What would it be your feelings towards an hypothetical community project based on your AndroidHardeningArchive (at least, the unencumbered parts)?
Conversation
Replying to
I have no plans to change the non-commercial usage license for the archived code, if that's what you consider encumbered. It's only the subset of the privacy and security features that were shipped in stable releases based on Android 8.x anyway. Most of the work isn't there.
2
Replying to
TBH, I haven't checked the licenses, I've just assumed there could be some code in dispute that would be better to avoid/rewrite.
And even if it's just a subset of the privacy features, it sets the security bar higher than bare AOSP and LineageOS.
1
Replying to
Most of it would need to be overhauled or rewritten due to Android 9.0. I own the vast majority of the code and only small portions would need to be rewritten for me to change the licensing.
I already did it for reviving github.com/AndroidHardeni and github.com/AndroidHardeni.
1
Replying to
The only blocker for using permissive licensing for the entirety of it is not having any funding for my work. In order to expand the scope back to making an OS with substantial hardening across the board, there would also need to be funding for other developers too.
1
Replying to
I want to spend most of my time working on compelling privacy and security research and engineering, not endless maintenance and release engineering. Simply handling the endless stream of bugs in upstream projects that are uncovered by mitigations is far too much of a workload.
Replying to
There's no community that is going to do it. I doubt there's even interest in fixing a single one of the non-trivial memory corruption bugs uncovered by using a hardened malloc and other mitigations. They're often issues that should be release blockers and yet take ages to solve.
1
Replying to
I mostly agree with you. As I mentioned above, would be great if some trusted foundation funded a Hardened Android project like yours.