GrapheneOS accessed Android security patches but not allowed to publish sources

https://grapheneos.social/@GrapheneOS/115164133992525834
118•uneven9434•8h ago

Comments

mcflubbins•2h ago
"They can easily get it from OEMs or even make an OEM."[0]

I agree with their points in the thread, but could Graphene "become" an OEM to get access to the security patches sooner? Just curious.

[0] https://grapheneos.social/@GrapheneOS/115164297480036952

evgpbfhnr•2h ago
They have access to the patches.

They just can't make an official release with it, because they can't publish the patch sources (embargoed) and their releases being open-source must match what they published...

stebalien•2h ago
The bigger headline is that Google is effectively giving attackers 3-4 months of advance access to security patches: https://grapheneos.social/@GrapheneOS/115164183840111564.

goku12•10m ago
Have you considered the possibility that this may not be motivated by security at all, given the recent spate of similarly illogical and somewhat hostile decisions?

LinAGKar•2h ago
So basically to summarize, Google embargoes security patches for four months so OEMs can push out updates more slowly. And if those patches were immediately added to an open source project like GrapheneOS, attackers would gain info on the vulnerabilities before OEMs provide updates (the GrapheneOS project can see the patches, but they can't ship them). But a lot of patches end up being leaked anyway, so the delay ends up being pointless.
lima•1h ago
The stupidest part is that, according to the thread, OEMs are allowed to provide binary only patches before the embargo ends, making the whole thing nonsensical since it's trivial to figure out the vulnerabilities from the binaries.

Fun fact: Google actually owns the most commonly used tool, BinDiff ;)

nroets•1h ago
Unless the OEMs bundle numerous changes with the security patch(es).

(I'm not saying it happens. I just theorise how the policy could have been envisaged)

Hizonner•1h ago
Fuck, and I cannot emphasize this enough, the OEMs.

I am so sick of security being compromised so stupid, lazy people don't have to do their jobs efficiently. Not like this is even unusual.

Zigurd•1h ago
Welcome to Android. It started out a bit undercooked and Google relied on OEMs to make finished polished products. Then the reality that OEMs suck at software hit them in the face. They spent years acquiring more control of their platform while trying not to piss off Samsung.

tester89•43m ago
How does this work legally? If Android AOSP is open-source, once one OEM updates, surely the owner gets the legal right to request sources. IIRC the maximum delay is 30 days.

bri3d•20m ago
Almost all of AOSP is under the Apache or BSD licenses, not the GPL. Very few GPL components remain (the kernel being the large and obvious one).

So, yes, making a GPL request will work for the very few components still under GPL, if a vendor releases a binary patch. But for most things outside of the kernel, patch diffing comes back into play, just like on every closed-source OS.

9cb14c1ec0•2h ago
This is ridiculous. Makes one wonder about the state of OEM development. It's not hard to build a CI pipeline for Android. There is no good reason OEMs can't be running test builds of ROMs with security patches within hours, and have QA done in a day or two, or a week max.

baby_souffle•1h ago
> There is no good reason OEMs can't be running test builds of ROMs with security patches within hours

That sounds like it costs money and doesn’t net the mfg new sales.

pixl97•1h ago
>Makes one wonder about the state of OEM development.

Why wonder at all? It sucks and its security is generally in shambles. Security is rarely very high on their priorities, as features/prettiness is what sells their phones.

honeybadger1•2h ago
I don't understand Google's rationale here. What is the point in giving wind to the hackers' sails while also driving home the narrative that Android is a less secure system, especially after the recent changes related to the security of the latest iPhone?

Miaourt•1h ago
You mean the changes Pixel phones have had since late 2021? /s https://grapheneos.social/@GrapheneOS/115176133102237994

honeybadger1•1h ago
We're talking about OEM devices, aren't we?

stebalien•1h ago
The solution (heavily) alluded to by GrapheneOS in https://grapheneos.social/@GrapheneOS/115164212472627210 and https://grapheneos.social/@GrapheneOS/115165250870239451 is:

1. Release binary-only updates (opt-in).
2. Let the community (a) make GPL source requests for any GPLed components and (b) reverse engineer the vulnerabilities from the binary updates.
3. Publish the source once everything is public anyway.

Which just shows how utterly ridiculous all this is.

g-b-r•1h ago
If the smart plan of having others reverse-engineer the fixes won't work, I imagine they'll turn into a delayed-source product.

To my recollection, they always maintained that being open-source doesn't matter for security, after all

g-b-r•59m ago
(I strongly disagree)

transpute•57m ago
Related discussion earlier this week, https://news.ycombinator.com/item?id=45158523
