https://xcancel.com/GrapheneOS/status/1952413110947430786
"July monthly release was not pushed to AOSP and then neither was the August monthly release. September quarterly release hasn't been pushed yet."
Not having the very tiny monthly updates pushed to AOSP is an annoyance which will delay a subset of non-security bug fixes until the quarterly releases. It's a bad change, although we know have a good idea why it happened and need the reason it happened to be reversed for them to push those again.
We've been told by multiple people at Google that the quarterly releases would still be pushed and that monthly releases are largely being phased out. However, the quarterly update was not pushed as expected on September 3rd. If it's pushed on Monday, it will be 6 days late. There hasn't been a similar delay for quarterly and yearly releases in the past.
GrapheneOS can still provide security updates but not having the quarterly release is a major problem and it's not clear why it wasn't pushed when they said it was going to be pushed.
There's a separate issue not specifically tied to AOSP impacting security patches which is what the initial part of our reply was about. See https://x.com/GrapheneOS/status/1964754118653952027 for an explanation.
An issue reported to Google 3 months ago and fixed today would likely get disclosed to partners around November 2025 or December 2025 and then officially fixed in March 2025. It's not just 1 month of early access for OEM partners now but rather around 4 months. Patches are artificially delayed beyond the time to fix them by 4 months. This is completely ridiculous. Google also doesn't control the patch releases for many projects such as the Linux kernel and many other external projects they use. This means they're always going to be at least around 4 months behind on including a small number of patches for those projects as mandatory to fix for Android OEMs. The bar for Android OEMs was already ridiculously low and they've made it far lower. It's dragging down the Pixel stock OS with it to a significant extent.
Google realizes this system is horrible and has therefore added a binary-only exception to the embargo which is a complete joke since they know it's easy to reverse the patches. However, it's not really being used in practice. It's just an option to ship binary-only patches without the long delay now. We have this option for GrapheneOS since we do have access to the partner bulletins via an OEM partner. We could also ask our OEM partner not to share them with us and instead obtain them another way with no NDA to publish them right away. We haven't asked for the December patches yet since we haven't decided how to handle it. The current embargo would allow us to publish a special delayed source release variant of GrapheneOS this month with December 2025 patches, but we want to provide source code for all our releases and do not want to have a special variant of the OS needed for the latest Android patches. With how broadly they've distributed the December 2025 patches, they can't seriously be considered private and it should be permitted to simply ship them now.
Android's partner licensing people are destroying the security work. Play Integrity API is similar pretend security actually just enforcing Google's partner licensing model while actually disallowing using much more secure devices. That's highly anti-competitive and so is what they're doing with security patches. Both should result in substantial regulatory action against them, and perhaps it will, but it will probably come a very long time from now when the damage is done.
Instead of focusing on ChatControl, the EU should look into that...
Fucking hell. Can Google stop being evil for like 5 minutes? It's like they can't go a week without coming up with some new fucked up thing to do to their already tormented mobile ecosystem.
That regex derived from the tweet seems apt.
The same is clearly coming for Chromium forks, which is why I've always thought the privacy and ad-blocking forks are a joke - if they ever gain enough marketshare, or if google just tires of the public open source charade, they have no chance of maintaining a modern browser on their own.
This is all the more likely now that Google has been emboldened by not having to sell off Chrome for anticompetitive reasons.
Now, I'm of the opinion that they should have been forced to sell off both, and maybe Chromebooks too, for the good measure.
No company with a direction as vile and openly user-hostile as what Google currently demonstrates should have anywhere near this level of control over the ecosystem.
Maybe the development will slow down, but let's be honest: we would still be fine if Android and iOS had stopped "improving" years ago. Now it's mostly about adding shiny AI features and squeeze the users.
Facebook was once small too. Yet people happily signed up, giving up their privacy in the process. What makes you think the remaining companies offering a free browser wouldn't try to monetize users in a similar way? How many people are willing to pay $5/month for a browser?
When Facebook started, it was a different era. And since then, Facebook has clearly abused their position with anti-competitive behaviours.
> How many people are willing to pay $5/month for a browser?
If they can keep using Google Chrome for free, we already know the answer. If the only way for them to have a reasonable browser would to pay... who knows? People pay more than that to access movies that they could download as torrents.
Also does it have to be 5$ per month? Do browsers need to keep adding so many features, and hence so many bugs and security issues, that only huge companies can keep up and nobody wants to pay for that work?
Maybe it's enough to pay 1$/year for a company to maintain a reasonably secure browser with the features that people actually need. Do people actually need QUIC? Not sure.
Insurgents like tiktok show that even today, people will happily give up their privacy for some dopamine.
>If they can keep using Google Chrome for free, we already know the answer.
Why would google continue maintaining chrome if they can no longer derive any benefit from it?
>If the only way for them to have a reasonable browser would to pay... who knows? People pay more than that to access movies that they could download as torrents.
No, the contention is that people will go for free browsers that violate their privacy or monetize them somehow, not some future where all browsers cost money.
>Maybe it's enough to pay 1$/year for a company to maintain a reasonably secure browser with the features that people actually need. Do people actually need QUIC? Not sure.
Remember when whatsapp was also $1/year, ostensibly for similar reasons? How did that go?
That is unrelated to the sentence you quote: if people can use Google Chrome for free, they don't pay for a browser. But if Chrome disappeared, they would still need a browser. Maybe they would pay if they didn't have a free choice?
> No, the contention is that people will go for free browsers that violate their privacy or monetize them somehow, not some future where all browsers cost money.
If there are more browsers instead of a monopoly, then websites will work on the paid, secure browser that I will use, so I'm happy. I don't want to prevent people from using bad software: I want to make it possible for companies to build good software.
By not using Chromium today, many times the websites don't work correctly because devs don't care, because Chromium is a monopoly. I say split it! Then websites will have to work on more than 1 browser.
> Remember when whatsapp was also $1/year, ostensibly for similar reasons? How did that go?
It was a huge success? WhatsApp is still a huge success.
Sure, a company can buy Chrome and proceed to sell user browsing habits data to the highest bidder, or use it as a backbone for decentralized scraping - backed by real user data and real residential IPs to fool most anti-scraping checks. But if they fuck with users enough, Chrome would just die off over time, and Firefox or various Chromium forks like Brave would take its place. This already happened to the browsing titan that was IE, and without the entire power of Google to push Chrome? It can happen again.
The alternative is Google owning Chrome for eternity - and proceeding with the most damaging initiatives possible. Right now, Google is seeking to destroy adblocking, tighten the control over the ad data ecosystem to undermine their competitors, and who knows what else they'll come up with next week.
Prior to Chrome, Google actually used to promote Firefox on its own pages instead - which was a major driver of Firefox adoption. Google did it because they had a partnership with Mozilla, and were very much in favor of users switching to a browser that's not Internet Explorer.
Then Google decided they wanted more control over Firefox. Mozilla decided that Google isn't going to get it. This resulted in Chrome.
Firefox was evicted from Google's promotion, and it never quite recovered.
If this is the reason, the remedy doesn't attack the root of the matter. If Chrome were unbundled from Google, what's to stop Google from creating a new Chromium fork - and naming it Cobalt and marketing the hell out of it to achieve the same market share?
Would you start to actually pay for all those hundreds of engineers maintaining the OS?
Either way, the new control center of Android wouldn't be Google. A decade ago, I would have seen that as a very bad thing. Now, I'm almost certain that this would be a change for the better. Google is not what it once was.
I would like to see this, at least something would be happening.
Honestly it'd probably be better off that way. Google has far too much influence and control.
Huawei found themselves on their own because of the ban, and decided to go for HarmonyOS NEXT. Probably they wouldn't come back to a "joint development AOSP" now.
Now if Google lost Android, what would happen for the others? Would they each try their luck with their own OS or would they try to go for a joint development?
Google is very clearly an abusive monopoly, and has been for a very long time. We all overlooked it because they were mostly benevolent. That is no longer the case.
I hope you're not referring to YouTube blocking the 3rd party YT Windows Phone client that didn't play or display ads? At the time, Microsoft was threatening Android OEMs with patent infringement (without disclosing the specific patents!), and making it go away if they agreed to make Windows phone models[1]. Google refusing to make a first-party YouTube client for Windows Phone was to be expected, it was an ugly, hand-to-hand fight and all parties used the weapons they had at hand.
1. The agreements were never made public, but HTC and Samsung disclosed they'd be making Windows phones in their respective agreements with Microsoft. Microsoft also initially filed an Amicus brief in Google v Oracle - supporting Oracle's position.
If Google does the math one day, and determines that they won't lose out anymore by not paying Firefox they'll stop paying.
Exactly. The only thing that can prevent this behaviour is regulations. But apparently nobody wants to regulate, so we're screwed.
A more detailed explanation is at https://x.com/GrapheneOS/status/1964754118653952027.
GrapheneOS has an OEM partner and early access to the security patches so our complaint isn't about us not having access. Google has added an exception to the embargo where binary-only patches can be released which we could use for a special security update branch but that's a ridiculous exception and it should be allowed to release the sources. It can be reversed from the security patches anyway and is trivial for Java and Kotlin. We can't break the embargo ourselves but we CAN publish the security patches early under the rules of the embargo via a special branch and people could reverse the patches from there which could then be applied to the regular GrapheneOS branch. The system is ridiculous and our hope is these changes are undone.
The title should really be changed from "for AOSP" to "for Android". There's a binary-only exception in the embargo now but that's not really about AOSP and isn't being used in practice even for Pixels. They've really just delayed all patches 4 months instead of 1 while also destroying any semblance of there being a real embargo (which was already very weak).
.. Google recently made.. misguided changes to Android security updates.. almost entirely quarterly instead of monthly to make it easier for OEMs. They're giving OEMs 3-4 months of early access which we know for a fact is being widely leaked including to attackers.
.. Google's existing system for distributing security patches to OEMs was already.. problematic. Extending 1 month of early access to 4 months is atrocious. This applies to all of the patches in the bulletins. This is harming Android security to make OEMs look better by lowering the bar.. The existing system should have been moving towards shorter broad disclosure of patches instead of 30 days.
.. Android's management has clearly overruled the concerns of their security team and chosen to significantly harm Android security for marketing reasons.. Android is very understaffed due to layoffs/buyouts and insufficient hiring.. Google does a massive portion of the security work on the Linux kernel, LLVM and other projects.. providing the resources and infrastructure for Linux kernel LTS releases. Others aren't stepping up to the plate.
But Google has made sure that didn't happen and we're left with devices more locked down than the proprietary Windows ecosystem we were hoping to leave in the past - and with a company in charge looking to exert even more power over us than Microsoft did.
But actually, with Qt you do have KDE devs who push their own patches which does help deal with the flaws in the upstream project.
In the Android world, they need more devs doing the same and supporting projects like GrapheneOS with security testing/hardening.
In what scenario is this a serious threat because I can't think of any.
The problem represented in the tweet is deeper. It is about not receiving patches which means the device is basically unsafe to use altogether.
and this identification does nothing about that, this is not to protect users. such phishing are always found on play-store alone.
There's 0 reason you should need an app to fucking pay for parking. Why do you then?
Because running mostly unsandboxed native code on customers devices is a fantastic way to steal data and build profiles. Browsers just don't cut it - they're too safe, too secure, too abstracted.
Let's be honest here - what is a banking app? Web forms, some more web forms, and then to top it off, some web forms. I mean, hell, half these apps are just web views with spywa - I mean analytics - slapped on top.
Any thoughts on Linux phones?
The point, perhaps, is for one to emerge as the prominent choice, the correct one. Diversity however has its own value.
https://source.android.com/docs/setup/contribute/submit-patc...
If you develop for a diverse set of user you need a lot of effort.
The Play Store is mostly absent from China, and I really don't know how that ecosystem works.
Was there one ecosystem?
I would happily leave Android and go with such a fork. Instead, each (Samsung, Huawei, ...) try to make their own thing. And good luck to them to beat Android on their own.
What's stopping you from using a feature phone?
Back to your point, there's already a "split of hardware and software" in the PC market, and we know how it works out. Security there is a joke. Windows might be getting monthly security patches, but the same can't be said of the panoply of third party drivers/firmware. Whenever microsoft tries to push for better security they get shouted down by people claiming it's some sort of conspiracy to implement DRM.
Let's not forget that all these "features" which enable corporations like Google take complete control over the project also end up driving price up, constantly. Cheap phones are a sh*t iteration of more expensive phones, instead of being simpler more basic implementations of must have features without the "quality of life" bloat on the top tier models. They should have a different tier OS rather than the same one.
I would also not make the parallel between comms devices and PCs, they're different beasts.
And a such a product is going to absolutely niche, which means no economies of scale producing or maintaining it. You try to justify that by saying it'll be maintained by "the community", but who's going to want to do unglamorous work fixing security issues, compared to developing features? Mainstream phones have dedicated security teams and freelance vulnerability researchers going after them for fame/clout. Who would want to do security research for what's essentially a glorified nokia 3310 that maybe 1000 people use?
Ignoring how you assert this, when I outlined plenty of reasons which you've yet to rebut...
>it wouldn't look like a 3310, it would still look like a smart phone, probably OLED so more battery life. It would just miss a lot of modern features which are absolutely irrelevant to anyone who wants a privacy/security focused mobile phone. Probably not the latest CPU, not the latest mobile chip, but still decent for what it has to do.
Sounds like a $200 mid-range phone that's sold in much of Asia. Question is, who's going to make it? How are you going to amortize the development costs? You mentioned that it's going to use custom software/hardware to keep security maintenance burden low, but how would that be funded? Most of the SoC vendors are going to be providing kernels/drivers to you with the expectation that you're going to use it to build an Android phone. Good luck convincing them to provide engineering support for your custom software/hardware stack.
Not to mention the questions about maintenance you haven't addressed aside from some handwaving about it'll be simpler and therefore can be "community maintained".
https://danieldashnawcouplestherapy.com/blog/yellow-rock-met...
The OpenWRT One is another example of collaborating with community trusted vendors to build a niche community based hardware product.
Mainly because it is, and you can go Q.E.D. all you like, but there doesn't need to be a bunch of mustachioed villains explicitly making evil plans when everyone's ultimate aims align. They're going to get theirs, and the rest will just be a long for the ride while those people in a position of power continue to weave a collective path through the space of "conspicuously unimplemented features".
The computer was meant to be as a calculator. An unassuming tool to automate the mundane, not as a link in the chain of techno-fascism/feudalism/tyranny. The only thing that will ward off that eventuality is how we as people embrace and guide it's further usage & implementation.
The tech is currently here for every bad ending. I want to make that clear. It has already arrived. The knowledge of it's configuration to bring those ends are the part that isn't quite realized yet. I pray that it won't be unearthed, but with the way things are currently going, I have serious doubts.
Like it or not, TPM was meant to increase security by deterring evil maid attacks. If you can't stop this sort of attack, your device doesn't offer serious security, and a feature phone with wifi/bluetooth/cellular data turned off probably has similar security. Moreover TPMs were introduced over a decade ago and there's still no DRM that's based on it. People did forget about SGX though, which came and went but had actual DRM built for it. I've also never heard a peep about HDCP which is specifically for DRM purposes and is built into every GPU/monitor.
> Like it or not, TPM was meant to increase security by deterring evil maid attacks. If you can't stop this sort of attack, your device doesn't offer serious security, and a feature phone with wifi/bluetooth/cellular data turned off probably has similar security
TPMs in their commercial implementation do not deter any evil maid attack. Only some special cases like HEADS Firmware actually protects you from an evil maid attack. TPMs, Secureboot, etc. merely prevent non-signed code from booting when the hard has not been tampered with. Tamper with the hardware and make it show a green "everything is fine" screen while booting a tainted kernel and device drivers and a tpm won't save you.
> Moreover TPMs were introduced over a decade ago and there's still no DRM that's based on it.
Google Play Integrity API is essentially this. Can't run certain apps on devices that don't pass TPM based attestation. Not exactly DRM but something akin to it.
> People did forget about SGX though, which came and went but had actual DRM built for it.
People didn't forget, it got broken so badly intel gave up on it.
> I've also never heard a peep about HDCP which is specifically for DRM purposes and is built into every GPU/monitor.
You've just not been listening. It's just that HDCP also has been bypassed a lot.
Edit: The HN title is false and security patches were released. But this is more about Google trying to appease OEMs who aren't capable with keeping up with a monthly OS release schedule.
Google is more and more showing that they really don't want to contribute to AOSP.
So for me, Android should be split out of Google. Maybe the other Android manufacturers will start contributing to AOSP, and maybe Android will die. But let me be honest: if Google keeps going this way, I will move to an iPhone (and I've been using and developing for Android forever). We may as well try the split, and if it fails I'll end up with an iPhone anyway.
https://wiki.postmarketos.org/wiki/Devices#Main
Anyone know whether this is a sign of a push for being daily driver quality? Or a sign that volunteers previously doing promising work have drifted away, and they're acknowledging that?
Unfortunately there was/is no device supported by postmarketOS that fits that description. You'll need at least good telephony support including 4G features like VoLTE, proper camera support (not potato polaroid from the 80s quality), Wifi, Bluetooth, geolocation, working GPU acceleration, media hardware decoders, decent battery life. And I'm probably forgetting a few things.
Let's hope that initiatives like https://liberux.net/ will help make a fully working, long lasting device available!
I think the only realistic alternative would be to build upon AOSP properly, with Google being just a contributor instead of the owner. But it cannot come from a community fork by someone in their garage, it has to come from Android manufacturers. I was hoping that Huawei would start something like that, instead they went with their own HarmonyOS.
A blanket statement of a phone being "of daily driver quality or not" is impossible to make because everyone has different expectations of a "daily driver". I have been daily-driving the PinePhone since 2021 (it is my first and only smartphone) but that doesn't mean everyone else will be happy with it.
https://x.com/grapheneos/status/1964757878910136346?s=46
They say this:
Our reply here was linked on Hacker News with an inaccurate title ("Delayed Security Patches for AOSP"). Security patch backports were pushed to AOSP on September 2nd for Android 13, 14 and 15 as expected.
More information is available at x.com/GrapheneOS/sta… explaining the situation with security patches. It would be better to have a thread linking to that instead. We have early access to the security patches, but we can't break the embargo. We can only release the sources once source release is allowed. We could make a security preview branch but the system simply doesn't make sense.
Android 16 QPR1 is a new major release, not a security patch release. Our reply is talking about 2 different issues. Android 16 QPR1 is what was delayed for AOSP and we don't currently know why. It's possible it was a mistake and it will be pushed on Monday.
https://x.com/GrapheneOS/status/1964754118653952027
They're giving OEMs 3-4 months of early access which we know for a fact is being widely leaked including to attackers.The title of this post linking our reply is inaccurate and is not what we said ("Delayed Security Patches for AOSP"). It should really be changed from "for AOSP" to "for Android". Security patch backports were pushed to AOSP on September 2nd for Android 13, 14 and 15 as expected. The issue isn't the security patches being delayed for AOSP. We didn't say patches are being delayed for AOSP.
Security patches for Android are being delayed as a whole. The delays aren't specific to AOSP. They're moving to quarterly security updates with 4 months of early OEM access instead of monthly security updates with 1 month of early OEM access. They realize that the patches distributed to OEMs are hardly secret once they're so broadly distributed. Therefore, they've relaxed the rules of the embargo and permitted releases of patches under certain rules without being allowed to providing a description or the sources for the patch. This is ridiculous because it's easy to reverse the patches from binary-only releases.
Google trying to cover for OEMs not keeping up with patches by making it seem as if the patches are now quarterly and largely being delivered on time while actually broadly disclosing them 4 months early and permitting quietly fixing them early.
We posted a much more detailed explanation at https://x.com/GrapheneOS/status/1964754118653952027. It would be better to link to our more detailed post.
delecti•21h ago
strcat•18h ago