)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":28423,"name":"Ramii Ahmed","display_name":"Ramii Ahmed","email":"ramii.ahmed.ramy@gmail.com","username":"Ramisky","avatars":[{"url":"https://www.gravatar.com/avatar/19efdedd54b35d6dccf6a978fb6d2894.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/19efdedd54b35d6dccf6a978fb6d2894.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/19efdedd54b35d6dccf6a978fb6d2894.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/19efdedd54b35d6dccf6a978fb6d2894.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}],"status":"Studying"},"change_message_id":"22004ff0dcf3b4ea1571db913c7bf65288286f9c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"39862c7d_6eecb768","updated":"2024-02-20 22:14:23.000000000","message":"I think that shipping custom MicroG is indeed a better idea than hardcoding keys, Mostly because yes, I\u0027m pretty sure the resources needed for that to be automated aren\u0027t that extensive.","commit_id":"9c86a47e24b1d1e2ba317503d279cfd1628ef06e"},{"author":{"_account_id":25732,"name":"Sebastiano Barezzi","email":"seba@sebaubuntu.dev","username":"SebaUbuntu","avatars":[{"url":"https://www.gravatar.com/avatar/69c46a8345ae75b24d8966f7cea1a88f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/69c46a8345ae75b24d8966f7cea1a88f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/69c46a8345ae75b24d8966f7cea1a88f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/69c46a8345ae75b24d8966f7cea1a88f.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}],"status":"🌐, 🎤, 📷, 🖼️, 🎵, 👑"},"change_message_id":"df890e399506226279dcaf44b117e763084dd079","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"88b577ac_e86be4e4","updated":"2024-02-20 22:09:54.000000000","message":"Instead of hardcoding third party public keys (\u003d no control over the keys, keys can leak blah blah), how about providing flashable zips (like MTG) but with GmsCore signed with LineageOS platform keys?","commit_id":"9c86a47e24b1d1e2ba317503d279cfd1628ef06e"},{"author":{"_account_id":33489,"name":"Golla Bertrub","email":"gollabertrub@gmail.com","avatars":[{"url":"https://www.gravatar.com/avatar/2af3cbe6eb1ca7bf5aa23defe29800b4.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/2af3cbe6eb1ca7bf5aa23defe29800b4.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/2af3cbe6eb1ca7bf5aa23defe29800b4.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/2af3cbe6eb1ca7bf5aa23defe29800b4.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"change_message_id":"00dde6ad8ebb4a4005b3f91b4a9b98ed02580bbe","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"37adc63d_f7c30895","in_reply_to":"5cd1d735_3e3cf18f","updated":"2024-02-21 09:04:46.000000000","message":"If you wanted to make it something tied to a flashable zip, one option would be to allow apps in system dir to do signature spoofing, independent of their signature. Then microg could provide a flashable zip to install the two microg components to system dir.\n\nSome might wonder if there\u0027s anything to do security-wise for the flashable zip, as malicious flashable zips could then use signature spoofing. But malicious flashable zips can already do *everything*, so that\u0027s really a non-issue.\n\nAlso, signatures for system apps are not even verified (see https://github.com/LineageOS/android_frameworks_base/blob/lineage-21.0/core/java/android/content/pm/PackageParser.java#L1428), so technically microg could already today provide such a flashable zip and spoof a google signature. They don\u0027t, because that way it wouldn\u0027t be possible for users to easily install updates (signatures of updates to system apps are properly verified). Also this would be a more invasive way of signature spoofing, because even the OS and all its security APIs relying on signatures (like permissions with signature level, shared uid, etc) would be affected.\n\nAll in all, I think the solution in this patch is superior, providing better security for the users than any of the alternatives (asking users to install a flashable zip really isn\u0027t a good solution from security perspective).","commit_id":"9c86a47e24b1d1e2ba317503d279cfd1628ef06e"},{"author":{"_account_id":2195,"name":"Chirayu Desai","email":"lineageos-gerrit@cdesai.in","username":"cdesai","avatars":[{"url":"https://www.gravatar.com/avatar/f47c3cc398b82ea856fbc0e8b4109eb6.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/f47c3cc398b82ea856fbc0e8b4109eb6.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/f47c3cc398b82ea856fbc0e8b4109eb6.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/f47c3cc398b82ea856fbc0e8b4109eb6.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"change_message_id":"9a86ee583437ffb24b31087fdcd5f9bc3525113a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"5cd1d735_3e3cf18f","in_reply_to":"88b577ac_e86be4e4","updated":"2024-02-20 22:17:48.000000000","message":"Note that this doesn\u0027t give that much access either way. Let\u0027s say the keys leak, then what? Someone could make a rogue `com.google.android.gms` that is allowed to spoof signature on LineageOS, but that\u0027s all the access this gets you.\n\nJust to keep things simpler.","commit_id":"9c86a47e24b1d1e2ba317503d279cfd1628ef06e"}],"services/core/java/com/android/server/pm/ComputerEngine.java":[{"author":{"_account_id":11801,"name":"Joseph Annareddy","email":"javelinanddart@gmail.com","username":"javelinanddart","avatars":[{"url":"https://www.gravatar.com/avatar/0df5381571b66bb61674368f2bfc3e60.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/0df5381571b66bb61674368f2bfc3e60.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/0df5381571b66bb61674368f2bfc3e60.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/0df5381571b66bb61674368f2bfc3e60.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"change_message_id":"62de51b4d4d9f0162f4db59efe82093b40009519","unresolved":true,"context_lines":[{"line_number":1466,"context_line":"        // Allowlist the following apps:"},{"line_number":1467,"context_line":"        // * com.android.vending - microG Companion"},{"line_number":1468,"context_line":"        // * com.google.android.gms - microG Services"},{"line_number":1469,"context_line":"        if (!p.getPackageName().equals(\"com.android.vending\") \u0026\u0026"},{"line_number":1470,"context_line":"                !p.getPackageName().equals(\"com.google.android.gms\")) {"},{"line_number":1471,"context_line":"            return false;"},{"line_number":1472,"context_line":"        }"}],"source_content_type":"text/x-java","patch_set":1,"id":"16f664c9_db36f3de","line":1469,"updated":"2024-02-21 05:35:11.000000000","message":"One thought would be to make this a list somewhere up above and do list.contains(). However given this list is just 2 apps and is fixed, it might not be worth it.","commit_id":"9c86a47e24b1d1e2ba317503d279cfd1628ef06e"},{"author":{"_account_id":10067,"name":"Łukasz Patron","email":"priv.luk@gmail.com","username":"luk1337","avatars":[{"url":"https://www.gravatar.com/avatar/63c52ed7e79934b002d63a86e9b9d78a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/63c52ed7e79934b002d63a86e9b9d78a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/63c52ed7e79934b002d63a86e9b9d78a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/63c52ed7e79934b002d63a86e9b9d78a.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"change_message_id":"868c038baf317f13bfd102eec7f8b866ebe10717","unresolved":true,"context_lines":[{"line_number":1466,"context_line":"        // Allowlist the following apps:"},{"line_number":1467,"context_line":"        // * com.android.vending - microG Companion"},{"line_number":1468,"context_line":"        // * com.google.android.gms - microG Services"},{"line_number":1469,"context_line":"        if (!p.getPackageName().equals(\"com.android.vending\") \u0026\u0026"},{"line_number":1470,"context_line":"                !p.getPackageName().equals(\"com.google.android.gms\")) {"},{"line_number":1471,"context_line":"            return false;"},{"line_number":1472,"context_line":"        }"}],"source_content_type":"text/x-java","patch_set":1,"id":"7496a6b0_6aeb701a","line":1469,"in_reply_to":"16f664c9_db36f3de","updated":"2024-02-21 07:38:49.000000000","message":"I thought of having a map of packageName -\u003e (real, fake) but in the end, I think that might be an overkill for something like this.","commit_id":"9c86a47e24b1d1e2ba317503d279cfd1628ef06e"},{"author":{"_account_id":13648,"name":"Bruno Martins","email":"bgcngm@gmail.com","username":"bgcngm","avatars":[{"url":"https://www.gravatar.com/avatar/3d939ee28d51d14e76de3a4510b309ce.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/3d939ee28d51d14e76de3a4510b309ce.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/3d939ee28d51d14e76de3a4510b309ce.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/3d939ee28d51d14e76de3a4510b309ce.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"change_message_id":"fed966554fd6a2e3ba5e97e979c691228fa441b9","unresolved":false,"context_lines":[{"line_number":1466,"context_line":"        // Allowlist the following apps:"},{"line_number":1467,"context_line":"        // * com.android.vending - microG Companion"},{"line_number":1468,"context_line":"        // * com.google.android.gms - microG Services"},{"line_number":1469,"context_line":"        if (!p.getPackageName().equals(\"com.android.vending\") \u0026\u0026"},{"line_number":1470,"context_line":"                !p.getPackageName().equals(\"com.google.android.gms\")) {"},{"line_number":1471,"context_line":"            return false;"},{"line_number":1472,"context_line":"        }"}],"source_content_type":"text/x-java","patch_set":1,"id":"c615076e_235a0e33","line":1469,"in_reply_to":"7496a6b0_6aeb701a","updated":"2024-02-21 11:05:25.000000000","message":"Done","commit_id":"9c86a47e24b1d1e2ba317503d279cfd1628ef06e"}]}