While I’m an expert in one or two areas, I know next to nothing about the pointlessly complex rituals of installing smartphone ROMs, and I’m not eager to spend days of my life trying to shave that particular yak.
After hearing some good things about CyanogenMod over the years, I decided to try it today on an old phone that’s fundamentally solid but now too slow to be usable. I was quickly bewildered by the complexity of the rooting/unlocking process, and relieved when I found that the CM installer claims to take care of all this for you.
I went to get.cm on the phone as instructed, and got a huge confusing homepage full of builds, not the installer I’d been promised. I did some digging and found this notice:
This apparently happened in November 2015, so CM has been without one of its biggest selling points — ease of installation — for about 6 months now. Worse, those in the know have actively avoided giving information or updates on the situation. Worst of all, a search for “cyanogenmod installer” yields only copies on untrustworthy, malware-ridden software-download sites like softonic.
Meanwhile, the forums are a walled garden — you have to sign up an account for that specific forum in order to earn the privilege of posting a simple question — and the signup process rejects Fastmail addresses.
What mystifies me is how denying service to their users could possibly seem like an appropriate reaction to the discovery of an exploit. Surely it’s the CM builds and not the installer that are the problem? I don’t want to harp on this too much because it’s a distraction from my main point:
This is a great example of how taking a totalitarian, alarmist approach to security usually makes things worse. Those responsible for CM have, apparently in the name of protecting its reputation at all costs, not only left a major (majority?) section of their user-base high and dry, but encouraged potential users to run spyware-infested versions of the installer by pulling the official version indefinitely.
Potential users who’d be happy to wait a month or two to get the installer back, like me, have no reason to assume that will ever happen; we therefore have to either wait indefinitely or take the risk of getting pwned by downloading third-party-hosted versions of the installer. Refusing to make a single concrete assurance — like any responsible organisation would do — shows that CM only cares about its expert users, and while I’d be willing to take a small risk of having my phone exploited, I’m definitely not willing to knowingly infest my workstation with spyware, and I’ve been around long enough to know that software developers who refuse to commit themselves to any kind of schedule stand a good chance of never delivering at all.
As far as I can tell, this is the situation as of today: the CyanogenMod installer was a fantastic usability experiment that brought many new users to the project, but it’s dead now. CM is back to the status of an experts-only ROM like all the others, and will stay that way.