Related
I'm just putting this in a new thread so that everyone can see it without having to accidentally come across it in the Hero Source Attempts thread... Some other users have realized that if everyone who has a twitter account messages HTC through twitter, it becomes bad PR for them because everyone sees it, and they are more likely to meet our demands at a speedier pace.
If you really want lots of cool ROMs and lots of options, we gotta get that dang kernel, and this seems to be the best tactic so far. Supposedly it worked in getting the GSM kernel. SO GET TO WORK PEOPLE! START TWEETING/Messaging THROUGH TWITTER @HTC!!
Here is the original post by another user:
I personally believe that these two methods would work fastest. If they get 1000 emails, no one hears about it. But if they get 1000 tweets, or an article on Engadget, it's bad PR. This is basically what happened with the GSM Hero:
slashdot article - tech.slashdot.org/story/09/10/16/1720224/HTC-Dragging-Feet-On-GPL-Source-Release-For-Hero-Phone
acknowledgement - twitter.com/htc/status/4928377685
compliance - twitter.com/htc/status/5071201112
admission of responsibility - twitter.com/htc/status/5071514606
(sorry, I've been a member for almost 3 years but this is my first post... can't post links)
I tweeted the following, please retweet or write your own similar: @htc When can we expect to see the CDMA (Sprint) Hero kernel source code? It's been 3 months, this is ridiculous! #gplviolation
I posted a tweet, lets hope this will push them to at least acknowledge the requests.
posted a tweet too hope it helps
Posted a Tweet, i pray engadet will pick up on this.
lol been posting at least 2 tweets a day for the last 3 days. glad to see others are joining in.
Yup. Tweeted
@HTC come on, it's long past the weekend.CDMA Hero sources please.#HTC get your act together #GPL #Violation #CDMA #Hero #Sources
Click to expand...
Click to collapse
to try and get as many tags in as possible...
EDIT: Well, a search for #gplviolation on twitter is certainly interesting! (Try it...)
if you search htc you get a lot of people asking how to update to 2.x reply tweeet them to get the word out if you can.
Done! I hope we see something soon.
Done! Tweeting twice a day.
If you post a tweet regarding this, please be sure to include @htc, @sprint, and add the #gplviolation hashtag for tracking purposes.
tweet sent!
Does it really matter much if we get the kernel? As I understand it, there's a load of closed-source proprietary software running under the hood on our devices.
It depends. If HTC compiled proprietary code into the kernel itself, they're between a rock and a hard spot. Under the GPL, anything physically compiled into the kernel MUST have its source released. If HTC licensed proprietary camera drivers from anyone (Qualcomm, most likely) under terms that forbid them from disclosing the source, it's *their* problem to worry about.
IMHO, if that's the situation HTC is in, the best thing they could do to at least get everyone off their back would be to just go ahead and release their best 2.1 internal build (officially, for testing with the Android Emulator, since they can't officially condone rooting) as a "developer's preview". If they did, the necessary files would be ripped and built into a working 2.1 heroc distro within days, if not hours, and pretty much everyone would forget about the source for now & give them some breathing room for a few months.
As I understand it, even if HTC's 2.6.29 kernel had bugs, as long as those bugs weren't with msm_camera itself, we could use THAT 2.6.29 kernel to bootstrap newer builds of 2.6.29 (kind of like how Microsoft used prerelease versions of Visual Studio 2010 and Windows 7 to build Windows 7 itself). The problem now is that there's a literal hole in the 2.6.29 kernel that we can't fill, because we have neither the include file's source nor a compiled binary to drop in place.
Now, it's important to remember that we can't actually demand the 2.1 kernel yet under the GPL, since it hasn't actually been released yet. I'm only mentioning that as an *alternative* that would satisfy pretty much everyone for now, to give HTC some constructive alternatives to consider if releasing the full 1.5 kernel source for heroc is, in fact, completely out of the question due to licensing problems arising from msm_camera. Regardless of whether or not HTC can release the source to msm_camera for heroc, they can obviously redistribute 2.6.29 binaries built from it... and one of those binaries would be more than adequate for our purposes right now.
miamicanes said:
, it's important to remember that we can't actually demand the 2.1 kernel yet under the GPL, since it hasn't actually been released yet.
Click to expand...
Click to collapse
I realize you are referring to a CDMA-specific kernel (I thought 2.0 and after would be GSM and CDMA ready?), but the kernel for 2.1 HAS been commercially released. It's running on the Nexus One. Demanding the code under GPL is perfectly reasonable.
I mention this because this problem is now beyond any specific device. The manufacturers and carriers are, in my opinion, abusing the GPL and we ought to have a united front on that fact.
5tr4t4 said:
I realize you are referring to a CDMA-specific kernel (I thought 2.0 and after would be GSM and CDMA ready?), but the kernel for 2.1 HAS been commercially released. It's running on the Nexus One. Demanding the code under GPL is perfectly reasonable.
I mention this because this problem is now beyond any specific device. The manufacturers and carriers are, in my opinion, abusing the GPL and we ought to have a united front on that fact.
Click to expand...
Click to collapse
The source for the kernel compiled for the Nexus One, which uses completely different hardware, is (or must be) available. HTC does not need to provide it, as they are not the company selling the device - Google is.
^^^ Just to add to what he said, the kernel for the Nexus One also lacks the compiled-in driver for the CDMA Hero's camera.
Here's an example to illustrate why the GPL places so much practical importance upon the availability of ALL source used to build the kernel... and why it's generally accepted that proprietary binary kernel loadable modules are OK (at least, among pragmatists like Linus). Suppose the maker of your PC used a proprietary NVIDIA chipset with no public documentation, and shipped it with Ubuntu Linux on the hard drive. However, suppose they compiled the video driver directly into the kernel.
Anyone who bought the computer would be put in a needlessly bad position -- unless someone reverse-engineered the chipset, you wouldn't be able to use any distro of Linux not officially blessed and released by the computer's maker. You might be able to use a slightly newer build of Ubuntu if someone did a binary diff on the newer kernel and pulled out the metaphorical duct tape. You might possiblybe able to get away with using the old kernel in a newer distro (enjoying some bugfixes in the other programs besides the kernel itself). You might even be able to diff a newer build of Linux on a newer, but similar, computer released by that maker that they happened to ship with a newer kernel. But you'd never really be able to build your own kernel the way God and Linus intended, because the kernel and proprietary video driver would be inseparable. If you tried, the compiler would complain because it was missing a very, very important #include file -- the proprietary video driver.
On the other hand, suppose the manufacturer bundled the proprietary video driver as a loadable kernel module (.ko file). NOW, things change significantly. Richard Stallman might still grouse because you don't have the source to the video driver, but in utilitarian terms, you're much better off than you were in scenario #1. Although you're still dependent upon the manufacturer for a newer video driver, because it's physically separate from the kernel itself, you can build your own newer, better, and different kernels whenever and however you'd like. As long as the low-level interface between the kernel itself and the kernel module doesn't change on your platform, the two are sufficiently abstracted from each other to allow one to change without affecting the other.
IMHO, the most disgraceful part of this whole thing is that we theoretically have phones running an open platform, but we're still reduced to ripping binary images and tacking them together with metaphorical duct tape, just like we were with Windows Mobile. If anything, it's gotten worse. At least Windows Mobile didn't have to be rooted, and the newer versions generally didn't break the previous version's device drivers. Sigh.
miamicanes said:
^^^ Just to add to what he said, the kernel for the Nexus One also lacks the compiled-in driver for the CDMA Hero's camera.
Click to expand...
Click to collapse
Right, I understand this. I was making the point that the fact that 2.1 has a commercial release means the we can demand the code under GPL. Shouldn't we be aiming for a unified android kernel source with GSM and CDMA support, adding binary drivers/libs (or setting device-specific compile flags) as needed? Nexus being controlled by Google (who seems to be releasing their modifications immediately on git) might be a starting place for this de facto Android.
I'm simply advocating for thinking beyond our own personal devices.
Holy shut!!! Welcome to the age of technology.... **** with us and we will tweet Ur ass to death. Lol. It's an all Twitter offensive. Were declaring Twitter war on HTC until we get source. ROFL
@5tr4t4: well, it was more for the benefit of others who might stumble on this thread and aren't quite sure why it's such a big deal
I think what Jonnythan was saying is that there's no need to get the source to the Nexus One's kernel from HTC, because you can download it right now directly from Google.
As far as platform neutrality goes, we'd be 99.9% of the way there if HTC would just move the proprietary stuff out of the kernel proper and into loadable kernel modules so they'd simultaneously be in compliance with the GPL and not making our lives needlessly difficult by making us jump over hurdles that shouldn't be blocking our way in the first place
miamicanes said:
As far as platform neutrality goes, we'd be 99.9% of the way there if HTC would just move the proprietary stuff out of the kernel proper and into loadable kernel modules so they'd simultaneously be in compliance with the GPL and not making our lives needlessly difficult by making us jump over hurdles that shouldn't be blocking our way in the first place
Click to expand...
Click to collapse
If they were to move some stuff to binary *.ko's they'd most likely move all non-boot-essential hardware support out there, which would actually make things much, much more challenging for us. That way they could have a "universal" kernel (and GPL source tree) that is used across devices, and each device just has its own *.ko's. They'd only have to release one (fairly useless) tarball for GPL compliance. Be careful what you ask for.
In theory this should be quite useful, no?
Just putting this up here for those who may have lost hope, but on a whim I checked their source repository today and it would seem they've at least uploaded Kernel source!
ftp://Kernel_End_User:[email protected]/
Directory: Pure XL P0010UU (it's a bit of a mess, you may wish to CNTRL+F this)
I haven't checked their software repo yet for ROM source, but it was not uploaded when I initially found this information about a month and a half ago.
The kernel is only VANILLA STOCK source, I haven't compiled it or anything, I'm only linking their servers because I imagine that this isn't getting checked on a regular basis (not much to expect would happen). But, something has happened, so I figured I'd draw some attention to it.
Many thanks to those ROM and kernel devs who have been working to bring us some solid software. It's honestly my only major gripe with the phone.
We (me, acheron, root-expert) tried to compile this several times with CyanogenMod repos with no luck. It's from 7th December 2015 so nothing changed.
bemolx said:
We (me, acheron, root-expert) tried to compile this several times with CyanogenMod repos with no luck. It's from 7th December 2015 so nothing changed.
Click to expand...
Click to collapse
Darn. If only they were more willing to facilitate development.... the software is my only real issue with the phone. Thanks for your work, however.
Same thing here... I would love to have the latest CyanogenMod
Only for updating this post:
Kernel source, mostly ready for Marshmallow ROMs, you can find here on 'cm-13.0' branch.
Linux upstream 3.10.103
Still trying to boot it up.
Gonna update CyanogenMod thread soon.
Cheers
bemolx said:
Only for updating this post:
Kernel source, mostly ready for Marshmallow ROMs, you can find here on 'cm-13.0' branch.
Linux upstream 3.10.103
Still trying to boot it up.
Gonna update CyanogenMod thread soon.
Cheers
Click to expand...
Click to collapse
Great news @bemolx
TheLastCanadian said:
Darn. If only they were more willing to facilitate development.... the software is my only real issue with the phone. Thanks for your work, however.
Click to expand...
Click to collapse
Out of curiosity, how have other manufacturers "facilitated" this sort of development for their products?
vicks1008 said:
Out of curiosity, how have other manufacturers "facilitated" this sort of development for their products?
Click to expand...
Click to collapse
Some lend active support to the venture, LG has a dedicated team for liason, better documentation, etc.
I think it's probably pretty telling that it's only now the BLU source has worked - and it took them 5 months to even release it.
BLU releases kernel source codes upon request instead of proactively providing them. If they're asked for on launch, then the kernel source is released shortly after. So I don't believe the claim that it took 5 months to release.
Can you show me proof of other manufacturers lending support to show BLU?
NVMD.
TheLastCanadian said:
Your belief is irrelevant. They have had many requests, and always it is a referral to the FTP site they host. This site did not populate with the kernel/rom source for quite a few months after I bought the phone, and I was already behind the curve by about 2. I purchased mine on the 30th of December, 2015. I made this post the day after I noticed they had Kernel/Rom. If the URL was still working, I could verify for you the time limit. With that said, it was approximately 5 months.
As for other manufacturers lending support.... ZTE for instance is collaborating with Cyanogenmod, LG proactively provides source and has actually tried to make the process quite simple for most of their phones, and ultimately, contacting BLU about the matter is functionally worthless, as BLU is a reseller and at the whim of Gionee. BLU can't help because they don't do R&D or software as I can tell for the phone.
I'm particularly pissed about the fact I asked before I bought the phone if source was available and it was GPL compliant and I was told yes. 5 months is just a little outside of Amazon's return policy. The Pure XL is a good phone, but the software is quite lacklustre. CM would really be the bees' knees.
Click to expand...
Click to collapse
Well I'm obviously not going to bother contacting my connections at BLU with that attitude. Good luck guys!
vicks1008 said:
Well I'm obviously not going to bother contacting my connections at BLU with that attitude. Good luck guys!
Click to expand...
Click to collapse
I should correct myself slightly. Supposing my e-mail record is correct, they released it 4 months after the phone. I say your belief isn't relevant because a fact is a fact.... as of April 5th, I was still getting apologies from them about Kernel source not being available, specifically, "No ETA on source at this time". Ergo, it could have been longer.
As for BLU, I'm just being honest. They don't develop, they're a reseller.
bemolx said:
Only for updating this post:
Kernel source, mostly ready for Marshmallow ROMs, you can find here on 'cm-13.0' branch.
Linux upstream 3.10.103
Still trying to boot it up.
Gonna update CyanogenMod thread soon.
Cheers
Click to expand...
Click to collapse
Just a small update;
Linux kernel upstream: 3.10.104
Regenerated defconfig as well, the same branch.
I'll try it with full build today.
this is the first device I've had success modding, and i was blown away when i was able to install NetHunter as well I started this crazy business about a year and a half ago when i got an S6 for my wife and an S6 Edge+ for my daughter, needless to say I was not successful modding those devices I was almost discouraged to the point that i was going to pursue a different hobby when i came across some dude selling a samsung Tab E (probably hot) that was locked, and, go figure, the dude didn't have the password. i gave him $50 and decided to give it a go.
as the process dragged on i realized, and no offense to the almighty devs, that i needed to stop adhering to all the "rules". it's quoted like scripture here that one should NEVER try to flash components that don't match... lol
https://files.persona.cc/zefie/files/cell/SM-T560NU/kernel/
https://forum.xda-developers.com/showthread.php?t=3534545
https://github.com/jcadduono/lazyflasher
https://github.com/offensive-security/kali-nethunter/tree/master/nethunter-installer
https://build.nethunter.com/
HAVE FUN!!
no great mind has ever existed without a touch of madness - Aristotle
Curiosity
First off I have to say the first link is likely a phishing link. It pops up some reward for 5 billionth search and if you back out wrong another rewards page pops up. Mods please remove the link for security issues.
Second the github nethunter installer is no longer a valid repository.
Ok I'm really curious about putting nethunter on this device. I've had it rooted since I bought it. Twrp on it with a stock rom (oreo) but far outdated security updates. I see in this post I can throw lineage os on it which I never knew was possible before seeing this post. I couldnt find any custom roms. I'm going to flash that reguardless. I did several times in this device flash different versions of this stock rom and never had a problem. Atm I've got a nook device haha. So I know this device is versatile with or without the patching link.
The only place I can find nethunter is on kali site. But obviously this device is not on their page for downloads. I see theyve got a couple different generic android kernel downloads but I'm unsure of they will setup correctly. I cant see any assuring information that I wont damage the device flashing. I can deal with any brick, I just dont want to damage any chip.
This person really didnt layout how he went about it and just posted some useful links of repositories or tools. I really want nethunter and being I cant have it on my newer bootloader locked samsungs, and I dont have the funds for the one plus 7 pro atm, I'm hoping someone can assist me or give me a little more information on how to get nethunter. I have several kali builds on pc and laptops and VMS dating back to 2015 but as far as a useful handheld os I dont have and am unfamiliar with, yet i want it sooo bad. Thanks
Here is the link to the Nokia 8 kernel sources (Nokia8 V4.84A OSS)
https://www.nokia.com/en_int/phones/opensource
Hope there are developers for this phone :fingers-crossed:
Hopefully this gets the Devs pumped up a bit! But without a Bootloader Unlock it's kind of a "Bake A Cake But You Can't Eat It" scenario
Actually its pointless to release kernel source without unlocking the bootloader. Or, please correct me if I am wrong.
Correct , pointless but we can hope I'm still hanging on to my Nokia 8 just on the of chance HMD do live up to their "we will unlock these pesky bootloaders"
I'm new to trying to understand Android phones sources, but to me it appears that this is insufficient. I can't find anything that resembles what I understand to be a device tree or the relevant make files. Also, it appears to be quite incomplete, certainly nowhere near the full android source tree. Does it even include all the copyleft source?
[/COLOR]
madb1lly said:
I'm new to trying to understand Android phones sources, but to me it appears that this is insufficient. I can't find anything that resembles what I understand to be a device tree or the relevant make files. Also, it appears to be quite incomplete, certainly nowhere near the full android source tree. Does it even include all the copyleft source?
Click to expand...
Click to collapse
Nokia released the *kernel*'s source code, not the full Android code..
Get you knowledge here: https://forum.xda-developers.com/an...erence-how-to-compile-android-kernel-t3627297
I have been a fan of installing custom ROMs, root and other mods to my phones since I first owned an Android phone, which was a Sony Xpera Z3 Compact.
Back then I didn't care so much about security, because I was thinking 'What, are they gonna steal my Instagram account?'. But as I grew older the situation got more complex and now I feel the need to feel secure while using a ROM, which is almost never these days. So here are my reasons:
- Custom ROM developers have the exact same device as we do, so if they wanted to exploit it, they would exploit the hell out of it and get their hands on everything we have. (Looking at you, MIUI port)
- Some ROMs come with SELinux disabled which is a problem in itself, I believe.
- Even apps like Magisk, although they're open source (well, most of them) who knows what they're doing in the background.
- It is fairly easy to install a keylogger built into a custom ROM, how do we know that we are already not compromised a few times?
Am I being paranoid here? Or does everyone just want to install their flashy mods and get on with it, like I used to back in the day?
I would love to hear all of your opinions on this!
interesting thoughts and it's always good to be a little concerned about security and privacy!
for custom roms i think in general they tend to be more secure than most stock roms. especially when they have OFFICIAL status - you often get faster updates or updates at all if you have an older device.
unlike big company's, the developer of these roms do it for fun and in general don't have economical interest. so why would they want to steal data/insert backdoors or whatever? thats something company's and governments are interested in...
what i see is that these devs usually check exactly what's happening inside a ROM and a more likely to remove/block suspicious apps or whatever.
also custom ROMs are always open source, aren't they? so everyone can check what's happening... same like Magisk and stuff. everyone's gonna see it if you are trying to steal people's data or something.
i personally trust ROMs based on Lineage OS more than any other stock ROM because they're developed by normal people and not by greedy company's...
although im using MIUI right now because its comfortable but i don't really trust them chinese stuff in terms of data security
merlin.berlin said:
also custom ROMs are always open source, aren't they? so everyone can check what's happening... same like Magisk and stuff. everyone's gonna see it if you are trying to steal people's data or something.
Click to expand...
Click to collapse
First off, thanks for sharing your thought on this. Second, that's been a long time debate, whether open source software is really secure or not. Because although the source of the code is open for inspection, especially in small projects - like device specific projects, many of the security threats and bugs go unnoticed. Of course I trust Magisk, because it is open source AND many Android enthusiasts know about it to a level.
But when it comes to custom ROMs, if you actually check the forum, most of them aren't open source. Hell, we don't even know where they're coming from in some cases (MIUI, EvolutionX etc...). Well, I agree with the Official custom ROMs, because most of the time they're open sourced. But you need to be aware that especially the MIUI ports on this forum, are grabbed from Russian forums. So now (I'm not accusing anyone here), possibly the Russians (4pda), Chinese (Xiaomi) and feds (lol) can reach your data.
I share these concerns. I don't understand why xda doesn't have a policy of not allowing custom roms which don't display their origin/source. Miui mods, Gapps I never use. Bottom line is that with all data collection and spying going on through devices one can only protect her/himself based on personal knowledge and level of concern. And official vs. unofficial is a non issue.
Well, shortly - they aren't secure and you can trust them as much as you trust a person behind them, which you probably don't know well - means not much. And even if there is no bad will from trustworthy community member, you still have to trust that they weren't hacked and let's be honest - big companies are being hacked fairly regularly, let alone hobbyst xda developers. Considering the small user base of the roms, in 99% cases nobody would even realize any malicious stuff happening.
Definitely most stock roms are more secure than custom roms. BUT. Then comes privacy. On stock roms, google, and in most cases phone manufacturer harvest virtually all your data and everything you do, so the only plus here is that you may believe that it will never leak. For me it's not better at all.
At this moment probably the best you can get is a custom rom from trustworthy project with big userbase and many eyes watching - Official Lineage OS builds or one of the few serious privacy focused projects.
Hey,
as somebody who has published ROMs here I really wanted to share my thoughts on this.
First of all, you are right on having concerns about the security of custom ROMs.
There are essentially two types of security at stake here: One is the security of your device, if a third person gets physical control over it. Here, the case is quite clear: The moment you unlock the bootloader, an attacker with physical access to the device will be able to flash anything he wants and essentially circumvent any locking mechanism you have in place. Encryption would help, but implementing properly in a custom ROM and still keeping the functionalities users like about custom ROMs (e.g. easy switching between them, proper updates without the need for OTA) is quite difficult. In short, if you want to prevent anybody who might access your phone physically from gaining access to your data, keep stock ROM and boot loader locked.
The second type is data security and privacy, which was treated in OP. And OP was right, that there is a possibility of adding nearly anything to the code. I am speaking for myself right now, but I guarantee you, that I have never added anything to the ROM code (which for all AOSP ROMs needs to be public, any single line can be reviewed), device tree (public on github as well) or kernel (needs to be published as well). I know, it is my word to be taken here and there is nothing preventing e from lying (because I could add local changes to the code that are never made public). And there is a lot of faith involved, which is why I started building my own ROM. So if anybody feels uncomfortable with installing a ROM that potentially could contain malicious changes, it is better to stay on the stock ROM. On the other side though, the probability that devs like me, that do this essentially for fun and because they want more features and better experience than stock has to offer on their own phones, will invest the time to add a keylogger or other malware to than exploit maybe 10 or 12 people that will actually run the ROM, is quite low imho. Xiaomi, Huawei (or any other company) might be forced by some government to install backdoors or reveal userdata as well. It essentially boils down to trusting the open source community and a dev or trusting some corporation. I honestly do not have an easy answer to this and it probably differs for each person.
As why some ROMs (including my AOSiP 10) run with SELinux on permissive: SELinux enforcing is tricky. If the policy is written poorly, it will prevent your phone from booting or block essential features. And although I am quite android and linux savy and can write my own code, getting SELinux right is still a challenge. On Pie we had an experienced dev like Offain who essentially did it for most others as we used his trees, but for Ten we are still trying to get the devices working to their full extent on a never kernel version (4.9 instead of 3.18). SELinux has a lower priority for me, although I definitely want to make it enforcing as soon as possible.
The example of the kernel is a good point though why I think that custom ROMs can be more secure than stock if you are ready to trust the devs: Most of us use a newer, more up to date kernel than Xiaomi with upstreamed security patches, provide Android security patches earlier than Xiaomi and probably will continue to do so even when for Xiaomi the device will have reached EOL. At the moment, stock probably is the safest in terms of integrity, although it lacks features and is not quite up-to-date. But I have found on any device I owned, that keeping it somewhat up-to-date after official EOL through custom ROMs was a very important part of being able to use it longer than its intended life span.
Long story short: I guarantee you all that I am not interested in your private data and will not try to extort you or sell your credit card information or whatever... If there are bugs and vulnerabilities they are absolutely unintentional and I will try to fix them to my best knowledge if I am made aware of them. Anyway, please think critically and feel free to make the decision you feel best with.
opal06 said:
Hey,
as somebody who has published ROMs here I really wanted to share my thoughts on this.
First of all, you are right on having concerns about the security of custom ROMs.
There are essentially two types of security at stake here: One is the security of your device, if a third person gets physical control over it. Here, the case is quite clear: The moment you unlock the bootloader, an attacker with physical access to the device will be able to flash anything he wants and essentially circumvent any locking mechanism you have in place. Encryption would help, but implementing properly in a custom ROM and still keeping the functionalities users like about custom ROMs (e.g. easy switching between them, proper updates without the need for OTA) is quite difficult. In short, if you want to prevent anybody who might access your phone physically from gaining access to your data, keep stock ROM and boot loader locked.
The second type is data security and privacy, which was treated in OP. And OP was right, that there is a possibility of adding nearly anything to the code. I am speaking for myself right now, but I guarantee you, that I have never added anything to the ROM code (which for all AOSP ROMs needs to be public, any single line can be reviewed), device tree (public on github as well) or kernel (needs to be published as well). I know, it is my word to be taken here and there is nothing preventing e from lying (because I could add local changes to the code that are never made public). And there is a lot of faith involved, which is why I started building my own ROM. So if anybody feels uncomfortable with installing a ROM that potentially could contain malicious changes, it is better to stay on the stock ROM. On the other side though, the probability that devs like me, that do this essentially for fun and because they want more features and better experience than stock has to offer on their own phones, will invest the time to add a keylogger or other malware to than exploit maybe 10 or 12 people that will actually run the ROM, is quite low imho. Xiaomi, Huawei (or any other company) might be forced by some government to install backdoors or reveal userdata as well. It essentially boils down to trusting the open source community and a dev or trusting some corporation. I honestly do not have an easy answer to this and it probably differs for each person.
As why some ROMs (including my AOSiP 10) run with SELinux on permissive: SELinux enforcing is tricky. If the policy is written poorly, it will prevent your phone from booting or block essential features. And although I am quite android and linux savy and can write my own code, getting SELinux right is still a challenge. On Pie we had an experienced dev like Offain who essentially did it for most others as we used his trees, but for Ten we are still trying to get the devices working to their full extent on a never kernel version (4.9 instead of 3.18). SELinux has a lower priority for me, although I definitely want to make it enforcing as soon as possible.
The example of the kernel is a good point though why I think that custom ROMs can be more secure than stock if you are ready to trust the devs: Most of us use a newer, more up to date kernel than Xiaomi with upstreamed security patches, provide Android security patches earlier than Xiaomi and probably will continue to do so even when for Xiaomi the device will have reached EOL. At the moment, stock probably is the safest in terms of integrity, although it lacks features and is not quite up-to-date. But I have found on any device I owned, that keeping it somewhat up-to-date after official EOL through custom ROMs was a very important part of being able to use it longer than its intended life span.
Long story short: I guarantee you all that I am not interested in your private data and will not try to extort you or sell your credit card information or whatever... If there are bugs and vulnerabilities they are absolutely unintentional and I will try to fix them to my best knowledge if I am made aware of them. Anyway, please think critically and feel free to make the decision you feel best with.
Click to expand...
Click to collapse
exactly, we don't need your data, just why we would want it. additionally, as you said, all is open sources so OP can check all. everything was written here, perfect answer
opal06's post is right on the money as explanation to what security can mean for rom/device. No need to be defensive though, trust in developers is the only thing that keeps the custom roms community going and I've been using them since Gingerbread.
On the other hand, I must say, custom roms that come pre-loaded with all bells and whistles from Google diminish the trust factor.
celrau said:
On the other hand, I must say, custom roms that come pre-loaded with all bells and whistles from Google diminish the trust factor.
Click to expand...
Click to collapse
How come ? Could you explain that ?
marstonpear said:
How come ? Could you explain that ?
Click to expand...
Click to collapse
I guess what he means is that Google is notorious for grabbing any bit of data and having a custom ROM preloaded with Google stuff diminishes the need for installing it ib the first place, as it will have the same privacy concerns regarding Google as stock has. In general, Google's involvment into Android is a reason for concern to many, myself included. But there are very few ROMs that actually try to be privacy focused and get rid of Google entirely, although the situation can be improved by using MicroG services instead of GAPPS. They already work on many ROMs
opal06 said:
I guess what he means is that Google is notorious for grabbing any bit of data and having a custom ROM preloaded with Google stuff diminishes the need for installing it ib the first place, as it will have the same privacy concerns regarding Google as stock has. In general, Google's involvment into Android is a reason for concern to many, myself included. But there are very few ROMs that actually try to be privacy focused and get rid of Google entirely, although the situation can be improved by using MicroG services instead of GAPPS. They already work on many ROMs
Click to expand...
Click to collapse
I was half way through typing pretty much the same thing when I noticed your post, that's exactly what I meant. One more thing, some people really need Gapps (i.e. for some banking apps) but they should install them themselves as opposed to providing custom roms with Gapps preinstalled.
Thank you guys for sharing your thoughts on this! I believe all we can do is trust our devs with our info and devices and as a paranoid user, I believe I won't be able to do that, so I'll stick to stock ROMs for our device. But I also believe this has been very helpful for other users who want to try custom ROMs and if they're not as paranoid as I am, they can safely use the open-sourced/official ROMs in the forum. Cheers.
marstonpear said:
Thank you guys for sharing your thoughts on this! I believe all we can do is trust our devs with our info and devices and as a paranoid user, I believe I won't be able to do that, so I'll stick to stock ROMs for our device. But I also believe this has been very helpful for other users who want to try custom ROMs and if they're not as paranoid as I am, they can safely use the open-sourced/official ROMs in the forum. Cheers.
Click to expand...
Click to collapse
I wouldn't call it being paranoid, I think it's very sane.
I agree and have similar view on that, but please ask yourself a question - how much you trust Xiaomi and their security measures? Because in terms of privacy it's obvious that nothing worse than Xiaomi plus Google can happen to you. If you're really what you call "paranoid" you should rather get a device with official Lineage OS support that you would download directly from their servers or systems mentioned here: https://www.privacytools.io/operating-systems/#mobile_os
Thread closed at OP request