Is the new EU regulation responsible for AOSP changes?

gostemp9394

Over the last few days GrapheneOS has been active on their socials regarding the state of AOSP. Google has essentially changed their entire development model, including developing in private. My theory, which GOS hasn't linked the changes to, are because of the recent EU legislation that recently came into effect:

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ%3AJOL_2023_214_R_0003

If you read 1.2 (6), it states:

Operating system updates:

(a) from the date of end of placement on the market to at least 5 years after that date, manufacturers, importers or authorised representatives shall, if they provide security updates, corrective updates or functionality updates to an operating system, make such updates available at no cost for all units of a product model with the same operating system;

(b) the requirement referred to in point (a) shall apply both to operating system updates offered voluntarily by manufacturers, importers or authorised representatives and to operating system updates provided to comply with Union law;

(c) security updates or corrective updates mentioned under point (a) need to be available to the user at the latest 4 months after the public release of the source code of an update of the underlying operating system or, if the source code is not publicly released, after an update of the same operating system is released by the operating system provider or on any other product of the same brand;

(d) functionality updates mentioned under point (a) need to be available to the user at the latest 6 months after the public release of the source code of an update of the underlying operating system or, if the source code is not publicly released, after an update of the same operating system is released by the operating system provider or on any other product of the same brand;

(e) an operating system update may combine security, corrective and functionality updates.

To me, this would make sense as to why Android is now private, and why Google, as GrapheneOS stated didn't push updates to AOSP. They are bound by this legislation that would then force OEMs to ship the updates within a set time frame.

It would therefore make sense, if the December 2025 patches were 'already done', to ship them in December 2025 (the first public release, triggering the 4 month legislative window), and therefore give OEMs until April 2026 to get them onto end devices. If the patches were completed say September 2025 (but not released until December), that would give about 7 months in total. The obvious downside being, as Graphene has already alluded to, attackers are also able to get access to these patches and use them maliciously. I also expect this is why there is an 'embargo' they have been talking about, as if it's released to the public, that would trigger the 4 month window (although, I am doubtful of any 'leak' being sufficient to trigger this legislation)

What seems bonkers is that OEMs are expected to provide updates for 5 years AFTER the device leaves the market. Google can do this by putting each Pixel on the market for 2 years, and discontiune the product, and provide another 5 years of updates (making the typical 7 total they already advertise).

However, for your average 200 euro basic smartphone is also expected to be given the same support window. If it was on the market for 1 year, they would be obligated to provide another 5 years of updates. As Kernel trees themselves are only supported for 4 years, I expect every device to have to update their kernel at least once (which historically has not happened).

So when GrapheneOS says that it's for 'marketing', I actually believe it's due to the new EU law. Google's hand has essentially been forced as there is legislation around functionality and security updates.

Viewpoint0232

gostemp9394 What seems bonkers is that OEMs are expected to provide updates for 5 years AFTER the device leaves the market.

Why is that "bonkers"? A cheap Windows laptop sold 10 years ago is still getting Windows updates today. If this is somehow a problem for Android phones then it is because Google or the OEMs are doing something wrong.

gostemp9394

Viewpoint0232

The whole meme of Android was devices, including Google's own, would only get about 2 years of updates, which is what lead to the fragmentation when new APIs were released (and that's still a problem today). A new Android release, essentially required a new handset. Supporting devices beyond 2 years was seen as a low cost of return. It's more profitable to sell a shiny new device than support an old one.

Google has done a lot of work (Treble, HALs, GKI, APEX) to get Android to a position where updates are possible. However I believe Qualcomm is responsible for not being willing to support their own SOCs (until recently) this making longer support unviable.

I still don't think devices will get 6 years of updates as that would be a substantial on-going cost, it's not like Google can push updates themselves like Microsoft can (apart from play system updates which are not OS updates), OEMs still need to do substantial work. If an OEM keeps a device on the market for 3 years, they would need to provide updates for 8 years total (3+5) according to the legislation. Not even the Google Pixel 10 offers 8 years of updates.

All this means is devices in the EU will be on the market for 1 maybe 2 years at most (6/7 years total support). If a device was on the market for 5 years, that would be 10 years total support which at this current time is not possible. That's why I believe the legislation is bonkers, because the implication is more than what Google offers themselves. They are essentially forcing devices to be on the market for as short time as possible. It won't work in practice.

archbtw

Viewpoint0232

Right? I hate that so much. On the pc, the manufacturer has to support the firmware, but the OS is separate and not tied to the device.

Phones are way too locked down and not universal like the ibm pc platform at all. It's a problem.

I THINK the issue is because of the proprietary drivers built into the kernel and the device trees needing to be included in the kernel, which is why phone OS's have to be created specifically for a device, and they aren't universal.

It's an issue in the ARM device world, but some arm platforms (like the ones with socketable cpu) are more similar to x86, even having uefi and stuff...

spammerofspam

gostemp9394 It's possible to support a device for 10 years, but it's not being done. Maybe the goal is to get devices supported for 10 years? Realistically, it's gotten to the point where, aside from the battery, most of the hardware for a device stays usable for years. If the chipset maker and OEM bothered, it could be done. On the PC side, it's not completely unheard of for devices to get 10 years of support. Nvidia is still providing driver updates for the 900-series GPUs from 2014 until next month (and still providing security updates quarterly for a while longer after that).

dc32f0cfe84def651e0e

spammerofspam aside from the battery, most of the hardware for a device stays usable for years

Nothing prevents manufacturers from using removable batteries.

DeletedUser396

dc32f0cfe84def651e0e profit does.
I don't see that Californian manufacturer in particular or any manufacturer, willingly giving longevity to a phone device with removable batteries, when they glue them in, with the prospect of causing damage to screens, when trying to remove them yourself. That way more devices are sold not more batteries.
Simple economics, sell more devices

barding

DeletedUser396...which is exactly why you need legislation to force manufacturers to behave in ways that are less harmful to consumers and the environment. Sometimes it might have some unintended consequences, but often there really isn't any way to know exactly what those consequences are without just getting the law out there and start making plans to fix the holes.

wizoatk

DeletedUser396
I think one of the more prominent exceptions might be Fairphone 6. Removable battery, 5 year warrant, 8 year software updates.

n3t_admin

wizoatk too bad it's complete shit.

wuseman

wizoatk
Now all it needs is a functioning customer support and software support.

archbtw

n3t_admin

So are pixels for the price, but they are secure, while fairphone is not nearly as secure.
Both give you freedom though (or as much freedom as you can get on android device)

n3t_admin

archbtw while Pixels have many shortcomings and are indeed overpriced (at least the last 2 generations, it was fine before), they still offer many components at flagship level quality, like their screens, fingerprint scanners, great cameras, good speakers.

The FairPhone is literally outdated shit scraped together and sold for 3x the price it's worth (while they don't even pay for the marketing Google does!), that also has abysmal security and cooperates with the likes of eOS (or whatever the fuck they're called) to mislead potential customers by promising them "privacy" they can never achieve with that garbage phone and that equally garbage OS.

I don't know why people still defend them to this day because they have a "rEmOvaBle BatTeRy" or what not, when in reality you get an outdated, subpar experience in every level. I had one of these FairPhones in my hands already and they gave me a nostalgia trip back to 2009. You really can't shit enough on this product, it's just so bad.

archbtw

n3t_admin

People probably buy them because of the "fair" sourcing of the materials.

If pixels started locking the bootloaders, they will become a good option as they would probably be the only ones that are open.

I wouldn't even care about how trash it is. I have daily driven pinephone pro for more than a year, but the only dealbreaker (and why I have stopped using it) was the abysmal battery life of 1 hour

Elysium

EU wants sustainability for smartphones. This means smartphone companies will sell less phones, as 'right to repair' EU laws etc. and longer support updates, will further impact their sales. Now we see the downside of it, that these OEMs are apparently not ready to currently patch devices in such "quick" time frames for long term. Security is not really trendy or profitable after all. So they were selling insecure phones in EU and were obviously quite happy about that, because it made good profit.

In one way Google is appeasing OEMs, maybe the better ones need time to recruit ITsec specialists, the worse ones will leave EU market. But this will ensure that Google keeps their market share.

I hope this phase is temporary and that it will go to faster releases again. But tbh, it is a required step to force OEMs to make a more secure phones!? EU could have be more strict with the "x months" - this still allows companies to adjust if they want to stay in EU market or not, before stricter laws apply.

But there is also geopolitical component...EU is still dependent on Google etc. while they are fining them billions. State actors will be able to exploit the vulnerabilities easier if there is more time for it... Almost feels like blackmail "You want secure devices, where is my protection money?"

Somebody hire the layed off Google ITsec people in EU, and make an alternative please lol idk why EU still doesn't take big steps to do their own ecosystems, they still bow down to US big tech even now - corruption/lobbyists?

mttc

I heard there is also another new EU law forcing manufacturers to disallow unlocking bootloaders or changing Roms. Ist this true? Should I open a new strap about this topic? I can't find this point in this document. Where can I find it?

mttc

Ok, already found a thread: https://discuss.grapheneos.org/d/24740-the-european-union-prohibits-unlocking-the-bootloader
https://discuss.grapheneos.org/d/24601-eu-is-banning-bootloaders-unlock