[return to "GrapheneOS accessed Android security patches but not allowed to publish sources"]
1. LinAGK+pJ 2025-09-11 13:55:38
>>uneven+(OP)
So basically to summarize, Google embargoes security patches for four months so OEMs can push out updates more slowly. And if those patches were immediately added to an open source project like GrapheneOS, attackers would gain info on the vulnerabilities before OEMs provide updates (the GrapheneOS project can see the patches, but they can't ship them). But a lot of patches end up being leaked anyway, so the delay ends up being pointless.
2. tester+S11 2025-09-11 15:39:01
>>LinAGK+pJ
How does this work legally? If Android AOSP is open-source, once one OEM updates, surely the owner gets the legal right to request sources. IIRC the maximum delay is 30 days.
3. immibi+q43 2025-09-12 10:37:47
>>tester+S11
Have you ever tried requesting the source code for your phone?

They'll either ignore you, or give you something that is obviously not the source code (e.g. huge missing sections; often they'll only produce kernel code and not even a way to compile it). Law be damned. They don't follow it and nobody is forcing them to.
