There aren't a lot of recent devices supported.
That's alright though. Recent devices still have manufacturer's support. LOS is a godsend for the older devices, often not as powerful as the new ones, that really need the lightweight, bloat-free Android for smooth operation.
Why is this?
Because it is more profitable for smartphone makers if you need to buy a new one.
Unless there's legislation to force them to allow enrolling new keys or otherwise disabling secure boot, the abuse will continue.
Most modern manufacturers disallow unlocking the bootloader and flashing unsigned firmware, which is a requirement for this kind of thing.
LineageOS isn't unsigned, it just happens to be signed by keys that are not "trusted" (i.e., allowed - thanks for the correction!) by the phone's bootloaders.
"Not allowed" is clearer language here.
That's effectively the same thing.
The whole point of the majority of PKI (including Secure Boot) is that some third party agrees that the signature is valid; without that, even though it's “technically signed”, it may as well not be.
I disagree. If LineageOS builds were actually unsigned, I would have no way of verifying that release N was signed by the same private-key-bearing entity that signed release N-1, which I happen to have installed. It could be construed as the effective difference between a Trust On First Use (TOFU) vs. a Certificate Authority (CA) style ecosystem. I hope you can agree that TOFU is worth MUCH more than having no assurance about (continued) authorship at all.
Yes, I understand the value of signatures, but that's not how PKI works.
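The two trust models argued over in this thread, as an added example that is not part of any comment and not LineageOS or bootloader code: the same validly signed image is refused by a fixed allowlist (the locked-bootloader, CA-style case) yet gives a TOFU verifier continuity from release N-1 to release N. Textbook RSA over Mersenne primes is a deliberately insecure stand-in so the block runs on the standard library alone; every key and name below is constructed.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def make_key(p, q):
    """Toy RSA key from two known primes; returns (modulus n, private d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(image, n):
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n

def sign(image, key):
    n, d = key
    return pow(digest(image, n), d, n)

def signed_by(image, sig, n):
    """True if sig is a valid signature over image under public modulus n."""
    return sig is not None and 0 <= sig < n and pow(sig, E, n) == digest(image, n)

# Constructed keys (assumption: stand-ins for vendor, community and unknown signers).
VENDOR_KEY = make_key(2**127 - 1, 2**89 - 1)
COMMUNITY_KEY = make_key(2**107 - 1, 2**61 - 1)
OTHER_KEY = make_key(2**89 - 1, 2**61 - 1)

def allowlist_accepts(image, sig, trusted_moduli):
    """CA-style check: the signer must be in a set fixed by a third party."""
    return any(signed_by(image, sig, n) for n in trusted_moduli)

class TofuPin:
    """Pins the signer of the first accepted release; later releases must match."""
    def __init__(self):
        self.pinned = None

    def accepts(self, image, sig, claimed_n):
        if not signed_by(image, sig, claimed_n):
            return False              # unsigned or invalid: nothing to pin or compare
        if self.pinned is None:
            self.pinned = claimed_n   # first use: trust and remember this signer
            return True
        return claimed_n == self.pinned  # continuity of authorship, no third party
```
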