
A while back, Android announced a change to how they released security updates (#1217284):
> Google recently made incredibly misguided changes to Android security updates. Android security patches are almost entirely quarterly instead of monthly to make it easier for OEMs. They're giving OEMs 3-4 months of early access which we know for a fact is being widely leaked including to attackers.
GrapheneOS developers then said they were able to get advanced access to these security patches so they could work on porting them to Graphene...but they also said they wouldn't be able to do this work in a public repository.
I'm pretty sure this means Graphene security patches become not-open-source until about 3-4 months after they actually release them (correct me if I'm misunderstanding this).
When I did my most recent system update on my phone, I got this notification:

To check the box or not...or what?

1870 sats \ 2 replies \ @final 21h
> I'm pretty sure this means Graphene security patches become not-open-source until about 3-4 months after they actually release them (correct me if I'm misunderstanding this).
These are strictly Android's upstream patches, not our patches or any code that we create. We only have access to these through a new OEM partnership. They're simply an opt-in for people who want to benefit from getting all of these patches the moment they are made, rather than waiting for a quarterly release like every other Android OEM / distribution will do. If you don't want to run embargoed code, then you'll just wait like everyone else / how we used to wait for patches before this month.
Standard GrapheneOS is completely open source and reproducible. This is simply a separate addition to a standard GrapheneOS install and that's why the first boot will give you the choice to do so. We recommend security patches for obvious reasons.
We openly call out people to try and download our update packages to reverse engineer them and review any changes. People can make their own code which standard GrapheneOS and other Android distributions can get earlier. We have source code access but we cannot disclose it ourselves.
What we do and any additions we make are totally open source and will remain that way.
153 sats \ 1 reply \ @final 21h
You can see from our releases page that releases with the patches have their own separate channel. Versions ending in 01, 03, 05 [..] are security preview variants. Their changelogs are separate by listing the CVEs patched in that version.
Thank you very kindly for the info. I'm sorry if my ignorance stated it stronger than the reality.
102 sats \ 0 replies \ @optimism 12h
Unless you're reviewing patch source code right now, check the box.
If you are reviewing:
checked = chance of malicious code or new vulns in security patches < chance of vuln being exploited
For now, I'd expect this to evaluate to true, but both are non-zero.
The issue isn't with Graphene - they're doing an awesome job. The issue is with the embargo hampering honest players for increasing time, and also reducing eyes on things, while we know for a fact that there are dishonest players inside the embargoed space that will use any vulns in their exploits, who aren't affected by the embargo.
36 sats \ 0 replies \ @anon 18h
Thank you so much to everyone working on GrapheneOS
It was @optimism who originally pointed this out to me (if I'm understanding it correctly)
We need real Linux phones asap, better hardware support for pmOS, mobian and etc