questions about updates and open source

polymer_wildcat

Security preview releases are off by default but we recommend enabling it.

Haven't seen what's used during installation screen, since i don't want to reinstall OS.
But once i've pressed the notification today, it was:

Enabled by default
Recommended

At least in notification it definitely feels recommended and opt-out, despite technically being explicit to choose until you press save button - clueless or old people will just blindly trust your recommendations.

My question is, why would you RECOMMEND trust-me-bro unverifiable closed source code for supposed 3 month security benefit?

DeletedUser481

polymer_wildcat

As long all the past security builds can be reproduced after the sources are released, I don't really see a big problem for most people. But it needs to be verifiable. Otherwise there is a risk of government infiltration. GrapheneOS is the most secure operating system there is, which also makes it the biggest target. If the source code of released builds can't be verified in a reasonable amount of time (or at all), it would be problematic and will make people suspicious.

raccoondad

polymer_wildcat My question is, why would you RECOMMEND trust-me-bro unverifiable closed source code for supposed 3 month security benefit?

Recommending applying security patches by the vendor of the device you are using should answer itself, no?

W1zardK1ng

polymer_wildcat In that case you should build every app you use, including GrapheneOS, on your own. That's the only way to ensure that you are running the exact code you reviewed. Ultimately, much of our reliance is on a "trust me, bro" basis. Like many others, I trust GrapheneOS, but trust isn't established overnight.

GrapheneOS

polymer_wildcat Security preview releases are disabled by default, as existing users can see from it not being enabled by default. Our Setup Wizard can provide recommendations which are different from the defaults which is what we've done here. Security preview releases are recommended and that's how we designed the Setup Wizard page. The page shown from the notification is nearly identical to the Setup Wizard page with a Save button for persisting either enabling or disabling it. Leaving the page from the notification without choosing either leaves it disabled, since that's the default. The notification will be shown again each boot until users choose either enabled or disabled via that page or the update settings.

Open source software is not inherently trustworthy and does not inherently provide better privacy or security. The security preview releases can in fact be reviewed and verified. The regular releases can be compared to the security preview releases to determine the differences, and then those differences can be reverse engineer and fully understood. This is very doable and practical, unlike verifying millions of lines of open source code which is not realistic and not actually going to happen. You're not verifying all of the Linux kernel, AOSP, Chromium and other source code. You're putting your faith in it because it's open source and you think open source is good rather than because of verifying it rather than trusting.

Security preview releases provide a bunch of important upcoming Android security patches up to 3 months early and definitely do provide a substantial privacy and security benefit through doing that. The security preview releases are made by applying the set of security patches we've received early on top of the regular release tags. We've tagged the exact set of patches we used for each security preview release and will release those with the script for applying them as soon as the embargo ends, which means the builds can be reproduced once that happens. The differences between the regular and security preview releases are tiny due to being limited to these patches so it's already very straightforward to compare the releases due to reproducible builds. Only components which were changed by the patches will be different, and the differences for those are as minimal as possible.

The hardware and firmware is not open source and neither are some of the driver support libraries, but you're still using those and the official updates to the firmware and driver libraries. There aren't any open source hardware/firmware devices we could be using instead.

JustBeginnez

DeletedUser481

The three-month embargo period is too long, and I believe there is a high risk that malicious third parties, such as governments, could exploit the vulnerability.

The new security patch preview is delayed open source, meaning it won't be released immediately but will eventually become open source.
I prefer this approach over leaving vulnerabilities unpatched for three months.

Meatheadmarty

JustBeginnez i think this is probably how i feel but would like a hash in that casee just so i can compare what i applied to what is later released.

GrapheneOS

JustBeginnez People can make the decision for themselves, but we think most people should use the security preview releases. The privacy and security patches being shared with OEMs up to 3 months early are all categorized High and Critical severity. For Android 16, there's currently 1 Critical severity patch and 58 High severity patches for the AOSP userspace. For GrapheneOS, 1 of those High severity patches has been applied to our regular releases since we determined it was already publicly disclosed.

All of the core kernel security patches in the upcoming bulletins were already shipped by GrapheneOS in the regular releases, which is how it always works in practice. It's only the AOSP userspace patches which are needed.

The small amount of vendor patches in the Android Security Bulletins are listed as part of the early access but early access to those has to come from the vendors and those companies choose how long to provide early access themselves. Most were probably providing 1 month of early access without allowing shipping patches early to match the previous Android security update system which worked that way.

It's important to bear in mind that the previous system was Google sharing patches with all of the OEMs 1 month early without allowing shipping patches early. The new system avoids this period of time where the patches are widely shared but aren't allowed to be shipped, so our security preview releases are a substantial effort over the previous status quo. The new system also means Google is often sharing patches with OEMs earlier since they have more time to adjust or retract them before they're officially released. It's up to each OEM if they want to take the stability risk of shipping them early and how early they want to ship them. These patches generally don't cause any major issues as they're already tested before being shared, but it was relatively common for patches to be changed or retracted due to regressions even in the previous 1 month early access system.

The embargo shouldn't be nearly as long as it is and we'd prefer 1 week or less ourselves. The reason it's so long is because OEMs were not even capable of keeping up with the monthly patches with 1 month of early access. Google changed the system to make it easier for OEMs to keep up with the official pace by having 3 months of early access to most patches instead of 1 combined with only being expected to do 4 security updates per year rather than 12. Doing it properly means releasing all of the patches shortly after receiving them. There are more frequent security updates than before when doing that since patches are gradually added during the 3 month preview period for quarterly and monthly updates, until it's frozen around 1 month ahead. After our 2025100300 release, 5 patches were added to the December bulletin and 1 was temporarily retracted so our 2025100900 release has a total of 4 more High severity patches. The retracted one was because it did not correctly fix the issue and will be added to a future monthly or quarterly release, which we'll receive early access to and will be able to add back as soon as possible. We could also investigate fixing it properly ourselves.

DeletedUser481

It's a double-edged sword really. But as long as all the previous preview builds can be reproduced after the embargo ends its fine imo.

GrapheneOS

W1zardK1ng Building from source doesn't really mean anything if the sources haven't been thoroughly reviewed. Thoroughly reviewing many millions of lines of source code is dramatically harder and not practical compared to comparing our regular and security preview releases to determine what was changed. Source code is NOT required to analyze what changed and it's a very small scale of changes. There are 59 userspace patches applicable to Android 16 which are not making deep changes or changing how things are built as a whole. None are huge patches. One of those patches is not applicable to GrapheneOS since it was publicly available and we shipped it for the regular releases. We can potentially do this with a few more too.

The kernel patches listed in the upcoming bulletins were already part of the regular releases a while ago so only the userspace patches are relevant. In general, they publish their own kernel patches right away and don't wait for OS releases and they have no control over kernel patches not made by Android.

Meatheadmarty

GrapheneOS

I suppose I meant something slightly different.

I mean that if I enable the security preview (to patch critical bugs that OEMs know about and therefore would be knowable to many governments and others), then I am downloading a particular patch early and applying it, without source code being released.

It's very unlikely probably, but I could see this as a way to attack users using threats or coercision. For example, if there were a world war and some societal choas, which isn't an impossible scenario, and the military came and they say "You need to change this patch to something with a backdoor or we will kill all of these puppies and kittens that we've brought with us" and the developer implemented the backdoor because of this threat, and later released open source code, and the open source code didn't have the backdoor, how would the target know that the closed upgrade they downloaded didn't match the open source code later?

So is there was a way to download the code first, check a hash for it, and then apply it, then even if the source code were temporarily closed, I could always check the hash with what was released later? In a worst case scenario it could mean being compromised for a month or two and I would learn about this after the open source code is published.

However, if there is no hash and the source code is open later, I don't know if there is a way to compare what was previously applied. A one month compromise would be less concerning to me than a one year compromise. I also currently do not have that high of a threat model but still value privacy.

Thank you to GrapheneOS and developers for continuing to code during these extraordinary times. I know you have said that forking would not be possible. I do worry for the future of the project with Google escalating hostility towards FOSS and privacy but hope it continues. I also hope that GOS developers can provide their expertise to FOSS mobile developers if requested so that mobile linux will eventually become more robust and usable. I have tried Postmarket OS and Mobian and others before and, back when I tried them they were quite horrible, but Rome wasn't built in a day and something has to start somewhere. GOS is generally a usable operating system for most things, and much safer in BFU than other options, and I appreciate the effort and extra security and features during these challenging times.

Upstate1618

Meatheadmarty gos is reproducible. You can save every factory image and do reproducible builds once embargo ends.

Upstate1618

workeronthewalls If you don't trust gos, you should do reproducible build as well as audit the whole project yourself to ensure you're secure with gos. If you have not done this for regular builds, then you are trusting gos indeed and there's little reason to worry about security preview builds.

Meatheadmarty

GrapheneOS I don't understand how this would be possible.

So I have regular graphene and enable security preview and then this would be updated with a patch without source code.

Then I have a patched security updates pixel.

So three months later, I would take the script and run it on a seperate GOS pixel without the security update, and then ince this script is done, I then export both images from both pixel phones, hash them, and compare them?

Can images of the entire pixel phone even be exported to hash like that?

Even if I trust GOS developers it would be impirtant for me to be able to theoretically compare hashes or compare values somehow and know that I can do it.

I agree that assuming others will verify source code is not always a good assumltion, but also when backdoors have been put into open source code, like xz utils, it got discovered at the Arch level (which is almost bleeding edge linux) and didn't make it to stable distros. I do think open source hacks are more likely to be noticed, but perhaps that isn't accurate.

polymer_wildcat

GrapheneOS
Thank you for the answer!
Personally, it did opposite of inspiring confidence in decision for such recommendation, but people are different i guess.

The hardware and firmware is not open source and neither are some of the driver support libraries, but you're still using those and the official updates to the firmware and driver libraries. There aren't any open source hardware/firmware devices we could be using instead.

Yes, that's our biggest problem overall right now, in my opinion.
Unfortunately it's outside of discussion, since there's currently no choice, and it's very hard to break that specific dam.

In the future hopefully at lest open source firmware will be widely available norm in some decent devices - the second it will be a thing - i'll definitely switch to such device.

Open-source hardware however is extremely hard problem, given how complex and micro-level modern processors are , especially hard to the point of being nearly impossible is verifiability for the lack of tampering during production / supply chain of chips and boards. As far as i know there are very very very few people working on finding solution for that problem and at best it's very low-tech prototypes so far, just to prove a point.

GrapheneOS

Meatheadmarty Due to reproducible builds, people can already compare the regular releases to the security preview releases to review the small set of changes made by the patches. All of the differences between them are due to the patches, which aren't a large amount of changes and don't change how things are fundamentally built, etc. You can check the current hash of the entire OS via the Auditor verified boot hash, which can be compared to other devices or the factory images and update packages available for download from our update server.

Once the embargo ends, we'll publish the patches and script used to apply them for each security preview release we made and people can reproduce the builds if they want. However, that's not needed to review them and determine what was changed. The builds are not opaque and it's easy to see what was changed due to the fact we have the regular releases side-by-side with 0 differences other than the patches. Build date and build number are also incremented by 1 which doesn't change the built code.

I agree that assuming others will verify source code is not always a good assumltion, but also when backdoors have been put into open source code, like xz utils, it got discovered at the Arch level (which is almost bleeding edge linux) and didn't make it to stable distros. I do think open source hacks are more likely to be noticed, but perhaps that isn't accurate.

This was not discovered via the backdoored source code but rather via the behavior of the binaries built by distributions. The binaries were reviewed after it was found, and then sources, which led to it being discovered they'd been building a complex backdoor into the source code out in the open for a long period of time without it being spotted. The final deployment involved a shortcut of the source tarballs not matching the repository, demonstrating no one reviews the source tarballs or tried to reproduce generating them. However, they could have continued doing what they were already doing and done it via the Git repository which already contained the backdoors and just not quite everything needed to activate it. The way they ended up doing it via modified source tarballs was riskier and more likely to be detected. It seems they did that as a shortcut due to a deadline but it was not their mistake leading to discovery. The mistake leading to discovery was that it performed very badly and added substantial overhead to every SSH login attempt, which resulted in it being noticed and investigated. If they had avoided this problem, which would have been quite easy, it would have lasted longer before discovery, likely much longer. Avoiding what they did with the source tarballs near the end also would have reduced chance of discovery. It's entirely possible it still wouldn't have been noticed if they hadn't made these errors of judgement.

GrapheneOS

polymer_wildcat You don't have to use the security preview releases if you don't want to use them. You aren't missing out on something which would be available via any other alternate OS. Stock Pixel OS and Samsung flagships are only shipping a small subset of these patches yearly at most. Other OEMs do not appear to be shipping any of the patches early. Some of the patches are for external projects so if they're already public we can ship them early, but in some cases the disclosure may be coordinated with Android in which case we need to wait until it's public somewhere.

workeronthewalls

GrapheneOS
A 1 month embargo that existed for years is of course also bad, but a 3 month embargo is just kinda like a nuclear bomb on top of it. Like I and also other people said: 3 months is just too much time.
I know, it's not your fault, but Google's, but that still doesn't change the situation.

And you are talking here and there about reverse engineering but if I haven't overseen it, you still haven't told anyone how much time is needed to reverse engineer a closed source update from GrapheneOS in the future. I understand that it depends on the specific update, but what would your guess be:
How many people and for how long would they need to work on trying to reverse engineer a closed source GrapheneOS update in the future?
Because if you would need a really big team of experts and then also about 3 months of full time work to do it, just hypothetically...I don't really know, then there is really no point of even trying to reverse engineer the closed source GrapheneOS patches if they become public anyway in 3 months.

Another question that I have is: If it is that way that first only Google has the security patches/vulnerability information, then I would assume before they would share it with OEMs, they would first share it with the intelligence agencies and only then with the OEMs, right?
So GrapheneOS can't protect anyone from intelligence agencies anyway, or at least not from the bigger ones.
So what is really the point of going closed source, if probably the only bad actors left will be the non-intelligence-agency-bad-actors. And those "private bad actors" aren't probably making the exploits from the fresh vulnerabilities very fast, so in a sense even waiting 3 months doesn't matter that much, or am I wrong here?

GrapheneOS

workeronthewalls 1 month was also far too much time and our security preview releases eliminate having any delay beyond how long it takes us to integrate the patches and ship a release, which can be done in under a single day if we're prioritizing it.

Read the post at https://discuss.grapheneos.org/d/27068-grapheneos-security-preview-releases/31 from ryrona about reverse engineering the patches for everything related to that.

Bear in mind there are many millions of lines of open source code in the OS which massive upstream changes compared to the small scale of ₆₀ fairly small patches for December 2025.

Another question that I have is: If it is that way that first only Google has the security patches/vulnerability information, then I would assume before they would share it with OEMs, they would first share it with the intelligence agencies and only then with the OEMs, right?

They do not share it with intelligence agencies. If you're claiming that intelligence agencies are paying people at companies to leak them information, that's possible, but it doesn't mean it's happening and there's no reason it would be specific to Google. Google does discover a lot of the issues themselves but a lot is discovered externally and reported to them. Since it takes time to fix the issues and then ship patches, there are often duplicate reports.

So GrapheneOS can't protect anyone from intelligence agencies anyway, or at least not from the bigger ones.

Not accurate even if they did have early access. That doesn't imply getting working exploits bypassing all the exploit protections, sandboxing, etc.

So what is really the point of going closed source, if probably the only bad actors left will be the non-intelligence-agency-bad-actors. And those "private bad actors" aren't probably making the exploits from the fresh vulnerabilities very fast, so in a sense even waiting 3 months doesn't matter that much, or am I wrong here?

GrapheneOS has not become closed source. If you don't want to use the security preview releases where the patches come later, then don't use them. You can pretend they don't exist and have exactly what you had before we started providing these recently.

workeronthewalls

GrapheneOS They do not share it with intelligence agencies.

First of all: Now that's a bold statement.
How exactly do you know that Google isn't sharing information on vulnerabilities with the intelligence agencies before they share it with OEMs?

And in general: Even if there is still the open source version, without the closed source security patches, just by thinking about the psychology here and I mean that of course most people that are interested in the most secure mobile operating system (GrapheneOS) and maybe even developed trust for it by using it for a long time and hearing mostly good stuff about it, wouldn't really choose the less secure open source version, especially not if the closed source patches are even recommended.
If I would work at an intelligence agency I would get to that assessment really fast.
And for an intelligence agency it's a game of numbers: "Do I get everyone? Probably no. But I get many or even most of them. And some of the rest I maybe even get through the people I already catched with the first trap."
Maybe it's also kinda a panic button for intelligence agencies, which they are not really intending to use right now, but having it available in their arsenal. In that scenario they would, like in the famous security meme, just come to you, hold a gun to your head or similar and force you to install a backdoor through the closed source patches. Would that be the end of GrapheneOS? Probably. But that's kinda what panic buttons are known for I guess.

Long story short: I will not say that you are compromised by the intelligence agencies, but as someone interested in security I learned very fast to expect the worst if you can't proof something better. And I can't proof that you are compromised by the intelligence agencies, but I also can't proof that you aren't, although when you went open source only (except some hardware stuff), I guess we came pretty close to the proof that you aren't compromised.

GrapheneOS

workeronthewalls

First of all: Now that's a bold statement.
How exactly do you know that Google isn't sharing information on vulnerabilities with the intelligence agencies before they share it with OEMs?

No, you're making the extraordinarily claim not backed by any evidence and contradicted by leaks. The burden of proof is on you.

And in general: Even if there is still the open source version, without the closed source security patches, just by thinking about the psychology here and I mean that of course most people that are interested in the most secure mobile operating system (GrapheneOS) and maybe even developed trust for it by using it for a long time and hearing mostly good stuff about it, wouldn't really choose the less secure open source version, especially not if the closed source patches are even recommended.

The regular variant is open source with tags pushed before it's released. The security preview variant is nearly entirely the same but with patches applied on top of the code from those tags which are provided under an NDA requiring publishing the sources at a later date. The sources for each security preview release will be published by publishing the patches and the script for applying them once the embargo ends. It will be open source as soon as permitted by the NDA for the patches.

If I would work at an intelligence agency I would get to that assessment really fast.
And for an intelligence agency it's a game of numbers: "Do I get everyone? Probably no. But I get many or even most of them. And some of the rest I maybe even get through the people I already catched with the first trap."
Maybe it's also kinda a panic button for intelligence agencies, which they are not really intending to use right now, but having it available in their arsenal. In that scenario they would, like in the famous security meme, just come to you, hold a gun to your head or similar and force you to install a backdoor through the closed source patches. Would that be the end of GrapheneOS? Probably. But that's kinda what panic buttons are known for I guess.

Long story short: I will not say that you are compromised by the intelligence agencies, but as someone interested in security I learned very fast to expect the worst if you can't proof something better. And I can't proof that you are compromised by the intelligence agencies, but I also can't proof that you aren't, although when you went open source only (except some hardware stuff), I guess we came pretty close to the proof that you aren't compromised.

You've ignored what was posted about and posted unsubstantiated nonsense. You only need to do basic critical thinking to see that you're thoroughly incorrect. All of the patches which are under embargo are for vulnerabilities in open source code. You have all of the open source code with those vulnerabilities. If open source works the way you believe it does, then people should be able to find and fix all of these vulnerabilities very easily. You don't need the patches for the open source code because you already have the open source code, and according to you that means people will find the vulnerabilities or backdoors in it. Therefore, it should already all be found and fixed already. Why are there still security vulnerabilities being fixed in open source projects if it works the way you believe?

It's far more difficult to understand a million lines out of the many millions of lines of open source code in the Linux kernel, LLVM, AOSP, etc. than it is to reverse engineer ₆₀ patches for the upcoming bulletins. They're the ONLY changes in the security preview releases compared to the regular releases, so ALL differences in the compiled code are a consequence of applying the patches. You have access to the code to review and determine what the patches do, why and if they're correct/complete fixes. That's a far easier task than reviewing a massive amount of open source code at even a surface level without any hope of finding most vulnerabilities.

The source code of the patches is not inherently understandable to developers and they'd need to do a form of reverse engineering to figure out what they do and why. Doing it from the compiled code isn't actually as different as you believe it is. The patches do not come with a detailed explanation of the security issues they're fixing and how they're fixing them. They're source code with a basic commit message explaining what it's doing and rarely with much detail on it. You can take a look at the already public patches from the September 2025 bulletin for many examples. Have you reviewed those patches? Have you reviewed the changes made by us in our releases? Why is it trustworthy because it's source code instead of compiled code? Both can be reviewed. Having the source code makes it easier, that's all. There are only ₆₀ patches applied on top of the regular releases for this. It's not a lot of code in total and therefore far easier than reviewing a large amount of open source code.

Your claims about this do not make sense and you're not participating as someone who appears to be acting in good faith. Making unsubstantiated and illogical claims disregarding what has been discussed isn't appropriate. It appears to be concern trolling now.

« Previous Page Next Page »