questions about updates and open source

Meatheadmarty

Are the updates now no longer open source and we need to trust the project developers and have no way to verify the code for months? I didn't understand the latest update about the recent patches.

Dumdum

Meatheadmarty Are the updates now no longer open source

No, they are.

we need to trust the project developers and have no way to verify the code for months?

Until the embargo ends and code can be published, yes.

wizoatk

Meatheadmarty

The following recent announcement should answer your questions.

GrapheneOS security preview releases
https://discuss.grapheneos.org/d/27068-grapheneos-security-preview-releases

Summary:
Regular releases are still open source. (default)
Security Preview releases are closed source until the embargo ends. (opt-in)
Your choice, full open source or early access to security patches.

GrapheneOS

Meatheadmarty GrapheneOS is open source. Our regular releases have sources published through Git tags before a release is pushed out. Security preview releases are based on the same tags as the regular releases, but have embargoed Android Security Bulletin patches for future months applied on top of it. We tag the patches which were used for security preview releases but are not allowed to publish those until the embargo ends. You can use the regular releases for the same approach as before or you can use the security preview releases to get Android Security Bulletin patches prior to their official release where source code becomes available when the patches are officially released. Security preview releases are off by default but we recommend enabling it. Our latest release provides every new user with an explicit choice in the Setup Wizard and existing users get the same choice provided via a notification opening an activity to explicit choose and save the value. If you don't press save, it will ask again next boot until you choose on or off explicitly. Users who already changed the setting in the system update settings don't get the notification since it's based on whether it was set previously either via the update settings, Setup Wizard or the activity opened by the notification.

Meatheadmarty

wizoatk Is there a way to compare of the closed-source code downloaded and installed prior to the open-source code being released matches?

For example, is it possible to create a hash for the closed source coxe that's downloaded and compare to the open source code once released?

I have no idea how I would even inspect what is downloaded so I could compare it to what is released later.

workeronthewalls

wizoatk Your choice, full open source or early access to security patches.

If it is true what you write and it does seem that way, then the GrapheneOS that people know and got into, is not open source anymore.
One of the core philosophy of GrapheneOS is providing the latest security patches almost immediately WHILE STILL being open source and not "either...or".
The GrapheneOS team is as I can tell not to blame for this, but this still doesn't change the fact, that if my thoughts here are correct, then the "initial GrapheneOS" is now dead.

I heard/read somewhere (can't provide the source) that the intelligence community does not really care too much about vulnerabilities being fixed, but they want a time window like 3 months till it's fixed.
Now that's exactly what they are getting.
And yes, there is the version with the latest security patches, but if that isn't open source anymore because of that embargo, then how can you tell that the apparently more secure version with the latest security patches isn't an intelligence agency putting backdoors in it?

I hope I made a mistake here, because if not, like I said, then the "initial GrapheneOS" is dead now.

wizoatk

Meatheadmarty

My understanding is that it is being considered. Probably it would depend on reproducable builds so that an external idividual could build from new released source and compare one or more hashes of the new build with the corresponding hashes of the original binary release.

GrapheneOS

Meatheadmarty

For example, is it possible to create a hash for the closed source coxe that's downloaded and compare to the open source code once released?

There are reproducible builds and it will be possible to build the security preview releases once the embargo ends and sources are released. Those have delayed open source releases, not closed source. We're tagging each of the sets of patches we use so we can release them when the embargo ends.

GrapheneOS

workeronthewalls No, your claims about this are incredibly wrong. You can choose to keep using the same regular GrapheneOS releases you always used, where you don't actually validate anything based on the source code in practice. Alternatively, you can choose to use the security preview releases where you get patches earlier than you ever could have before. The sources for the security preview releases are going to be published as soon as it's permitted, so they will be open source. You can simply wait to get the patches in the regular releases if you don't want to use those before the patches can be published as source code.

There was originally a 1 month embargo for OEM early access where we didn't have early access and couldn't ship the patches early. For a while, we did have early access but weren't allowed to ship the patches early. The vulnerabilities typically take several months to get fixed so they're reported to the Android issue tracker significantly before they get fixed and then shipped. There was always a long delay for issues getting fixed upstream, similar to other projects. 90 day disclosure deadlines are often missed by software projects / products.

It has nothing to do with intelligence agencies demanding anything, that's a completely baseless and unsubstantiated claim which is clearly false.

It's entirely possible to compare the releases and determine what was fixed, and analyze the details of it. None of it is a black box as you seem to believe. It's not particularly hard to do it. Of course, that doesn't mean people are going to do that thoroughly for each release but the same thing applies to source code.

GrapheneOS is not able to offer an option we weren't before, and you don't have to use it. There's no other OS whether it's an alternate OS or a stock OS offering the full set of the upcoming 3 months of Android Security Bulletin patches early. You can't get it from the stock Pixel OS or anywhere else. This is exclusive to GrapheneOS security preview releases. You can go on using the regular releases as if those don't exist if you don't like the approach.

It's nonsense to claim GrapheneOS is now dead because we offered an opt-in to exclusive early access to patches. A small subset appear to be shipped early by Samsung on a regular basis and it seems Pixels are going to start doing the same, but with GrapheneOS people can get all the available patches early.

We're putting substantial effort and resources into providing both the regular releases and the security preview releases to provide a choice, yet you're attacking us for it.

raccoondad

workeronthewalls I hope I made a mistake here, because if not, like I said, then the "initial GrapheneOS" is dead now.

Incredibly alarmist statement, for no reason. Everything GOS writes is open source, its main stable branch is directly compiled from its source.

The only difference is a 3 month waiting period for a separate branch that has the up to date security patches the GOS didn't write. Yes its not ideal and yes it changes some things but this statement should be reserved for when GOS is deprecated and abandoned, not this.

Upstate1618

workeronthewalls If you don't trust gos, you should do reproducible build as well as audit the whole project yourself to ensure you're secure with gos. If you have not done this for regular builds, then you are trusting gos indeed and there's little reason to worry about security preview builds.

workeronthewalls

GrapheneOS

I understand that it seems like I am attacking you, but that is not my intention. I also said, that as far as I can tell it's not even your fault. You didn't make the embargo.
AND my first language is not English, please keep that in mind. Sometimes I meant it completely differently but my English just wasn't good enough.

On the other hand: There are security patches available for the more secure version of GrapheneOS, but not open source for the end user...which will only become open source after the embargo is lifted after 3 months....I mean in that 3 months it's basically a "trust me bro" or not?

And you can compare the patches, but only in 3 months when they become public, do I understand that correctly? Or can you do it even while it's still not public and I mean do it rather quickly and not sitting there trying to reverse engineer it for 2 months.
Because I don't know...it just seems to me, that a lot can happen in 3 months.
And even if I'm writing here complete nonsense, which I don't think is all I write, then it still has the benefit, that someone came forward and asked the dumb questions. If I hadn't written this, probably someone else would have eventually.

GrapheneOS

workeronthewalls There was a 1 month embargo for years where it wasn't permitted to ship them early. There's also the time from the report they receive or the internal discovery to when it's fixed. The goal time for Project Zero is 90 days and many projects including Android fail to meet that bar in many cases. The 3 months is the time it's available to OEMs and permitted to ship early, although most OEMs don't do it and those that do such as Samsung are only shipping a small subset.

If someone reverse engineers and makes a source patch then it can be applied to the regular release if it's correct.

workeronthewalls

raccoondad

I know that there is a second version (or first version, depending on how you see it) that is completely open source, but that version has not all the security patches. And people that use GrapheneOS are probably rather interested in the most secure version of GrapheneOS and not some version that doesn't have the latest security patches for the next 3 months.

GrapheneOS

workeronthewalls The security preview release has the November 2025, December 2025 and January 2026 patches right now. Previously, we just wouldn't have access to those until the embargo end day when we'd incorporate them. It wasn't permitted for OEMs to ship them early but OEMs did have 1 month early access and there was still the time prior to that.

workeronthewalls

GrapheneOS
A 1 month embargo that existed for years is of course also bad, but a 3 month embargo is just kinda like a nuclear bomb on top of it. Like I and also other people said: 3 months is just too much time.
I know, it's not your fault, but Google's, but that still doesn't change the situation.

And you are talking here and there about reverse engineering but if I haven't overseen it, you still haven't told anyone how much time is needed to reverse engineer a closed source update from GrapheneOS in the future. I understand that it depends on the specific update, but what would your guess be:
How many people and for how long would they need to work on trying to reverse engineer a closed source GrapheneOS update in the future?
Because if you would need a really big team of experts and then also about 3 months of full time work to do it, just hypothetically...I don't really know, then there is really no point of even trying to reverse engineer the closed source GrapheneOS patches if they become public anyway in 3 months.

Another question that I have is: If it is that way that first only Google has the security patches/vulnerability information, then I would assume before they would share it with OEMs, they would first share it with the intelligence agencies and only then with the OEMs, right?
So GrapheneOS can't protect anyone from intelligence agencies anyway, or at least not from the bigger ones.
So what is really the point of going closed source, if probably the only bad actors left will be the non-intelligence-agency-bad-actors. And those "private bad actors" aren't probably making the exploits from the fresh vulnerabilities very fast, so in a sense even waiting 3 months doesn't matter that much, or am I wrong here?

Meatheadmarty

GrapheneOS

I suppose I meant something slightly different.

I mean that if I enable the security preview (to patch critical bugs that OEMs know about and therefore would be knowable to many governments and others), then I am downloading a particular patch early and applying it, without source code being released.

It's very unlikely probably, but I could see this as a way to attack users using threats or coercision. For example, if there were a world war and some societal choas, which isn't an impossible scenario, and the military came and they say "You need to change this patch to something with a backdoor or we will kill all of these puppies and kittens that we've brought with us" and the developer implemented the backdoor because of this threat, and later released open source code, and the open source code didn't have the backdoor, how would the target know that the closed upgrade they downloaded didn't match the open source code later?

So is there was a way to download the code first, check a hash for it, and then apply it, then even if the source code were temporarily closed, I could always check the hash with what was released later? In a worst case scenario it could mean being compromised for a month or two and I would learn about this after the open source code is published.

However, if there is no hash and the source code is open later, I don't know if there is a way to compare what was previously applied. A one month compromise would be less concerning to me than a one year compromise. I also currently do not have that high of a threat model but still value privacy.

Thank you to GrapheneOS and developers for continuing to code during these extraordinary times. I know you have said that forking would not be possible. I do worry for the future of the project with Google escalating hostility towards FOSS and privacy but hope it continues. I also hope that GOS developers can provide their expertise to FOSS mobile developers if requested so that mobile linux will eventually become more robust and usable. I have tried Postmarket OS and Mobian and others before and, back when I tried them they were quite horrible, but Rome wasn't built in a day and something has to start somewhere. GOS is generally a usable operating system for most things, and much safer in BFU than other options, and I appreciate the effort and extra security and features during these challenging times.

polymer_wildcat

Security preview releases are off by default but we recommend enabling it.

Haven't seen what's used during installation screen, since i don't want to reinstall OS.
But once i've pressed the notification today, it was:

Enabled by default
Recommended

At least in notification it definitely feels recommended and opt-out, despite technically being explicit to choose until you press save button - clueless or old people will just blindly trust your recommendations.

My question is, why would you RECOMMEND trust-me-bro unverifiable closed source code for supposed 3 month security benefit?

DeletedUser481

polymer_wildcat

As long all the past security builds can be reproduced after the sources are released, I don't really see a big problem for most people. But it needs to be verifiable. Otherwise there is a risk of government infiltration. GrapheneOS is the most secure operating system there is, which also makes it the biggest target. If the source code of released builds can't be verified in a reasonable amount of time (or at all), it would be problematic and will make people suspicious.

raccoondad

polymer_wildcat My question is, why would you RECOMMEND trust-me-bro unverifiable closed source code for supposed 3 month security benefit?

Recommending applying security patches by the vendor of the device you are using should answer itself, no?

W1zardK1ng

polymer_wildcat In that case you should build every app you use, including GrapheneOS, on your own. That's the only way to ensure that you are running the exact code you reviewed. Ultimately, much of our reliance is on a "trust me, bro" basis. Like many others, I trust GrapheneOS, but trust isn't established overnight.

GrapheneOS

polymer_wildcat Security preview releases are disabled by default, as existing users can see from it not being enabled by default. Our Setup Wizard can provide recommendations which are different from the defaults which is what we've done here. Security preview releases are recommended and that's how we designed the Setup Wizard page. The page shown from the notification is nearly identical to the Setup Wizard page with a Save button for persisting either enabling or disabling it. Leaving the page from the notification without choosing either leaves it disabled, since that's the default. The notification will be shown again each boot until users choose either enabled or disabled via that page or the update settings.

Open source software is not inherently trustworthy and does not inherently provide better privacy or security. The security preview releases can in fact be reviewed and verified. The regular releases can be compared to the security preview releases to determine the differences, and then those differences can be reverse engineer and fully understood. This is very doable and practical, unlike verifying millions of lines of open source code which is not realistic and not actually going to happen. You're not verifying all of the Linux kernel, AOSP, Chromium and other source code. You're putting your faith in it because it's open source and you think open source is good rather than because of verifying it rather than trusting.

Security preview releases provide a bunch of important upcoming Android security patches up to 3 months early and definitely do provide a substantial privacy and security benefit through doing that. The security preview releases are made by applying the set of security patches we've received early on top of the regular release tags. We've tagged the exact set of patches we used for each security preview release and will release those with the script for applying them as soon as the embargo ends, which means the builds can be reproduced once that happens. The differences between the regular and security preview releases are tiny due to being limited to these patches so it's already very straightforward to compare the releases due to reproducible builds. Only components which were changed by the patches will be different, and the differences for those are as minimal as possible.

The hardware and firmware is not open source and neither are some of the driver support libraries, but you're still using those and the official updates to the firmware and driver libraries. There aren't any open source hardware/firmware devices we could be using instead.

JustBeginnez

DeletedUser481

The three-month embargo period is too long, and I believe there is a high risk that malicious third parties, such as governments, could exploit the vulnerability.

The new security patch preview is delayed open source, meaning it won't be released immediately but will eventually become open source.
I prefer this approach over leaving vulnerabilities unpatched for three months.

Meatheadmarty

JustBeginnez i think this is probably how i feel but would like a hash in that casee just so i can compare what i applied to what is later released.

GrapheneOS

JustBeginnez People can make the decision for themselves, but we think most people should use the security preview releases. The privacy and security patches being shared with OEMs up to 3 months early are all categorized High and Critical severity. For Android 16, there's currently 1 Critical severity patch and 58 High severity patches for the AOSP userspace. For GrapheneOS, 1 of those High severity patches has been applied to our regular releases since we determined it was already publicly disclosed.

All of the core kernel security patches in the upcoming bulletins were already shipped by GrapheneOS in the regular releases, which is how it always works in practice. It's only the AOSP userspace patches which are needed.

The small amount of vendor patches in the Android Security Bulletins are listed as part of the early access but early access to those has to come from the vendors and those companies choose how long to provide early access themselves. Most were probably providing 1 month of early access without allowing shipping patches early to match the previous Android security update system which worked that way.

It's important to bear in mind that the previous system was Google sharing patches with all of the OEMs 1 month early without allowing shipping patches early. The new system avoids this period of time where the patches are widely shared but aren't allowed to be shipped, so our security preview releases are a substantial effort over the previous status quo. The new system also means Google is often sharing patches with OEMs earlier since they have more time to adjust or retract them before they're officially released. It's up to each OEM if they want to take the stability risk of shipping them early and how early they want to ship them. These patches generally don't cause any major issues as they're already tested before being shared, but it was relatively common for patches to be changed or retracted due to regressions even in the previous 1 month early access system.

The embargo shouldn't be nearly as long as it is and we'd prefer 1 week or less ourselves. The reason it's so long is because OEMs were not even capable of keeping up with the monthly patches with 1 month of early access. Google changed the system to make it easier for OEMs to keep up with the official pace by having 3 months of early access to most patches instead of 1 combined with only being expected to do 4 security updates per year rather than 12. Doing it properly means releasing all of the patches shortly after receiving them. There are more frequent security updates than before when doing that since patches are gradually added during the 3 month preview period for quarterly and monthly updates, until it's frozen around 1 month ahead. After our 2025100300 release, 5 patches were added to the December bulletin and 1 was temporarily retracted so our 2025100900 release has a total of 4 more High severity patches. The retracted one was because it did not correctly fix the issue and will be added to a future monthly or quarterly release, which we'll receive early access to and will be able to add back as soon as possible. We could also investigate fixing it properly ourselves.

DeletedUser481

It's a double-edged sword really. But as long as all the previous preview builds can be reproduced after the embargo ends its fine imo.