Some turbulence at CalyxOS

You’re right, it is really tempting to beat down on folks when they are transparent like this — Devault’s post about sr.ht funding/infrastructure a year or two ago comes to mind — but it really is important to temper that impulse. They’ve learned a lesson the (very) hard way, and they won’t make the same mistake again. If I were a CalyxOS user, I’d probably come back around eventually.

Sure, just like there's a better way to handle a hard drive failure than paying a data recovery firm to try to get the data off of it again. We all know you need backups and you need to test the backups and make sure you can restore from them and you need to upgrade your backup software when whatever you were using is end of life and you need to replace your backup drives and, and, and....

We all knows this, and we do a lot of this, but hard drives only fail occasionally and if you're anything like me you find double-checking your backup process to be one of the most tedious and mind-numbing chores you can possibly imagine. So when the day comes and the hard drive really does die, often you discover, quite unhappily, that your backups were not in as good of shape as you thought.

Signing keys are like that except way worse. The rules about how to handle them are not as well-developed and automated as backups are, fewer people have that problem so there aren't as mature of tools, and you rarely have a problem so you have to go out of your way to simulate failure in a way that really tests your procedures (and it's very easy to think that you have done this when you haven't). On top of that, thinking about departures in small, close-knit groups can be a bit like thinking about a relative dying. It shouldn't be, and everyone knows that, and yet. It requires thinking about uncomfortable topics like "what if we all end up hating each other, how is this going to work" and working them out in detail and making and testing procedures and this is all emotionally fraught and taxing and it's very easy to put it off.

If the employee/executive departed on good terms, can’t you trust their word (backed by a written legal agreement) that they have destroyed all copies they may have possessed?

Which suggests to me that there is more to this story than they are saying publicly.

Of course, ideally it would be stored in a HSM with secret sharing, so even if they retained their share, absent access to the HSM it would be useless, and then you could invalidate their existing share so it wouldn’t work even if they somehow gained HSM access

But, so long as trust remains intact, you possibly can tolerate the security risks the less than ideal situation entails-once trust is destroyed, you can’t.

It should be possible, but it's frequently the case that organizations haven't accurately determined whether it is possible until the first time they try to do it. It sounds like they realized that their process was inadequate, and they're taking the time to fix the process and audit it before they take users again.