Even though things are moving slowly at Replicant, we figured it was time to release another batch of Replicant 4.2 images. This release doesn’t add support for any new device, but has a focus on security instead, thanks to an active member of the community: Moritz (also known as My Self on the forums). For months, Moritz has been evaluating whether Replicant is affected by various vulnerabilities, retrofitting patches to close those vulnerabilities and submitting these for inclusion in Replicant. Thanks to his great work, this release includes fixes for security issues such as the Stagefright vulnerability or the Installer Hijacking vulnerability.
Since the previous release, all the Replicant-specific source code was moved over to git.replicant.us, that is gracefully hosted by the FSF. We are planning on moving all the Replicant source code over to that new server, so that we don’t have to rely on third parties such as CyanogenMod and AOSP to provide the full source code for Replicant. In the meantime, we have started tagging the commits used for each release and signing those tags with the Replicant release key, so that it’s possible to reliably retrieve the source code for a given Replicant release. Those tags are also combined in the release metadata’s git-tags.