DivestOS/LineageOS security updates

Jojojo

What's the difference between the security updates you'd get from DivestOS/LineageOS on an end-of-life phone vs what you would get from GrapheneOS on a modern device?
I've heard that the former only receives security patches for some things and none for others, making it relatively insecure, but I'm still confused about what those "things" are.
I have an old Pixel 4a 5g I'd like to flash DivestOS (a more security-focused fork of LineageOS and supports bootloader relocking) onto, and before I do that I'd just like to know what to expect in terms of security and privacy.
What is actually getting updated and what is being left behind with these updates?

[deleted]

Jojojo

SkewedZeppelin, DivestOS developer, is a regular over at https://discuss.privacyguides.net if you want to ask.

de0u

Jojojo What is actually getting updated and what is being left behind with these updates?

My understanding is that DivestOS is the best security available once a manufacturer ends firmware support (and, in the case of GrapheneOS, once GrapheneOS ends extended support).

The fundamental problem is that firmware does contain bugs, including remote code execution bugs, and once a manufacturer stops supporting firmware for a given device they also stop tracking and reporting bugs in the firmware. So a user of an EOL device should expect that threat actors (people who want to steal banking credentials, but also forensic companies) will over time build up a portfolio of effective attacks against an EOL device, and users will not be able to track those attacks to decide when a device is "compromised enough".

A 4a 5G is already probably risky enough that it shouldn't contain any data one wishes to remain private, including, arguably, the password to one's home Wi-Fi network. That is true regardless of which OS one runs on it, because none of them will have fixes for firmware RCEs.

RIght now GrapheneOS is more secure on a 4a 5G than DivestOS, and DivestOS is more secure than LineageOS, but neither of them are anywhere near as secure as GrapheneOS on a 5a (for the next week) or a 6 (for the next two years).

Jojojo

[deleted] Thanks!