LOS devs/maintainers are also so smug, obnoxious, toxic and power-tripping in IRC chat (as they are ops there, obviously) that, sincerely, just fuck them, especially luca and lukasz. Currently the project is in poor hands.
That's alright though. Recent devices still have manufacturer support. LOS is a godsend for the older devices, often not as powerful as the new ones, that really need the lightweight, bloat-free Android for smooth operation.
Yes, but note that very old devices will need mainline kernel support before newer AOSP/LineageOS releases can be ported to them. (Of course, this is also desirable as a way of supporting non-AOSP mobile Linux releases there, which are by far the most exciting development in the custom modding scene.) Old downstream kernels don't cut it any more.
Takes time to bring up devices, LOS is a volunteer project, and manufacturers don’t send them devices like they used to. Finally, no matter what, they rely on the manufacturers releasing kernel source for a release, and some take months and ship squashed and/or incomplete source. Availability of bootloader unlocking is a factor, but what I just said is the bigger reason for the delay.
LineageOS isn't unsigned, it just happens to be signed by keys that are not "trusted" (i.e., allowed - thanks for the correction!) by the phone's bootloaders.
The whole point of the majority of PKI (including Secure Boot) is that some third party agrees that the signature is valid; without that, even though it's “technically signed”, it may as well not be.
I disagree. If LineageOS builds were actually unsigned, I would have no way of verifying that release N was signed by the same private-key-bearing entity that signed release N-1, which I happen to have installed. It could be construed as the effective difference between a Trust On First Use (TOFU) vs. a Certificate Authority (CA) style ecosystem. I hope you can agree that TOFU is worth MUCH more than having no assurance about (continued) authorship at all.
Either I misunderstood or HN is much stupider than I thought.
My definition of PKI is the one we’re using for TLS: some random array of “trusted” third parties can issue keys that are then validated against.
If you’re not in that list then signing can be valuable for other reasons, but PKI is not among them any longer, as there's no distinction between self-signed and a semi-trusted entity: things will break.
If you expect your website to work with keys issued from your internal company CA, you would be surprised to find that random browsers distributed on the internet wouldn't trust it.
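The two trust models argued over above (the TOFU pinning of a release signer from the "release N-1" comment, and the trust-store style of "some third party agrees" in the TLS/Secure Boot comments) side by side, as an added example that is not part of any comment in this thread and is not LineageOS or Android code. It uses only the Go standard library; the release format, the key pinning, the "Vendor Root" / "My Own Root" names and the one-day certificates are all constructed for illustration, and the real Android verified-boot and OTA signing formats are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Release is a constructed stand-in for a signed build: payload, shipped public key, signature.
type Release struct {
	Name    string
	Payload []byte
	PubKey  ed25519.PublicKey
	Sig     []byte
}

func signRelease(name string, payload []byte, priv ed25519.PrivateKey) Release {
	return Release{name, payload, priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, payload)}
}

// verifyAgainstPin is the TOFU check: pin is the key that came with the build
// already installed, and the next release must verify under that same key.
func verifyAgainstPin(pin ed25519.PublicKey, r Release) error {
	if !pin.Equal(r.PubKey) {
		return errors.New(r.Name + ": signing key differs from the pinned key")
	}
	if !ed25519.Verify(pin, r.Payload, r.Sig) {
		return errors.New(r.Name + ": signature does not verify")
	}
	return nil
}

func certTemplate(name string, isCA bool) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku = x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name}, // hypothetical name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              ku,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
}

// issueCert generates a fresh key and certifies it under issuer; a nil issuer
// yields a self-signed root. Only the signing step can realistically fail here.
func issueCert(tmpl, issuer *x509.Certificate, issuerKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	if issuer == nil {
		issuer, issuerKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, priv.Public(), issuerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// verifyAgainstStore is the CA-style check: the leaf chains to a listed root or fails,
// and a root the store does not list is rejected exactly like a self-signed cert.
func verifyAgainstStore(store *x509.CertPool, leaf *x509.Certificate) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err
}

// runDemo returns the four outcomes; nil means the verifier accepted the artifact.
func runDemo() (tofuSameKey, tofuOtherKey, caVendorLeaf, caForeignLeaf error) {
	// TOFU: releases N and N+1 under one maintainer key, plus an N+1 from a stranger.
	_, maintainer, _ := ed25519.GenerateKey(rand.Reader)
	_, stranger, _ := ed25519.GenerateKey(rand.Reader)
	relN := signRelease("release-N", []byte("constructed payload N"), maintainer)
	relN1 := signRelease("release-N+1", []byte("constructed payload N+1"), maintainer)
	relX := signRelease("release-N+1-other-key", []byte("constructed payload N+1"), stranger)
	// CA-style: the store lists only "Vendor Root"; "My Own Root" is a perfectly
	// valid CA that simply is not on the list, so everything it issues is rejected.
	vendorRoot, vendorKey := issueCert(certTemplate("Vendor Root", true), nil, nil)
	myRoot, myKey := issueCert(certTemplate("My Own Root", true), nil, nil)
	store := x509.NewCertPool()
	store.AddCert(vendorRoot)
	vendorLeaf, _ := issueCert(certTemplate("vendor-signed image", false), vendorRoot, vendorKey)
	foreignLeaf, _ := issueCert(certTemplate("own-CA-signed image", false), myRoot, myKey)
	return verifyAgainstPin(relN.PubKey, relN1), verifyAgainstPin(relN.PubKey, relX),
		verifyAgainstStore(store, vendorLeaf), verifyAgainstStore(store, foreignLeaf)
}

func main() {
	fmt.Println(runDemo())
}
```

Running it prints four values: the release under the pinned key and the leaf under the listed root come back as nil, while the release under a different key and the leaf under the unlisted root both carry an error. The TOFU check gives continuity of authorship but nothing on first install; the store check gives a third party's say-so but only for roots that party chose to list.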
The whole point of the majority of PKI (including Secure Boot) is that some third party agrees that the signature is valid; without that, even though it's “technically signed”, it may as well not be.
The first party must be able to entirely decide that "some third party" for it to be anything more than an obfuscation of digital serfdom.
My definition of PKI is the one we’re using for TLS: some random array of “trusted” third parties can issue keys that are then validated against.
If you’re not in that list then signing can be valuable for other reasons, but PKI is not among them any longer, as there's no distinction between self-signed and a semi-trusted entity: things will break.
If you expect your website to work with keys issued from your internal company CA, you would be surprised to find that random browsers distributed on the internet wouldn't trust it.
Wow, shocker.
Unless there's legislation to force them to allow enrolling new keys or otherwise disabling secure boot, the abuse will continue.