Thank you for this headsup! This ROM is a dream come true,
This is more straightforward and more secure than regular LOS + Tingle + my flashable ZIP and should be the first option for users relying on Gobble Services in their phones.
The way signature spoofing is implemented in the custom LOS for mG, it is as safe as possible. Only privileged system apps* can obtain that permission. It follows the Android security model. And @larma knows a lot about it.
It surely exposes a new vector of attack, but c’mon, only an app getting superuser rights can force their installation on system. And if it already has superuser rights (
root user, see * below), it has all rights to do whatever it wants to.
My bet here is that LineageOS devs just don’t want to poke Gobble’s nose (again), because although Gobble cannot take legal actions for custom ROMs —they are based on AOSP, which is libre software, and thus forkable—, they can invoque a variety of companies that can do it for the redistribution of BLOBs or just render custom ROMs useless (e.j. by replacing Android’s bootloader with a new one less permissive that cannot be forced to install custom recoveries).
*= system apps in Android can be normal or privileged, depending on the folder where they are installed. If they are in
/system/app, they have same privileges as user apps, but they just cannot be uninstalled. If they are on
/system/priv-app, then they can request some special permissions right from the
system user (user #1000, which still less powerful than
root, user #0)
P.S.: I’ve remembered a ROM I used on my former mako and I think this LOS+mG ROM is its closest and updated spiritual successor: BRNmod. It also included some other neat privacy-oriented removals.