Ex-CopperheadOS dev spits fire as CEO says project not dead
Followers of PiunikaWeb may remember that we published an article yesterday about the ‘demise’ of CopperheadOS and possible alternatives.
The term ‘demise’ is intentionally kept in quotes, as CopperheadOS is not actually dead. The company, Copperhead Limited, is still selling the privacy-focused OS bundled with second generation Google Pixel phones.
James Donaldson, CEO of Copperhead Limited, posted a quick (and surprising) tweet after the original story got published.
The author (@AndItsTito) wanted to include Daniel Micay (the lead developer of CopperheadOS, who was fired by Donaldson) in the conversation, while explaining the reasons for calling the fork ‘dead’.
I like to invite @DanielMicay in this conversation.— Kingshuk 'Tito' De (@AndItsTito) February 5, 2019
Last I checked, @CopperheadOS is still based on Oreo and lagging behind several security patches. 🤔— Kingshuk 'Tito' De (@AndItsTito) February 5, 2019
Donaldson tried to defend the company by comparing it with other Android OEMs and their update strategy.
A privacy + security focused distribution which is outdated (+ vulnerable) looks pretty much 'dead' to me. Yes, I consider there was a dispute, but that shouldn't be considered as an excuse for the situation.— Kingshuk 'Tito' De (@AndItsTito) February 5, 2019
Daniel jumped in and explained how the current CopperheadOS lineup is affected by not having migrated to Android 9 Pie, on which the SoC/platform-specific patches for these devices now depend.
Yes, that's accurate. It's not only behind several security patches, but lacks hardware and device security updates all the way back to August 2018. Those updates are available through Android Pie, and it was mandatory to migrate last year in order to continue providing them.— Daniel Micay (@DanielMicay) February 5, 2019
Pixel, Pixel XL, Pixel 2 and Pixel 2 XL stopped receiving security updates via the AOSP 8 branch in August last year. They never received an August 2018 security update via Android 8 as you can see from https://t.co/vcjf9aZv9K and the AOSP repositories for them which ended then.— Daniel Micay (@DanielMicay) February 5, 2019
If you look at a security bulletin like the February 2019 one, you can see it's divided into two: https://t.co/Ur3Lmj1KTH— Daniel Micay (@DanielMicay) February 5, 2019
The 2019-02-01 portion is made available via AOSP including the 8.1.0 branch that Copperhead continued merging months late.
The 2019-02-05 portion is not.
The -05 updates are tied to the SoC platform, kernel and other device-specific code not updated via the baseline AOSP releases. Copperhead does not have these updates since August 2018. They DO NOT have even the August 2018 security update and are dishonest about the patch level.— Daniel Micay (@DanielMicay) February 5, 2019
They resorted to doing the same thing that other ROMs have done for years: lying to their users (in this case customers) about the patch level they're providing to make it appear secure. They're aware they lack full security updates since August and are just incredibly dishonest.— Daniel Micay (@DanielMicay) February 5, 2019
They only applied a tiny subset of these additional patches, and are pretending that they did all the work. It's not feasible to provide full security updates for these devices via Android 8. I would have migrated to Pie within 2 weeks in August if the company hadn't gone rogue.— Daniel Micay (@DanielMicay) February 5, 2019
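The -01/-05 split above is something a reader can check on a device rather than take on trust. The following is an added example, not code from the article, from Copperhead or from Daniel Micay: it parses an `adb shell getprop` dump and flags a claimed patch level that the running release branch cannot actually deliver. The `SAMPLE_GETPROP` dump is constructed for illustration (the property names are the real AOSP build properties, the values are made up), the function names are this example's own, and the `full_patch_end` cutoff is a value the analyst supplies; the July 2018 cutoff used for Pixel/Pixel 2 on Android 8 is taken from the thread's statement that those branches received nothing device-specific from August 2018 onward.

```python
"""Sanity-check a ROM's claimed Android security patch level.

Added example, not code from the article, from Copperhead or from Daniel Micay.
A YYYY-MM-01 level covers only the framework patches delivered through AOSP,
while YYYY-MM-05 additionally claims the SoC, kernel and device-specific
patches that the baseline AOSP release branches do not carry.
"""
import re
from datetime import date

# Constructed getprop dump for illustration (property names are the real AOSP
# build properties; the values are made up for this example).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [8.1.0]
[ro.build.version.security_patch]: [2019-02-05]
[ro.product.name]: [taimen]
[ro.build.fingerprint]: [google/taimen/taimen:8.1.0/EXAMPLE.000000.000/000000:user/release-keys]
"""

# Last month in which the AOSP 8 branches for the Pixel/Pixel 2 carried the
# device-specific (-05) patches, as stated in the thread: July 2018, nothing
# from August 2018 onward. An input to this example, not something the device reports.
PIXEL_OREO_FULL_PATCH_END = date(2018, 7, 1)

PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")
LEVEL_RE = re.compile(r"^(\d{4})-(\d{2})-(01|05)$")


def parse_getprop(dump: str) -> dict:
    """Turn `[name]: [value]` lines into a dict; ignores anything else."""
    props = {}
    for line in dump.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def parse_patch_level(level: str):
    """Return (month, scope): scope is 'aosp' for a -01 level, 'full' for -05."""
    m = LEVEL_RE.match(level)
    if not m:
        raise ValueError(f"unexpected security patch level: {level!r}")
    month = date(int(m.group(1)), int(m.group(2)), 1)
    return month, ("aosp" if m.group(3) == "01" else "full")


def assess_patch_claim(props: dict, full_patch_end: date) -> list:
    """Return a list of findings (empty means the claim is internally consistent).

    full_patch_end is the last month in which the device's AOSP branch of the
    running major release received the device-specific patches; the caller
    supplies it (an assumption of this example, not something the device reports).
    """
    findings = []
    release = props.get("ro.build.version.release", "?")
    claimed = props.get("ro.build.version.security_patch", "")
    month, scope = parse_patch_level(claimed)

    # A -05 level dated after the branch stopped getting device-specific
    # updates cannot be honest: only the -01 (AOSP) part is obtainable there.
    if scope == "full" and month > full_patch_end:
        findings.append(
            f"claims {claimed} (includes SoC/kernel/device patches) on Android "
            f"{release}, but that branch carried no device-specific patches after "
            f"{full_patch_end:%Y-%m}; only {month:%Y-%m}-01 is supportable from AOSP"
        )

    # On Treble devices the vendor partition reports its own level; a vendor
    # level older than the system level means the -05 claim is overstated.
    vendor = props.get("ro.vendor.build.security_patch")
    if vendor:
        vmonth, _ = parse_patch_level(vendor)
        if vmonth < month:
            findings.append(
                f"vendor partition is at {vendor} while system claims {claimed}"
            )
    return findings


if __name__ == "__main__":
    for finding in assess_patch_claim(parse_getprop(SAMPLE_GETPROP), PIXEL_OREO_FULL_PATCH_END):
        print("FINDING:", finding)
```

On a real device, feed it the output of `adb shell getprop` and set the cutoff from the last month the device's AOSP branch actually received the -05 portion; a -01 level is not flagged, since that portion can still be merged from AOSP as the thread describes.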
Daniel also made a serious accusation against his former company: Copperhead Limited allegedly sold Nexus 9 tablets to Médecins Sans Frontières (MSF) even though the devices had already reached end-of-life (EOL) status at the time.
In private, before things publicly fell apart, the company was already engaged in selling contracts it would be unwilling to properly fulfil with quality products. Copperhead sold Nexus 9 tablets to @MSF despite them being end-of-life. There is a lot that I considered unethical.— Daniel Micay (@DanielMicay) February 5, 2019
According to James Donaldson, he and Daniel Micay are currently engaged in a legal battle over the damage Donaldson says Micay’s actions did to the company and its customers. As a consequence, Donaldson has blocked Micay on Twitter and so could not see or respond to his messages yesterday.
Daniel also clarified that two of the alternatives mentioned in our previous article, RattlesnakeOS and #!os (hashbang), are not forks of CopperheadOS:
They aren't the same thing. RattlesnakeOS explicitly doesn't include hardening. It's a set of scripts for making signed builds of AOSP on AWS. The #!os project is also focused on making scripting for building, aimed at making it easier to do reproducible builds, etc.— Daniel Micay (@DanielMicay) February 5, 2019
Indeed! If you go through the article, these points are clearly mentioned. 🤓— Kingshuk 'Tito' De (@AndItsTito) February 5, 2019
Yeah, the Rattlesnake and hashbang projects just shouldn't be called forks when they don't fork or continue the past work but rather develop scripting around AOSP builds. They do useful work, but it's not the same thing.— Daniel Micay (@DanielMicay) February 5, 2019
He also talked about his Hardened Android Open Source Project:
It lacks the resources to provide production quality releases and to quickly restore all of the past privacy and security work for Android P. However, it's progressing, and time taken to write a completely new hardened allocator already makes one part of it substantially better.— Daniel Micay (@DanielMicay) February 5, 2019
It also now supports the Pixel 3 and Pixel 3 XL, which were never supported when it was branded as CopperheadOS and are not supported by the poorly maintained and incredibly insecure fork of the old work by Copperhead that has replaced the old CopperheadOS.— Daniel Micay (@DanielMicay) February 5, 2019
Daniel was also kind enough to point out a technical mistake in our article: we wrongly assumed that the current hardened_malloc was still based on OpenBSD’s malloc implementation.
The hardened_malloc project isn't a fork or port of OpenBSD malloc. It's a new allocator written from scratch to provide better performance and substantially better security than the past work on making an extended fork of OpenBSD malloc with additional security features.— Daniel Micay (@DanielMicay) February 5, 2019
It's heavily inspired by OpenBSD malloc along with borrowing ideas from other allocators like jemalloc and PartitionAlloc. It's a much different allocator than OpenBSD malloc. It has much different design choices and approaches to the core design and is inherently 64-bit only.— Daniel Micay (@DanielMicay) February 5, 2019
James suggested that we should have contacted Copperhead before publishing the article. Accordingly, today we have reached out to both James and Daniel individually to gather further information.
For flashaholic readers: Daniel pushed the February security update yesterday.
PQ2A.190205.002.2019.02.05.02 release with the February security update and Chromium 72.0.3626.76 is being pushed out via https://t.co/5oNUPIUT2n. There are also improvements to the next generation hardened malloc and a small amount of progress restoring past security features.— Daniel Micay (@DanielMicay) February 5, 2019
TL;DR: Fasten your seatbelts! It is really not ‘dead’. Please follow the Twitter conversation for latest updates as the discussion is still ongoing.