zlacker

[return to "GrapheneOS accessed Android security patches but not allowed to publish sources"]
1. LinAGK+pJ[view] [source] 2025-09-11 13:55:38
>>uneven+(OP)
So basically to summarize, Google embargoes security patches for four months so OEMs can push out updates more slowly. And if those patches were immediately added to an open source project like GrapheneOS, attackers would gain info on the vulnerabilities before OEMs provide updates (the GrapheneOS project can see the patches, but they can't ship them). But a lot of patches end up being leaked anyway, so the delay ends up being pointless.
◧◩
2. lima+HP[view] [source] 2025-09-11 14:28:35
>>LinAGK+pJ
The stupidest part is that, according to the thread, OEMs are allowed to provide binary only patches before the embargo ends, making the whole thing nonsensical since it's trivial to figure out the vulnerabilities from the binaries.

Fun fact: Google actually owns the most commonly used tool, BinDiff ;)

◧◩◪
3. nroets+UQ[view] [source] 2025-09-11 14:34:52
>>lima+HP
Unless the OEMs bundle numerous changes with the security patch(es).

(I'm not saying it happens. I just theorise how the policy could have been envisaged)

◧◩◪◨
4. numpad+Hv1[view] [source] 2025-09-11 18:39:04
>>nroets+UQ
In the good old days, there were exploits patched years prior by some OEMs that were never upstreamed even to Google. New rooting apps come out and... just doesn't work. I don't know if that still happens, though.
[go to top]