27 comments

[ 3.9 ms ] story [ 47.2 ms ] thread
"No tags were pushed to AOSP for the July 2025 monthly release of Android. We asked about this on the android-building group but each of our posts was rejected. We emailed people at Google we've previously contacted about mistakes pushing tags but received no response this time."

https://xcancel.com/GrapheneOS/status/1952413110947430786

"July monthly release was not pushed to AOSP and then neither was the August monthly release. September quarterly release hasn't been pushed yet."

https://xcancel.com/GrapheneOS/status/1963812920673861981

That's about the monthly and quarterly releases of Android, not the Android security patches. The post title is misinterpreting what's wrong. There is a lot wrong but that's not it. The baseline Android security patches are being delayed for Android as a whole, not AOSP specifically.

Not having the very tiny monthly updates pushed to AOSP is an annoyance which will delay a subset of non-security bug fixes until the quarterly releases. It's a bad change, although we know have a good idea why it happened and need the reason it happened to be reversed for them to push those again.

We've been told by multiple people at Google that the quarterly releases would still be pushed and that monthly releases are largely being phased out. However, the quarterly update was not pushed as expected on September 3rd. If it's pushed on Monday, it will be 6 days late. There hasn't been a similar delay for quarterly and yearly releases in the past.

GrapheneOS can still provide security updates but not having the quarterly release is a major problem and it's not clear why it wasn't pushed when they said it was going to be pushed.

There's a separate issue not specifically tied to AOSP impacting security patches which is what the initial part of our reply was about. See https://x.com/GrapheneOS/status/1964754118653952027 for an explanation.

̶D̶o̶n̶'̶t̶ ̶b̶e̶ ̶e̶v̶i̶l̶
And so, Google's war on open Android continues.

Fucking hell. Can Google stop being evil for like 5 minutes? It's like they can't go a week without coming up with some new fucked up thing to do to their already tormented mobile ecosystem.

"Why should people believe what you say about /^.*$/?"

That regex derived from the tweet seems apt.

This is entirely unsurprising. It's been clear that Google has been into their Android duopoly-abusive stage for a while now, with more and more of their Android changes moving into GMS or non-AOSP Google apps (like camera, messages, location services, etc) over the last decade. Graphene has been doomed to this fate for a long time, and anyone who thought otherwise was naively optimistic.

The same is clearly coming for Chromium forks, which is why I've always thought the privacy and ad-blocking forks are a joke - if they ever gain enough marketshare, or if google just tires of the public open source charade, they have no chance of maintaining a modern browser on their own.

This is all the more likely now that Google has been emboldened by not having to sell off Chrome for anticompetitive reasons.

Security patches aren't being delayed for AOSP specifically but rather Android as a whole including the stock Pixel OS. The title is misinterpreting our reply. We didn't say they're delaying patches to AOSP specifically. Stock Pixel OS has delayed patches too.

A more detailed explanation is at https://x.com/GrapheneOS/status/1964754118653952027.

GrapheneOS has an OEM partner and early access to the security patches so our complaint isn't about us not having access. Google has added an exception to the embargo where binary-only patches can be released which we could use for a special security update branch but that's a ridiculous exception and it should be allowed to release the sources. It can be reversed from the security patches anyway and is trivial for Java and Kotlin. We can't break the embargo ourselves but we CAN publish the security patches early under the rules of the embargo via a special branch and people could reverse the patches from there which could then be applied to the regular GrapheneOS branch. The system is ridiculous and our hope is these changes are undone.

The title should really be changed from "for AOSP" to "for Android". There's a binary-only exception in the embargo now but that's not really about AOSP and isn't being used in practice even for Pixels. They've really just delayed all patches 4 months instead of 1 while also destroying any semblance of there being a real embargo (which was already very weak).

Google sold Android to nerds as open source. We thought that mobile operating systems would be won by the "Linux of mobile OSs."

But Google has made sure that didn't happen and we're left with devices more locked down than the proprietary Windows ecosystem we were hoping to leave in the past - and with a company in charge looking to exert even more power over us than Microsoft did.

> We want to make sure that if you download an app from a developer, regardless of where you get it, it's actually from them. That's it.

In what scenario is this a serious threat because I can't think of any.

I hope that this action, along with Google's refusal to correctly safeguard and segregate apps, costs Google all of Android in the long term. Neither deserves to exist.

Any thoughts on Linux phones?

Seems like there needs to be a split of both hardware and software. Mobile phones morphed into something else lately. Not all of us need all the features of a smart phone, but still need a comms device. We need a simpler OS with simpler hardware that focuses on comms and less features. Simpler OS, lower attack surface, simpler to maintain without the help of a gigantic corporation. I don't need a supercomputer in my pocket.
Security of the Android ecosystem should not be compromised just to make the lives of Googlers easier in handling the public, internal, and pixel branches of AOSP.

Edit: The HN title is false and security patches were released. But this is more about Google trying to appease OEMs who aren't capable with keeping up with a monthly OS release schedule.

The only reason that would make me fear from an antitrust judgement splitting Android from Google is that it may lose the Google contributions to AOSP.

Google is more and more showing that they really don't want to contribute to AOSP.

So for me, Android should be split out of Google. Maybe the other Android manufacturers will start contributing to AOSP, and maybe Android will die. But let me be honest: if Google keeps going this way, I will move to an iPhone (and I've been using and developing for Android forever). We may as well try the split, and if it fails I'll end up with an iPhone anyway.

Looks like PostmarketOS (mainline Linux for phones, with choice of frontend, such as Plasma Mobile or Phosh) has demoted all their previous "Main"-tier devices to "Community" or lower tier:

https://wiki.postmarketos.org/wiki/Devices#Main

Anyone know whether this is a sign of a push for being daily driver quality? Or a sign that volunteers previously doing promising work have drifted away, and they're acknowledging that?

(comment deleted)
(comment deleted)
I am the pmOS maintainer for the PinePhone. It was demoted from main to community because I was the only maintainer and one of the criteria for main is to have two or more maintainers. ( https://gitlab.postmarketos.org/postmarketOS/pmaports/-/merg... ) Originally many pmOS core devs were maintainers, which is why it was in main, but they all lost interest and it was about to be demoted to testing / unmaintained, so I volunteered to become the maintainer to stop that from happening.

A blanket statement of a phone being "of daily driver quality or not" is impossible to make because everyone has different expectations of a "daily driver". I have been daily-driving the PinePhone since 2021 (it is my first and only smartphone) but that doesn't mean everyone else will be happy with it.

(comment deleted)
FYI the poster this story links to says that this title is incorrect:

https://x.com/grapheneos/status/1964757878910136346?s=46

They say this:

Our reply here was linked on Hacker News with an inaccurate title ("Delayed Security Patches for AOSP"). Security patch backports were pushed to AOSP on September 2nd for Android 13, 14 and 15 as expected.

More information is available at x.com/GrapheneOS/sta… explaining the situation with security patches. It would be better to have a thread linking to that instead. We have early access to the security patches, but we can't break the embargo. We can only release the sources once source release is allowed. We could make a security preview branch but the system simply doesn't make sense.

Android 16 QPR1 is a new major release, not a security patch release. Our reply is talking about 2 different issues. Android 16 QPR1 is what was delayed for AOSP and we don't currently know why. It's possible it was a mistake and it will be pushed on Monday.

This is an official response from GrapheneOS:

The title of this post linking our reply is inaccurate and is not what we said ("Delayed Security Patches for AOSP"). It should really be changed from "for AOSP" to "for Android". Security patch backports were pushed to AOSP on September 2nd for Android 13, 14 and 15 as expected. The issue isn't the security patches being delayed for AOSP. We didn't say patches are being delayed for AOSP.

Security patches for Android are being delayed as a whole. The delays aren't specific to AOSP. They're moving to quarterly security updates with 4 months of early OEM access instead of monthly security updates with 1 month of early OEM access. They realize that the patches distributed to OEMs are hardly secret once they're so broadly distributed. Therefore, they've relaxed the rules of the embargo and permitted releases of patches under certain rules without being allowed to providing a description or the sources for the patch. This is ridiculous because it's easy to reverse the patches from binary-only releases.

Google trying to cover for OEMs not keeping up with patches by making it seem as if the patches are now quarterly and largely being delivered on time while actually broadly disclosing them 4 months early and permitting quietly fixing them early.

We posted a much more detailed explanation at https://x.com/GrapheneOS/status/1964754118653952027. It would be better to link to our more detailed post.