zlacker

GrapheneOS accessed Android security patches but not allowed to publish sources

submitted by uneven+(OP) on 2025-09-11 07:43:12 | 337 points 84 comments

1. mcflub+vG 2025-09-11 13:42:06
>>uneven+(OP)
"They can easily get it from OEMs or even make an OEM."[0]

I agree with their points in the thread, but could Graphene "become" an OEM to get access to the security patches sooner? Just curious.

[0] https://grapheneos.social/@GrapheneOS/115164297480036952

2. stebal+0J 2025-09-11 13:53:43
>>uneven+(OP)
The bigger headline is that Google is effectively giving attackers 3-4 months of advance access to security patches: https://grapheneos.social/@GrapheneOS/115164183840111564.
8. Miaour+lP 2025-09-11 14:26:22
>>honeyb+UL
You mean the changes Pixel phones have had since late 2021? /s https://grapheneos.social/@GrapheneOS/115176133102237994
14. stebal+VU 2025-09-11 14:59:26
>>uneven+(OP)
The solution (heavily) alluded to by GrapheneOS in https://grapheneos.social/@GrapheneOS/115164212472627210 and https://grapheneos.social/@GrapheneOS/115165250870239451 is:

1. Release binary-only updates (opt-in). 2. Let the community (a) make GPL source requests for any GPLed components and (b) let the community reverse engineer the vulnerabilities from the binary updates. 3. Publish the source once everything is public anyways.

Which just shows how utterly ridiculous all this is.

18. transp+uZ 2025-09-11 15:24:31
>>uneven+(OP)
Related discussion earlier this week, >>45158523
37. neobra+fm1 2025-09-11 17:41:03
>>dijit+Nh1
There's a concept of "separate works", see for example https://www.gnu.org/licenses/gpl-faq.html#GPLCompatInstaller .

Tangentially, I assumed that the GPL must have some built-in exception for running non-GPL userspace programs on top of a GPLed kernel (similar to the System Library exception). However, it seems like it doesn't, since the Linux kernel has its own exception to allow this: https://spdx.org/licenses/Linux-syscall-note.html.

40. mkespe+Rr1 2025-09-11 18:16:05
>>uneven+(OP)
The CRA should hopefully help here. See Cyber Resilience Act Article 14 (Reporting obligations of manufacturers): https://www.cyberresilienceact.eu/the-cyber-resilience-act/#
45. lawn+VC1 2025-09-11 19:20:54
>>t1234s+rl1
GrapheneOS is by far the better OS, security- and privacy-wise.

It should be the default choice for everyone IMO, as long as they have a phone that supports it.

See this comparison: https://eylenburg.github.io/android_comparison.htm

53. raron+lX1 2025-09-11 21:47:27
>>cyphar+4m1
That is explicitly mentioned in the GPL FAQ:

https://www.gnu.org/licenses/gpl-faq.html#MereAggregation

72. dangus+3n3 2025-09-12 13:26:18
>>uneven+(OP)
I wish we had more choices beyond Android and iPhone.

I think this thread makes it quite clear that Android is not a secure OS, period. Like, maybe it’s safer on a Pixel with Google’s own distribution, but even still, Graphene is claiming that Google’s team is stretched thin and isn’t fixing issues from 2024.

Meanwhile, Apple is allegedly building the most secure devices you can connect to the Internet: https://techcrunch.com/2025/09/11/apples-latest-iphone-secur...
