[ikeboy]

I'm writing this from a Samsung device that never had a supported lollipop release. If I'd be on stock, I'd be vulnerable to many vulnerabilities including stagefright.

But I'm using an open source ROM called cyanogenmod, currently on Android 5.1 (cm 12.1). I upgraded to a newer nightly after patches were made to fix stagefright, and now I'm not vulnerable. I could also have installed a version of cyanogenmod from KitKat that back ported the patch.

So yes, open source can and has addressed this. If your device is supported by cyanogenmod, you can fix it.

Note that marshmallow cm builds are expected to be released soon, and afaik my device (S3) will still be supported: this would make my device upgradable 2 entire major releases after the manufacturer dropped support.

[pjmlp]

That doesn't work for the common user.

[ikeboy]

No open source solution can. Even if it was a patch downloaded on top of stock, you can't get people to upgrade if it's not automatic/promoting them.

[breakingcups]

In fact, there are already Marshmallow nightlies for the S3.

Interesting is that, even though you are running 12.1 on the S3, there was never an official CyanogenMod release for the S3, only unofficial ones. But now a maintainer has stepped up, made MM (CM 13) run on the S3 again and we get our official releases again.

[ikeboy]

https://download.cyanogenmod.org/?device=d2spr looks pretty darn official to me.

And I don't see any CM 13 releases yet. I thought they were expected to drop in a few weeks.

Edit: I assume you were talking about the international version. That does seem to have skipped lollipop. I also came across unofficial builds of 13 for my device, but I'm not upgrading until I have debug time.