microg lineage forked from lineageOS because lineage developers considered the signature spoofing in microg to be a security vulnerability. Signature spoofing and microg are mentioned in these forums, and microg is mentioned in e foundation web pages, but I haven’t found an explanation of e’s position on the security issue. Is there one?
Crickets? (And a few more characters to meet Discourse’s requirements of 20)
I don’t think there’s much of a security issue to be honest. The Lineage folks probably consider a number of things risks and so don’t include support for them in their ROM (OMS/Substratum support for instance). Signature spoofing is a requirement of microG so if sigspoofing is really a security risk then running /e/ would not be a good thing. IMO I doubt the e.foundation would go through all this to put out an inherently vulnerable product.
Unlocking, rooting, and flashing stuff from who knows where opens up risks anyway. Anyway, in the years that I’ve run microG-based ROMs I haven’t seen or read anything concerning actual vulnerability issues with signature spoofing.