I’ve been a long-time Android user and have been flashing custom ROMs on older phones when they reach end of life from their manufacturer, to keep them up to date.

I started thinking… how far should we trust custom ROMs?

There’s a whole other debate about how much you should trust the OEM ROMs as well, but right now I’m focusing on custom ROMs.

Sure, they’re open source, but I’m not sure exactly how many eyes there are on the source code itself for a given ROM. Many of them are “just” tweaks of some bigger, more basic ROM too, like LineageOS for instance, and then there’s usually just one guy managing his particular ROM.

Someone could theoretically add some nasties in there without people noticing if the code isn’t vetted.

Sure, you could say that’s possible in all open source projects, like Linux distros and so on, but there we have a ton of people working on the code, so there’s a much higher chance of bad stuff being found.

I’m not necessarily saying I don’t trust LineageOS or other ROMs, I was just hit by a train of thought and wanted to see what you guys think.

For my part I’d give more credibility to LOS than to ROMs based on it that are managed by just one or a few people, for instance, but still.

I don’t know. Was I suddenly hit by the paranoia stick or are these valid concerns?

Thoughts?

  •  nlm   ( @nlm@beehaw.org ) OP
    11 year ago

    It is a fair point to be honest.

    Closed source could be a bit safer due to liability, I suppose?

    If they were to do something really nefarious and got caught, they’d get sued to pieces and probably lose most of their reputation?

    Sure, a shady ROM would lose its reputation as well, but that’s about it. There’d be new ones out pretty quickly.

    And for what it’s worth… I don’t think they’re doing anything shady… but still.

    I mean, I use Linux on my main machine at home. That’s open source. I do trust that though…

    This all struck me after flashing an old phone I had lying around (my main phone is supported for 2+ more years) and then feeling like… do I want to use this now? I got a slightly dirty vibe from it. :P

    Being security conscious is annoying at times…

    • Genuinely I’d trust random FOSS stranger on the internet before I’d trust Google, Samsung, Apple, etc. It’d be a lot of work to be the sole maintainer of a LineageOS distro that only functions on one specific phone just to try to steal the data of the maybe 12 people who are going to install it.