donors when they demanded their money either be passed along to where it was supposed to go or returned. Similarly, the project's Twitter account was stolen, and Copperhead deleted all evidence of what had occurred to cover it up along with sending bogus DMCA takedown notices to users / customers who tried to archive it on GitHub / GitLab. The cover-up was largely successful along with the attempt to take credit for the work and masquerade as the creators and developers of the project via the Twitter account takeover. People don't look closely at what happened, or at the published legal threats, actual proof and of course the still developed code. 
People just trust that a corporation is in the right, despite the fact that it's screwing over an open source project and co-founder of the company who owns 50% even today. Nothing to see there, clearly. Copperhead took over the infrastructure that had been provided and it was clear that it would not be possible to ever push out another update from the actual open source project. The only use for the signing keys would have been a compromise of the project. The CEO of Copperhead had explicitly agreed to an arrangement where they would be supporting the project while having direct ownership and control over it. The company was supposed to be building a business around the project and supporting it. They were unfaithful to the agreement and turned on the project, and did immense damage to it that set back years of both technical work and work to forge connections and collaboration with other organizations and individuals. It's going to take a long time to repair the damage done to it. And by the way, here is a series of 2 tweets for you to consider. A) https://twitter.com/snowden/status/944244053184524288 I wonder why anyone would want to compromise this OS? B) https://twitter.com/snowden/status/1047618052089696257 Which is quite a bit after what happened leading up to the keys needing to be wiped, and the project continuing on without Copperhead's involvement. Here is an archive of some of what was posted, which was then covered up, including via bogus DMCA takedowns (which is noted in the repository): https://gitlab.com/yegortimoshenko/copperhead-takeover The person who posted this archive was a neutral party observing what was happening, not someone involved in it. |