Is It Foolish To Install an XDA Custom ROM?
I've gone through several rooting procedures on the XDA forums over the years. In the most recent one I tried to root my HTC Desire C (CDMA). It turns out that I nearly hosed the phone when I installed bootloaders that some senior members on here promoted with full confidence to users, yet neglected to ask if the user had a CDMA phone.
There is a thread on the HTC Desire C where a senior member provides a hacked version of a bootloader and ROM. The user then responds (on page 2 or 3 of 11+ pages) that their phone can't get beyond the 'dev bootloader', and effectively the senior member has provided a patch which hosed at least a few phones.
Subsequent threads appear which show users in the same situation I was in after applying the XDA hacks
. After hours of researching I found a workable bootloader and managed to get it flashed, and get my phone rooted. I doubt many people will be able to reproduce my results and get the phone rooted. I expect most people will give up on rooting, consider the phone locked, and just avoid going anywhere near the bootloader again.
Furthermore, the bootloader I downloaded in at least one thread for the HTC Desire C has an HTC Legal Message that causes concern on how the uploaded patch was originally obtained - i.e. was it obtained legally?
After spending ~12 hours learning all of the above, I embarked on seeing what XDA developers say is involved with creating a custom ROM. I was shocked. Even the most well-documented processes are incredibly horrid. They involve hacking binary files, fudging package names, and more sketchy procedures that any Android Engineer would expect to leave the OS in an unstable state; for example not using zipalign on system apps.
Any software engineer using binary-file hacking would expect to be unable to fix bugs in the software. To fix bugs efficiently and reliably (i.e. test and prove the bug is fixed), a software engineer needs source code.
But worst of all, the custom ROM and bootloader binaries have code that not even the author knows the origin of, as demonstrated in the Custom ROM developer guides/postings. If HTC or Google have tracking code in a binary, the custom ROM will have it too. If there is malware in the binary that might steal their passwords or other identification, the user has no way of knowing.
I've seen at least three (3) instances of supposedly popular XDA ROMs where a hacker has taken an existing ROM, hack it's binary files for the new target device, fix no bugs in the previous ROM, and introduce new ones in theirs. I've even seen ROM developers criticize other ROM developers for not fixing bugs, and then when I investigated the ROM from the complainant, I found they didn't fix any bugs either. Of course not, it appears to me the majority (all) of the hackers on XDA use binary files to create custom ROMs, with some hacking of text, XML (layouts, values, assets), and other text files - but not any actual JNI-C or Java code.
These custom ROMs are not open source. I'm skeptical they're even legally complying with the open source licenses in the original code. It is certain that any and all files used for the development of a custom ROM available from XDA are also obligated to follow the Apache2 license that governs the OS build (I'm not sure which licenses cover the bootloaders), yet it's quite difficult on XDA to find links to custom ROM source files.
That latter point makes the entire process of hacking binary files to generate a custom ROM completely untrustworthy. Contrast this with CyanogenMod which provides (or attempts to provide) techniques to build custom Android ROMs from source, and which provides a lineage of ROMs with stability ratings.
It doesn't benefit an open-source community to propagate software with bugs, lacking sources, and possibly in violation of licensing. Since this forum is not a Q&A thread, I won't ask people to stop, I'll demand it. Since that never works, I would have to wish XDA the shortest lifespan possible. Delete this thread and I'll post it elsewhere, where XDA users can't comment.