We published this response to a recent article promoting insecure devices with /e/OS with inaccurate claims, including inaccurate comparisons to GrapheneOS:

https://discuss.grapheneos.org/d/24134-devices-lacking-standard-privacysecurity-patches-and-protections-arent-private

The founder of /e/OS has responded with misinformation promoting /e/OS and attacking GrapheneOS.


@GrapheneOS

I'm glad you brought this to my attention!

But I have to say, from someone not reading the GrapheneOS forum every day, this reads like the writer was kinda angry, which is not the best of looks.

However, it made someone I know with an FP5 check its vendor SPL, just to realize it's a YEAR out of date.
He now wants to switch to Lineage, as FPOS is not an option because of the Google stuff.

Might not be GrapheneOS levels of security, but at least his firmware will be more up-to-date.

@heikomat Android does not have a separate user-facing vendor patch level. The Android security patch level covers the whole OS including the kernel and drivers. It also covers firmware. Android Security Bulletins cover the kernel, drivers and firmware. Look at the Android Security Bulletins and you'll see they have a YYYY-MM-01 section for AOSP userspace patches and then a YYYY-MM-05 section for the rest. Each patch level includes all previous patch levels. 01 patch levels include 05 ones.

@GrapheneOS I'm not sure I fully understand. If the Android Security Patch level also covers firmware, I would assume that it cannot be newer than the patch level from the vendor blobs.

The person with the FP5 issued this command:

adb shell getprop | grep -e security_patch

and got this response:
[ro.build.version.security_patch]: [2025-06-05]
[ro.vendor.build.security_patch]: [2024-06-05]

(notice the 2024)

His (German) Settings UI says "Android Sicherheitsupdate: 5. Juni 2025"

@heikomat Android Security Bulletins and the corresponding patch level cover driver and firmware patches. The user displayed patch level is meant to be the lowest patch level for the device. Fairphone says the Fairphone 5 is on the June 2025 patch level:

https://support.fairphone.com/hc/en-us/articles/18682800465169-Fairphone-5-Release-Notes

The drivers and firmware should be on the June 2025 patch level for them to say that. It's likely Fairphone made a mistake in setting the vendor patch level. It's quite possible they did also miss a lot of patches.

@heikomat Fairphone's stock OS typically has 1-2 months of delay for applying the security patch backports. It should be noted that these backports covered by the Android Security Bulletins are NOT the full Android privacy/security patches which require the latest stable release. Take a look at the Android Security Bulletins and notice that they only list High and Critical severity patches. That's because they only cover what they backport to older initial yearly releases, not everything.

@heikomat The current release of Android is the July monthly release of Android 16. Prior to Android 16 being released in June, it was the May monthly release of Android 15 QPR2. Android 15 QPR2 is much closer to Android 16 than it is to Android 15 because quarterly releases are as large as yearly releases. The backports for Android 13, 14, 15 and 16 are partial backports of MOST High and Critical severity patches for AOSP to the INITIAL yearly release of Android 13, 14, 15 and 16.

@GrapheneOS I think I now see where the misunderstanding happened. I never mentioned that the person with the FP5 is currently running /e/OS, which is afaik the reason his firmware is outdated, and why he wants to switch to Lineage, because Lineage pulls the vendor image from FP directly.

@heikomat Well, you can see what we're talking about both in terms of it lagging behind on patches and covering it up in the user interface. Have them check the rest of the user interface including the additional information available in the sub-menu for the Android version if that's available.

Standard Android devices have a single patch level set to the minimum of what's provided. LineageOS sets that incorrectly but adds a Vendor patch level field. /e/OS is a fork of LineageOS.

@heikomat It's possible some variants of /e/OS remove the extra patch level field while others don't. There are a bunch of variations of it with differences in the user interface and how things are handled. We've been focused on what they ship on the Fairphone 6, not the Fairphone 5 which is quite likely significantly different.

@GrapheneOS Would you look at that, /e/OS on the FP5 actually doesn't hide the vendor SPL. We just assumed it wouldn't be listed because most resources online only talk about the overall Android Security update version.

Still, he feels kinda betrayed that the for-profit Murena ships horribly outdated firmware without really communicating it. He is a software developer, and if he didn't notice this in over a year, how is the average user supposed to know they are using vulnerable software?

@heikomat Please bear in mind the Android security patch level refers to the overall security patch level on the device. Android does not have a "Vendor security patch level" presented to users. The Android security patch level provides users with the overall minimum patch level for all of the firmware and software including drivers.

This vendor patch level is added by LineageOS and /e/OS. It downplays the importance by having the actual patch level tucked away in a menu as an extra field.

@GrapheneOS
I don't understand this. Are you talking about the difference between "Android security update" and "Vendor security patch level"?

What is this "Android security patch level" you mention? And what do you mean by "tucked away in a menu as an extra field"? I see both next to each other.

Genuinely interested, I just don't understand what you are describing :-).
@heikomat

@jonasvautherin @heikomat

> Are you talking about the difference between [...]

Android has a single unified user-facing patch level covering the firmware, kernel, kernel drivers, userspace drivers and the rest of the OS. That's the whole point of the patch level. The patch level also includes all previous patch levels. Missing 1 patch for a component it includes freezes it before the level including it until that's covered.

This is a non-obvious inner menu from pressing Android version.

@jonasvautherin @heikomat

> What is this "Android security patch level" you mention?

The "Android security update" field refers to the Android security patch level. This is what we described above. /e/OS and LineageOS set the value inaccurately, including for apps reading it, and then define a separate vendor patch level they often also set incorrectly but at least usually closer to the real patch level. They're misusing the main field against the standard definition and adding another one.
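
The comparison discussed in this thread, as an added example that is not part of any participant's post: a shell script that reads `getprop` output, takes the lower of the two reported patch level properties and reports the gap between them. The function names are hypothetical, the sample input is the two lines quoted earlier in the thread, and it only compares what the device reports, which the thread notes can itself be set incorrectly.

```shell
#!/bin/sh
# Added example, not from the thread. Sample input: the two getprop
# lines quoted in the thread for the Fairphone 5, embedded to run offline.
SAMPLE_GETPROP='[ro.build.version.security_patch]: [2025-06-05]
[ro.vendor.build.security_patch]: [2024-06-05]'

# prop_value NAME: read `getprop` output on stdin, print NAME's value.
prop_value() {
    tr -d '\r' | awk -v key="[$1]:" '$1 == key { print substr($2, 2, length($2) - 2); exit }'
}

# is_spl VALUE: succeed only for a YYYY-MM-DD patch level string.
is_spl() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# lag_months NEWER OLDER: whole months between two patch levels.
lag_months() {
    ny=${1%%-*}; nm=${1#*-}; nm=${nm%%-*}; nm=${nm#0}
    oy=${2%%-*}; om=${2#*-}; om=${om%%-*}; om=${om#0}
    echo $(( (ny - oy) * 12 + nm - om ))
}

# check_spl: read getprop output on stdin, print the lower of the two
# reported levels and the gap. Returns 0 if they match, 1 if they
# differ, 2 if either property is missing or malformed.
check_spl() {
    props=$(cat)
    os=$(printf '%s\n' "$props" | prop_value ro.build.version.security_patch)
    vendor=$(printf '%s\n' "$props" | prop_value ro.vendor.build.security_patch)
    if ! is_spl "$os" || ! is_spl "$vendor"; then
        echo "error: patch level property missing or malformed"
        return 2
    fi
    # ISO dates sort lexicographically, so sort yields oldest first.
    low=$(printf '%s\n%s\n' "$os" "$vendor" | sort | head -n 1)
    high=$(printf '%s\n%s\n' "$os" "$vendor" | sort | tail -n 1)
    echo "os=$os vendor=$vendor lowest=$low gap_months=$(lag_months "$high" "$low")"
    [ "$os" = "$vendor" ]
}

# On a real device: adb shell getprop | check_spl
printf '%s\n' "$SAMPLE_GETPROP" | check_spl || echo "reported patch levels differ"
```
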