undefined | Better HN

0 pointsoridecon9y ago0 comments

Like I said, it was just an example. I don't have the time or knowledge to review an entire custom ISO and after that another ISO from the Gapps provider that I choose. I'm sure there are some tricks to cut down the review process time but anyway.

It's a trade-off. I'm installing custom software to improve security, but at the same time, can I trust that this solution won't be a source of malware?

I hope this didn't came out as accusatory, I was just trying to show another aspect of using custom ROMs.

0 comments

1 comments · 1 top-level

zifnab069y ago

It didn't - I'm mostly curious what people's thoughts are on things.

For what its worth, the mirror selection software we're using [1] won't send you to a mirror that has a modified file. If a mirror is doing something malicious (and that doesn't catch it), builds are signed and can be verified [2]. Obviously there's some level of trust involved (build infrastructure isn't auditable, android builds aren't reproducible).

[1] https://github.com/etix/mirrorbits [2] https://wiki.lineageos.org/verifying-builds

j / k navigate · click thread line to collapse