I've been a long-time Android user and have been flashing custom ROMs on older phones when they reach end of life from their manufacturer, to keep them up to date.
I started thinking... how far should we trust custom ROMs?
There's a whole other debate about how much you should trust the OEM ROMs as well, but right now I'm focusing on custom ROMs.
Sure, they're open source, but I'm not sure exactly how many eyes there are on the source code itself for a given ROM. Many of them are "just" tweaks of some bigger, more basic ROM too, like LineageOS for instance, and then there's usually just one guy managing his particular ROM.
Someone could theoretically add some nasties in there without people noticing if the code isn't vetted.
Sure, you could say that that's possible in all open source projects, like Linux distros and so on, but there we have a ton of people working on the code, so there's a much higher chance of bad stuff being found.
I'm not necessarily saying I don't trust LineageOS or other ROMs; I was just hit by a train of thought and wanted to see what you guys think.
For my part, I'd give more credibility to LOS than to ROMs based on it that are managed by just one or a few people, for instance, but still.
I don't know. Was I suddenly hit by the paranoia stick or are these valid concerns?
Thoughts?
I'd say keep digging. I've never gone too deep into this, because I don't have a device that can be rooted. When I do venture down this path I tend to come across these great revelations: "Aha!" moments, where I see accusations of telemetry and developers being called "shills". So far, they have all turned out to be trolls and personal vendetta situations.
Honest researchers looking into this have probably published articles; I'd have to take a look, since I do have access to those through my work. Then there are opinionated YouTubers and people with neocities sites...
I think these are valid concerns, and they are the same concerns many people have with open source software: who do you trust, a big company with infinite resources, or a guy with a Forgejo?
The guy on Codeberg or Forgejo might have fewer resources to hide something, and probably wouldn't dare. The bigger the company, the more people involved with the resources to make tracking software look like regular data requirements.
If you employ something with hundreds of hours of code, you're less likely to see backdoors. Look at a simple program and any kind of odd insertion stands out immediately.
Yeah, but how?
I mean, who's going to verify the code? And then there are new nightlies every day. Sure, they don't contain that many changes, but you'd need to monitor them, for every ROM on every phone. Well, maybe just for the one ROM and the one phone model that interests you, but that's still not feasible if it's not a paid full-time job. If someone were to do that in their spare time they wouldn't have much of that left :P