GrapheneOS accessed Android security patches but not allowed to publish sources

131 points, posted 9 hours ago
by uneven9434

18 Comments

LinAGKar

3 hours ago

So basically to summarize, Google embargoes security patches for four months so OEMs can push out updates more slowly. And if those patches were immediately added to an open source project like GrapheneOS, attackers would gain info on the vulnerabilities before OEMs provide updates (the GrapheneOS project can see the patches, but they can't ship them). But a lot of patches end up being leaked anyway, so the delay ends up being pointless.

lima

2 hours ago

The stupidest part is that, according to the thread, OEMs are allowed to provide binary only patches before the embargo ends, making the whole thing nonsensical since it's trivial to figure out the vulnerabilities from the binaries.

Fun fact: Google actually owns the most commonly used tool, BinDiff ;)

tester89

an hour ago

How does this work legally? If Android AOSP is open-source, once one OEM updates, surely the owner gets the legal right to request sources. IIRC the maximum delay is 30 days.

Hizonner

2 hours ago

Fuck, and I cannot emphasize this enough, the OEMs.

I am so sick of security being compromised so stupid, lazy people don't have to do their jobs efficiently. Not like this is even unusual.

stebalien

3 hours ago

The bigger headline is that Google is effectively giving attackers 3-4 months of advance access to security patches: https://grapheneos.social/@GrapheneOS/115164183840111564.

goku12

37 minutes ago

Have you considered the possibility that this may not be motivated by security at all, given the recent spate of similarly illogical and somewhat hostile decisions?

stebalien

2 hours ago

The solution (heavily) alluded to by GrapheneOS in https://grapheneos.social/@GrapheneOS/115164212472627210 and https://grapheneos.social/@GrapheneOS/115165250870239451 is:

1. Release binary-only updates (opt-in).
2. Let the community (a) make GPL source requests for any GPLed components and (b) reverse engineer the vulnerabilities from the binary updates.
3. Publish the source once everything is public anyway.

Which just shows how utterly ridiculous all this is.

mcflubbins

3 hours ago

"They can easily get it from OEMs or even make an OEM."[0]

I agree with their points in the thread, but could Graphene "become" an OEM to get access to the security patches sooner? Just curious.

[0] https://grapheneos.social/@GrapheneOS/115164297480036952

qingcharles

3 minutes ago

They have an OEM partner right now who funnels them the updates, which is how they get access to them.

evgpbfhnr

3 hours ago

They have access to the patches.

They just can't make an official release with it, because they can't publish the patch sources (embargoed) and their releases being open-source must match what they published...

honeybadger1

3 hours ago

I don't understand Google's rationale here. What is the point in giving wind to the hackers' sails while also driving home the narrative that Android is a less secure system, especially after the recent changes related to the security of the latest iPhone?

g-b-r

an hour ago

If the smart plan of having others reverse-engineer the fixes won't work, I imagine they'll turn into a delayed-source product.

To my recollection, they always maintained that being open-source doesn't matter for security, after all

g-b-r

an hour ago

(I strongly disagree)

9cb14c1ec0

3 hours ago

This is ridiculous. Makes one wonder about the state of OEM development. It's not hard to build a CI pipeline for Android. There is no good reason OEMs can't be running test builds of ROMs with security patches within hours, and have QA done in a day or two, or a week max.

baby_souffle

2 hours ago

> There is no good reason OEMs can't be running test builds of ROMs with security patches within hours

That sounds like it costs money and doesn’t net the mfg new sales.

pixl97

2 hours ago

>Makes one wonder about the state of OEM development.

Why wonder at all? It sucks, and its security is generally in shambles. Security is rarely very high on their priorities, as features/prettiness is what sells their phones.