GrapheneOS security preview releases

GrapheneOS

GOS21606 The patches are included in the regular releases since the first 2025-12-01 security patch release. Security preview patches are the same patches the regular releases end up getting. The major quarterly/yearly Android releases get a lot of the patches before the official Android Security Bulletin launch dates and our current list of security preview patches in the release notes are only the ones applicable to Android 16 QPR2. It would be a significantly longer list if the OS was based on Android 16 instead.

GOS21606

GrapheneOS Thanks for your reply.

So it is not a big risk to run the regular release or is it still recommended to switch to the security patch release?

de0u

GOS21606 So it is not a big risk to run the regular release or is it still recommended to switch to the security patch release?

I think the question asked was whether pixnapping is patched in the regular release and the answer is that it is patched in recent (December) regular-release images. But that means it was not patched in the November regular releases, so in November running the security-preview release was necessary to resist that attack.

At any moment in time the security-preview release has many patches that the regular release does not, including some that will be unpatched in the regular releases for three months.

GOS21606

de0u Yes that was the indeed the question and that's is clear to me.

The GOS team is doing a very good job to adapt this since the embargo.

Maybe Google will change there policy (again) in the future regarding security updates?

de0u

GOS21606 Maybe Google will change there policy (again) in the future regarding security updates?

Sure, maybe. But I can imagine that after all the effort of switching to this model they're likely to try it for at least a year or two before making changes.

ryrona

GrapheneOS Yes, it will be possible to reproduce the builds after the fact as can be done with the regular releases at launch. We've implemented the security preview releases by using the same sources we used for the regular releases and running a script which applies patches we've saved in a repository for the preview patches with the conflicts resolved by us in advance and a script to apply them. It also patches it into being a security preview release by renaming the channel metadata. We're tagging the security preview releases in this repository, so we can make a public variant of the repository where we push the same stuff once the embargo ends.

Since December has passed, the first batch of patches for releases 3 months ago should have been released by now to reproduce those builds. Are they? Where are they located? I couldn't find them.

xxx

ryrona releases 3 months ago should have been released by now to reproduce those builds.

I think they will be in the next (non-preview) update.

GrapheneOS

ryrona Many of the December patches were delayed to future bulletins and we continued shipping those. The deferred patches were included in Android 16 QPR2. We should be able to release the preview patches up until it started including beyond December but haven't set it up yet. We tagged each release in the private repository but there isn't a way to partially open the repository on GitHub. We likely need to make a new repository with only the processed patches we used and copy over all of the patches for each tagged release to a new tagged release there. We've had a lot of extremely high priorities and still do so we haven't gotten to it yet. A lot of unforeseen things happened including needing to leave multiple server providers and many severe upstream bugs we had to deal with ourselves.

Falcon

I know there is a dedicated thread for the "pixnapping attack" here https://discuss.grapheneos.org/d/27296-pixnapping-rendering-side-channel-attack, but my question is more about Security Preview Release:

CVE-2025-48561 appears to be fixed permanently in the release https://grapheneos.org/releases#2025122500
Does this mean that stock Android (and all other manufacturers) will only receive a fix for this bug 3 months after the embargo ends?

Cpt_FLAM

Thank you for all your hard work!!!!!

JMP

My thanks also to you all for the time and effort put into the project for us. Very much appreciated.

« Previous Page