- Related discussion earlier this week, https://news.ycombinator.com/item?id=45158523
- So basically to summarize, Google embargoes security patches for four months so OEMs can push out updates more slowly. And if those patches were immediately added to an open source project like GrapheneOS, attackers would gain info on the vulnerabilities before OEMs provide updates (the GrapheneOS project can see the patches, but they can't ship them). But a lot of patches end up being leaked anyway, so the delay ends up being pointless.
by stebalien
2 subcomments
- The bigger headline is that Google is effectively giving attackers 3-4 months of advanced access to security patches: https://grapheneos.social/@GrapheneOS/115164183840111564.
by ChocolateGod
1 subcomments
- > Android security patches are almost entirely quarterly instead of monthly to make it easier for OEMs. They're giving OEMs 3-4 months of early access which we know for a fact is being widely leaked including to attackers.
Android is over 15 years old and Google still hasn't fixed the update mess. Google should be in charge and ship security updates, not OEMs. You don't see Dell responsible for Windows security updates.
- The solution (heavily) alluded to by GrapheneOS in https://grapheneos.social/@GrapheneOS/115164212472627210 and https://grapheneos.social/@GrapheneOS/115165250870239451 is:
1. Release binary-only updates (opt-in).
2. Let the community (a) make GPL source requests for any GPLed components and (b) reverse engineer the vulnerabilities from the binary updates.
3. Publish the source once everything is public anyways.
Which just shows how utterly ridiculous all this is.
- The CRA should help here hopefully. See Cyber Resilience Act Article 14 – Reporting obligations of manufacturers https://www.cyberresilienceact.eu/the-cyber-resilience-act/#
- One thing that seems positive is that it is now possible to release binary patches earlier than before, isn't it? My understanding is that before, OEMs had to wait for 1 month, and now they can release the binary patches right away.
I see a lot of people saying how the whole thing is completely ridiculous, but this part seems like a win.
- I wish we had more choices beyond Android and iPhone.
I think this thread makes it quite clear that Android is not a secure OS, period. Like, maybe it’s safer on a Pixel with Google’s own distribution, but even still, Graphene is claiming that Google’s team is stretched thin and isn’t fixing issues from 2024.
Meanwhile, Apple is allegedly building the most secure devices you can connect to the Internet: https://techcrunch.com/2025/09/11/apples-latest-iphone-secur...
by honeybadger1
2 subcomments
- I don't understand Google's rationale here. What is the point in giving wind to the hackers' sails while also driving home the narrative that Android is a less secure system, especially after the recent changes related to the security of the latest iPhone?
by 9cb14c1ec0
2 subcomments
- This is ridiculous. Makes one wonder about the state of OEM development. It's not hard to build a CI pipeline for Android. There is no good reason OEMs can't be running test builds of ROMs with security patches within hours, and have QA done in a day or two, or a week max.
- The only responsible disclosure is full disclosure.
- I currently use LineageOS on my Pixel. Is it worth trying GrapheneOS?
- > Companies like NSO can easily obtain access. It's not a safe system.
If NSO group develops exploits, why would they have early access?
- If the smart plan of having others reverse-engineer the fixes won't work, I imagine they'll turn into a delayed-source product.
To my recollection, they always maintained that being open-source doesn't matter for security, after all.
by cyberkendra
0 subcomment
- Don't trust these guys.
by mcflubbins
4 subcomments
- "They can easily get it from OEMs or even make an OEM."[0]
I agree with their points in the thread, but could Graphene "become" an OEM to get access to the security patches sooner? Just curious.
[0] https://grapheneos.social/@GrapheneOS/115164297480036952