Security Updates

Just to bump this - could anyone in the Mudita team provide some very basic instructions on installing Lineage GSI on Mudita? I know it’s possible (as I’ve done it before) but the process is a bit convoluted and it would be a testament to the company’s ethos to allow users to own their device and install other operating systems on it.

Would a response from the Mudita team be possible?

2 Likes

Lineage is fantastic for security-focused people. Do they have a version for the MK? That would solve my security concerns with their OS and vague outline of how they’ll do security updates.

3 Likes

@jayloofah I responded in another thread. I saw the question there as well:

1 Like

How would it compromise MuditaOS? Lineage is its own OS. If you’re flashing Lineage, then you’re no longer running MuditaOS so there’d be nothing to compromise.

1 Like

@bone_naga Here’s what I meant by compromising MuditaOS K in a broader, technical and functional sense: it’s not about damaging the OS itself, but the entire software integrity and design architecture it depends on.

MuditaOS runs on a locked bootloader that ensures only signed, verified system images can run on the device.

  • Unlocking that bootloader to install Lineage disables verified boot (AVB), which protects the OS from unauthorized modifications.
  • Once that’s gone, the chain of trust that guarantees the authenticity of MuditaOS K and its updates is permanently broken.
    Even if you reinstall MuditaOS later, the device would no longer be considered cryptographically secure, hence, “compromised.”

Additionally, MuditaOS K is also designed for specific hardware configurations (E Ink display, custom power management, Offline+ switch, etc.).
Flashing Lineage could overwrite partitions and functions critical for those hardware interactions.

This is just my speculation because I am not familiar with LineageOS.

1 Like

So it only affects security if you go through all of that and then return to MuditaOS.

It would be better if Mudita just built their next OS off of Lineage so it would have all the security features, which Mudita doesn’t seem to be that transparent about right now. Then they could add in the hardware specific stuff for e-ink and such.

Meanwhile, the US is heavily stepping up electronic surveillance and is already targeting people based on what they say online. Security and digital privacy are rapidly becoming “must haves” instead of “nice to haves.”

3 Likes

@anon7028788 That’s such a wonderful message to read & thanks for sharing your experience! We’re really glad to hear that returning to the Kompakt has been such a positive and mindful choice for you. It sounds like you’ve found the perfect balance between functionality and focus, using it exactly as it was intended, as a tool that supports real life, not distracts from it.
Enjoy those moments on the soccer field with your kids, and we’re so happy to have you on the Mudita Forum again!

1 Like

That sounds promising, but it would be nice to get some more details on what it actually means.

2 Likes

The silence around security is deafening.

I’ve decided that I’ll wait until the next 1.4 update and see if there’re new patches or even just clarification for the security model, before potentially selling my Kompakt. And by security model I mean concrete information about how new security patches are/will be backported/implemented to AOSP 12. I’d love to use Kompakt but I’m afraid I don’t have any use for it if security remains questionable. Not expecting GrapheneOS-level hardening or anything like that, but just some basic security so I can trust the device with my and my loved ones’ personal data. All we know about Kompakt security updates until now is that the update 1.2 brought some minor UI tweaks.

7 Likes

I think that this will really need to be spoken about in an upcoming update. Security concerns are not a small deal. Especially if this is an important and bespoken feature of a device from Mudita.

6 Likes

Sorry for spamming this thread, but just as an update, we now have a good (scary) litmus test: a critical vulnerability that’s been patched in AOSP 13 and above.

The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

https://source.android.com/docs/security/bulletin/2025-11-01

2 Likes
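
An added example, not part of any post above and not Mudita's code: a shell check over a saved `adb shell getprop` dump that reports the two things the thread discusses, the bootloader/verified-boot state and whether the security patch level is at least the date of the linked bulletin. It assumes the device exposes the standard Android properties `ro.boot.verifiedbootstate`, `ro.boot.flash.locked` and `ro.build.version.security_patch`; the sample dump is constructed, not taken from a real Kompakt.

```shell
#!/bin/sh
# Constructed sample in `getprop` output format ("[key]: [value]").
SAMPLE_PROPS='[ro.build.version.release]: [12]
[ro.build.version.security_patch]: [2023-08-05]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.flash.locked]: [1]'

# prop DUMP KEY -> value of KEY, or empty output if the key is absent.
# Matches the key literally (dots are not treated as wildcards).
prop() {
    printf '%s\n' "$1" | awk -v k="[$2]: [" '
        index($0, k) == 1 {
            v = substr($0, length(k) + 1)
            sub(/\][ \t\r]*$/, "", v)   # drop closing bracket and any CR from adb
            print v
            exit
        }'
}

# boot_state DUMP -> locked-verified | unlocked | unknown
# green = locked, image verified against the OEM key; orange = unlocked.
boot_state() {
    vb=$(prop "$1" ro.boot.verifiedbootstate)
    locked=$(prop "$1" ro.boot.flash.locked)
    if [ "$vb" = green ] && [ "$locked" = 1 ]; then
        echo locked-verified
    elif [ "$vb" = orange ] || [ "$locked" = 0 ]; then
        echo unlocked
    else
        echo unknown
    fi
}

# patch_status DUMP BULLETIN_DATE -> current | behind | unknown
# Dates are YYYY-MM-DD, so stripping dashes gives comparable integers.
patch_status() {
    have=$(prop "$1" ro.build.version.security_patch | tr -d '-')
    want=$(printf '%s' "$2" | tr -d '-')
    case "$have" in
        ''|*[!0-9]*) echo unknown; return ;;
    esac
    if [ "$have" -ge "$want" ]; then echo current; else echo behind; fi
}

echo "boot state: $(boot_state "$SAMPLE_PROPS")"
echo "patch level vs 2025-11-01: $(patch_status "$SAMPLE_PROPS" 2025-11-01)"
```

To check a real device, replace `SAMPLE_PROPS` with the output of `adb shell getprop` saved from that device.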