We published this response to a recent article promoting insecure devices with /e/OS with inaccurate claims, including inaccurate comparisons to GrapheneOS:

https://discuss.grapheneos.org/d/24134-devices-lacking-standard-privacysecurity-patches-and-protections-arent-private

The founder of /e/OS has responded with misinformation promoting /e/OS and attacking GrapheneOS.

@GrapheneOS

I'm glad you brought this to my attention!

But I have to say, from someone not reading the GrapheneOS forum every day, this reads like the writer was kinda angry, which is not the best of looks.

However, it made someone I know with a FP5 check its vendor SPL, just to realize it's a YEAR out of date.
He now wants to switch to Lineage, as FPOS is not an option because of the Google stuff.

Might not be GrapheneOS-levels of security, but at least his firmware will be more up-to-date.

@heikomat Android does not have a separate user-facing vendor patch level. The Android security patch level covers the whole OS including the kernel and drivers. It also covers firmware. Android Security Bulletins cover the kernel, drivers and firmware. Look at the Android Security Bulletins and you'll see they have a YYYY-MM-01 section for AOSP userspace patches and then a YYYY-MM-05 section for the rest. Each patch level includes all previous patch levels. 01 patch levels include 05 ones.

@GrapheneOS I'm not sure I fully understand. If the Android Security Patch level also covers firmware, I would assume that it cannot be newer than the patch level from the vendor blobs.

The person with the FP5 issued this command:

adb shell getprop | grep -e security_patch

and got this response:
[ro.build.version.security_patch]: [2025-06-05]
[ro.vendor.build.security_patch]: [2024-06-05]

(notice the 2024)

His (German) Settings UI says "Android Sicherheitsupdate: 5. Juni 2025"

@heikomat Android Security Bulletins and the corresponding patch level cover driver and firmware patches. The user displayed patch level is meant to be the lowest patch level for the device. Fairphone says the Fairphone 5 is on the June 2025 patch level:

https://support.fairphone.com/hc/en-us/articles/18682800465169-Fairphone-5-Release-Notes

The drivers and firmware should be on the June 2025 patch level for them to say that. It's likely Fairphone made a mistake in setting the vendor patch level. It's quite possible they did also miss a lot of patches.

@heikomat Fairphone's stock OS typically has 1-2 months of delay for applying the security patch backports. It should be noted that these backports covered by the Android Security Bulletins are NOT the full Android privacy/security patches which require the latest stable release. Take a look at the Android Security Bulletins and notice that they only list High and Critical severity patches. That's because they only cover what they backport to older initial yearly releases, not everything.

@heikomat The current release of Android is the July monthly release of Android 16. Prior to Android 16 being released in June, it was the May monthly release of Android 15 QPR2. Android 15 QPR2 is much closer to Android 16 than it is to Android 15 because quarterly releases are as large as yearly releases. The backports for Android 13, 14, 15 and 16 are partial backports of MOST High and Critical severity patches for AOSP to the INITIAL yearly release of Android 13, 14, 15 and 16.

@GrapheneOS I think I now see where the misunderstanding happened. I never mentioned that the person with the FP5 is currently running /e/OS, which is afaik the reason his firmware is outdated, and why he wants to switch to Lineage, because Lineage pulls the vendor image from FP directly.

@heikomat Well, you can see what we're talking about both in terms of it lagging behind on patches and covering it up in the user interface. Have them check the rest of the user interface including the additional information available in the sub-menu for the Android version if that's available.

Standard Android devices have a single patch level set to the minimum of what's provided. LineageOS sets that incorrectly but adds a Vendor patch level field. /e/OS is a fork of LineageOS.
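The check discussed in this thread, as an added example that is not from any participant or project: it reads `getprop` output, compares the two `security_patch` properties quoted above, and reports the minimum of the two as the effective level. The function names and the output format are hypothetical; the sample input is constructed from the two lines quoted in the thread.

```shell
#!/bin/sh
# Constructed sample input: the two getprop lines quoted in the thread.
SAMPLE_GETPROP='[ro.build.version.security_patch]: [2025-06-05]
[ro.vendor.build.security_patch]: [2024-06-05]'

# get_prop NAME: read getprop output on stdin, print the value of NAME.
get_prop() {
    awk -v key="[$1]:" '$1 == key { gsub(/^\[|\]$/, "", $2); print $2; exit }'
}

# effective_patch_level A B: the lower of two YYYY-MM-DD levels
# (ISO dates sort correctly as plain strings).
effective_patch_level() {
    printf '%s\n%s\n' "$1" "$2" | sort | head -n 1
}

# months_behind NEWER OLDER: whole months between two patch levels.
months_behind() {
    printf '%s %s\n' "$1" "$2" | awk '{
        split($1, a, "-"); split($2, b, "-")
        print (a[1] - b[1]) * 12 + (a[2] - b[2])
    }'
}

# check_patch_levels: getprop output on stdin.
# Returns 0 if the vendor level is not older than the OS level,
# 1 if it lags, 2 if a property is missing.
check_patch_levels() {
    props=$(tr -d '\r')   # adb on Windows hosts may emit CRLF
    os=$(printf '%s\n' "$props" | get_prop ro.build.version.security_patch)
    vendor=$(printf '%s\n' "$props" | get_prop ro.vendor.build.security_patch)
    if [ -z "$os" ] || [ -z "$vendor" ]; then
        echo "UNKNOWN missing security_patch property"
        return 2
    fi
    eff=$(effective_patch_level "$os" "$vendor")
    if [ "$eff" != "$os" ]; then
        echo "MISMATCH os=$os vendor=$vendor effective=$eff behind_months=$(months_behind "$os" "$vendor")"
        return 1
    fi
    echo "OK effective=$eff"
}

# Against a connected device: adb shell getprop | check_patch_levels
printf '%s\n' "$SAMPLE_GETPROP" | check_patch_levels || :
```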

@heikomat It's possible some variants of /e/OS remove the extra patch level field while others don't. There are a bunch of variations of it with differences in the user interface and how things are handled. We've been focused on what they ship on the Fairphone 6, not the Fairphone 5 which is quite likely significantly different.

@GrapheneOS Would you look at that, /e/OS on the FP5 actually doesn't hide the vendor SPL. We just assumed it wouldn't be listed because most resources online only talk about the overall Android Security update version.

Still, he feels kinda betrayed that the for-profit Murena ships horribly outdated firmware without really communicating it. He is a software developer, and if he didn't notice this in over a year, how is the average user supposed to know they are using vulnerable software?

@heikomat Please bear in mind the Android security patch level refers to the overall security patch level on the device. Android does not have a "Vendor security patch level" presented to users. The Android security patch level provides users with the overall minimum patch level for all of the firmware and software including drivers.

This vendor patch level is added by LineageOS and /e/OS. It downplays the importance by having the actual patch level tucked away in a menu as an extra field.

@heikomat The build number field shows the device is running an Android 13 QPR3 OS release from September 2023.

You can see the Linux kernel version is 5.4.219 which is quite behind the current 5.4.296 for the 5.4 LTS branch. Linux 5.4 is end-of-life in December 2025:

https://www.kernel.org/category/releases.html

They're already very far behind on Linux kernel LTS revisions but it will be end-of-life after December 2025. This is a consequence of the Fairphone 5 SoC choice. What's their plan after end-of-life?

@GrapheneOS @heikomat

They have no plan, FP3 and FP4 are still running EOL kernels despite claimed support: https://forum.fairphone.com/t/is-fairphone-really-interested-in-sustainability/99302/2

Is Fairphone really interested in sustainability?

I mean Fairphone’s support claims are already a stretch:

Release vs EOL date:
FP1: December 2013 through July 2017
FP2: December 2015 through March 2023
FP3: September 2019 through September 2024
FP4: September 2021 through September 2026
FP5: September 2023 through September 2028

On the Linux kernel side:
Fairphone 1 used Linux 3.4
Fairphone 2 used Linux 3.4 (released May of 2012) which went end of life in October of 2016, yet Fairphone claimed support until March of 2023.
Fairphone 3 cur...

@divested @GrapheneOS @heikomat

They have discovered a marvelous tool for providing support for EOL kernels and SoCs: lying about it!