[amluto]

I'm rather puzzled by all the fuss about this signature spoofing thing. As far as I can tell, the microg team has not proposed what seems to me to be the obvious solution: allow signature spoofing for system apps and their downloaded replacements only. So users can't install a signature-spoofed app unless they do it as root or using a .zip update. No risk of users clicking the wrong box or being dumb. Heck, one of LineageOS's review comments even offered this as a potential option with no meaningful reply.

What am I missing?

Edit: here's the review comment:

> Adnan Begovic > Oct 8, 2015 > > Patch Set 2: > > Also "dangerous" doesn't limit third party apps from using it, you'd have to limit this explicitly to system|signature if you wanted any realm of a security model.

That doesn't sound like "politics" to me. That's a spot-on reply.

[SifJar]

Sounds like they do this: https://lineage.microg.org/#faq7

> Moreover, to further strengthen the security of our ROM, we modified the signature spoofing permission so that only system privileged apps can obtain it, and no security threat is posed to our users.

[amluto]

Sure, but did they submit a patch like that to Lineage OS? As far as I can tell, they didn't.

[larma]

The patch was submitted, it's unfortunately not visible to the public: https://review.lineageos.org/194562

[petecox]

It seems like such a small one method change, in the context of forking an entire distro.

I wonder if PackageManagerService is hard coded in many places, rather than using XML dependency injection. If the latter then may it be possible to override the method in a subclass, e.g. MicroGPackageManagerService and distribute the change via a once-only installable zip?

That way Lineage OS doesn't need to break security, only downstream.