GrapheneOS version 2025092500 released

DeletedUser481

Looks like no public information has been released at all about most of these CVE's. So it's kinda hard to know if it's worth changing to a proprietary release for fixes to vulnerabilities I don't even know apply to the way I use the device.

de0u

DeletedUser481 Looks like no public information has been released at all about most of these CVE's. So it's kinda hard to know if it's worth changing to a proprietary release for fixes to vulnerabilities I don't even know apply to the way I use the device.

Unfortunately, that is Google's new security plan. High-risk individuals need a way to get the patches ASAP, so the large amount of extra work that the GrapheneOS team has taken on to make that possible will likely be appreciated.

abednego

xxx I suppose October 1, 2025 is the last official patchset. May the November and December security updates remain open to new fixes, before being properly called "November 1, 2025" and "December 1, 2025" respectively? Just guessing...

xxx

abednego

Makes sense. I got a new build (number) after switching the toggle. Stellar work by the team! I'm very happy to get security patches in time.

GrapheneOS

Vuraze abednego abednego The patch level is still supposed to be set to 2025-10-01. There could be 2025-10-05 Pixel patches and the patch level can't be raised above the point at which all patches have been provided. Android Security Bulletins list both AOSP patches in the 01 section and kernel/vendor patches in the 05 section. Devices are also meant to have additional OEM bulletins with more vendor patches not covered in the small subset included in the ASB. If there's a 2025-10-05 Pixel patch, then the overall Pixel patch level is still 2025-10-01 even if the Android patch level could be 2025-10-05 already. We do get previews of what's going to be included in the vendor subset of the ASB but not the Pixel bulletin.

The November 2025 and December 2025 bulletins are also not fully frozen yet. The November patches should be considered frozen in terms of new patches no longer being added after early October. We don't know at exactly which point they're officially frozen with patches not allowed to be added anymore and at which point they can no longer change or remove patches. It may be they can remove patches up to the last day. This is something we need to figure out, although it's not particularly important.

We also don't want to set the security preview patch level higher since then people can't switch back to the next regular OS release since the patch level can't be downgraded. We would need to teach the update client to check patch level and prevent trying to update to a release with a lower one. This would be confusing and if people switched back to regular updates, they would stop getting updates until the patch level caught up to the security preview release. It's best to simply leave the patch level alone. You can see you're on the security preview release from the displayed OS version in the "Build number" field.

Watermelon

DoctorB0NG Vuraze abednego xxx Curious abednego

I suggest you to read my explanation of the topic :) a moderator liked it so together with my belief that it's accurate I presume it's accurate.

https://discuss.grapheneos.org/d/26476-backports-quarterly-releases-security-patches-embargoes/9
https://discuss.grapheneos.org/d/26476-backports-quarterly-releases-security-patches-embargoes/10

Pavestone2734 Personally I would advise against making non-open source security updates opt-in by default, even though I recognise that there is a case to be made about the importance of these updates and the need for the maximum possible amount of users to recieve them. But jnstalling non-foss code by default would come off as a breach of trust to a significant amount of users.

I disagree. The GrapheneOS team has gained my trust through their extremely professional conduct, care for user data and stability, care for security and quick patching… I don't do anything with GrapheneOS's source code, so I don't see what prevents me from getting closed-source patches (written by the GrapheneOS developers) quicker on top of an open source OS from a vendor I trust.

EndoPlant

I can't tell if it's because of the update, or the fact that my apps "optimized" following the update for the first time in weeks, but the general performance and smoothness of my pixel 7 pro seems noticeably better compared to yesterday.

alentia

de0u Proton VPN

alentia

NetRunner88 happens on proton, many times already

CGG

GrapheneOS version 2025092500 in Pixel 9 pro XL running without any issues here.

HecticHector

8 Pro using preview releases. Smooth as silk.

chinook

Franckienogotobollywood

how is GrapheneOS more secure than /e/OS

https://discuss.grapheneos.org/d/9399-biggest-differences-eos-and-grapheneos

GOS:

it's still not cracked by Cellebrite: https://discuss.privacyguides.net/t/updated-cellebrite-google-pixel-matrix-leak-february-2025/25911
It's using hardware secure by design in the secure way
it patches vulnerabilities and releases changes promptly

/e/OS:

offers ancient, no longer patched versions: https://doc.e.foundation/devices
only a very few of the devices supported offer verified boot or relocking bootloader
don't offer Android 16 (GOS rolled it out to stable channel I think within 2 weeks from the public release?)

Do we agree that GrapheneOS only updated the open source part

Hm? If you are asking about auditing the code, https://grapheneos.org/source might be your first step.

But let's not talk about all that here, as it's entirely off topic.

GrapheneOS

Franckienogotobollywood

/e/ does not share the same updates but rather lags incredibly far behind on Android, Chromium, Linux kernel, driver and firmware privacy/security patches. /e/ also rolls back the standard privacy/security model and features. It isn't as secure as a regular Android-based OS. GrapheneOS is a hardened OS preserving the standard privacy/security model and providing massive privacy and security improvements on top of that baseline. Privacy and security patching is only one part of providing those, but /e/ is atrocious at it compared to GrapheneOS doing much better than the standard approach.

/e/ isn't a safe option due to lacking basic privacy/security patches and protections. It's far worse in most ways than using an iPhone. /e/ even sends user data to OpenAI without consent and has other invasive services.

Despite the misleading marketing, /e/ always uses multiple Google services and integrates them into the OS with privileged access unavailable to other services. They automatically download and run Google code with privileged access along with giving privileged access to certain Google apps when they're installed including Android Auto.

Article from Mike Kuketz about /e/ including covering user tracking in their update client, still using Google services with privileged integration into the OS and major delays for important privacy/security patches:

https://kuketz-blog.de/e-datenschutzfreundlich-bedeutet-nicht-zwangslaeufig-sicher-custom-roms-teil6/

Apple and Google both provide support for offline speech-to-text using local models. Apple uses it by default Users can configure it to be fully offline. /e/ sends the user's audio to OpenAI which is hidden away in their terms of service:

https://community.e.foundation/t/voice-to-text-feature-using-open-ai/70509

Information from the founder of the Divested projects:

Issues with /e/: https://codeberg.org/divested-mobile/divestos-website/raw/commit/c7447de50bc8fadd20a30d4cbf1dcd8cf14805a0/static/misc/e.txt
ASB update history: https://web.archive.org/web/20241231003546/https://divestos.org/pages/patch_history
Chromium update history: https://web.archive.org/web/20250119212018/https://divestos.org/misc/ch-dates.txt
Chromium update summary: https://infosec.exchange/@divested/112815308307602739

There's a high quality privacy/security focused comparison between Android-based operating systems at https://eylenburg.github.io/android_comparison.htm. The author has comparisons between a bunch of different types of software and reviews corrections/suggestions from the public including projects covered by it. If there are inaccuracies, users or developers can report them which has resulted in the accuracy being high.

We have our own post about the very misleading marketing for this device and OS:

https://discuss.grapheneos.org/d/24134-devices-lacking-standard-privacysecurity-patches-and-protections-arent-private

chinook There's no device where /e/ provides proper privacy/security patches which they heavily mislead users about including misrepresenting the Android patches as only being the AOSP security backports when in reality there are far more than those patches.

/e/ doesn't provide working verified boot for any device. The list you've linked is a list of devices where they say relocking is supported, not a list where verified boot is supported. /e/ uses publicly available private keys for signing the OS on the Fairphone 4 and other devices which of course doesn't provide working verified boot. Verified boot also requires more than simply signing the OS with non-public keys and then locking it. /e/ doesn't preserve the standard security model required for verified boot. Lack of working verified boot is a very tiny part of why /e/ is substantially less secure. It's a far bigger issue that they're consistently so far behind on patches such as still being on Android 13 without 2 years of driver/firmware patches on the Pixel 7 and having a year of missing patches for the Fairphone 5 kernel which will be end-of-life in December 2025 with Fairphone not having any plan to support a newer kernel version, similar to how the Fairphone 4 and earlier Fairphones already have end-of-life kernels. They also roll back

There's a misconception that verified boot is a larger portion of what matters from hardware-based security and the OS than it is. Our hardware requirements are listed at https://grapheneos.org/faq#future-devices and verified boot is a small part of that.

Franckienogotobollywood

chinook In February 2025 GOS could not be compromised but since then, Google has released a lot of security patches allowing increases in privileges. But to say that /e/OS is not updated since the latest security patch is the same as GrapheneOS, hence my question, is the latest GOS update only an update of open source components?

abednego

bagel Do you really build and examine the source code for anything you install on your computers and network appliances?

How do you check that the binaries that are downloaded and installed in your Pixel are built from the unmodified sources you can get from the GrapheneOS repository? Up to my knowledge, GrapheneOS builds are not reproducible, so it is difficult to verify.

Sometimes operating system snapshots (and I am mostly talking about Linux and BSDs here) include experimental code that has not yet been committed. It is usually code that needs to reach a wide audience before being incorporated to a repository because it is highly experimental and may break some things.

In short, there is a line in which we must trust the software developers. Publishing source code is a requirement for a software project to be trusted, as it helps finding bugs (something where an active community and security experts is extremely useful), and assessing the quality of the code, But it does not stop a rogue development team from building and distributing backdoored software by just adding some unpublished source code modifications before compiling.

GrapheneOS

abednego

Up to my knowledge, GrapheneOS builds are not reproducible, so it is difficult to verify.

GrapheneOS builds are reproducible are reproducible.

The sole reason that we've provided security preview updates as a separate set of releases requiring substantially more build time, testing and other work from us is because we didn't want the regular GrapheneOS releases to no longer be open source with reproducible builds. We do strongly recommend using the security preview updates and we plan to add the choice into the setup wizard followed by adding a notification for existing users who didn't get the setup wizard choice to inform them about it. The recommended option in both cases can be opting into security preview updates, but we won't opt existing users into it automatically.

GrapheneOS

chinook No, that's incorrect. We shipped the September security patches in https://grapheneos.org/releases#2025090200. You should read the information we provided above and below the list of CVEs fixed in the security preview release. These are November 2025 and December 2025 Android Security Bulletin patches. We're shipping the patches early, not late.

GrapheneOS

UseLinux Google isn't shipping the patches early for the stock Pixel OS and we're not aware of any OEM shipping the patches early. A tiny subset of patches are still being put into monthly Android Security Bulletins which are shipped by Pixels and other OEMs. Pixels are also still fixing some Pixel hardware related patches on a monthly basis. Nearly all security patches are now quarterly instead. The quarterly Android Security Bulletins are backports to older releases which come alongside the quarterly and yearly releases including those patches and also the Moderate/Low severity patches. The previews of the backported patches now allow us to ship those early, but it can't be properly open source so we've made a separate security preview release system for it. In the near future, we're going to provide a setup wizard opt-in for the security preview releases which will likely be enabled by default in the setup wizard. Existing users won't be automatically moved to it, but we could make a notification which asks people to choose and is sent once each boot until a choice either way is made.

They've allowed shipping the patches early in binary-only releases which we're now doing via our security preview releases. We can provide the patches we used after the embargo ends. We're doing the preview releases by preparing a set of patches based on the partner preview patches in a Git repository where we're tagging the security preview releases so we can release the additional patches we applied to the source tree with the script needed to apply them once the embargo ends. In some cases we need to resolve conflicts, etc.

What about lower tier, med-/low CVEs on stock Android on a Pixel phone, I presume GrapheneOS is better but by how much?

Android Security Bulletins are backports of patches to the initial yearly releases of Android. Only Critical/High severity patches are backported since quite a while ago, not Moderate/Low severity. There are no Moderate/Low patches in the Android Security Bulletins anymore. The Moderate/Low severity patches are shipped through the new yearly and quarterly releases of Android.

GrapheneOS

Pavestone2734 Security preview updates are remaining disabled by default for existing users, but we can add a notification for people who haven't enabled it asking to choose. For fresh installs, we plan to add it to the setup wizard so people get an explicit choice and the default recommendation can be having security preview updates enabled. For existing users, we can make a notification for people who haven't opted into it where you're given an explicit choice. The notification could be once per boot until an explicit choice is made one way or the other at which point it can be permanently dismissed. New users would have the setup wizard choice so the notification would only be for existing users prior to that being added.

Franckienogotobollywood

GrapheneOS Thank you very much for your reply. If you can delete my previous message... thank you

abednego

GrapheneOS It is great to know GrapheneOS has reproducible builds, what a nice surprise! Only a few —in fact, very few— open source projects have this property, that makes software verifiable. In any case, advantages of staying in the security preview updates surpasses the advantages of ensuring software binaries are built from the exact source code we have in the repository.

fid03

abednego It is great to know GrapheneOS has reproducible builds, what a nice surprise!

It is in the build guide: https://grapheneos.org/build#reproducible-builds
FYI

« Previous Page Next Page »