GrapheneOSWe have early access to Android Security Bulletin patches and will be able to set up a workflow where we can have releases already built and tested prior to the embargo ending. For now, we've still been doing the builds after the embargo ends. It will mainly help when they screw up pushing to AOSP.
We're in the process of obtaining early access to the major quarterly and yearly releases. This is a much bigger deal and will substantially help us. There's an immense workload with a lot of time pressure for porting to new major releases without early access which gets worse the more we change.
We did not have early access to Android 16 QPR1 and have not been able to start porting yet. We should have early access prior to Android 16 QPR2.
We're going to need to make private repositories for working on this stuff internally. We can potentially make special preview releases based on these.
Google recently made incredibly misguided changes to Android security updates. Android security patches are almost entirely quarterly instead of monthly to make it easier for OEMs. They're giving OEMs 3-4 months of early access which we know for a fact is being widely leaked including to attackers.
We can't break the embargo ourselves but if someone posted the patches publicly we would be able to ship them months early, as would others. The patches are broadly distributed to OEMs where most of their engineers have access. Companies like NSO can easily obtain access. It's not a safe system.
Google's existing system for distributing security patches to OEMs was already incredibly problematic. Extending 1 month of early access to 4 months is atrocious. This applies to all of the patches in the bulletins. This is harming Android security to make OEMs look better by lowering the bar.
The existing system should have been moving towards shorter broad disclosure of patches instead of 30 days. Moving in the opposite direction with 4 months of early access is extraordinarily irresponsible. Google has also abandoned pretending it's private by allowing binary-only embargo breaches.
Android's management has clearly overruled the concerns of their security team and chosen to significantly harm Android security for marketing reasons. Lowering the bar for OEMs to pretend things are fine while reducing security for everyone is a ridiculous approach and should be quickly reversed.
Rafael@GrapheneOS
Have you though what you will do once Google stops supporting AOSP? They say that it is not going to happen but...
Have you though what you will do once Google stops supporting AOSP? They say that it is not going to happen but...
Celinho@rafaelm7o @GrapheneOS could start already having a parallel using open harmony.
@celinho @rafaelm7o We're not interested in that OS.