I'm writing this from a Samsung device that never had a supported Lollipop release. If I were on stock, I'd be vulnerable to many vulnerabilities including Stagefright.
But I'm using an open source ROM called CyanogenMod, currently on Android 5.1 (CM 12.1). I upgraded to a newer nightly after patches were made to fix Stagefright, and now I'm not vulnerable. I could also have installed a version of CyanogenMod from KitKat that backported the patch.
So yes, open source can and has addressed this. If your device is supported by CyanogenMod, you can fix it.
Note that Marshmallow CM builds are expected to be released soon, and afaik my device (S3) will still be supported: this would make my device upgradable 2 entire major releases after the manufacturer dropped support.
In fact, there are already Marshmallow nightlies for the S3.
What's interesting is that, even though you are running 12.1 on the S3, there was never an official CyanogenMod release for the S3, only unofficial ones. But now a maintainer has stepped up, made MM (CM 13) run on the S3 again and we get our official releases again.
And I don't see any CM 13 releases yet. I thought they were expected to drop in a few weeks.
Edit: I assume you were talking about the international version. That does seem to have skipped Lollipop. I also came across unofficial builds of 13 for my device, but I'm not upgrading until I have debug time.
I've got a Japanese Galaxy S. As far as I know, there are no ROMs with a working modem :-( So either I'm stuck on Gingerbread, or I don't get a working phone. Binary blobs suck.
Learned my lesson. Next phone will be a Nexus so that I can be sure that it isn't abandoned 6 months later. I do admit that it seems strange to have a nearly 5 year old phone and still use it. But it does everything I need it to do so I can't really justify dropping $X00 upgrading to a new phone.
Asking as a GNex owner: what did you expect Google to do when TI decided to exit the mobile space and could no longer maintain its drivers for newer kernels? I was pissed off, but only at TI.
- Have their own teams develop the required fixes. After all they are developing Android.
- Have had the business sense to make a proper contract with TI that would either oblige them to keep doing the fixes even after product termination or provide the relevant information for Google.
This is how a company ensures its customers are safe from outsourcing deals.
Right now, Google can let it happen again and people can choose to properly blame Google or the OEM.
For all practical purposes no, being open source does not help. Yes, Android is OS, but the device manufacturers and carriers lock down their devices so you do not have the freedom to install changes or make modifications to your own device. They do not accept contributions from the OS community.
I believe this will eventually be true for everything - from servers to desktops to laptops, etc.
Sure, I install CyanogenMod when I can. Ordinary users cannot do that. Samsung is actively hostile to this and Samsung makes some of the most popular Android devices.
It does, but only for users technical enough to do so. And most users who are, probably buy newer phones anyways.
Also, here in the US, our largest carrier (Verizon), requires phones to have encrypted bootloaders. So my phone, for instance, cannot be flashed with a third party build.
> Also, here in the US, our largest carrier (Verizon), requires phones to have encrypted bootloaders. So my phone, for instance, cannot be flashed with a third party build.
Nexus 5X and 6P work on Verizon, and have an unlockable bootloader out of the box.