Vault 7 Security Vulnerabilities - LineageOS News & Discussion

Hi there LineageOS (LOS) enthusiasts
Could the following security vulnerabilities exposed by WikiLeaks on March 7, 2017 affect LOS? Official press release at https://wikileaks.org/ciav7p1/#PRESS
"Vault 7" reveals numerous CIA 'zero day' vulnerabilities in Android phones. Read more and source at:
• https://twitter.com/wikileaks/status/839124979367174144
• https://wikileaks.org/ciav7p1/cms/page_11629096.html
• https://twitter.com/wikileaks/status/839119536012001280
Still according to WikiLeaks, the CIA created a huge amount of weaponized malware. Read more and source at:
• https://twitter.com/wikileaks/status/839122455738339328
CIA hacking tools exploit Apollo to make Android phones bulk-spy on you via WiFi networks around you. Apollo is a default music app in CyanogenMod (CM) 11 and earlier. Read more at:
• https://twitter.com/wikileaks/status/839210002694942725
• https://www.reddit.com/r/td_uncenso..._method_of_snooping_wifi_data_through_mobile/
Android Exploit/Tool Coverage at https://wikileaks.org/ciav7p1/cms/page_21561399.html
Here are two classified CIA manuals with more technical information for software engineers, about how the CIA's malware infests and hacks Linux-based operating systems such as Android:
• Summary: https://twitter.com/wikileaks/status/839151511838015488
• Manual 1: https://wikileaks.org/ciav7p1/cms/files/DevelopersGuide.pdf
• Manual 2: https://wikileaks.org/ciav7p1/cms/files/UsersGuide.pdf
Any other volunteers interested to find more technical information for software engineers? Preferably with technical examples of how to produce the security vulnerabilities.
Currently 339 Vault 7 documents are related to the CIA's Android hacking tools at https://search.wikileaks.org/?query...w_search=False&order_by=most_relevant#results
Search all Vault 7: CIA hacking tools at https://wikileaks.org/ciav7p1/
Cheers,
Francewhoa

Edward Snowden is currently reviewing WikiLeaks published documents about Vault 7 security vulnerabilities.
Snowden wrote:
• "Still working through the publication, but what @wikileaks has here is genuinely a big deal. Looks authentic." Source at https://twitter.com/Snowden/status/839157182872576000
• "the docs show iOS/Android are what got hacked - a much bigger problem." Source at https://twitter.com/Snowden/status/839155787226316800
• "Evidence mounts showing CIA & FBI knew about catastrophic weaknesses in the most-used smartphones in America, but kept them open -- to spy." Source at https://twitter.com/Snowden/status/839193727751098368

Today I tried to report those potential security vulnerabilities by using the LOS bug tracking system. But it does not allow creating new bug report tickets. Related discussions at https://www.reddit.com/r/LineageOS/...s_jira_closed_on_weekdays_to_bug_submissions/
Do you know another option to report those potential security vulnerabilities to LOS maintainers?
I reported those potential security vulnerabilities to https://www.reddit.com/r/LineageOS/comments/5y1z86/vault_7_security_vulnerabilities/
And also to #lineageos on Freenode

Yes, I'm sure some of those exploits would still be effective on LOS or any/most Nougat ROMs. Though some would no longer work given updates & patches since first discovered. But no doubt there are also newly discovered exploits discovered since. Then of course there are a whole lot more not mentioned as they have been developed by other nations and hackers! It's a constant battle and always will be, all devices will be susceptible to exploits in some way, I believe, even on hardened OS like Copperhead, though of course it would be much much harder.
What's most interesting to me (as nothing above is particularly unexpected to me) is the suggestion it's the Russians who have released it so that Trump can use it against his own agencies.
Also Trump's old S4 (running stock you would assume) would have been a cinch to hack, especially as by all accounts he's not at all tech literate!

About the alleged Russian interference speculations. Could the CIA be trying to divert your attention from the content of WikiLeaks' Vault 7?
Could WikiLeaks source be a U.S. whistleblower and insider? WikiLeaks wrote: "The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive." Source at https://wikileaks.org/ciav7p1/
Here is a statement from the source. "In a statement to WikiLeaks the source details policy questions that they say urgently need to be debated in public, including whether the CIA's hacking capabilities exceed its mandated powers and the problem of public oversight of the agency. The source wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons." Source at https://wikileaks.org/ciav7p1/
For those not familiar with whistleblowers, there is some information at https://en.wikipedia.org/wiki/Whistleblower

Francewhoa said:
> About the alleged Russian interference speculations. Could the CIA be trying to divert your attention from the content of WikiLeaks' Vault 7?
Yes, sure could
> Could WikiLeaks source be a U.S. whistleblower and insider? WikiLeaks wrote: "The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive." Source at https://wikileaks.org/ciav7p1/
Yes, and probably most likely.
Let's hope all this results in fixes that make our phones more secure, though by most accounts it sounds like many of these exploits had already been patched.
Edit: wish I had time to read all the links!

Related

The GPL and the past 24 hours' events

[Mods: I felt that this thread is most appropriate in this section as it pertains specifically to Android development. If you feel this is not the case and should be moved, please do so.]
As many of us know, Eugene and TeamWhiskey both released completely working Froyo ROMs today, and they were able to do so with leaked code that both were asked not to divulge. There's been some infighting between developers, and the use of the leaked code is the major point of contention.
What interests me is how developers have been respecting the GPL. As a major free/open source supporter, the fact that how this license permits developers and users alike to use any source code has not been respected scares me. I certainly don't want to see development of our phones fall by the wayside because some developers have access to code that others don't, when that code [or at least, the source code of developed ROMs that use leaked code] is legally required to be released to the public. (source, and examples of the GPL's standing in an American court of law)
Based on the current events and major milestones in Android development, I'm interested to see if anyone else agrees with me. (Or perhaps I'm wrong entirely - but there's a sticky on the top of this forum reminding developers about abiding by the GPL, so I assume that any ROM or kernel we've seen is GPL-derived.) I realize that some aspects of the Samsung version of Android in particular are under a proprietary license (TouchWiz, RFS), and this little point gets touchy. But Android itself and kernels for Android are GPL - so shouldn't any source code used by any Android project be released?
Honestly? I'm concerned about the GPL implications too but I'm 100% sure that I don't have enough information to try to form an opinion about what's right or wrong in this scenario. I'm sure there is a lot going on in the background the average user such as myself doesn't know of what's going on here. Edit: trying to speculate here is just too hard to guess, and would invoke both drama and the answers are not backed by anyone.
If you're not sure, ask the FSF.
Eugene and Sombionix need to take up their issues privately (and have since), and that was their only mistake. The rest of the scenario is simply not appropriate to come up publicly.
Although, I agree with the fact that the GPL has to be followed, the GPL only applies to source code. From what I gather, neither of these parties have any source code. They are both in the possession of a leak ROM. The word source here is used to mean the ROM from which the files came from.
When it comes to leaks, files in leaks CAN be traced back to the leak in some cases which is why many times, leaks cannot and will not be shared.
On the other hand, if they have the source code and it has been modified, then they must abide by the GPL.
One thing to consider here is that to the best of my knowledge, nobody other than Samsung at this point has the source to the SGS FroYo builds. What I mean by that is; everything that went on regarding the leak, is based off of binary files taken from a working phone. No source code involved. Google has released the code to 2.2, which satisfies the GPL licensing; with which Samsung has added proprietary software on top of for use with their phones, but because what they have added is NOT GPL'd, are not obligated to provide the source for.
I might be mistaken here, but assuming Samsung didn't change any of the existing AOSP code, and only added their proprietary software on top, then the 'must provide source code' clause is in fact being satisfied by Google. All Samsung needs to do to cover their behinds is provide a link to Google's Android development pages.
if it was GPLv3 we wouldn't have this problem, but a lot of companies are unwilling to jump to GPLv3 instead of GPLv2.
To clarify the position XDA takes on GPL code (having worked on the GPL policy you see at the top of every forum), it is required to release kernel sources if you have access to them.
It seems likely that no source code was available here, and the use of leaks in ROMs has been standard practice for a long time on XDA, and on other sites. There's no issue with this, and it is a signal of trust from the leaker to the developer that the source file will not be made available. Thus you are unlikely to get access to such leaks as a user, though you can enjoy the fruits of them after established developers with contacts have got access to them.
If it were insisted that sources be provided for EVERYTHING, then releases like this would be in breach of the XDA GPL code, and thus would stifle development. Samsung has not provided them with the sources (as I understand), so they have no obligations as far as I can identify, beyond passing on any standard notices placed in the ROM by Samsung, offering source code.
If a custom kernel was compiled to use the ROM, then its sources would be required under the GPL. The actual ROM itself is not GPL'd as such, and treating it as such would be detrimental to users on XDA.
If GPL sources have been used, then they must be posted per the GPL. Otherwise, there are no further obligations per the XDA rules. This does not appear to be the case here.
Just to back up this point, I worked on and released some ROMs, and never touched a line of source code personally. It's possible to do a surprising amount to ROMs without actually editing sources (often they're not available either when working on HTC devices...). It's only within the last month or two that I've actually looked at source code properly with intent on making changes.
Finally, I'll move this into general with a redirect for just now, as it's not directly related to a ROM, though is "on topic".
Ah - so the leaked code used to finish both Eugene's and Team Whiskey's was not code, but binaries (i.e., a leaked ROM?) This makes a lot more sense to me. Thanks for clarification.
I suppose this point becomes moot when froyo finally drops officially, but it's still important.
Sent from my SGH-T959 using XDA App
Well said Pulser_g2
Pulser... Well said. The important thing people need to remember is not to "create" drama where it is not. The devs do work in concert and do produce amazing results contrary to the public chatter.
It is a blessing that there are so many good developers working on the Vibrant vs, say ...(you insert phone of choice). ......now off to flash............
As I mentioned in one of the Froyo threads, I feel like the GPL doesn't really apply in the case of leaked ROMs, since 1) nobody has the source anyway and 2) they're chock full of closed source Samsung bits. The leaked ROMs, and any ROM derived from them in some way, are already questionable to redistribute since Samsung hasn't granted permission to do so.
On the other hand, I do wish people would release source to any modifications of the Linux kernel and any other GPL software that's acquired through legitimate channels. I can understand that the source might be released slightly later than the binary, but most kernels at this point haven't had any source accompany them, ever. This really isn't in the spirit of the GPL, and as a long time Linux user it came as a surprise to me that this is the way things seem to work here.
The bottom line is that, like it or not, people actually don't have the *right* to not release source eventually. I hope they start doing so sooner rather than later.
Looks like a lot of people don't understand the GPL, even senior moderators.
We ARE talking about the GPL, not LGPL, right?
Samsung hasn't made any of the stuff they have posted official... Why would samsung release anything for something that is not yet official...
How would the devs of xda be able to give you the source they don't have?
If you want to fight a losing battle email htc about the mytouch slide..
Sent from my SGH-T959 using XDA App
First, I'm not trying to start a web battle here, just stating the facts.
1. The files that I received from our source gave me consent via email to build a rom and release it. Unfortunately, after the fact the rom was built and released, the source has been claiming that he did not want the files released, which was not at all what was discussed originally. Had he clearly stated that he did not want them released, I would not have done so. He specifically asked me to build a rom, but that he did not want his identity released, which I did not do.
2. Your information regarding GPL is very wrong. We were not working from source because source for the Vibrant 2.2 has not yet been released. The only Galaxy S device that has had source officially released has been the I9000. Had we been working from source, we would have gladly posted our edited source code in accordance with GPL law.
sombionix said:
> 2. Your information regarding GPL is very wrong. We were not working from source because source for the Vibrant 2.2 has not yet been released. The only Galaxy S device that has had source officially released has been the I9000. Had we been working from source, we would have gladly posted our edited source code in accordance with GPL law.
Yeah, this was my mistake. I was under the impression that you were working from source, not just a ROM, as was previously pointed out. So I guess it's a moot point.

[MOD] [THINKTANK] Building TaintDroid in a ZTE Blade Kernel

It would be great if TaintDroid could also be integrated in a Blade ROM.
ZTE Blade users, please show your support if you also wish to see TaintDroid implemented in a custom ROM for your device.
webstas said:
> A project for our Kernel devs maybe? I found this in the I9000 Forums and thought I might keep it going over here in the Vibrant quadrant of XDA.
> http://forum.xda-developers.com/showthread.php?t=812879
vasra said:
> Most people don't yet know that many Android software leak all sorts of information to the internet with only scant user acknowledgement (basically what you accept when you install the app).
> Due to this and the fact that there are already privacy information harvesting apps for Android on the marketplace - a team of security experts have created TaintDroid:
> What is TaintDroid?
> From the project's web page: "A realtime monitoring service called TaintDroid that precisely analyses how private information is obtained and released by applications "downloaded" to consumer phones."
> From: http://appanalysis.org/index.html
> How can I install TaintDroid?
> As TaintDroid is currently compiled into the kernel, you cannot easily install it, but you have to cook your own kernel. Instructions (for Nexus 1) are available at the project web site: http://appanalysis.org/download.html
> How does TaintDroid work?
> Here's a video demonstrating how TaintDroid works once it is installed and configured:
> http://appanalysis.org/demo/index.html
> Why would you want to install this?
> There can be many reasons for installing TaintDroid:
> - You want to learn about privacy features and play with Android kernel
> - As it is currently impossible to differentiate between innocent and sneaky Android apps based only on what access rights they request, you may want to dig in deeper
> - You are worried about what apps are doing behind your back and you want to know which apps to uninstall
> - You want to help create Android a more secure and privacy-protected platform, instead of the swiss cheese it currently is
> What can you do?
> As compiling kernels is mostly beyond the reach of mere mortals currently, consider cooking TaintDroid into your kernel, if you are cooking one yourself and offering it available for others to try and use.
> Hopefully increased awareness and usage will bring this program eventually into other modders and perhaps even Google's attention and something more easily accessible is offered for the public at large.
> BTW, I'm just a user, interested in getting TaintDroid on my own Galaxy S. I'm not affiliated with the research program, but I like what they are doing. This information is purely FYI.
ps: Sorry for replication but as this suggestion/request is taken up specifically for the ZTE Blade device, I thought it would be appropriate to duplicate the previous posts.

[JobReq] DFW Android Dev - Android Architect

I was contacted by a recruiter through my LinkedIn profile and have no affiliation and gain nothing from posting this. My hope is that good Android developers are placed in good positions that help grow the platform.
Please see the description below if you are interested.
------------------------------------
I have a great opportunity regarding the following position….
Android Architect – SMARTPHONE
We are looking for an experienced software architect in developing and troubleshooting Android devices. You will be the resident expert on Android with knowledge and experience with programming all levels of the Android stack. You will be responsible for architecting and coding Android system middleware and working with a cross-discipline engineering team to support integration and validation. Many people can develop a Smartphone application, only a few can develop Smartphones…that is exactly what our client is wanting to hire!
Candidates must have a strong technical background and be capable of coming up to speed with a new team quickly. Good analytical, problem solving, and communication skills are essential as well as the ability to work collaboratively in a team environment. Excellent teamwork and written and verbal communication skills are essential. Creativity, responsibility, self-direction and self-motivation are hallmarks of our team and we expect the same from all who join us.
Duties and Responsibilities
Leads the development and maintenance activities of an Android device.
Quickly ramping up and becoming a key contributor within an Engineering team.
Ability to fix issues on a wide range of drivers from display to USB to Bluetooth to Ethernet.
Stays abreast of technical area and provides knowledge transfer to fellow team members.
Skills / Attributes Required
8+ years of software development experience with a strong preference for embedded device experience.
2+ years of direct Android stack development and integration experience with a strong knowledge of the Android SDK.
Knowledge of Android startup, integration and porting to new chipsets.
Experience with Java, C#, or C++. Familiarity with web transport protocols (HTTP, HTTPS, SSL)
Candidate must have a BS degree (MS preferred) in Computer Science, Computer Engineering, Electrical Engineering or equivalent
Experience with other mobile platforms or mobile-web development a plus
Deep knowledge of the software development lifecycle, including scoping, planning, conception, design, implementation, deployment and maintenance.
The ability to work to agreed deadlines. Good troubleshooting / communication skills / team player.
Sorry, no relocation or sponsorship…local candidates only.
This is an excellent opportunity for someone who is “entrepreneurial spirited” that desires a challenging high profile position in a mid size telecom manufacturing company. Office location is in the N Dallas/ Richardson / Plano area. This is a stable company, with a well established name and reputation, and their products are sold and used in government agencies as well as in several big name commercial businesses across the country. This full time - strategic position offers a competitive salary, full health benefits package, 401K retirement plan, etc.
As you are aware, it’s not always the smartest or hardest working engineers that necessarily get ahead in their job or career path. Keeping an open mind and exploring an opportunity like this may be a way of leveraging your career? If you or anyone you know is interested and qualified – please submit a copy of your resume ASAP to me for immediate consideration. Note: All correspondence will be held in strict confidence. This is a great opportunity, but you must act quickly…we are currently setting up interviews. Thank you.
PS. Please inform everyone and forward this around to peers, groups, organizations, affiliations, etc. ,within the Dallas area.
GM and Associates has over twenty two years of expertise in building teams with placing “hard to find – high quality technical professionals”…one strategic acquisition at a time. As a general rule, we recruit “passive candidates” with stellar industry experience, have secure positions, and aren’t submitting their resume to competitor websites. For more information, please review our website, (listed below)…and bookmark it for future reference. Also, “click” on the LinkedIn tab below, go to recommendations, and read about what other technical professionals have commented about our services.
Sincerely,
George J. Martin (principal)
GM and Associates
972-618-3999 WWW.GM-A.NET
------------------------------------

Petition for Samsung to be more open :)

Hi, a developer called pulser_g2 developer called codeworx made this petition for Samsung to be more open and be a lot more developer friendly, this petition is for all Samsung android devices, not just the s2. So I thought I would post it here in the hope a few of you may consider signing it please
http://www.change.org/petitions/sam...t-achieve-full-potential-of-purchased-devices
Thank you
Edit: Sorry I made a mistake, the developer Codeworx just heavily promoted the petition, pulser_g2 is the developer who made it, and thanks entropy512 for pointing the mistake out
danielsf said:
> Hi, on the galaxy s2 forum, the cm9 developer called codeworx made this petition for Samsung to be more open and be a lot more developer friendly, this petition is for all Samsung android devices, not just the s2. So I thought I would post it here in the hope a few of you may consider signing it please
> http://www.change.org/petitions/sam...t-achieve-full-potential-of-purchased-devices
> Thank you
Actually pulser_g2 created it - codeworkx is just pushing it hard. (he deserves to as he's the one maintaining CM9...)
Also consider pestering them on Twitter:
https://twitter.com/#!/search/users/samsung
Signed
10char
I'm hoping the lack of posts in this thread just means people aren't commenting in this thread but have signed the petition
I submitted this as a tip for the portal page, hopefully it gets picked up, since being on the portal would generate more interest in this
DT3CH said:
> I'm hoping the lack of posts in this thread just means people aren't commenting in this thread but have signed the petition
> I submitted this as a tip for the portal page, hopefully it gets picked up, since being on the portal would generate more interest in this
Only reason it's not on the portal is because pulser forgot his portal password (He even said so elsewhere.)
(This petition was filed by one of our senior moderator team.)
I haven't signed yet, but that is because I plan on writing a fairly decent bit on why cooperating with developers will benefit Samsung in my "Reason" field and need a bit more time.
signed!
10char
signed
Signed.
10char
IMO, in this day when manufacturers are locking down devices and intentionally making it very difficult for any development, Samsung has really catered to this small community. Companies like Motorola go as far as sabotaging their products to prevent any type hacking, rooting etc.
Sure, Samsung's official software upgrades are slow but I give them a lot of credit for reaching out in ways such as offering some of our top developers free devices.
Entropy512 said:
> Only reason it's not on the portal is because pulser forgot his portal password (He even said so elsewhere.)
> (This petition was filed by one of our senior moderator team.)
> I haven't signed yet, but that is because I plan on writing a fairly decent bit on why cooperating with developers will benefit Samsung in my "Reason" field and need a bit more time.
LOL shows you what I know
Don't know any of the mods here
Joe T said:
> IMO, in this day when manufacturers are locking down devices and intentionally making it very difficult for any development, Samsung has really catered to this small community. Companies like Motorola go as far as sabotaging their products to prevent any type hacking, rooting etc.
> Sure, Samsung's official software upgrades are slow but I give them a lot of credit for reaching out in ways such as offering some of our top developers free devices.
The problem is they have, over time, become increasingly antagonistic to platform developers.
They are now failing to comply with the GPL with kernel source for many devices on a regular basis. The Infuse AT&T update took a month for source to show up, and Samsung ignored multiple requests for source in compliance with the GPL. The one time they answered, they claimed that they didn't have to provide source because they had stopped providing the update - that's bull****. If you provide a binary to someone, you MUST provide them the source - even if you are no longer providing binaries to other people.
They go out of their way to avoid releasing source whenever possible - see the AR6000 driver fiasco on the Tab 7 Plus.
The Galaxy S II hardware donation to the Cyanogenmod team was nothing but a PR stunt. If you follow the progress of CM9 on the I9100, you'll see that in addition to not providing any assistance to codeworkx and xplodwild, they are actively throwing barriers in the way. For example, secure containers (used by many apps) are disabled if a custom kernel is used in ICS.
Compare this to Sony, who provided technical assistance to the Cyanogenmod team leading to their entire 2011 lineup being well supported by CM, and also open-sourcing their sensor HALs when they didn't need to. They have also provided OFFICIAL ICS alphas and betas including source in compliance with the GPL, while everyone else just has leaks.
Unless Samsung changes their attitude - my next phone will be a Sony or a Nexus of some sort.
Entropy512 said:
> The problem is they have, over time, become increasingly antagonistic to platform developers.....
Wow, I didn't realize all of that. As a GNex owner, I suppose I'm looking at things through rose colored glasses. I thought they changed a lot since the Froyogate fiasco which they received a lot of bad press. Thanks for the info, petition signed!
Signed
Especially since I have 2 Samsung devices currently
Entropy512 said:
> The problem is they have, over time, become increasingly antagonistic to platform developers.
> They are now failing to comply with the GPL with kernel source for many devices on a regular basis. The Infuse AT&T update took a month for source to show up, and Samsung ignored multiple requests for source in compliance with the GPL. The one time they answered, they claimed that they didn't have to provide source because they had stopped providing the update - that's bull****. If you provide a binary to someone, you MUST provide them the source - even if you are no longer providing binaries to other people.
> They go out of their way to avoid releasing source whenever possible - see the AR6000 driver fiasco on the Tab 7 Plus.
> The Galaxy S II hardware donation to the Cyanogenmod team was nothing but a PR stunt. If you follow the progress of CM9 on the I9100, you'll see that in addition to not providing any assistance to codeworkx and xplodwild, they are actively throwing barriers in the way. For example, secure containers (used by many apps) are disabled if a custom kernel is used in ICS.
> Compare this to Sony, who provided technical assistance to the Cyanogenmod team leading to their entire 2011 lineup being well supported by CM, and also open-sourcing their sensor HALs when they didn't need to. They have also provided OFFICIAL ICS alphas and betas including source in compliance with the GPL, while everyone else just has leaks.
> Unless Samsung changes their attitude - my next phone will be a Sony or a Nexus of some sort.
very well said
Done
Thanks for the info...
Everything to help the devs...
Sent from my Galaxy Nexus using xda premium
signed.. hope this petition will do something
Joe T said:
> IMO, in this day when manufacturers are locking down devices and intentionally making it very difficult for any development, Samsung has really catered to this small community. Companies like Motorola go as far as sabotaging their products to prevent any type hacking, rooting etc.
> Sure, Samsung's official software upgrades are slow but I give them a lot of credit for reaching out in ways such as offering some of our top developers free devices.
I totally agree. I would like Sammy to be more open, like Sony, but I understand they are a company and they have certain policies which will increase their profits... Since my tab has unlocked bootloader and I can flash anything I want I'm ok.
sent from my nokia 3210
Signed.... suggest you do also...
Sent from my Inspire 4G using XDA
signed........let us know how it goes
Signed. Glad to see this.
Sent from my SGH-T989 using Tapatalk

[Q] OmniROM - better than CyanogenMod?

Hello,
thinking about installing OmniROM which sounds great! I'm using CyanogenMod 10.1.3 Stable. If you guys had CM what do you think? Is there big difference between those two ROMs?
Well, as far as I know, CyanogenMod has been the best to date..!! OmniROM on the other hand has made a huge followers list and has been led by Chainfire (superuser app developer).
My opinion is to be in CyanogenMod as long as you need changes to play with. Moreover Cyanogen has more supported devices than that of Omni.. And if you have your device on their list.. Give it a shot!
Well now coming to differences, Omnirom has multi-window support, has over clocking, and the rest are the same but with different interface..
Sent from my Motorola Xoom using xda app-developers app
Thank you for the answer. I'm on a Nexus 4 (soon Nexus 5), so I will continue with CyanogenMod until there is a stable version of OmniROM.
It is way too early to tell if OmniROM can have as great of a following as CM. OmniROM has a very long road ahead if it wants to compete with CM simply because it needs to be supported on all the flagship devices and more. That is the only way OmniROM's name will get out there. There are so many people out there that haven't even heard of OmniROM yet but ask anyone about CM and most will tell you that they have heard of it.
I will give OmniROM a chance but it has to come to the Sprint LG G2 or else they are losing potential followers.
Better? Who knows, too early to tell.
Different? Sure. Many of the first developers involved with Omni are former CM maintainers/contributors dissatisfied with certain recent events (frequent ninjamerges without review, leads -2ing things with little explanation beyond "I don't like it", and most importantly, attempting to use their Contributor License Agreement against a longtime contributor in order to create a proprietary closed-source derivative of Focal under a commercial license.) To a great degree, it's about the spirit in which the projects are developed. We're going to try to be as open and receptive to new ideas as we possibly can.
Among other things I expect to see going forward - as CyanogenMod attempts to obtain GMS certification for CM on some devices, you may see a lot more features getting removed/rejected. (GMS is the ability to officially include gapps with a device. The CTS and CDD which have been discussed many times in the past are a part of this, but GMS can actually go way beyond this. I've heard, for example, of one OEM that wanted to preinstall a particular rotation control app. While that app is readily available on the Play Store, Google effectively said to that OEM, "You can preinstall that app, or have a GMS license - not both.")
Entropy512 said:
Better? Who knows, too early to tell.
Different? Sure. Many of the first developers involved with Omni are former CM maintainers/contributors dissatisfied with certain recent events (frequent ninjamerges without review, leads -2ing things with little explanation beyond "I don't like it", and most importantly, attempting to use their Contributor License Agreement against a longtime contributor in order to create a proprietary closed-source derivative of Focal under a commercial license.) To a great degree, it's about the spirit in which the projects are developed. We're going to try to be as open and receptive to new ideas as we possibly can.
Among other things I expect to see going forward - as CyanogenMod attempts to obtain GMS certification for CM on some devices, you may see a lot more features getting removed/rejected. (GMS is the ability to officially include gapps with a device. The CTS and CDD which have been discussed many times in the past are a part of this, but GMS can actually go way beyond this. I've heard, for example, of one OEM that wanted to preinstall a particular rotation control app. While that app is readily available on the Play Store, Google effectively said to that OEM, "You can preinstall that app, or have a GMS license - not both.")
I noticed that Omni has a CLA as well (https://gerrit.omnirom.org/static/cla_individual_omni.html). How is the Omni CLA different from that of CM?
nushoin said:
I noticed that Omni has a CLA as well (https://gerrit.omnirom.org/static/cla_individual_omni.html). How is the Omni CLA different from that of CM?
you didn't read the full sentence
attempting to use their Contributor License Agreement against a longtime contributor in order to create a proprietary closed-source derivative of Focal under a commercial license
AFAIK CLA will be same, just that they won't try to trick authors into dual licensing like CM tried with focal
ericdabbs said:
I will give OmniROM a chance but it has to come to the Sprint LG G2 or else they are losing potential followers.
Lol
Sent from my SCH-I545 using XDA Premium 4 mobile app
munchy_cool said:
you didn't read the full sentence
attempting to use their Contributor License Agreement against a longtime contributor in order to create a proprietary closed-source derivative of Focal under a commercial license
AFAIK CLA will be same, just that they won't try to trick authors into dual licensing like CM tried with focal
Yeah.
To be absolutely, 100% clear - They attempted to represent the CLA as something that would give them the ability to relicense a GPL contribution if the contributor was the original copyright holder of said contribution. (In the event where the contributor is not original copyright holder, no CLA in existence would allow relicensing because the contributor didn't have the rights to relicense the code.)
THIS IS NOT THE CASE. YOU CAN'T USE THE CLA THAT WAY. But they attempted to do so anyway - not only was it just wrong to treat a contributor like that, they misrepresented the document as giving legal powers it didn't actually give them.
The CLA is there as a "cover your ass" legal document in the case of a nasty legal dispute. I hope to hell we never have a need to use it. (In fact, in my opinion, the CLA is redundant and unnecessary for Apache and GPL licensed contributions, as the Apache and GPL licenses explicitly grant compatible redistribution/usage rights. Some other contributions are not as clear in terms of licensing, for example, media assets.) Another place it might come into play is if someone submits something with a license like that found in this file:
https://github.com/oppo-source/R819...89/kernel/drivers/dum-char/partition_define.c
In theory, if someone who was in the category of MTK or a licensor contributed such an item to our Gerrit, that contribution in combination with the CLA would be written permission to reproduce/modify/disclose the file. Note that not just anyone can submit something like that - there are other clauses to handle that (clause 7 I think???) - effectively saying that you yourself have the legal rights to contribute whatever you're contributing.
Oh, FYI, that file and files with similar licensing are one of the things holding back support of MTK devices.
One thing to note: CLAs DO exist that do give the kinds of power that Cyanogen, Inc. wanted to wield. An example is Canonical's Harmony CLA:
http://mjg59.dreamwidth.org/4553.html - He links to the Harmony CLA there (direct link - http://www.canonical.com/sites/default/files/active/images/Canonical-HA-CLA-ANY-I.pdf ), take a look at clause 2.3 - it's nasty:
Code:
2.3 Outbound License
Based on the grant of rights in Sections 2.1 and 2.2, if We
include Your Contribution in a Material, We may license the
Contribution under any license, including copyleft,
permissive, commercial, or proprietary licenses. As a
condition on the exercise of this right, We agree to also
license the Contribution under the terms of the license or
licenses which We are using for the Material on the
Submission Date.
This is VERY different from the "sublicense" language in the AOSP CLA. For a bit on sublicensing:
(crap, can't find one of the better links I used to have...)
http://programmers.stackexchange.com/questions/189633/what-sublicense-actually-means has some info
http://www.contractstandards.com/document-checklists/technology-license-agreement/sublicenses - Note "Additionally the scope of rights that the Licensee can sublicense is often narrower than the scope of the original license (e.g. the purpose or end-product is limited to those specifically enumerated)." - Commercial dual-licensing of a GPL contribution is pretty unambiguously expanding the scope of the original license and NOT something that a CLA which only grants you sublicensing rights allows.
