Mastodawn

@GrapheneOS

I'm glad you brought this to my attention!

But i have to say, from someone not reading the GrapheneOS forum every day, this reads like the writer was kinda angry, which is not the best of looks.

However, it made someone i know with a FP5 check its vendor SPL, just to realize it's a YEAR out of date.
He now wants to switch to Lineage, as FPOS is not an option because of the google stuff.

Might not be GrapheneOS-Levels of security, but at least his firmware will be more up-to-date

@heikomat Android does not have a separate user-facing vendor patch level. The Android security patch level covers the whole OS including the kernel and drivers. It also covers firmware. Android Security Bulletins cover the kernel, drivers and firmware. Look at the Android Security Bulletins and you'll see they have a YYYY-MM-01 section for AOSP userspace ppatches and then a YYYY-MM-05 section for the rest. Each patch level includes all previous patch levels. 01 patch levels include 05 ones.

@GrapheneOS I'm not sure i fully understand. If the Android Security Patch level also covers firmware, i would assume that it can not be newer than the patch-level from the vendor-blobs.

The person with the FP5 issued this command:

adb shell getprop | grep -e security_patch

and got this response:
[ro.build.version.security_patch]: [2025-06-05]
[ro.vendor.build.security_patch]: [2024-06-05]

(notice the 2024)

His (german) Settings-UI Says "Android Sicherheitsupdate: 5. Juni 2025"

https://support.fairphone.com/hc/en-us/articles/18682800465169-Fairphone-5-Release-Notes

@heikomat Android Security Bulletins and the corresponding patch level cover driver and firmware patches. The user displayed patch level is meant to be the lowest patch level for the device. Fairphone says the Fairphone 5 is on the June 2025 patch level:

The drivers and firmware should be on the June 2025 patch level for them to say that. It's likely Fairphone made a mistake in setting the vendor patch level. It's quite possible they did also miss a lot of patches.

@heikomat Fairphone's stock OS typically has 1-2 months of delay for applying the security patch backports. It should be noted that these backports covered by the Android Security Bulletins are NOT the full Android privacy/security patches which require the latest stable release. Take a look at the Android Security Bulletins and notice that they only list High and Critical severity patches. That's because they only cover what they backport to older initial yearly releases, not everything.

GrapheneOS

@heikomat The current release of Android is the July monthly release of Android 16. Prior to Android 16 being released in June, it was the May monthly release of Android 15 QPR2. Android 15 QPR2 is much closer to Android 16 than it is to Android 15 because quarterly releases are as large as yearly releases. The backports for Android 13, 14, 15 and 16 are partial backports of MOST High and Critical severity patches for AOSP to the INITIAL yearly release of Android 13, 14, 15 and 16.

@GrapheneOS I think i now see where the misunderstanding happened. I never mentioned that the person with the FP5 is currently running /e/-os, which is afaik the reason his firmware is outdated, and why he wants to switch to lineage, because lineage pulls the vendor image from FP directly

@heikomat Well, you can see what we're talking about both in terms of it lagging behind on patches and covering it up in the user interface. Have them check the rest of the user interface including the additional information available in the sub-menu for the Android version if that's available.

Standard Android devices have a single patch level set to the minimum of what's provided. LineageOS sets that incorrectly but adds a Vendor patch level field. /e/OS is a fork of LineageOS.

@heikomat It's possible some variants of /e/OS remove the extra patch level field while others don't. There are a bunch of variations of it with differences in the user interface and how things are handled. We've been focused on what they ship on the Fairphone 6, not the Fairphone 5 which is quite likely significantly different.

@GrapheneOS would you look at that, /e/-os on the FP5 actually doesn't hide the vendor SPL. we just assumed it wouldn't be listed because most ressources online only talk about the overall Android Security update version.

Still he feels kinda betrayed, that the for-profit murena ships horribly outdated firmware without really communicating it. He is a software developer, and if he didn't notice this in over a year, how is the average user supposed to know they are using vulnerable software?

@heikomat Please bear in mind the Android security patch level refers to the overall security patch level on the device. Android does not have a "Vendor security patch level" presented to users. The Android security patch level provides users with the overall minimum patch level for all of the firmware and software including drivers.

This vendor patch level is added by LineageOS and /e/OS. It downplays the importance by having the actual patch level tucked away in a menu as an extra field.

https://www.kernel.org/category/releases.html

@heikomat The build number field shows the device is running an Android 13 QPR3 OS release from September 2023.

You can see the Linux kernel version is 5.4.219 which is quite behind the current 5.4.296 for the 5.4 LTS branch. Linux 5.4 is end-of-life in December 2025:

They're already very far behind on Linux kernel LTS revisions but it will be end-of-life after December 2025. This is a consequence of the Fairphone 5 SoC choice. What's their plan after end-of-life?

The Linux Kernel Archives - Releases

@heikomat In regards to it still running Android 13, only the latest stable releases of Android provide full privacy and security patches. Android provides backports of most High and Critical severity patches to the initial yearly releases Android 13, 14, 15 and now 16. The backports for Android 13 are to the initial yearly release, not Android 13 QPR3. Porting those to Android 13 QPR3 is an error prone process being done by them downstream. Patches are being missed or applied incorrectly.

Tavi Jul 23, 2025

@GrapheneOS @heikomat

They have no plan, FP3 and FP4 are still running EOL kernels despite claimed support: https://forum.fairphone.com/t/is-fairphone-really-interested-in-sustainability/99302/2

Is Fairphone really interested in sustainability?

I mean Fairphone’s support claims are already a stretch: Release vs EOL date: FP1: December 2013 through July 2017 FP2: December 2015 through March 2023 FP3: September 2019 through September 2024 FP4: September 2021 through September 2026 FP5: September 2023 through September 2028 On the Linux kernel side: Fairphone 1 used Linux 3.4 Fairphone 2 used Linux 3.4 (released May of 2012) which went end of life in October of 2016, yet Fairphone claimed support until March of 2023. Fairphone 3 cur...

Fairphone Community Forum

Packets From The Void Jul 23, 2025

@divested @GrapheneOS @heikomat
They have discovered a marvelous tool for providing support for EOL kernels and SOCs, lying about it!

(stateofresearch) HAS MOVED Jul 23, 2025

@DarkOptimism

Shaun Chamberlin Jul 24, 2025

@venisewurith
Thanks for the tag — yes, I've been following this these past few days ✊

Jonas Vautherin Jul 23, 2025

@GrapheneOS
I don't understand this. Are you talking about the difference between "Android security update" and "Vendor security patch level"?

What is this "Android security patch level" you mention? And what do you mean by "tucked away in a menu as an extra field"? I see both next to each other.

Genuinely interested, I just don't understand what you are describing :-).
@heikomat

@jonasvautherin @heikomat

> Are you talking about the difference between [...]

Android has a single unified user-facing patch level covering the firmware, kernel, kernel drivers, userspace drivers and the rest of the OS. That's the whole point of the patch level. The patch level also includes all previous patch levels. Missing 1 patch for a component it includes freezes it before the level including it until that's covered.

This is a non-obvious inner menu from pressing Android version.

@jonasvautherin @heikomat

> What is this "Android security patch level" you mention?

The "Android security update" field refers to the Android security patch level. This is what we described above. /e/OS and LineageOS set the value inaccurately, including for apps reading it, and then define a separate vendor patch level they often also set incorrectly but at least usually closer to the real patch level. They're misusing the main field against the standard definition and adding another one.

@GrapheneOS considering all this, what OS would you recommend to the Person with the FP5, if buying a new phone or having Google services are not an Option.

We think lineage is the least bad option considering these constraints, but what do you think?

suomynona1405 Jul 23, 2025

@heikomat @GrapheneOS imho: get a pixel device, if you want to safe money get a pixel 7a/8a. Install GrapheneOS via web installer in 15 minutes and enjoy:)