zlacker

[return to "GrapheneOS accessed Android security patches but not allowed to publish sources"]
1. LinAGK+pJ[view] [source] 2025-09-11 13:55:38
>>uneven+(OP)
So basically to summarize, Google embargoes security patches for four months so OEMs can push out updates more slowly. And if those patches were immediately added to an open source project like GrapheneOS, attackers would gain info on the vulnerabilities before OEMs provide updates (the GrapheneOS project can see the patches, but they can't ship them). But a lot of patches end up being leaked anyway, so the delay ends up being pointless.
◧◩
2. Hizonn+aS[view] [source] 2025-09-11 14:44:07
>>LinAGK+pJ
Fuck, and I cannot emphasize this enough, the OEMs.

I am so sick of security being compromised so stupid, lazy people don't have to do their jobs efficiently. Not like this is even unusual.

◧◩◪
3. microt+9g1[view] [source] 2025-09-11 17:01:20
>>Hizonn+aS
I don't think it is laziness per se. It's a combination of having far too many models (just look at Samsung's line-up, more than ten models per year if we don't count all the F and W variants), using many different SoCs from different vendors (just taking Samsung again as an example, using Qualcomm Snapdragon, Samsung Exynos, Mediatek Helio, Mediatek Dimensity, sometimes even a different chipset for the same phone model per region), each model supported for multiple years now on a monthly or quarterly update schedule (Samsung: recent A5x, Sxx, Sxx FE, Z Flip x, Z Flip 7 FE, Z fold x, Xcover x, etc. are on a monthly schedule). This across a multitude of kernel versions, AOSP versions (for older phones), OneUI versions (for phones that haven't been updated yet to the latest OneUI).

The must have literally over tens of different models to roll out security updates for, with many different SoCs and software versions to target.

And compared to other Android vendors, Samsung is actually pretty fast with updates.

It's true that other manufacturers have smaller line-ups, but they also tend to be smaller companies.

Compare that with Apple: every yearly phone uses the same SoC, only with variations in simpler things like CPU/GPU core counts.

◧◩◪◨
4. Hizonn+ni1[view] [source] 2025-09-11 17:15:03
>>microt+9g1
> I don't think it is laziness per se

You forgot the "stupid" part.

> It's a combination of having far too many models (just look at Samsung's line-up, more than ten models per year if we don't count all the F and W variants), using many different SoCs from different vendors > [...] > This across a multitude of kernel versions, AOSP versions (for older phones), OneUI versions (for phones that haven't been updated yet to the latest OneUI).

Those are choices. If you want to do that, you need a process that can support it.

I suppose it could be that they just don't care and are deliberately screwing their users, but never attribute to malice that which can be explained by incompetence and all that.

[go to top]