LWN: Comments on "Some turbulence at CalyxOS"
https://lwn.net/Articles/1033042/
This is a special feed containing comments posted to the individual LWN article titled "Some turbulence at CalyxOS".
Fri, 31 Oct 2025 10:48:08 +0000

Shouldn't there be a better way to handle departures?
https://lwn.net/Articles/1033411/
iabervon (Tue, 12 Aug 2025 12:19:57 +0000)

It should be possible, but it's frequently the case that organizations haven't accurately determined whether it is possible until the first time they try to do it. It sounds like they realized that their process was inadequate, and they're taking the time to fix the process and audit it before they take users again.

All users will have to re-install to get updates
https://lwn.net/Articles/1033403/
ber (Tue, 12 Aug 2025 09:40:41 +0000)

From https://calyxos.org/news/2025/08/01/a-letter-to-our-community/ I understand that all users will have to uninstall and reinstall to get CalyxOS updates again (even after the four to six months).

A big problem is that Seedvault only does backups from some data and some apps (those that behave well and allow it), so this is going to be a bumpy ride. E.g. see
https://calyxos.org/docs/guide/apps/seedvault/#what-is-not-included

Shouldn't there be a better way to handle departures?
https://lwn.net/Articles/1033150/
skissane (Sun, 10 Aug 2025 01:48:16 +0000)

If the employee/executive departed on good terms, can’t you trust their word (backed by a written legal agreement) that they have destroyed all copies they may have possessed?

Which suggests to me that there is more to this story than they are saying publicly.

Of course, ideally it would be stored in an HSM with secret sharing, so even if they retained their share, absent access to the HSM it would be useless, and then you could invalidate their existing share so it wouldn’t work even if they somehow gained HSM access.

But, so long as trust remains intact, you possibly can tolerate the security risks the less than ideal situation entails; once trust is destroyed, you can’t.

Shouldn't there be a better way to handle departures?
https://lwn.net/Articles/1033117/
rra (Sat, 09 Aug 2025 18:14:14 +0000)

Sure, just like there's a better way to handle a hard drive failure than paying a data recovery firm to try to get the data off of it again. We all know you need backups and you need to test the backups and make sure you can restore from them and you need to upgrade your backup software when whatever you were using is end of life and you need to replace your backup drives and, and, and....

We all know this, and we do a lot of this, but hard drives only fail occasionally and if you're anything like me you find double-checking your backup process to be one of the most tedious and mind-numbing chores you can possibly imagine. So when the day comes and the hard drive really does die, often you discover, quite unhappily, that your backups were not in as good of shape as you thought.

Signing keys are like that except way worse. The rules about how to handle them are not as well-developed and automated as backups are, fewer people have that problem so there aren't as mature of tools, and you rarely have a problem so you have to go out of your way to simulate failure in a way that really tests your procedures (and it's very easy to think that you have done this when you haven't). On top of that, thinking about departures in small, close-knit groups can be a bit like thinking about a relative dying. It shouldn't be, and everyone knows that, and yet. It requires thinking about uncomfortable topics like "what if we all end up hating each other, how is this going to work" and working them out in detail and making and testing procedures and this is all emotionally fraught and taxing and it's very easy to put it off.

No good deed?
https://lwn.net/Articles/1033115/
jadedctrl (Sat, 09 Aug 2025 17:48:58 +0000)

You’re right, it is really tempting to beat down on folks when they are transparent like this — Devault’s post about sr.ht funding/infrastructure a year or two ago comes to mind — but it really is important to temper that impulse. They’ve learned a lesson the (very) hard way, and they won’t make the same mistake again. If I were a CalyxOS user, I’d probably come back around eventually.

Shouldn't there be a better way to handle departures?
https://lwn.net/Articles/1033093/
KJ7RRV (Sat, 09 Aug 2025 14:19:24 +0000)

Shouldn't it be possible to handle employee, or even executive, departures without having to change the key used for OTA updates, and thus require all users to manually reinstall?

Security Keys 2: Electric Boogaloo
https://lwn.net/Articles/1033080/
cyphar (Sat, 09 Aug 2025 08:57:35 +0000)

If I had a dollar for every time a security-focused Android distribution had some weird shakeup with a founder leaving and issues arising related to signing keys and the future of releases, I'd only have two dollars -- which isn't a lot, but it's a little weird that it happened twice.

No good deed?
https://lwn.net/Articles/1033053/
tux3 (Fri, 08 Aug 2025 18:13:23 +0000)

On the other hand, kudos to them for the transparency and clear messaging.

A less conscientious project might have tried to minimize, might not have communicated appropriately about why updates have stopped coming, or worse still, might have kept going without taking any action.

It looks like they're entering a long tunnel of trying to improve their infra and processes. The sort of project that is willing to bite the bullet and ask their users to uninstall (!) so they can spend a few months overhauling their security, is the sort of project that we shouldn't punish for communicating candidly!

Sucks for users who have to go months without a release, but I have to respect the commitment to their ideals, even at the risk of losing users.