zlacker

[return to "GrapheneOS accessed Android security patches but not allowed to publish sources"]
1. LinAGK+pJ[view] [source] 2025-09-11 13:55:38
>>uneven+(OP)
So basically to summarize, Google embargoes security patches for four months so OEMs can push out updates more slowly. And if those patches were immediately added to an open source project like GrapheneOS, attackers would gain info on the vulnerabilities before OEMs provide updates (the GrapheneOS project can see the patches, but they can't ship them). But a lot of patches end up being leaked anyway, so the delay ends up being pointless.
◧◩
2. tester+S11[view] [source] 2025-09-11 15:39:01
>>LinAGK+pJ
How does this work legally? If Android AOSP is open-source, once one OEM updates, surely the owner gets the legal right to request sources. IIRC the maximum delay is 30 days.
◧◩◪
3. bri3d+161[view] [source] 2025-09-11 16:02:00
>>tester+S11
Almost all of AOSP is under the Apache or BSD licenses, not the GPL. Very few GPL components remain (the kernel being the large and obvious one).

So, yes, making a GPL request will work for the very few components still under GPL, if a vendor releases a binary patch. But for most things outside of the kernel, patch diffing comes back into play, just like on every closed-source OS.

◧◩◪◨
4. dijit+Nh1[view] [source] 2025-09-11 17:10:56
>>bri3d+161
weird tangential question then: when does GPL stop being infectious?

I would understand in a modular system like an operating system: one can argue that the kernel is a single component.

But if you're buying an appliance, the OS is effectively one single unit: all linked together.

Why does a binary executable and a binary image seem to operate differently in this space - both are inscrutable?

◧◩◪◨⬒
5. rollca+Rk1[view] [source] 2025-09-11 17:31:48
>>dijit+Nh1
The FSF has always been pretty clear on this: you use a linker (static or dynamic) = it applies; you don't = it doesn't. They even wrote LGPL with this distinction in mind, and introduced exceptions to yacc (bison) to accommodate non-free software.

In case of binary releases, you can request the sources of the relevant subcomponent (e.g. the kernel). The component boundaries are pretty clear wrt Linux: Torvalds has made it quite clear early on, that the kernel's GPL2 does not apply to anything in the user space.

Here also, the important distinction between GPL 2 & 3: with GPL3, it would be a breach of the license to ship code on a device that does not allow the end user to update that code. Which has effectively pushed everyone away from GPL3-licensed software.

IMHO the move to GPL3 has likely caused more harm than good to the FOSS ecosystem; in some alternative universe, GPL3 never happened, most of Android's userspace is GPL2, and we get the source for everything. In both universes we still don't get to deploy changes to devices we own, so IMHO the GPL3 won us nothing.

◧◩◪◨⬒⬓
6. pjmlp+4s5[view] [source] 2025-09-13 06:46:30
>>rollca+Rk1
Note that all FOSS OSes for embedded systems none of them are GPL based, Linux kernel is the only remaining GPL project amongst the alternatives.

Eventually everything comes to past, us in this realm, and the legacy left behind, eventually other projects will take Linux place, it can even be an heavily forked Linux.

[go to top]