1. 29

  2. 13

    I’m typing this on a nexus 4 and while I agree Google’s commitment leaves more to be desired, I’d like to point users towards community efforts (specifically lineage in my case). This isn’t my primary phone anymore but it is still alive and kicking as a WiFi only Internet device.

    Edit: link https://download.lineageos.org/

    1. 9

      Update: Moved this “in thread”.

      Yeah, and Nexus phones are still the best you can get on Android!

      As for running LineageOS, I do wonder about the security, a couple of things:

      • Are the releases properly signed and are there signature checks when performing updates?
      • Can the boot loader be locked again (as supported by Copperhead OS)?
      • My Samsung Galaxy S3 uses a (long) EOLed Linux kernel, are there any security updates back ported?
      • There is never an update for the BLOBs (baseband, firmware), is this safe?

      I mean, I am hardly in a position to complain as this thing is so old… and made by Samsung… and probably this S3, even with a lot of potential security holes, is probably more secure than the latest Samsung flagship with all its crap and spyware…

      1. 3

        I’m not affiliated with LineageOS, but these answers are based on what I understand:

        • Releases are not PGP-signed, but for each release they currently provide an md5sum (yeah… not ideal) that you can either manually check, or if you use the “LineageOS Updater” in the Settings app, it will automatically verify the md5sum.
        • Locking the boot loader on a custom ROM is generally discouraged, due to the complications it can cause with the ROM and with the custom recovery (e.g. TWRP). On Nexus devices it’s usually less risky, but on anything else people always recommend against it.
        • Kernel update backports depend to a large extent on your device maintainer for LineageOS and how active they are. For instance, here’s the main hammerhead (Nexus 5) kernel and this I think is the kernel used for Galaxy S3 devices.
        • This also depends on your device maintainer, but I think there are actually updates to the blobs from time to time.

        1. 3

          Qualcomm never produced the binary blob updates. It simply goes vulnerable until someone creates an open source version by reverse engineering.

        2. 1

          Does anyone know a short summary of exactly what the goals of the LineageOS project are?

          Based purely on the name I’m guessing a long-term Android variant for a given device?

          The about page is rather irritatingly terse, and the rest of the site isn’t much more informative.

          https://www.lineageos.org/about/

          1. 5

            It’s the fork/continuation of the still-better-known CyanogenMod. CyanogenMod’s main initial claim to fame was that it distributed a de-Googlized, power-user-oriented version of Android: all open-source base software, nothing that does tracking by default, unlocked root access, as many underlying OS/hardware/firmware features as possible exposed as user-modifiable settings, etc. It’s also become popular among people who have phones EoL’d by the official Android releases, though.

            1. 1

              Thank you very much.

              Maybe there is hope for my Nexus 5X from October 2018. :-D

        3. 5

          Disclaimer: I work for Zebra Technologies

          For the single-use device market, which is now moving to Android, Zebra Technologies offers, in the paid maintenance service, security updates for the time we sell a device (up to 5 years) plus two additional years.
          This is branded as LifeGuard for Android.

          Most of these devices are not meant to be used as a personal phone but are the kind of devices that you can find in big retail chains across the world.

          As others wrote, in the Android world, Nexus devices are still the best. Apple is a bit better, supporting devices up to about 4 years, more or less.
          It would be interesting to understand if people would be willing to pay for a service that provides security updates to their personal phones…

          1. 4

            Rather than asking for more money to continue support, I wish companies in the smartphone business were explicitly supportive of open source communities taking over maintenance of their EOL product lines.

            I see a moral obligation to society here that vendors are currently getting a free pass on entirely ignoring. It’s the same problem as with IoT devices. A huge fraction of end users don’t ever upgrade until the phone hardware actually dies and thus they keep running software full of holes for years. This leaves a lot of playground for bad actors to do harm by exploiting old bugs.

            And yes, it could hurt some of the sales of new devices. And I also understand the phone supply chain makes open sourcing things difficult because it is infested with patents and binary blobs. But from one blob set I have looked at (a Qualcomm one for the Fairphone 2) there’s a lot of stuff in these blob sets which could be open sourced without issues (a wpa_supplicant binary is just one silly example). And if hardware docs for legacy chips and devices were released, with a free community pass on related (and likely outdated) patents, skilled developers could write open source drop-ins for the missing hardware support bits.

            1. 5

              I think this is one of the cases where some legal solutions could be successfully applied. If I went to a store and was sold a food product past its best-before date, the shop that sold it to me would be fined. There are also safety standards for selling/obtaining a used car etc. I think software (or at least a certain subset of it like phones and medical devices) should be restricted in a similar way - no permission to sell devices shipping with outdated software that is past its security support date.

              This would impact telcos and would at least give them a push to actually roll out vendor provided upgrades. This also impacts the long tail of users getting a phone at the end of lifetime as a new device from the vendor.

              Granted, I agree that having vendors help out the community support the product would be a welcome addition - for now I will be happy when the middlemen along the road don’t actually prevent people from getting security fixes that are being released and are just held back because the vendor doesn’t want to spend the money on backporting them to its crapware-bundled OS image.

              1. 1

                That all sounds good. However, let’s say hypothetically the world didn’t change, the vendors remained motivated by profit, vendors didn’t update properly, and the parent’s service was available. Would you buy it under those circumstances?

                1. 2

                  I assume a part of the market able to afford it would. Consider people getting iPhones now, and products directly from Google on the second tier, as the target market that would be able to use such a service. Everyone else is stuck with unsupported devices.

                  I don’t think it’s realistic for a third party to provide security updates outside of the telco & hardware manufacturer while still being able to provide a quality service (working calls, all sub-components on the device like WiFi, camera, etc working) without charging a significant amount on top of your contract.

              1. [Comment removed by author]