Is there a way to verify community builds are safe? - Pixel 8a (akita)

Hello again
I’m posting because I see that a device that a family member of mine owns is not officially supported, and is instead listed as an unofficial build. I was wondering if there is any guarantee of quality or security with these builds? Like if they are made by trustworthy members of the community? I’m only asking because we’re currently trying to make the transition away from CalyxOS due to the recent restructuring and I want to make sure I’m not putting anyone else at risk. If it is trustworthy, do these builds also support device relocking?

If the builds can’t be trusted/relocked, what should I do moving forward? Would it be safer to stay on the currently outdated cOS build, or should we consider other options for security? Is there a possibility iodeOS will release officially for this device any time soon? I want to make sure I’m not accidentally/inadvertently putting anyone in harm’s way, and I’m the “tech person” in the family.


There are no guarantees. How did you know that the CalyxOS builds you used are ‘safe’? I guess you chose to trust the organisation and its members.

The unofficial builds for Google devices are made by @rik. He spends a lot of time in these forums, and does a lot of work responding to queries and generally being helpful 🙂

I don’t know whether the Pixel devices support bootloader relocking. I use (and make unofficial builds for) Sony devices which do not support relocking, and I don’t think that is a problem. See discussions here and here about why it is not a big problem and why it may not be a good idea. Most custom ROMs on most devices don’t support relocking and I have never seen any reports of that causing a real, exploitable security problem.

I believe that the unofficial builds in these forums can be trusted, whether or not they support relocking:

  • as stated above, @rik does a lot of work here, and is also one of the maintainers of the LineageOS for microG project, upon which IodéOS is based;
  • @ronnz98 makes many unofficial builds of IodéOS and of /e/OS
  • I also make unofficial IodéOS builds and am the main active maintainer of the LineageOS for microG project. I used to make unofficial builds of /e/OS.

Obviously I am biased 😉 but I believe that all of the unofficial builds publicised in these forums can be trusted at least as much as CalyxOS builds.

I’m sorry, I wasn’t trying to imply that anyone here is “untrustworthy”, I would just like to make sure I’m not installing software that was created & compiled by someone who has no reputation in the community and could possibly be a bad actor. I prefer erring on the side of caution, especially when it comes to devices that are not mine. I would find it more likely that a small unofficial build made by one person would have a built-in back-door than a build made by a larger, well-known entity, in my opinion. I could very well be wrong, and for all I know there could be a backdoor built into AOSP that was left in by both iode and calyx on purpose.

I’ve seen rik around the forums while browsing, and they actually did help me figure out the first couple issues I had when I first joined so I’ll concede to being skeptical of their reputation within the community. I wasn’t sure they were the one maintaining the build as I had read somewhere else in the forum that it was ronnz98 who had been making it.

Does rik share the source code for their build publicly for if I wanted to build it myself?

All the unofficial builds here use the Iodé and LineageOS source code trees. For devices officially supported by LineageOS (such as the current Pixel devices) the official LineageOS sources are used. For others, such as the Sony Yoshino devices, code comes from the sources of the unofficial LineageOS ROM on which they are based.

I know that I build using the LineageOS for microG CI/CD docker image. I believe that @rik does also (but I may be wrong). You should be able to follow the instructions from the wiki page if you wanted to build for yourself.
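Whichever route you take (installing a published unofficial zip, or building your own with the docker image), the one check that is always available is that the file you flash is byte-for-byte what the builder published. The script below is an added example, not code from this thread or from the iodéOS / LineageOS for microG projects: it parses a `sha256sum`-style checksum listing, hashes the zip in chunks, and reports whether the file matches, differs, or is not listed at all. The file names and checksum text are constructed for illustration. One caveat worth knowing before comparing against your own build: unofficial builds are signed with the builder’s own keys, so a zip you build yourself will not be byte-identical to theirs even from the same sources; a hash match only tells you the download was not altered in transit, not that it equals your self-build.

```python
"""Check a downloaded ROM zip against a sha256sum-style checksum file.

Added example, not code from the thread or from the iodéOS / LineageOS for
microG projects. File names and checksum text below are constructed.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB pieces so a multi-GB zip never sits in memory


def parse_sha256sums(text: str) -> dict:
    """Parse `sha256sum` output: '<64 hex chars>  <filename>' per line.

    Lines that do not fit the format are ignored rather than trusted.
    A leading '*' on the filename (sha256sum's binary-mode marker) is stripped.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            continue
        entries[name.lstrip("*")] = digest.lower()
    return entries


def sha256_of_file(path: str) -> str:
    """SHA-256 hex digest of a file, read in CHUNK-sized pieces."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_build(zip_path: str, sums_text: str) -> str:
    """Return 'ok', 'mismatch', or 'unlisted' for zip_path against sums_text."""
    expected = parse_sha256sums(sums_text).get(os.path.basename(zip_path))
    if expected is None:
        return "unlisted"  # a zip the checksum file never vouched for
    actual = sha256_of_file(zip_path)
    # compare_digest is a habit worth keeping for any digest comparison
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def demo() -> dict:
    """Construct a fake build zip plus checksum listing and run the three cases."""
    with tempfile.TemporaryDirectory() as d:
        # constructed file name; not a real iodéOS build artifact
        good = os.path.join(d, "example-unofficial-build-akita.zip")
        with open(good, "wb") as f:
            f.write(b"not a real ROM image, just constructed bytes\n" * 1000)
        sums = f"{sha256_of_file(good)}  {os.path.basename(good)}\n"
        results = {"good": verify_build(good, sums)}

        with open(good, "ab") as f:
            f.write(b"x")  # simulate a corrupted or altered download
        results["tampered"] = verify_build(good, sums)

        other = os.path.join(d, "other.zip")
        open(other, "wb").close()
        results["unlisted"] = verify_build(other, sums)
        return results


if __name__ == "__main__":
    print(demo())
```

Point it at the real zip and the checksum file the builder publishes alongside it (`verify_build("/path/to/build.zip", open("/path/to/sha256sums.txt").read())`); the checksum file itself should come from the same place you got the download link, since a listing served next to a tampered zip proves nothing on its own.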

I am advocating for an official build for the Pixel 8a and the rest of the Pixel 9 series (beyond only the Pixel 9 which just was acquired by the dev team to create builds for). I did find that typically we only provide official builds for devices that the team has physical units of for hardware testing and support. But for series devices like this I think it wouldn’t be too much of a stretch to extend to the other models, maybe with an asterisk or something. This would then allow them to be able to re-lock the bootloader, be on the central OTA update server, etc.

I guess “stay tuned” on that front.

As @petefoth mentions, I do create (most of) the unofficial builds for Pixel devices. @ronnz98 did build a lot more of them before, but as I was already building older Pixel builds, I started building the newer device builds as well, as ronnz has a full plate with multiple ROMs and multiple device vendors that he makes builds for. Note that I hope to get OTA updates working for the unofficial builds hosted at the lineage4microG project site (essentially @petefoth and my builds) in the next month or 2, but giving the ability to re-lock the bootloaders is a bit beyond me at present.

+1 this is how I build, I can pass the script I use but it is nothing more than the sample script you can see if you look up the instructions. It essentially just sets the build directories and populates the necessary parameters for the docker image to run.