
I'm not convinced CyanogenMod (or any other variant) is actually that great; I have a Samsung Galaxy S2 (i9100 model), the last non-nightly CyanogenMod update was over a year ago now. There have been a number of CVEs issued for Android (and likely numerous others cover Android as a platform, covering OpenSSL for example) over that time period, so there's no way the phone is anywhere near up-to-date with security fixes.

CyanogenMod doesn't have any way to distinguish which phones are currently receiving security fixes in a timely manner and which are not; nor do they have any list of security advisories covering packages they distribute (go look at any notable desktop/server Linux distro — they all have public lists of security advisories and documentation of what release fixes them).

To my knowledge there is no Android distribution that has anywhere near the cohesive security story — and they're all miles behind any desktop OS.



CyanogenMod changed their release versioning. There are no more "stable" builds anymore, at all. You're supposed to run "monthly" or "milestone" or whatever they are called. Yes, I think they could have communicated this much better.


And anyone running the stable builds has therefore never been updated to an at all recent build… sighs

And looking at my phone, I have no idea how I'm meant to update to the milestone builds. The updater lets me select "stable" or "all (inc. nightly)", and nowhere do the milestone builds appear…

None of this is helping me believe there's really any decent security story. Abandon all users who don't check the website (or whatever) to find out about releases, trusting the built-in updater to provide updates. Never publish any security advisories that cover your distribution…


> I have a Samsung Galaxy S2 (i9100 model), the last non-nightly CyanogenMod update was over a year ago now.

Same. The newest version which supports my phone is years old, and there are major usability issues, particularly in the dialler interface. The manufacturer (HTC) UI was miles better (i.e., actually usable).


Are you sure? My Galaxy S 1 (one) still gets updates, as does my S3. They're monthly milestones now.

Maybe you need to install CM 11 first, so the system has a base to work with.

I think you can see if your phone gets updates if it's listed as CM11-supported.


It looks like there were snapshot builds in August and July (although how they differ from nightlies, I don't know). I thought I was on a snapshot from April, but it turns out I'm on a nightly.


There was a monthly in August something, and I just installed the latest one which is from today. It may not yet be built for all supported devices though.



