
LineageOS will be a continuation of what CyanogenMod was - soundsop
http://lineageos.org/Yes-this-is-us/
======
gsnedders
Who's going to make sure LineageOS users get security updates in a timely
manner? Is _anyone_ going to be paid to work on it?

Any large OSS distribution is going to have a fairly continuous stream of
security fixes to ship to their users, and that takes a fair amount of time,
and I'm always concerned about whether any new project (okay—it's not quite
new, but they have a fraction of the number of developers they did twelve
months ago!) has the resources to ship them in a timely way.

~~~
g_p
Not directly an answer, but one of the big issues with security patches for
custom ROMs is the amount of patches they don't (read can't) ship. The
proprietary blobs are very often not patched when the device is vendor-
supported, and once it reaches end of life from the vendor (but the community
ROMs give devices significantly extended longevity), there's no more patches
to these blobs.

Blobs incorporate the modem, baseband firmware, bootloaders, and many (most?)
of the hardware drivers and imaging drivers.

51% of Android kernel vulnerabilities in vendor drivers are a result of
missing or incorrect bounds checks, and over the whole Android kernel, 44% of
all vulnerabilities were missing bounds checks, and 12% for null pointer
dereference.

Looking across the whole kernel, from Jan 2014 to April 2016, 85% of kernel
bugs are born in vendor drivers, with the remainder in the core kernel.

Vendors therefore are shown to write bad code. It's fairly safe to assume this
is reflective of the quality of their blobs too - there's certainly a load of
vulnerabilities in those if you look at the Android Security bulletins for
bugs without a source reference for the fix.

So agreement with your concern, but I'd just like to highlight that custom
ROMs are not really a good security solution, as there's just so much to fix
(at a kernel level, requiring detailed driver knowledge of the vendor/SoC
stuff), and blobs that won't get updated after the vendor abandons the phone.

Ref:
[https://events.linuxfoundation.org/sites/events/files/slides...](https://events.linuxfoundation.org/sites/events/files/slides/Android-%20protecting%20the%20kernel.pdf)

~~~
BuuQu9hu
The only solution seems to be reverse engineering the blobs and mainlining
Linux kernel drivers; without both of those, security updates get much, much
harder to impossible.

I've no idea how to achieve that on volunteer time, maybe a crowdfunded
reverse engineering and mainlining org could work?

~~~
kelnos
One problem is that RE is time consuming (regardless of whether or not someone
is paid to do it), and the useful life of phones tends to be much shorter than
other kinds of devices, so digging apart a blob on one phone is likely to have
a limited useful lifetime.

And for phones that the manufacturer actively supports, often a new version
(especially if it's a new Android version) means new blobs to RE.

When you consider a lot of phones lose a ton of their user base after 2 or 3
years, it becomes much less attractive to even bother.

~~~
BuuQu9hu
The alternative, devices with no updates and no support outside their original
OS, doesn't seem very attractive either.

Maybe we can create incentives for manufacturers to do this work themselves,
but I doubt that will ever happen, unless maybe we start getting obnoxious
viruses like there were on the PC at one point?

~~~
kelnos
Sure, that's not a particularly attractive outcome, either.

I just think it's unrealistic to think paid RE work is going to fill this
need.

I think there are two realistic options: 1) the manufacturers suck it up and
agree to support devices with timely updates over a longer lifespan, or 2)
manufacturers open-source every bit of software that runs on the device.

#2 seems less likely, given that a lot of hardware is driven in part by
loadable firmware these days. On the other hand, if that firmware is chipset-
specific and not device-specific, and the chipset manufacturer can commit to
releasing security updates for those, at least 3rd-party OS images could pull
them in without help from the device manufacturer.

But really, it's all about demand: Apple tends to support hardware with new
releases for 4-ish years as a matter of course, and i-device users are
accustomed to expecting that. Android users just don't expect that, and your
average user doesn't understand security enough to get why that's such a big
problem. They likely mostly just think, "oh well, I won't get the new shiny
Android version Jane has on her new phone, that's ok". If average users can be
educated to the point where they will switch manufacturers if they're not
getting security updates for the useful life of their phone, the manufacturers
will listen to their declining sales. I just don't expect that to happen.

------
dispose13432
The question is what will ensure the continual non-profitness of LineageOS?

The problem is twofold:

1. Get maintainers.
2. Make sure that the high ranking individuals can't just "take the ball and
go home", and (however unpopular this opinion may be here), GPL is the only
way to ensure that they will never be able to sell out ever again.

And especially after the CM/CyanogenOS/Focal/Paranoid Android situation,
private ROMs seem to be too much of an "acqui-hire" risk.

~~~
g_p
GPL is the route that OmniROM tried to go down, in order to attempt to ensure
that the ROM remained community focused and true to its roots.

One potential issue with CM is that users were signing contributor license
agreements (CLAs) to the "project leads" of the "CyanogenMod Project" [1].
While everything is under Apache 2, which ensures it can be used in future,
there were plenty of cases where people submitted code under the copyright of
the project (see headers which state "Copyright (C) 2016 The CyanogenMod
Project").

You are correct with point 2 - if you want to prevent "acqui-hire" type
takeovers, you need to ensure that there isn't a tight-knit group of
individuals willing to agree and sign over the rights.

This situation would be very, very different if the original CM project had
taken a better approach at the start - perhaps forming a 501(c)3 for the
holding of the cyanogenmod.org domain and any trademarks/name rights. Then a
commercial license could be granted to the incorporated form of CM.

I wish I could find a good primary source, but best I can see at the moment
are fairly blog-type news sites [2]. The issue we see here is that the
project's stewards were turning their focus from the project to the
"commercial spinout", rather than in keeping the project going. At that point,
there's little that the contributors could do really - it seemed the leaders
had made the decision to build the inc version, despite high profile
disagreement. Not sure GPL would fix that, but it certainly helps ensure a
community project _can_ live on, even if it won't guarantee it will.

[1]
[https://review.cyanogenmod.org/static/cla_individual.html](https://review.cyanogenmod.org/static/cla_individual.html)

[2] [http://www.androidheadlines.com/2013/09/author-cyanogenmods-...](http://www.androidheadlines.com/2013/09/author-cyanogenmods-focal-application-reveals-drama-cyanogen-incs-new-business-plans.html)

~~~
hackuser
> GPL is the route that OmniROM tried to go down

You write in past tense; what happened?

~~~
g_p
Nothing, sorry - was using the past tense thinking about when the decision was
made a while back. Omni seems to be getting more traction of late with people
concerned about the CM issues. They are still GPL and that probably acts as a
fairly decent barrier to any kind of acqui-hire attempts. Also having a
diverse range of contributors (many with good jobs) helps there too, by making
it very expensive/complex to try to get enough people onboard.

In an ironic sense, the argument used by CM was "CM Inc is different from CM
community", and I think that was enough to keep some of the alternative ROMs
pretty small. Sadly though, it has now emerged CM community was indeed a
subset of CM Inc, and not so separate after all.

------
swiley
If Google wants Android to survive as a platform, they should be directly
giving money to projects like this, they are what make it bearable.

~~~
Qub3d
Google offered to _buy_ Cyanogen.
([http://arstechnica.com/gadgets/2014/10/google-reportedly-tri...](http://arstechnica.com/gadgets/2014/10/google-reportedly-tried-to-buy-cyanogen-inc/))
Also, recall that Cyanogen (the company, not the mod) said
that they were going to "put a bullet in Google's head". I bet Google has
tried to offer support to them and Cyanogen turned it down.

~~~
unethical_ban
I can't fathom why Google would buy them. Why not make a version of AOSP that
people can actually use, like Cyanogenmod?

~~~
m45t3r
What do you mean by "usable"? Vanilla Android is really usable nowadays (I have a
Nexus 6P with Android 7.1.1, non-rooted with locked bootloader since I don't
really root nowadays). CyanogenMod nowadays is more important for their
support to multiple hardware than the customization from AOSP per se. This is
especially true since for those who really want mods, things like Xposed
Framework offer much more customization.

~~~
gsnedders
"Vanilla Android" (from the AOSP) doesn't pass the Compatibility Test Suite
(CTS) nowadays, so according to Google's Android trademark rules shouldn't be
called Android. Some of the "Core" apps simply _don't work_ at all.

Don't confuse what Google publish at the AOSP with what they ship on the
Nexus/Pixel devices: they're increasingly different, with AOSP increasingly
dysfunctional. Heck, the initial release of Android 7 for the 5X/6P at the
AOSP _wouldn't even compile_ because it had closed source compile-time
dependencies.

~~~
m45t3r
I know that AOSP isn't the same Android running in Nexus. However I have an
Android tablet that I used to run AOSP (nowadays is running CyanogenMod,
probably needs to change it to LineageOS). The core experience is exactly the
same once you install GApps (at least the minimum necessary to run Play
Store).

And no, I really don't need anything that CM brings (I only switched from AOSP
to CM because it was better supported on my tablet, CM actually had a
developer while the AOSP guy was simply pulling the changes from the CM
developer).

------
dispose13432
Also, why don't they remerge with OmniROM?

~~~
em3rgent0rdr
I was hoping for the same thing. Ideally the two projects haven't diverged too
much already. I don't see any mention on OmniROM's blog (last update was Dec
20). I know Omni has separate additional features like OpenDelta (for
incremental updates) and OmniSwitch.

------
tehwalrus
Very pleased by this. Have used CM on my phone for over a year now, was quite
scared with the idea of it disappearing!

(Will also look into seeing how I can contribute, although every time I've
tried I've hit a "users file crappy bugs" filter that stops me reporting
without installing a debug build on my main phone.)

------
xianwen
I am very happy to see the continuation of CM in the form of LineageOS. Thank
you.

------
realstuff
So is it time to buy a phone instead of my OnePlus One as it won't be updated
anymore?

~~~
cookiecaper
You're probably better off using a stock Android derivative built for OPO.
There's always a nice variety of them on xda-developers.

I used to use CM on everything but over the last few years I've been plenty
happy with pure stock Android (+ root). Didn't end up using most of CM's extra
features and found that it was often unstable and/or leaving lots of things
just sort of half-working.

~~~
dispose13432
> There's always a nice variety of them on xda-developers.

I personally stay away from there.

For root level access, I'd prefer relying on a project with actual reputation
on the line, and has periodic spot checks.

~~~
cookiecaper
If you have a popular device, that idea is fine. If you don't, I'm not sure if
you're going to have much of an option moving forward. Less common devices
frequently have phone-specific builds of popular distributions like CM
published by a developer-user on xda as their only non-default option.

Even CM's support for a wide range of hardware was mostly bankrolled by
Cyanogen Inc, which will now no longer be funding them as they rebrand under
LineageOS. It's unclear whether any but the most popular phones will continue
to see support from a group that has "actual reputation" on the line or not.

~~~
dispose13432
They had a lot of phones before Cyanogen Inc.

They were the base Mod behind others (like Open Kang)

------
circlingthesun
The name doesn't exactly roll off the tongue.

~~~
DonHopkins
I agree -- it's almost as clumsy to pronounce as cyanogenmod, and the meaning
isn't particularly inspiring or evocative. HeritageOS? AncestryOS? FamilyOS?
DerivationOS? Why do I want to use it, now?

~~~
em3rgent0rdr
Would be great if software developers named their project simply based on what
their project actually does (e.g. "Word"). For example: "OpenPhoneOS".

~~~
edent
> OpenPhoneOS

So it doesn't work on tablets?

Is it open to hackers?

What's an OS?

There's a reason Amazon isn't called "books.com" - definitive names rarely
make for good brands. They limit your options and can carry preconceptions.

~~~
em3rgent0rdr
Fair points... that was just the first thing that came to my mind. Better might
be something along the lines of: LibreMobile

Of course you don't want too definitive to limit your options. But what I'm
criticizing is things like "Cyanogenmod" (what does green-blue have to do with
it? is it some type of element?) or "Android" (is it a robot?). Apple won a
lot of users simply with a simple definitive name "iPhone". And you can have
definitive names that leave options open, e.g. "YouTube" or "The FaceBook".

------
MrF3ynmann
When exactly will CM shut down? Until when will I be able to get the freshest
nightlies of CM14.1?

~~~
g_p
Secondary source since the website seems down right now.

[http://www.androidpolice.com/2016/12/24/cyanogen-shutting-se...](http://www.androidpolice.com/2016/12/24/cyanogen-shutting-service-nightly-builds-december-31-2016/)

At some point before 31st December (at the latest), according to their blog
post. In reality, their website is down right now. Downloads and other sites
are up, but the blog is down.

------
dispose13432
Also, will I have to re-reclean flash LineageOS over CM?

------
the_duke
What's the background on this?

Why is Cyanogen shutting down?

~~~
distances
There was more discussion recently at
[https://news.ycombinator.com/item?id=13249307](https://news.ycombinator.com/item?id=13249307).
Incompatibilities in Cyanogen Inc. leadership plus some bad deals, is what I
gathered.

~~~
dispose13432
tl;dr Cyanogen Inc failed, and is pivoting away from ROMs.

What I don't get is why they won't just give up the CM name/domain? Are they
pulling an OpenOffice?

~~~
g_p
I suspect this was one of their biggest/only assets. I wonder (purely from a
thought experiment point of view) how the original spin-out could have gone if
the project had kept the name in trust and granted a worldwide exclusive
license for a period of X years, where X was longer than the initial
investment term, with a renewal option.

On the other hand, given what's gone down between both sides lately, it seems
the split is somewhat less than civil, and holding onto the name and killing
off the "annoying project which resents and criticises the company" might be
suitably vindictive and designed to cause inconvenience to the project.

------
LordWinstanley
I'm getting really confused here.

I thought CyanogenOS was a commercial venture that arose out of CyanogenMod.
But that they were essentially separate projects. I'd read about CyanogenOS
coming a cropper, but understood this wouldn't affect CyanogenMod. Now, these
linked articles seem to be treating -OS and -Mod as the same project/same
organisation.

Can anyone explain?

~~~
chei0iaV
Cyanogen Inc (the commercial venture) owns the infrastructure and trademarks
of CyanogenMod (community project). So now that they've been ditched, the
CyanogenMod community has to change the name and find new infrastructure.

------
fuayenah
Funny they'd use that quote of Andy Rubin, like it means anything nowadays.

[https://twitter.com/CopperheadOS/status/772592323112869888](https://twitter.com/CopperheadOS/status/772592323112869888)

