Hi all!
I'm an android developer, and I regularly read the official android-dev and android-porting lists, but on all the fan blogs and from lurking here, it seems that all the good development is coming from XDA-dev!
So why don't you guys do some patch submission? Features like the auto-rotating browser and the transition animations should really, really be in the main source, but the official Android team have their thumbs up their asses in regards to UI/polished stuff. (I bet they're too busy working on the lower-level cellular stuff and the ARM-generating stuff like in the *flinger libraries.)
So you guys should make some patch submissions over at (http://source.android.com/submit-patches)!
That way, the next RC will have all of these lovely features you guys have implemented.
((Or, alternately (but more ambitiously), fork the entire codebase. Strip out the DRM and add a framework for native code execution. Perhaps that's a pipe dream, though..))
Thoughts?
I think forking the Android source would be a very nice touch, if Google doesn't pull it together. We could still add on to stuff from the official code, but add on all the special stuff that Google refuses to (they've said they won't add the ability to change CPU speed, etc).
Oh, absolutely, there would be numerous advantages to having a fork. It should definitely be discussed! I'm afraid that Google may be trying to exert too much control on their platform in ways that we don't always want, so there is nothing legally to stop us from forking and maintaining a more badass tree. GitHub could provide the hosting.
Of course, it might be a waste of effort. If you submit the badass patches, then the good features here go out into all the phones in the next versions. Work on the fork, and only the selected users who are able to flash their own phones can use it, unless some Chinese companies start using it or something like that.
Names?
XanDroid? I'd rather like to see Mandroid in a slick black theme.
Well, to me it seems like the only people doing cool things right now with Android have rooted devices.
So why can't you ***** a little on the Google lists to make them actually do some work? The Roadmap @ http://source.android.com/roadmap is a joke. Either they give us root or they start working, imo. =)
Seanambers said:
Well, to me it seems like the only people doing cool things right now with Android have rooted devices.
So why can't you ***** a little on the Google lists to make them actually do some work? The Roadmap @ http://source.android.com/roadmap is a joke. Either they give us root or they start working, imo. =)
Do you think that the release of the new unlocked Dev phones will change things?
Yeah, it'll most probably shake things up a bit; however, what about all those that already have a G1?
I for sure am not buying a new phone to get root.
But even so, we're still talking about modifications to the OS and the packaged applications, which would be released in the next RC version, so even non-root users would get the features in the next update, along with anyone running Android on something besides a G1.
my .02
I'd say submit some of the things found here and see what Goog does with it. If they openly add these things that need root at this point and let xda-dev participate in the OS with such submissions... then cool, that's how open source works best, when anybody can add to the project, a phone OS utopia.
If they ignore it, then a fork is the way to go, but give Google a chance to do the right thing first before just leaving them in the xda-devs' dust with a custom distro...
bhang said:
I'd say submit some of the things found here and see what Goog does with it. If they openly add these things that need root at this point and let xda-dev participate in the OS with such submissions... then cool, that's how open source works best, when anybody can add to the project, a phone OS utopia.
If they ignore it, then a fork is the way to go, but give Google a chance to do the right thing first before just leaving them in the xda-devs' dust with a custom distro...
Google has refused to add multiple features. They feel that they aren't necessary, or that your average consumer wouldn't want it (main thing I can think of atm is CPU speed).
If they don't add the features we request, simply because *they* don't like them, then a fork would get us exactly what we want/need. After we fork it, and the number of users using stock Android plummets, maybe they will listen.
I see a problem with forking... who says what is allowed and not allowed? That is the main problem. Now if you wanted to just add an app that would be one thing but there is not going to be an easy way to do this.
Gary13579 said:
Google has refused to add multiple features. They feel that they aren't necessary, or that your average consumer wouldn't want it (main thing I can think of atm is CPU speed).
If they don't add the features we request, simply because *they* don't like them, then a fork would get us exactly what we want/need. After we fork it, and the number of users using stock Android plummets, maybe they will listen.
Given the number of G1s with modified fw installed compared to the total number of sold units, I somehow doubt the number of users is going to plummet.
IMHO it would be a needless fork unless some new or considerably modified features were planned. Better to just patch the functionality into the official builds, if at all possible.
I'm not convinced by that logic. There would be an important difference between a fork and patched versions of the firmware, as a fork would have a totally different design philosophy. Whereas Android is focused on speed (or whatever the hell they're concentrating on... but to be honest, I think they're dicking about over there), Mandroid could have more focus on polished features and low-level access. ((And! No DRM, and I'd like to see some more security features... ZRTP?))
Either way, I think it's really important for the success of the open future of phones that the open source community take and give back. There's no need for the back-and-forth like with, say, PSP-cracking as we have the source code and we are allowed to do whatever we like with it. If we just keep patching what they give us and keeping the modifications closed, then we aren't really in control.
As for project management, I'm absolutely sure there are people who are capable of maintaining an active open-source project such as this, as long as there is a well-thought out design philosophy. I'd love to be involved, if enough people are willing to give it a shot. But, first, it'd be easier just to submit patches.
Miserlou! said:
PSP-cracking
PSP cracking is insanely different. If you were in that scene, does my name look familiar? I was net admin at toc2rta/malloc, admin of psp-hacks.com, and worked with a lot of people on a lot of stuff that I barely remember as it was years ago.
But for the PSP, we were working with a system we knew nothing about. So yes, Android would be a lot simpler to work with. But if Google doesn't listen to us, it's not like it would really matter.
neoobs said:
I see a problem with forking... who says what is allowed and not allowed? That is the main problem. Now if you wanted to just add an app that would be one thing but there is not going to be an easy way to do this.
Android is licensed under both the Apache Software License (do whatever you want with it) and the General Public License (do whatever you want with it as long as you make the source code available for others). We are certainly allowed to do this, but the problem lies with the G1 owners running the official RC30. They won't have the rights required to flash the image, which leaves them out of the party.
2 words
The community (did I spell that right?)
Bhang
Datruesurfer said:
Android is licensed under both the Apache Software License (do whatever you want with it) and the General Public License (do whatever you want with it as long as you make the source code available for others). We are certainly allowed to do this, but the problem lies with the G1 owners running the official RC30. They won't have the rights required to flash the image, which leaves them out of the party.
I meant who is going to be the decision maker of what features will be added... The community as a whole? What about some that want it but only 25% of the community wants it?
neoobs said:
I meant who is going to be the decision maker of what features will be added... The community as a whole? What about some that want it but only 25% of the community wants it?
That's what project leads are for. And hypothetically when enough people are dissatisfied with the xda-dev fork they will go and create their own fork. Except I don't think there is any real argument yet to go and create an xda-dev fork in the first place. Forking an operating system meaningfully is not a weekend project for a single person.
I have said it before, let's give them a bit more of a chance, a fork isn't something a guy can do in a weekend.
So let's see what happens in RC3X; the next release will give folks a better idea of where their heads are at. If enough of the community is unhappy, there will be a fork.
Bhang
Alright - there's been some concern about me link baiting for traffic to my blog. I don't really care much about traffic to my blog whatsoever (no, I don't get any ad revenue), so I'm reposting the entire post, in its entirety, without any links back to my blog.
It's inflammatory, but I think there's suggestions that should be considered. I'll post some of the suggestions in here on the XDA suggestions thread, too.
TL;DR: Cowboys suck (even if they contribute tons of code upstream, withholding source code "until it's ready" for an OSS project is disingenuous at best), the XDA forums are *okay*, but the flat comment format that most, if not all, forum software imposes is completely outdated (look at Reddit and mailing lists for inspiration), and other OSS communities have largely figured out how to separate user/developer communication lines without hiding anything from anyone.
Without further ado...
---
I've been a member of the XDA Developers Forums for a few months, and after following development forums for various phones (mostly the Nexus S and the HTC Thunderbolt forums), I've concluded that the XDA Developers forums suck. Perhaps an even stronger claim is that the Android developer community sucks, but I won't be defending that claim in this post.
So, why do the XDA Developers forums suck?
For one, the purpose of the forums is to centralize discussion and cooperation on development projects for Android. Based on what I've seen so far on the Nexus S and Thunderbolt forums, I believe that the forums have largely failed at this task. ROMs are largely developed independently, with about over half of the ROMs maybe sharing source code with the community, with the biggest offender being CM7 for Thunderbolt (the source code for most of the OS is shared with the public, but the most important part that adds support for the Thunderbolt's radio will not be open sourced "until it's done.") Worse, there are a lot of prima donnas in the community - in most other dev communities, most of the work is done in teams, though there may be benevolent dictators or celebrities (but almost none of the things that are present in the XDA community - withholding of source code and "heroism.") As much as slayher has contributed to the community, it's telling when you see CM7 on Thunderbolt completely contingent on him finishing his radio interface layer code, and having to go to a channel called #slayher for CM7 Thunderbolt support. Who the **** creates a channel based on their handle for a software project?
Not only that, but the discussion that does take place on the forums around development is almost always centered on end user support. Many other communities solve this with mailing lists in order to help focus branching topics in a thread (most forums are notoriously bad at this, given that the default view in most forums and the way that a forum focuses your conversation often defaults to a flat hierarchy of posts.) Any relevant developer discussion is drowned in a sea of user support questions, and I would not blame anyone who wishes to take their conversation elsewhere.
What I propose as an alternative is the following:
* A site that is an aggregate of mailing lists for various phones, software projects associated with each phone, etc.
* User support may be provided on this same site on forums, like how XDA is setup right now. The only difference is that dev discussion is separated into mailing lists (and make it crystal clear that any developer related discussion should be posted on the mailing lists.)
* This site should not post anything that doesn't have any source code freely available under the GPL/BSD/Apache/etc. licenses.
EDIT: There's a couple of things I want to address:
"Why are you complaining? The developers put a lot of time into making these ROMs!"
I'm not complaining about the devs creating software - in fact, I recognize that they've put a lot of hard work into writing these ROMs. However, there's a problem with how development is done: there are a lot of cowboys in the community who bring out the "I have a family" card when they don't try to avail themselves of responsibility by releasing their code and letting others contribute in a meaningful way. In a lot of other OSS projects, there's not a lot of that going on - people contribute, things are documented, and there's a process to merge changes in.
I want to contribute to the CM7 Thunderbolt project, but the outstanding issues largely have to do with the RIL code, which is not even available!
"Why don't you develop your own ROM?"
Because my expertise isn't squarely in Android development. I'd rather contribute fixes to a project in order to get myself acquainted, then maybe I can think about developing my own ROM.
Linus' Law: "given enough eyeballs, all bugs are shallow."
I'm sure people have reasons for what they do. Prepare to be flamed.
Sent from my ADR6400L using XDA Premium App
If you think what CM is doing is wrong, then hold Google to the same standard. They release their code when they think it's ready. This also applies to Linux and Mozilla. Get off your high horse. It's impatient people like you that make the community the way it is.
Sent from my DROID X2 using Tapatalk
Patience is a virtue; guess that's something you never heard in your life. But yeah, cool story bro...
I'm not saying I agree with Google's model, either. In fact, I think Google's sense of "open" kind of sucks, from the POV of someone who contributes to a lot of OSS projects (not large contributions mind you, but contributions nonetheless.) I patch things, they get merged into trunk, and the group agrees to cut a release once it's ready. This is different from waiting on one guy to release code "when it's ready" so people can contribute - it's frustrating, because everyone knows how busy he is (and, understandably, people want to help out to get things done faster *and* not have him be the sole person to go to), yet he keeps his cards close to his chest at all times for an OSS project.
Only the kernel is FOSS (GPL), and you have a legitimate complaint there. The Android community does a very poor job of making modified source available.
OTOH, the rest is (mostly) Apache license, so there's no requirement for releasing modified source. It's against the general spirit of things, but legitimate.
There are also a lot of prima donnas around. The ability to modify some header files and compile a kernel, or to do a cosmetic re-skin doesn't make one a "developer." The changes made simply don't rise to that level.
You've had some extremely productive posts, all 11 of them are filled with wonderful contributions...thank you!
There's more than just him working on it. He may be the lead, but he isn't the only one working. If you don't like it that way you can easily get the AOSP and do it your way. There is no one stopping you. If your way is truly better you should be able to go ahead of the pace CM is doing.
Sent from my DROID X2 using Tapatalk
So because your experience with the Thunderbolt and Nexus S forums has sucked, you think you can group all of XDA together? And anyone is welcome to help Slayher if they want or can, I'm sure if you just ask he'd be more than happy to have some help.
And unless you are going to go help him with this, no one cares what you think.
Hey dude, you're a noob.
STFU until you know what you're talking about.
Nuff said.
mike.s said:
Only the kernel is FOSS (GPL), and you have a legitimate complaint there. The Android community does a very poor job of making modified source available.
OTOH, the rest is (mostly) Apache license, so there's no requirement for releasing modified source. It's against the general spirit of things, but legitimate.
There are also a lot of prima donnas around. The ability to modify some header files and compile a kernel, or to do a cosmetic re-skin doesn't make one a "developer." The changes made simply don't rise to that level.
Thanks - this is the first reasonable post so far.
The spirit is what I'm mostly arguing for - I want to see an open development spirit that's adopted by most GPL projects, whether or not it's an Apache/BSD/GPL/etc. open source license.
I know, you're not legally bound to share your code, but for the sake of the overall community, it'd benefit *everyone*, including other ROM authors, to open code, even if it's not done. Why? So others can help your project out, and so you don't have to stress out all of the time on a free project.
merc248 said:
but the most important part that adds support for the Thunderbolt's radio will not be open sourced "until it's done.")
If you have really done OSS development in the past, then you should know that some parts of code are held back until they're done. It keeps people from unnecessarily forking a project and watering it down or doing more harm than good (people complaining something doesn't work [because they will, as they do]). Slayher doesn't do all the work. Again, if you follow the OSS community, CM has a similar relationship as the Linux kernel itself does. One guy is the top figurehead of the project (Slayher for CM and Linus for Linux). However, each has many other people that contribute and add to the development (just go look at the code repository for CM and see who's committing; it's not just Slayher). Basically it just comes down to Slayher having final say on things, just as Linus does for Linux.
merc248 said:
A site that is an aggregate of mailing lists for various phones, software projects associated with each phone, etc.
Mailing lists? What are we in, the 1990s? I suppose we should open up a Usenet group while we are at it. That's not a step forward, that's a step backwards. I agree that forums aren't really made for bringing together discussion and development, but a mailing list is way worse. Perhaps the biggest contributor to the forums being as they are is the forum software, vBulletin. It's not exactly the easiest thing in the world to mod and extend, just from my own experience of using it. For example, the presentation layer of it and the CSS files are all stored within the database with no easy way to access them besides some horrible GUI that no developer would really want to use. You can force it to dump out the CSS and use the files for modification, but modifying the other parts of the presentation (XHTML, XML, etc.) is much harder to do.
merc248 said:
This site should not post anything that doesn't have any source code freely available under the GPL/BSD/Apache/etc. licenses.
So I guess we should throw out the forums discussing the iPhone, Windows Phone and such, since those devices use things not under open source licenses. Even the Android kernel is not totally open source (the drivers have some binary blobs). The first phone with a totally open source kernel just came out (Samsung Galaxy S2).
I am by no means an android guru (and I make mistakes) and I am learning everyday, but I can say that you don't have all the answers and the ones you have, don't really seem to solve much.
yareally said:
If you have really done OSS development in the past, then you should know that some parts of code are held back until they're done. It keeps people from unnecessarily forking a project and watering it down or doing more harm than good (people complaining something doesn't work [because they will, as they do]).
You know what I say in that case? **** the complainers. Open the code and accept patches from anyone who has not only followed the guidelines that you've set for your project, but also actually fix whatever bug (for the very tiny amount of OSS code I've written from scratch, I usually accept any reasonable pull requests - a lot of larger projects I've seen usually require a ticket in JIRA or Redmine.)
Slayher doesn't do all the work. Again, if you follow the OSS community, CM has a similar relationship as the Linux kernel itself does. One guy is the top figurehead of the project (Slayher for CM and Linus for Linux). However, each has many other people that contribute and add to the development (just go look at the code repository for CM and see who's committing; it's not just Slayher). Basically it just comes down to Slayher having final say on things, just as Linus does for Linux.
That, I didn't know. The way it's presented, it sounds like slayher and very few other people are usually the ones credited with all of the work, but to be honest, it sounds like slayher is doing all of the work (and given that the RIL code is not even open sourced yet, I'm not convinced that anyone else is really working on *that*.) In that case, how would I figure out what outstanding bugs are in the CM7 build? Any small bugs that a junior dev would be able to tackle?
Mailing lists? What are we in, the 1990s? I suppose we should open up a Usenet group while we are at it. That's not a step forward, that's a step backwards. I agree that forums aren't really made for bringing together discussion and development, but a mailing list is way worse. Perhaps the biggest contributor to the forums being as they are is the forum software, vBulletin. It's not exactly the easiest thing in the world to mod and extend, just from my own experience of using it. For example, the presentation layer of it and the CSS files are all stored within the database with no easy way to access them besides some horrible GUI that no developer would really want to use. You can force it to dump out the CSS and use the files for modification, but modifying the other parts of the presentation (XHTML, XML, etc.) is much harder to do.
I only bring up mailing lists because they do one thing really really well: threading. Google Groups is a nice middle ground, since it provides an email interface, plus you can search for stuff pretty easily on a web frontend.
The other site I've seen that does comment threads really well is Reddit - I don't think it's feasible, however, for software development teams to use Reddit as a means of communication.
So I guess we should throw out the forums discussing the iPhone, Windows Phone and such, since those devices use things not under open source licenses. Even the Android kernel is not totally open source (the drivers have some binary blobs). The first phone with a totally open source kernel just came out (Samsung Galaxy S2).
I am by no means an android guru (and I make mistakes) and I am learning everyday, but I can say that you don't have all the answers and the ones you have, don't really seem to solve much.
No, absolutely not! In fact, the forums should stay - I'm saying that to coordinate actual development work, mailing lists/Google Groups/whatever should be used instead, paired with something like GitHub or whatever. For example, it's confusing as hell to go through the single CM7 thread to find any relevant information concerning actual development - there are sometimes disparate threads here and there about workarounds that people have found, but it's incredibly confusing to follow sometimes.
merc248 said:
That, I didn't know. The way it's presented, it sounds like slayher and very few other people are usually the ones credited with all of the work, but to be honest, it sounds like slayher is doing all of the work (and given that the RIL code is not even open sourced yet, I'm not convinced that anyone else is really working on *that*.) In that case, how would I figure out what outstanding bugs are in the CM7 build? Any small bugs that a junior dev would be able to tackle?
I'm sure they would be glad to accept and review any patches contributed. Anyone can submit code, but it has to be reviewed and approved.
http://wiki.cyanogenmod.com/index.php?title=Howto:_Use_the_Issue_Tracker
http://code.google.com/p/cyanogenmod/issues/list (issue tracker)
http://review.cyanogenmod.com/#q,status:open,n,z (code review)
http://wiki.cyanogenmod.com/index.php?title=Howto:_Gerrit (how to post patches for review)
Cyanogen also has forums btw, not just a channel for help and support:
http://forum.cyanogenmod.com/
I really think you should review the CM community a bit closer. It seems like you didn't really examine it overly deep (I found all the links except the code review/forum with a 5 minute google search; the code review link I was aware of before just from my own browsing).
Also, if you really want to blame someone for the RIL issues, blame HTC, since they didn't give the source to the RIL on the phone (nor do they give the source to any of the changes they make to the Android framework and HTC Sense).
Just random info on how the RIL is implemented on Android. Android source comes with a generic one for GSM (3G and before) and then vendors just extend it for their own needs.
http://www.kandroid.org/online-pdk/guide/telephony.html
tl;dr
cool story bro...
Thanks for the links - I do know that CM has a set of forums, but didn't know they had an issue tracker and a code review site.
However, a search on the issue tracker turned up one result for Thunderbolt:
http://code.google.com/p/cyanogenmo...on Model Network Owner Summary Stars Priority
... with a comment on the bottom offering no support for the TBolt until it's actually merged in CM7.
Argh. :\
g00s3y said:
tl;dr
cool story bro...
...Sorry. I found it and couldn't resist.
+1 for mailing lists suck. I chuckled at the "why not just start up a usenet group" joke/comment.
Seems like there are a lot of other Android forums a guy could visit, if he doesn't like this one.
Hello all,
I was wondering if it would be possible for a developer to make use of vulnerability CVE-2016-0728 to gain root and inject SuperSU or others to gain permanent root on currently unrootable devices.
"perception-point(dot)io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/"
Another article here "databreachtoday(dot)com/zero-day-flaw-found-in-linux-a-8808" says that most android phones are vulnerable, even with SELinux enabled, and that it might just be harder.
I realize that I am not a developer and wouldn't understand at all how these vulnerabilities work, but I am just hoping that someone sees this. Sorry, I cannot post links yet.
Here's an active link for those interested- http://perception-point.io/2016/01/...f-a-linux-kernel-vulnerability-cve-2016-0728/
I actually came here looking for discussion about patching this newly discovered vulnerability, but the OP's question is intriguing to the non-developer.
windowsman01 said:
Hello all,
I was wondering if it would be possible for a developer to make use of vulnerability CVE-2016-0728 to gain root and inject SuperSU or others to gain permanent root on currently unrootable devices.
"perception-point(dot)io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/"
Another article here "databreachtoday(dot)com/zero-day-flaw-found-in-linux-a-8808" says that most android phones are vulnerable, even with SELinux enabled, and that it might just be harder.
I realize that I am not a developer and wouldn't understand at all how these vulnerabilities work, but I am just hoping that someone sees this. Sorry, I cannot post links yet.
This is definitely something I'm interested in as well. I have a Verizon Galaxy S5 that my wife updated to the latest Lollipop and can't root it. If I could get SuperSU injected and then patch this, it would be awesome!
I think there is potential.
However: "The vulnerability affects any Linux Kernel version 3.8 and higher. SMEP & SMAP will make it difficult to exploit as well as SELinux on android devices."
windowsman01 said:
Hello all,
I was wondering if it would be possible for a developer to make use of vulnerability CVE-2016-0728 to gain root and inject SuperSU or others to gain permanent root on currently unrootable devices.
Some people are interested in it, if you see the comments:
https://gist.github.com/PerceptionPointTeam/18b1e86d1c0f8531ff8f
jb789 said:
Here's an active link for those interested- http://perception-point.io/2016/01/...f-a-linux-kernel-vulnerability-cve-2016-0728/
I actually came here looking for discussion about patching this newly discovered vulnerability, but the OP's question is intriguing to the non-developer.
A Dutch consumer organization (Consumentenbond) is suing Samsung for the lack of security updates on their devices.
Here a link in English.
Now I wonder. I have, for example, a smartphone from the Chinese manufacturer 'No.1'. I think No.1 users will never get an update for, for example, 'Linux Kernel Vulnerability (CVE-2016-0728)'.
What do you think, is there a possibility that if the Dutch consumer organization wins the battle, we can sue all Android device builders who lack the priority of Android security updates?
I just sent this email to No.1, curious if they reply (guess not, probably select and paste into the trash bin):
Hello No.1 employee.
First of all, I'm very satisfied with my No.1 X6800 smartphone.
But I'm a bit disappointed when I ask a question as a consumer and don't get any reply from the manufacturer of my smartphone.
I asked a long time ago for a recovery / update ROM for the No.1 X6800 on your website as a firmware download. I see other phones' ROMs, but not the X6800 ROM.
But now..
A big security leak is found in the Linux kernel. (Linux Kernel Vulnerability (CVE-2016-0728)).
So I hope that the built-in update app of the X6800 will offer me an update in the coming days.
May I remind you of the next thing: Consumentenbond takes Samsung to court for its poor update policy for smartphones.
Here a link: https://www.consumentenbond.nl/nieuws/attachment/20160118_Consumentenbond_takes_Samsung_to_court.pdf
Then I think, isn't it your duty to give us consumers of No.1 smartphones Android security updates?
Sounds like it's unlikely to be exploited on Android, but still, it should be patched:
http://www.zdnet.com/article/how-to-fix-the-latest-linux-and-android-zero-day-flaw/
Hi,
I would really appreciate it if someone could help answer these two questions for me:
1. I have to revert back to Marshmallow from Nougat to use XPrivacy with better compatibility. But the security patches of custom ROMs are not the latest, mostly from '16.
Is it something to look out for, security wise?
2. Are open source apps actually secure as compared to closed source ones? Yes, their code is open, but I heard they are more vulnerable to attacks. Please enlighten me.
Thanks.
1. A newer version of the OS is better prepared against attacks, but Marshmallow is good enough for NOW. In the future Marshmallow will become not good enough.
2. It depends how well the app/code is maintained. Open source means revealing more attack vectors to a malicious attacker; however, it also means a broader chance for the good guys to review the code, find security holes and patch them before the bad guys use them. More developers involved = better security, generally. The same principle goes for closed source code: more developers paid by the company responsible for the code generally means better security. Thus it is not a matter of the source being open or closed; it is a matter of how many active people are involved in maintaining the code and how much effort is made in keeping the code secure.
juniecho said:
1. A newer version of the OS is better prepared against attacks, but Marshmallow is good enough for NOW. In the future Marshmallow will become not good enough.
2. It depends how well the app/code is maintained. Open source means revealing more attack vectors to a malicious attacker; however, it also means a broader chance for the good guys to review the code, find security holes and patch them before the bad guys use them. More developers involved = better security, generally. The same principle goes for closed source code: more developers paid by the company responsible for the code generally means better security. Thus it is not a matter of the source being open or closed; it is a matter of how many active people are involved in maintaining the code and how much effort is made in keeping the code secure.
Thanks pal.
juniecho said:
1. A newer version of the OS is better prepared against attacks, but Marshmallow is good enough for NOW. In the future Marshmallow will become not good enough.
2. It depends how well the app/code is maintained. Open source means revealing more attack vectors to a malicious attacker; however, it also means a broader chance for the good guys to review the code, find security holes and patch them before the bad guys use them. More developers involved = better security, generally. The same principle goes for closed source code: more developers paid by the company responsible for the code generally means better security. Thus it is not a matter of the source being open or closed; it is a matter of how many active people are involved in maintaining the code and how much effort is made in keeping the code secure.
shadowbone said:
Thanks pal.
Just be careful of what you are doing and always update to your latest security patch and Android.
Sent from my Pixel 2 XL using Tapatalk
JohnMichaelCost said:
Just be careful of what you are doing and always update to your latest security patch and Android.
Thank you for your advice. But the thing is, CM13 for my device has its last security patch from Dec 2016. And LineageOS 14.1 has the latest security patch, but lacks Xposed stability, especially for XPrivacy, the one I need the most (because I am on No Gapps). So, that's the confusion I have.
And I completely go along with your words about being careful with what I do with my device.
After moving into a NoGapps environment I mostly use open source apps, except for 2 or 3 apps whose functionality is not found in any FOSS apps. Yet those apps from the Play Store themselves have Google Analytics and measurement services in them. For a privacy freak like me, it is intimidating, I guess.
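A quick way to put a number on the situation described above (a ROM whose last security patch is from Dec 2016) is to read the patch level the build itself reports and compare it against today's date. The script below is an added example, not code from this thread or from any of the ROM projects mentioned; it assumes the `[name]: [value]` line format that `getprop` prints and the `ro.build.version.security_patch` property (a `YYYY-MM-DD` string, present from Android 6.0 onward), and it runs over a constructed property dump rather than a real device so it works offline.

```sh
#!/bin/sh
# Added example: rate how stale a build's security patch level is from a
# getprop dump. Assumes getprop's "[name]: [value]" format and that
# ro.build.version.security_patch holds YYYY-MM-DD (absent on pre-6.0 builds).

# Constructed getprop output modelled on the CM13 case above; not a real dump.
SAMPLE_PROPS='[ro.build.version.release]: [6.0.1]
[ro.build.version.sdk]: [23]
[ro.build.version.security_patch]: [2016-12-05]
[ro.product.model]: [hypothetical-device]'

# prop_get DUMP NAME -> prints the value of NAME, or nothing if it is missing.
prop_get() {
    printf '%s\n' "$1" | sed -n "s/^\[$2\]: \[\(.*\)\]\$/\1/p"
}

# days_from_civil YYYY-MM-DD -> prints days since 1970-01-01 (proleptic
# Gregorian, the civil-to-days algorithm), so two dates can be subtracted
# without relying on GNU date extensions.
days_from_civil() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    m=${m#0}; d=${d#0}                      # "05" -> "5" so arithmetic is decimal
    if [ "$m" -le 2 ]; then y=$((y - 1)); m=$((m + 9)); else m=$((m - 3)); fi
    era=$((y / 400)); yoe=$((y - era * 400))
    doy=$(((153 * m + 2) / 5 + d - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}

# patch_age_days PATCH_DATE TODAY -> prints the age of the patch level in days.
patch_age_days() {
    echo $(( $(days_from_civil "$2") - $(days_from_civil "$1") ))
}

# check_patch_level DUMP TODAY MAX_DAYS -> returns 0 if the patch level is at
# most MAX_DAYS old, 1 if it is older or the property is missing entirely.
check_patch_level() {
    dump=$1; today=$2; max_days=$3
    patch=$(prop_get "$dump" ro.build.version.security_patch)
    release=$(prop_get "$dump" ro.build.version.release)
    if [ -z "$patch" ]; then
        echo "Android $release: no security_patch property (pre-6.0 build?) - treat as stale"
        return 1
    fi
    age=$(patch_age_days "$patch" "$today")
    if [ "$age" -gt "$max_days" ]; then
        echo "Android $release: patch level $patch is $age days old (> $max_days) - STALE"
        return 1
    fi
    echo "Android $release: patch level $patch is $age days old - OK"
    return 0
}

# Usage on the constructed dump with a fixed reference date. On a real device
# replace SAMPLE_PROPS with "$(adb shell getprop)" and pass today's date.
if check_patch_level "$SAMPLE_PROPS" 2017-11-01 90; then
    :
else
    echo "(exit status 1: patch this build before relying on it)"
fi
```

The 90-day threshold is only a starting point; Google ships a patch level every month, so a device more than two or three levels behind has missed multiple published bulletins, and the check also flags builds that predate the property altogether rather than silently passing them.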
To be honest, open source apps are just as secure as closed source apps. The reason being, very few people are looking at either for security exploits. As for the security updates, that is a personal choice. I don't put much worth in them, as they are exploits that have been around since the beginning and Google is just pushing patches so they appear to be worried about security. Kinda funny coming from a company that makes its money from collecting and using personal data.
zelendel said:
To be honest, open source apps are just as secure as closed source apps. The reason being, very few people are looking at either for security exploits. As for the security updates, that is a personal choice. I don't put much worth in them, as they are exploits that have been around since the beginning and Google is just pushing patches so they appear to be worried about security. Kinda funny coming from a company that makes its money from collecting and using personal data.
Ooo.... Interesting. I didn't look at it in that perspective (regarding google and its patches). :laugh:
shadowbone said:
Ooo.... Interesting. I didn't look at it in that perspective (regarding google and its patches). :laugh:
Sounds familiar: "Android vs iOS", sorry, I mean open vs closed source. Closed source is the very hard part for security; it takes a long time to get hacked and it's hard finding the source ("paid developers, just like Apple").
Android, on the other hand, is open source, which is very cool; unlike "closed source" it is updated every day and developers are fighting against hackers so that the source does not get hacked.
I will not be worried. Look at my screenshot.
JohnMichaelCost said:
Sounds familiar: "Android vs iOS", sorry, I mean open vs closed source. Closed source is the very hard part for security; it takes a long time to get hacked and it's hard finding the source ("paid developers, just like Apple").
Android, on the other hand, is open source, which is very cool; unlike "closed source" it is updated every day and developers are fighting against hackers so that the source does not get hacked.
I will not be worried. Look at my screenshot.
Um, no it's not. Android isn't open source. Only AOSP is open source, and that comes preloaded on 0 devices. Everything else is closed source. Even Google uses closed source files for their devices.
Also, no one is looking at open source apps. Developers don't care about open source apps, as there is no money to be made from open source apps.
As for your screenshots, they mean nothing really, as any hack would bypass it, since it would happen when you are using the device. A perfect example is a built-in screen recorder that then uploads the videos to a server when the device is asleep (Xiaomi is known for doing this).
Mobile security really is a myth. If someone wants your info (they really don't; they couldn't care less, as your personal info is worth less than nothing), they can get it from social media sites easily enough.
zelendel said:
Um, no it's not. Android isn't open source. Only AOSP is open source, and that comes preloaded on 0 devices. Everything else is closed source. Even Google uses closed source files for their devices.
Also, no one is looking at open source apps. Developers don't care about open source apps, as there is no money to be made from open source apps.
As for your screenshots, they mean nothing really, as any hack would bypass it, since it would happen when you are using the device. A perfect example is a built-in screen recorder that then uploads the videos to a server when the device is asleep (Xiaomi is known for doing this).
Mobile security really is a myth. If someone wants your info (they really don't; they couldn't care less, as your personal info is worth less than nothing), they can get it from social media sites easily enough.
You're right. Android security really is nothing special, in fact.
May I ask you about Xiaomi, why they are doing this? And Google vs AOSP?
JohnMichaelCost said:
You're right. Android security really is nothing special, in fact.
May I ask you about Xiaomi, why they are doing this? And Google vs AOSP?
They are required to by the Chinese government. I take it you don't know much about how they do things. Here is a fast rundown. China requires all data from its citizens to be monitored and recorded. This is part of the reason for China's Great Firewall. When people buy devices made for China, this is something that happens.
As for Google vs AOSP, think about it this way. Why would you buy a Pixel device if you can get all the same features from AOSP? No money to be made there, so not good business. Yes, Google pushes a lot to AOSP, but it is getting less and less. Heck, even the base AOSP apps have not gotten any real updates in years. Google wants you to use their closed source apps: Allo, Duo, Gmail, Contacts, Phone, etc. If it wasn't for 3rd party developers like the ones here, AOSP apps would still be bare bones.
I second your view, zelendel. Although I have to ask, not that I don't understand the valuable thoughts you posted before, but..
Now that more and more vulnerabilities are brought to light these days, like BlueBorne or KRACK, and Google or devs here, for that matter, push security patches to fend against these vulnerabilities, would you say extending privacy capabilities using root and Xposed tools and some common sense while using apps should suffice against threats of these sorts?
Edit: nvm. Got hold of the desired ROM with the latest patch. Thanks for your input, guys.
shadowbone said:
I second your view, zelendel. Although I have to ask, not that I don't understand the valuable thoughts you posted before, but..
Now that more and more vulnerabilities are brought to light these days, like BlueBorne or KRACK, and Google or devs here, for that matter, push security patches to fend against these vulnerabilities, would you say extending privacy capabilities using root and Xposed tools and some common sense while using apps should suffice against threats of these sorts?
Edit: nvm. Got hold of the desired ROM with the latest patch. Thanks for your input, guys.
Just don't be worried about hacking of our phone. Developers of apps/Google/AOSP/etc. are here to save us from hackers, in fact, maybe.....
But as for root, CFW, etc., they don't get hooked even if you have GApps.
But hacking WiFi WAP, so... I don't worry; as I said earlier, "be careful what you are doing", remember that.
If you need a lot of privacy like "Donald Trump" [emoji13], then VPN your phone, install XPrivacy, cover your camera, encrypt your phone and always keep your apps/security patch and Android updated, of course.
Sent from my Pixel XL using XDA-Developers Legacy app
shadowbone said:
I second your view, zelendel. Although I have to ask, not that I don't understand the valuable thoughts you posted before, but..
Now that more and more vulnerabilities are brought to light these days, like BlueBorne or KRACK, and Google or devs here, for that matter, push security patches to fend against these vulnerabilities, would you say extending privacy capabilities using root and Xposed tools and some common sense while using apps should suffice against threats of these sorts?
Edit: nvm. Got hold of the desired ROM with the latest patch. Thanks for your input, guys.
To be honest, if I was really worried about security then root would be out of the question, as it opens up doors that can be exploited. An example is a root binary that was found to work so that it auto-granted root to every app and removed the logs of it doing so.
The KRACK vulnerability is a whole other thing, as patching a device is pointless if the router you are connecting to is not patched.
Just use common sense really. As long as Android pushes a lot of code open source there will always be issues like this that pop up. (It's so much easier to find exploits when you have access to all the code. And before you say it, no, not as many people are looking for security threats as people think.)
Thank you guys for your valuable advice. I'll make sure to keep a watch out. :good:
(This might be off topic, but I need your help, guys.)
Hi guys, I need your help with my old Nexus 5 (stock, never did CTF or rooted) and an MTK phone with the same problem.
In Google Camera, when I switch to video mode it crashes, even just opening it; please help me.
The Nexus 5 and the MTK phone are both running Android 6.0 stock.
Any idea what happened?
JohnMichaelCost said:
(This might be off topic, but I need your help, guys.)
Hi guys, I need your help with my old Nexus 5 (stock, never did CTF or rooted) and an MTK phone with the same problem.
In Google Camera, when I switch to video mode it crashes, even just opening it; please help me.
The Nexus 5 and the MTK phone are both running Android 6.0 stock.
Any idea what happened?
Have a look.
JohnMichaelCost said:
Have a look.
I'm not sure. Are you using official/stock build or some ported apk?
shadowbone said:
I'm not sure. Are you using official/inbuilt build or some ported apk?
Ok.. but thanks anyway, it is working again.....
I am on the official build.
Sent from my Pixel XL using XDA-Developers Legacy app
JohnMichaelCost said:
Ok.. but thanks anyway, it is working again.....
I am on the official build.
Sent from my Pixel XL using XDA-Developers Legacy app
You are gonna have to run a logcat to find out. Chances are, if you are not rooted or have not been messing around, then it will be hard.
This Google website offers frequently updated daily GSI builds of AOSP, where code changes from literally any contributor to the Android Open Source Project are built and hosted on Google servers:
Branch Grid - ci.android.com
The FAQ states that there is a two factor security system in place to ensure the added code is genuine and safe.
Reviewers check the added code and make sure it's consistent with Google Guidelines.
Verifiers build the changes and verify it if everything checks out.
That's basically it.
Meaning the code inside those images ready for download on ci.android.com has only been vetted by a single reviewer, before a verifier builds them for testing and it is hosted as an artifact.
I understand that these img files are not meant to be used by anyone, but it still seems a little crazy to me that Google would publicly host an image file of AOSP which could potentially be downloaded or even flashed by anyone, while the code inside has basically undergone 0 scrutiny.
Are you honestly suggesting that the AOSP source could contain malicious code?
There are very few people who can contribute to the source, and the current security measures which you've already detailed are sufficient for this. Open source does not mean open development.
V0latyle said:
Are you honestly suggesting that the AOSP source could contain malicious code?
There are very few people who can contribute to the source, and the current security measures which you've already detailed are sufficient for this. Open source does not mean open development.
There is literally a single person who reviews code changes in the aosp-master and aosp-android13 branches before they are built on ci.android.com and the resulting images publicly released for download on Google servers.
This reviewer person is neither a Google employee nor in any way associated with or beholden to them. It's a random civilian who was chosen to become a reviewer by virtue of submitting "high quality code".
This doesn't strike you as at least a bit ridiculous?
tablet_seeker said:
There is literally a single person who reviews code changes in the aosp-master and aosp-android13 branches before they are built on ci.android.com and the resulting images publicly released for download on Google servers.
This reviewer person is neither a Google employee nor in any way associated with or beholden to them. It's a random civilian who was chosen to become a reviewer by virtue of submitting "high quality code".
This doesn't strike you as at least a bit ridiculous?
No, because while Google supports AOSP, it does not control it - Android is not a Google product. This avoids conflict of interest. Whoever it is who reviews code changes was undoubtedly chosen based on their merits. Linus Torvalds isn't employed by any major company, yet I doubt you have any complaints about the fact that he maintains the Linux kernel "master" (which by the way is what the Android kernel is based on).
Android is, and was always meant to be, free and open source software, and that's the beauty of it. This is why the proper way to build Android is without GMS or any Google apps; the user themselves must choose to install those, as they are Google proprietary software. The Continuous Integration builds do not have integrated GMS; in fact the only "official" GSIs with integrated GMS are here.
It sounds like your entire argument is "How can we trust AOSP to be clean"? Simple answer: Because it's open source. You (and anyone else) can download, decompile, inspect, literally do anything you want to the code. Sunlight is the best disinfectant, as the saying goes; would you rather that Android be closed source, owned fully by a major tech giant which works primarily to serve its own corporate and shareholder interests - or would you rather things be as they currently are, with the source code freely available for anyone to inspect? It's really really hard to get away with malicious code in the latter circumstance...not so much the former.
I'm not exactly an expert in this field but I'll tag a few brilliant people who can better outline things:
@karandpr @pndwal @sd_shadow @osm0sis
There are undoubtedly more, if any of y'all know someone more knowledgeable on this issue please tag them. Also feel free to set me straight if I'm wrong
V0latyle said:
I'm not exactly an expert in this field but I'll tag a few brilliant people who can better outline things:
@karandpr @pndwal @sd_shadow @osm0sis
There are undoubtedly more, if any of y'all know someone more knowledgeable on this issue please tag them. Also feel free to set me straight if I'm wrong
The concept of Open Source is admirable, there is no question about that, however people tend to weaponize its significance.
Your contention that anyone could simply download, inspect and verify AOSP source code, or any high level open source code for that matter, is laughable. From a layman's perspective this might as well be closed source, they would never be able to authenticate it. Thus, they must rely on the opinions of so called experts, or in this case the decision of a reviewer who is apparently qualified to evaluate some of the most complex Javascript known to man, because they submitted "high quality code".
Putting aside the questionable requirements to become a reviewer, I really would like to stress how incredibly difficult it is to read, let alone understand code on this level. I personally know Javascript, but wouldn't even attempt to decipher a single paragraph of AOSP code.
Saying that anyone can do it is dishonest. It's the same as a local ISP telling people they can switch to another carrier if they don't like it, when there's nobody else around.
tablet_seeker said:
The concept of Open Source is admirable, there is no question about that, however people tend to weaponize its significance.
Your contention that anyone could simply download, inspect and verify AOSP source code, or any high level open source code for that matter, is laughable. From a layman's perspective this might as well be closed source, they would never be able to authenticate it. Thus, they must rely on the opinions of so called experts, or in this case the decision of a reviewer who is apparently qualified to evaluate some of the most complex Javascript known to man, because they submitted "high quality code".
Putting aside the questionable requirements to become a reviewer, I really would like to stress how incredibly difficult it is to read, let alone understand code on this level. I personally know Javascript, but wouldn't even attempt to decipher a single paragraph of AOSP code.
Saying that anyone can do it is dishonest. It's the same as a local ISP telling people they can switch to another carrier if they don't like it, when there's nobody else around.
Apples and oranges. My point is that everyone has the ability to do so, and if they don't know how, they can learn. This is not the same as telling someone to use an alternative that doesn't exist, and to be frank I find your comment that my statement is "laughable" to be rather disrespectful, because what I said is verifiably and factually correct. I don't know Java or Python or C++ or any programming language for that matter, but I know that I can go to Android Code Search and view any aspect that I wish. So can you, so can anyone else who has an Internet connection. Yes, it requires a certain degree of knowledge and understanding of the workings of such code, but that requirement is not prohibitive in and of itself. It doesn't matter if you're a layman or not - the code is freely available to view, and so is the information necessary to educate oneself to the point where they can understand it. "If you don't know, learn."
If someone does find a problem with the code, they can submit bug reports. Literally anyone can do this, and the Issue Tracker is also available for the general public to view.
I suppose my only observation from this is that the verifiers, and possibly contributors, should have published merits by which anyone can establish their bona fides. Still, the AOSP project is made up of some of the most brilliant minds in software.
To simply state that "Android can't be trusted because I don't know anything about Java and I don't know who's in charge of verifying the code" is an extremely ignorant assertion. It's one thing if you find a particular issue with the code that you can demonstrate and document, as well as any resistance from the "main" project in fixing it. It's another when you question the legitimacy of something without evidence or proof. If you're going to make accusations, you had better have receipts.
V0latyle said:
Apples and oranges. My point is that everyone has the ability to do so, and if they don't know how, they can learn.
They don't and they can't.
Your self-admitted lack of expertise in this area is probably why you believe that.
The equivalent of what you're claiming would be that anyone has the ability to perform brain surgery or make a revolutionary discovery in quantum physics.
You are confusing ability with possibility.
It may be humanly possible for most people to learn basic or even advanced programming, but by no means does simply anyone have the ability, or in other words mental capacity, to comprehensively read and verify source code of this caliber. I just have to stop you there.
The average xda member who flashes these images is content with understanding how to change the color of the status bar. Apples and oranges, indeed.
You are casually brushing over things that represent some of the most complex and sophisticated subject matter in all of modern computer science.
V0latyle said:
I don't know Java or Python or C++ or any programming language for that matter, but I know that I can go to Android Code Search and view any aspect that I wish.
Of course you can, but again, there is a difference between the possibility of you gaining access to the code and your ability to even remotely grasp its meaning.
If you are past the age of 15 and have never had any meaningful exposure to programming, I can guarantee you that it would be virtually impossible.
V0latyle said:
So can you, so can anyone else who has an Internet connection.
Again, you do not understand.
I have actually done some software engineering. Nothing major, but enough to help me understand the hierarchy.
The sheer incalculable, intellectual discrepancy between us and the people who actually drive innovation and work on stuff like the kernel project or AOSP is something that you can only appreciate once you have been personally exposed to it.
V0latyle said:
Yes, it requires a certain degree of knowledge and understanding of the workings of such code but that requirement is not prohibitive in of itself.
It absolutely is. 99% of the people who use this code will and could never understand it, no matter what.
V0latyle said:
It doesn't matter if you're a layman or not - the code is freely available to view, and so is the information necessary to educate oneself to the point where they can understand it. "If you don't know, learn."
That is simply a logical fallacy.
Just because it is possible doesn't mean it is plausible.
V0latyle said:
I suppose my only observation from this is that the the verifiers, and possibly contributors, should have published merits by which anyone can establish their bona fides.
I agree. I also like that you used the phrase "bona fides". Very nice, lol. You know Latin by any chance?
V0latyle said:
To simply state that "Android can't be trusted because I don't know anything about Java and I don't know who's in charge of verifying the code" is an extremely ignorant assertion.
It's a realistic one.
This is a problem with modern science as a whole. If I asked you right now to prove to me the existence of DNA or viruses, you'd have to refer me to scientific theories and expert opinions, that you have chosen to trust, even though you could hypothetically verify their findings yourself, yet never will.
If you're going to blatantly disregard all the points I've made, I see no need to continue this. I'm not sure whether you're arguing for argument's sake, or have an actual reasonable concern for the integrity of Android source.
V0latyle said:
If you're going to blatantly disregard all the points I've made, I see no need to continue this. I'm not sure whether you're arguing for argument's sake, or have an actual reasonable concern for the integrity of Android source.
With all due respect, your argument was weak and I have soundly refuted it.
Neither you, nor I will or could ever fully understand AOSP source code, let alone verify it. That's simply the bottom line. We have to trust in the assurances of its creators, thus it may as well be closed source to us.
Also, I believe you should remove the warning about politics, since you have already opted to edit my post.
tablet_seeker said:
With all due respect, your argument was weak and I have soundly refuted it.
Neither you, nor I will or could ever fully understand AOSP source code, let alone verify it. That's simply the bottom line. We have to trust in the assurances of its creators, thus it may as well be closed source to us.
Except we could. Plenty of people do. It's not written in an obscure or secret language; with sufficient knowledge of the code involved, one can easily decompile and understand it. And since the resources that can give one said knowledge are freely available, anyone can do it. I've never bothered to, and apparently neither have you, so while it is true that we don't understand the code as it is, we could, and there are many members of this forum who can - none of whom are Google employees, nor are they directly involved with AOSP.
There's a difference between someone who doesn't understand but is willing to learn, vs someone who doesn't understand and won't be taught.