questions about updates and open source

W1zardK1ng

polymer_wildcat In that case you should build every app you use, including GrapheneOS, on your own. That's the only way to ensure that you are running the exact code you reviewed. Ultimately, much of our reliance is on a "trust me, bro" basis. Like many others, I trust GrapheneOS, but trust isn't established overnight.

GrapheneOS

W1zardK1ng Building from source doesn't really mean anything if the sources haven't been thoroughly reviewed. Thoroughly reviewing many millions of lines of source code is dramatically harder and not practical compared to comparing our regular and security preview releases to determine what was changed. Source code is NOT required to analyze what changed and it's a very small scale of changes. There are 59 userspace patches applicable to Android 16 which are not making deep changes or changing how things are built as a whole. None are huge patches. One of those patches is not applicable to GrapheneOS since it was publicly available and we shipped it for the regular releases. We can potentially do this with a few more too.

The kernel patches listed in the upcoming bulletins were already part of the regular releases a while ago so only the userspace patches are relevant. In general, they publish their own kernel patches right away and don't wait for OS releases and they have no control over kernel patches not made by Android.

Meatheadmarty

GrapheneOS

I suppose I meant something slightly different.

I mean that if I enable the security preview (to patch critical bugs that OEMs know about and therefore would be knowable to many governments and others), then I am downloading a particular patch early and applying it, without source code being released.

It's very unlikely probably, but I could see this as a way to attack users using threats or coercision. For example, if there were a world war and some societal choas, which isn't an impossible scenario, and the military came and they say "You need to change this patch to something with a backdoor or we will kill all of these puppies and kittens that we've brought with us" and the developer implemented the backdoor because of this threat, and later released open source code, and the open source code didn't have the backdoor, how would the target know that the closed upgrade they downloaded didn't match the open source code later?

So is there was a way to download the code first, check a hash for it, and then apply it, then even if the source code were temporarily closed, I could always check the hash with what was released later? In a worst case scenario it could mean being compromised for a month or two and I would learn about this after the open source code is published.

However, if there is no hash and the source code is open later, I don't know if there is a way to compare what was previously applied. A one month compromise would be less concerning to me than a one year compromise. I also currently do not have that high of a threat model but still value privacy.

Thank you to GrapheneOS and developers for continuing to code during these extraordinary times. I know you have said that forking would not be possible. I do worry for the future of the project with Google escalating hostility towards FOSS and privacy but hope it continues. I also hope that GOS developers can provide their expertise to FOSS mobile developers if requested so that mobile linux will eventually become more robust and usable. I have tried Postmarket OS and Mobian and others before and, back when I tried them they were quite horrible, but Rome wasn't built in a day and something has to start somewhere. GOS is generally a usable operating system for most things, and much safer in BFU than other options, and I appreciate the effort and extra security and features during these challenging times.

Upstate1618

Meatheadmarty gos is reproducible. You can save every factory image and do reproducible builds once embargo ends.

Meatheadmarty

JustBeginnez i think this is probably how i feel but would like a hash in that casee just so i can compare what i applied to what is later released.

Upstate1618

workeronthewalls If you don't trust gos, you should do reproducible build as well as audit the whole project yourself to ensure you're secure with gos. If you have not done this for regular builds, then you are trusting gos indeed and there's little reason to worry about security preview builds.

GrapheneOS

polymer_wildcat Security preview releases are disabled by default, as existing users can see from it not being enabled by default. Our Setup Wizard can provide recommendations which are different from the defaults which is what we've done here. Security preview releases are recommended and that's how we designed the Setup Wizard page. The page shown from the notification is nearly identical to the Setup Wizard page with a Save button for persisting either enabling or disabling it. Leaving the page from the notification without choosing either leaves it disabled, since that's the default. The notification will be shown again each boot until users choose either enabled or disabled via that page or the update settings.

Open source software is not inherently trustworthy and does not inherently provide better privacy or security. The security preview releases can in fact be reviewed and verified. The regular releases can be compared to the security preview releases to determine the differences, and then those differences can be reverse engineer and fully understood. This is very doable and practical, unlike verifying millions of lines of open source code which is not realistic and not actually going to happen. You're not verifying all of the Linux kernel, AOSP, Chromium and other source code. You're putting your faith in it because it's open source and you think open source is good rather than because of verifying it rather than trusting.

Security preview releases provide a bunch of important upcoming Android security patches up to 3 months early and definitely do provide a substantial privacy and security benefit through doing that. The security preview releases are made by applying the set of security patches we've received early on top of the regular release tags. We've tagged the exact set of patches we used for each security preview release and will release those with the script for applying them as soon as the embargo ends, which means the builds can be reproduced once that happens. The differences between the regular and security preview releases are tiny due to being limited to these patches so it's already very straightforward to compare the releases due to reproducible builds. Only components which were changed by the patches will be different, and the differences for those are as minimal as possible.

The hardware and firmware is not open source and neither are some of the driver support libraries, but you're still using those and the official updates to the firmware and driver libraries. There aren't any open source hardware/firmware devices we could be using instead.

Meatheadmarty

GrapheneOS I don't understand how this would be possible.

So I have regular graphene and enable security preview and then this would be updated with a patch without source code.

Then I have a patched security updates pixel.

So three months later, I would take the script and run it on a seperate GOS pixel without the security update, and then ince this script is done, I then export both images from both pixel phones, hash them, and compare them?

Can images of the entire pixel phone even be exported to hash like that?

Even if I trust GOS developers it would be impirtant for me to be able to theoretically compare hashes or compare values somehow and know that I can do it.

I agree that assuming others will verify source code is not always a good assumltion, but also when backdoors have been put into open source code, like xz utils, it got discovered at the Arch level (which is almost bleeding edge linux) and didn't make it to stable distros. I do think open source hacks are more likely to be noticed, but perhaps that isn't accurate.

polymer_wildcat

GrapheneOS
Thank you for the answer!
Personally, it did opposite of inspiring confidence in decision for such recommendation, but people are different i guess.

The hardware and firmware is not open source and neither are some of the driver support libraries, but you're still using those and the official updates to the firmware and driver libraries. There aren't any open source hardware/firmware devices we could be using instead.

Yes, that's our biggest problem overall right now, in my opinion.
Unfortunately it's outside of discussion, since there's currently no choice, and it's very hard to break that specific dam.

In the future hopefully at lest open source firmware will be widely available norm in some decent devices - the second it will be a thing - i'll definitely switch to such device.

Open-source hardware however is extremely hard problem, given how complex and micro-level modern processors are , especially hard to the point of being nearly impossible is verifiability for the lack of tampering during production / supply chain of chips and boards. As far as i know there are very very very few people working on finding solution for that problem and at best it's very low-tech prototypes so far, just to prove a point.

GrapheneOS

Meatheadmarty Due to reproducible builds, people can already compare the regular releases to the security preview releases to review the small set of changes made by the patches. All of the differences between them are due to the patches, which aren't a large amount of changes and don't change how things are fundamentally built, etc. You can check the current hash of the entire OS via the Auditor verified boot hash, which can be compared to other devices or the factory images and update packages available for download from our update server.

Once the embargo ends, we'll publish the patches and script used to apply them for each security preview release we made and people can reproduce the builds if they want. However, that's not needed to review them and determine what was changed. The builds are not opaque and it's easy to see what was changed due to the fact we have the regular releases side-by-side with 0 differences other than the patches. Build date and build number are also incremented by 1 which doesn't change the built code.

I agree that assuming others will verify source code is not always a good assumltion, but also when backdoors have been put into open source code, like xz utils, it got discovered at the Arch level (which is almost bleeding edge linux) and didn't make it to stable distros. I do think open source hacks are more likely to be noticed, but perhaps that isn't accurate.

This was not discovered via the backdoored source code but rather via the behavior of the binaries built by distributions. The binaries were reviewed after it was found, and then sources, which led to it being discovered they'd been building a complex backdoor into the source code out in the open for a long period of time without it being spotted. The final deployment involved a shortcut of the source tarballs not matching the repository, demonstrating no one reviews the source tarballs or tried to reproduce generating them. However, they could have continued doing what they were already doing and done it via the Git repository which already contained the backdoors and just not quite everything needed to activate it. The way they ended up doing it via modified source tarballs was riskier and more likely to be detected. It seems they did that as a shortcut due to a deadline but it was not their mistake leading to discovery. The mistake leading to discovery was that it performed very badly and added substantial overhead to every SSH login attempt, which resulted in it being noticed and investigated. If they had avoided this problem, which would have been quite easy, it would have lasted longer before discovery, likely much longer. Avoiding what they did with the source tarballs near the end also would have reduced chance of discovery. It's entirely possible it still wouldn't have been noticed if they hadn't made these errors of judgement.

GrapheneOS

JustBeginnez People can make the decision for themselves, but we think most people should use the security preview releases. The privacy and security patches being shared with OEMs up to 3 months early are all categorized High and Critical severity. For Android 16, there's currently 1 Critical severity patch and 58 High severity patches for the AOSP userspace. For GrapheneOS, 1 of those High severity patches has been applied to our regular releases since we determined it was already publicly disclosed.

All of the core kernel security patches in the upcoming bulletins were already shipped by GrapheneOS in the regular releases, which is how it always works in practice. It's only the AOSP userspace patches which are needed.

The small amount of vendor patches in the Android Security Bulletins are listed as part of the early access but early access to those has to come from the vendors and those companies choose how long to provide early access themselves. Most were probably providing 1 month of early access without allowing shipping patches early to match the previous Android security update system which worked that way.

It's important to bear in mind that the previous system was Google sharing patches with all of the OEMs 1 month early without allowing shipping patches early. The new system avoids this period of time where the patches are widely shared but aren't allowed to be shipped, so our security preview releases are a substantial effort over the previous status quo. The new system also means Google is often sharing patches with OEMs earlier since they have more time to adjust or retract them before they're officially released. It's up to each OEM if they want to take the stability risk of shipping them early and how early they want to ship them. These patches generally don't cause any major issues as they're already tested before being shared, but it was relatively common for patches to be changed or retracted due to regressions even in the previous 1 month early access system.

The embargo shouldn't be nearly as long as it is and we'd prefer 1 week or less ourselves. The reason it's so long is because OEMs were not even capable of keeping up with the monthly patches with 1 month of early access. Google changed the system to make it easier for OEMs to keep up with the official pace by having 3 months of early access to most patches instead of 1 combined with only being expected to do 4 security updates per year rather than 12. Doing it properly means releasing all of the patches shortly after receiving them. There are more frequent security updates than before when doing that since patches are gradually added during the 3 month preview period for quarterly and monthly updates, until it's frozen around 1 month ahead. After our 2025100300 release, 5 patches were added to the December bulletin and 1 was temporarily retracted so our 2025100900 release has a total of 4 more High severity patches. The retracted one was because it did not correctly fix the issue and will be added to a future monthly or quarterly release, which we'll receive early access to and will be able to add back as soon as possible. We could also investigate fixing it properly ourselves.

GrapheneOS

polymer_wildcat You don't have to use the security preview releases if you don't want to use them. You aren't missing out on something which would be available via any other alternate OS. Stock Pixel OS and Samsung flagships are only shipping a small subset of these patches yearly at most. Other OEMs do not appear to be shipping any of the patches early. Some of the patches are for external projects so if they're already public we can ship them early, but in some cases the disclosure may be coordinated with Android in which case we need to wait until it's public somewhere.

workeronthewalls

GrapheneOS
A 1 month embargo that existed for years is of course also bad, but a 3 month embargo is just kinda like a nuclear bomb on top of it. Like I and also other people said: 3 months is just too much time.
I know, it's not your fault, but Google's, but that still doesn't change the situation.

And you are talking here and there about reverse engineering but if I haven't overseen it, you still haven't told anyone how much time is needed to reverse engineer a closed source update from GrapheneOS in the future. I understand that it depends on the specific update, but what would your guess be:
How many people and for how long would they need to work on trying to reverse engineer a closed source GrapheneOS update in the future?
Because if you would need a really big team of experts and then also about 3 months of full time work to do it, just hypothetically...I don't really know, then there is really no point of even trying to reverse engineer the closed source GrapheneOS patches if they become public anyway in 3 months.

Another question that I have is: If it is that way that first only Google has the security patches/vulnerability information, then I would assume before they would share it with OEMs, they would first share it with the intelligence agencies and only then with the OEMs, right?
So GrapheneOS can't protect anyone from intelligence agencies anyway, or at least not from the bigger ones.
So what is really the point of going closed source, if probably the only bad actors left will be the non-intelligence-agency-bad-actors. And those "private bad actors" aren't probably making the exploits from the fresh vulnerabilities very fast, so in a sense even waiting 3 months doesn't matter that much, or am I wrong here?

GrapheneOS

workeronthewalls 1 month was also far too much time and our security preview releases eliminate having any delay beyond how long it takes us to integrate the patches and ship a release, which can be done in under a single day if we're prioritizing it.

Read the post at https://discuss.grapheneos.org/d/27068-grapheneos-security-preview-releases/31 from ryrona about reverse engineering the patches for everything related to that.

Bear in mind there are many millions of lines of open source code in the OS which massive upstream changes compared to the small scale of ₆₀ fairly small patches for December 2025.

Another question that I have is: If it is that way that first only Google has the security patches/vulnerability information, then I would assume before they would share it with OEMs, they would first share it with the intelligence agencies and only then with the OEMs, right?

They do not share it with intelligence agencies. If you're claiming that intelligence agencies are paying people at companies to leak them information, that's possible, but it doesn't mean it's happening and there's no reason it would be specific to Google. Google does discover a lot of the issues themselves but a lot is discovered externally and reported to them. Since it takes time to fix the issues and then ship patches, there are often duplicate reports.

So GrapheneOS can't protect anyone from intelligence agencies anyway, or at least not from the bigger ones.

Not accurate even if they did have early access. That doesn't imply getting working exploits bypassing all the exploit protections, sandboxing, etc.

So what is really the point of going closed source, if probably the only bad actors left will be the non-intelligence-agency-bad-actors. And those "private bad actors" aren't probably making the exploits from the fresh vulnerabilities very fast, so in a sense even waiting 3 months doesn't matter that much, or am I wrong here?

GrapheneOS has not become closed source. If you don't want to use the security preview releases where the patches come later, then don't use them. You can pretend they don't exist and have exactly what you had before we started providing these recently.

workeronthewalls

GrapheneOS They do not share it with intelligence agencies.

First of all: Now that's a bold statement.
How exactly do you know that Google isn't sharing information on vulnerabilities with the intelligence agencies before they share it with OEMs?

And in general: Even if there is still the open source version, without the closed source security patches, just by thinking about the psychology here and I mean that of course most people that are interested in the most secure mobile operating system (GrapheneOS) and maybe even developed trust for it by using it for a long time and hearing mostly good stuff about it, wouldn't really choose the less secure open source version, especially not if the closed source patches are even recommended.
If I would work at an intelligence agency I would get to that assessment really fast.
And for an intelligence agency it's a game of numbers: "Do I get everyone? Probably no. But I get many or even most of them. And some of the rest I maybe even get through the people I already catched with the first trap."
Maybe it's also kinda a panic button for intelligence agencies, which they are not really intending to use right now, but having it available in their arsenal. In that scenario they would, like in the famous security meme, just come to you, hold a gun to your head or similar and force you to install a backdoor through the closed source patches. Would that be the end of GrapheneOS? Probably. But that's kinda what panic buttons are known for I guess.

Long story short: I will not say that you are compromised by the intelligence agencies, but as someone interested in security I learned very fast to expect the worst if you can't proof something better. And I can't proof that you are compromised by the intelligence agencies, but I also can't proof that you aren't, although when you went open source only (except some hardware stuff), I guess we came pretty close to the proof that you aren't compromised.

GrapheneOS

workeronthewalls

First of all: Now that's a bold statement.
How exactly do you know that Google isn't sharing information on vulnerabilities with the intelligence agencies before they share it with OEMs?

No, you're making the extraordinarily claim not backed by any evidence and contradicted by leaks. The burden of proof is on you.

And in general: Even if there is still the open source version, without the closed source security patches, just by thinking about the psychology here and I mean that of course most people that are interested in the most secure mobile operating system (GrapheneOS) and maybe even developed trust for it by using it for a long time and hearing mostly good stuff about it, wouldn't really choose the less secure open source version, especially not if the closed source patches are even recommended.

The regular variant is open source with tags pushed before it's released. The security preview variant is nearly entirely the same but with patches applied on top of the code from those tags which are provided under an NDA requiring publishing the sources at a later date. The sources for each security preview release will be published by publishing the patches and the script for applying them once the embargo ends. It will be open source as soon as permitted by the NDA for the patches.

If I would work at an intelligence agency I would get to that assessment really fast.
And for an intelligence agency it's a game of numbers: "Do I get everyone? Probably no. But I get many or even most of them. And some of the rest I maybe even get through the people I already catched with the first trap."
Maybe it's also kinda a panic button for intelligence agencies, which they are not really intending to use right now, but having it available in their arsenal. In that scenario they would, like in the famous security meme, just come to you, hold a gun to your head or similar and force you to install a backdoor through the closed source patches. Would that be the end of GrapheneOS? Probably. But that's kinda what panic buttons are known for I guess.

Long story short: I will not say that you are compromised by the intelligence agencies, but as someone interested in security I learned very fast to expect the worst if you can't proof something better. And I can't proof that you are compromised by the intelligence agencies, but I also can't proof that you aren't, although when you went open source only (except some hardware stuff), I guess we came pretty close to the proof that you aren't compromised.

You've ignored what was posted about and posted unsubstantiated nonsense. You only need to do basic critical thinking to see that you're thoroughly incorrect. All of the patches which are under embargo are for vulnerabilities in open source code. You have all of the open source code with those vulnerabilities. If open source works the way you believe it does, then people should be able to find and fix all of these vulnerabilities very easily. You don't need the patches for the open source code because you already have the open source code, and according to you that means people will find the vulnerabilities or backdoors in it. Therefore, it should already all be found and fixed already. Why are there still security vulnerabilities being fixed in open source projects if it works the way you believe?

It's far more difficult to understand a million lines out of the many millions of lines of open source code in the Linux kernel, LLVM, AOSP, etc. than it is to reverse engineer ₆₀ patches for the upcoming bulletins. They're the ONLY changes in the security preview releases compared to the regular releases, so ALL differences in the compiled code are a consequence of applying the patches. You have access to the code to review and determine what the patches do, why and if they're correct/complete fixes. That's a far easier task than reviewing a massive amount of open source code at even a surface level without any hope of finding most vulnerabilities.

The source code of the patches is not inherently understandable to developers and they'd need to do a form of reverse engineering to figure out what they do and why. Doing it from the compiled code isn't actually as different as you believe it is. The patches do not come with a detailed explanation of the security issues they're fixing and how they're fixing them. They're source code with a basic commit message explaining what it's doing and rarely with much detail on it. You can take a look at the already public patches from the September 2025 bulletin for many examples. Have you reviewed those patches? Have you reviewed the changes made by us in our releases? Why is it trustworthy because it's source code instead of compiled code? Both can be reviewed. Having the source code makes it easier, that's all. There are only ₆₀ patches applied on top of the regular releases for this. It's not a lot of code in total and therefore far easier than reviewing a large amount of open source code.

Your claims about this do not make sense and you're not participating as someone who appears to be acting in good faith. Making unsubstantiated and illogical claims disregarding what has been discussed isn't appropriate. It appears to be concern trolling now.

workeronthewalls

GrapheneOS not backed by any evidence and contradicted by leaks. The burden of proof is on you.

Oh, okay, you can make a baseless claim, but I can't? Because you still didn't answer/shown any evidence on how exactly do you know that Google isn't sharing information on vulnerabilities with the intelligence agencies before they share it with OEMs?
Also I agree to a degree that claims should of course provide evidence. But especially in security and privacy, just alone remembering for example Edward Snowden, that before his revelations, some people knew that something was going on and to a degree even what was going on, but just because they didn't had the proof (or were afraid to share it) didn't mean they were wrong and history has shown it many times.
Especially regarding the intelligence agencies, we got the problem, that many things (not all obviously) will turn out the way how we think it is, but the hard facts for them often come to light many, many years later. So I also believe in providing proof, but that topic is not a black and white issue.

GrapheneOS You only need to do basic critical thinking to see that you're thoroughly incorrect. All of the patches which are under embargo are for vulnerabilities in open source code. You have all of the open source code with those vulnerabilities. If open source works the way you believe it does, then people should be able to find and fix all of these vulnerabilities very easily. You don't need the patches for the open source code because you already have the open source code, and according to you that means people will find the vulnerabilities or backdoors in it. Therefore, it should already all be found and fixed already. Why are there still security vulnerabilities being fixed in open source projects if it works the way you believe?

There is still a big difference:
While it is true, that open source is not perfect, it's still less likely that either a backdoor in general, but especially a really bad backdoor, can be implemented, or if implemented, that it will be found very late, especially in projects that are already somewhat big and additionally focusing on privacy and security like GrapheneOS. Only to very small projects, that also don't even have anything to do with privacy or security in general, the advantage of open source doesn't apply very strongly. But GrapheneOS as I see it, wants to become even bigger in the future, so here comes the advantage of open source into play very strongly.
But with closed source, there is probably a 99,9 percent chance, that it's possible for the intelligence agencies to make up a plan to force you into putting in a backdoor that would be probably very bad, judging by the available ressources of the intelligence agencies.
So like I said, open source is not perfect, but it is still far better in many cases, but especially in the case of GrapheneOS. It is a probability game in the end and I'll take my chances with open source any day of the week, if the project is somewhat big and additionally even focuses on privacy and security.
You might say: Then take the open source version of GrapheneOS. While yes, that is a possibility, the more import issue here is trust. Because trust is maybe the biggest factor in that probability game I was talking about. And can I trust people that started shipping closed source patches?
I don't know.
The story how it came to shipping closed source patches makes sense of course, that bad guy Google made a bad decision AGAIN and you just don't have a choice, you just want to protect your users, you are basically the hero in that story, right?
But you do have a choice. You could have waited for 3 months for the information to become public and in the meantime fight for Google changing their decision, although with maybe not much luck here. Maybe something else would have come up. So the story here also sounds a little like the old tale of the security complex: "Yes, we do something not that good (shipping closed source in this case), but we do it to protect the kids/you from terrorists (in this case protect the GrapheneOS users).

So I guess, although I very much like the security of GrapheneOS, if it would have been my decision I would have probably stayed with open source only.
And if in 3 months Google will say: Oh, you know what, why not make the embargo a whole year or maybe even two. Then what? Will you make the case that people could still reverse engineer it faster then the one or two years?

GrapheneOS

workeronthewalls You're misrepresenting what we've said and are still ignoring the fact that thoroughly reviewing the security preview releases is far easier than thoroughly reviewing a large amount of open source code. It's not clear why you're acting as if it can't be reviewed. It's harder to review than with the sources, but it's such a small amount of code. It's certainly dramatically easier than reviewing the open source code for a major release of Android.

All of the security preview patches are for open source code. That means you already have the open source code to review which contains the vulnerabilities. If it really works as you believe, then why aren't people just finding the vulnerabilities and fixing them? On the other hand, reviewing the security preview patches is quite straightforward and doable.

If you don't want to use the security preview releases, don't use them. The same releases as before as available and we even fixed an extra security issue in those which was already public due to finding out about it from the security preview releases. Other issues with public fixes can also be fixed early.

Compared to the old system, our security preview release users get these security patches 1 month earlier than before. It avoids 1 month of the patches being widely shared with OEMs before we could fix them. It's quite clear that once it's shared with OEMs, it's available to many sophisticated attackers.

We're going through the massive effort of making 2 variants of each release, testing all of those and generating more than 2x as many deltas as before. Why not show some appreciation for the fact that we've provided 2 fully supported release variants?

23Sha-ger

workeronthewalls And if in 3 months Google will say: Oh, you know what, why not make the embargo a whole year or maybe even two. Then what?

You clearly aren't familiar with the infosec industry, disclosures and CVEs. 90 days is pretty much a standard embargo time. That's an unwritten standard to keep a good balance between responsible disclosure and adequate time for users to apply patches before the shit hits the fan. Of course Google is not being transparent here, but at least it might take a little more time for low effort bad actors to weaponize vulnerabilities if they have to reverse the patches or just see it in plain sight. Microsoft did it for decades. You are barking at the wrong tree blaming GOS for it. They made an effort to partner with an OEM to release the patches asap, to mitigate risks.

workeronthewalls

GrapheneOS You don't have to play victim and hero at the same time here. I already told you what the problem is. If you do all this with good intentions and are not compromised by for example the intelligence agencies, then you are really wonderful people and I have huge respect for you. Problem is though, there is just no proof, that this is the case, and nice words are no proof.
Like I already told you, that before, when you were open source only, that also wasn't a 100% proof, but with it we came pretty close to that proof. Now, with closed source patches, even with all the circumstances we discussed here, we still moved farther away from that proof.
That doesn't mean, that you are any of that bad stuff, but we just can't be sure. It's about trust and shipping closed source, whatever the reasons might be, is not making me trust you more, but less.
And for open source to be strong, there needs to be more reviewers. So while reverse engineering is possible, the extra work that is needed, will not get us more reviewers but less.
There are two ways to either destroy or weaken open source: Going as much as possible closed source or making the advantages of open source more impractical.
So with the closed source patches we got kinda both, even if only in mild form.

Again, in the end it's a trust issue, and for me personally, shipping closed source, whatever the circumstances might be, does make me trust you less. That doesn't mean that I will stop using GrapheneOS, but it's definitely very hard to digest.
But to at least somewhat strengthen my trust in you, you could have and still could provide me the evidence on how exactly you know that Google isn't sharing information on vulnerabilities with the intelligence agencies before they share it with OEMs. Because you talked big words, but were evading every time to provide evidence. Like the young kids would say: That's kinda sus.

workeronthewalls

23Sha-ger Then why not just wait the 90 days for the information to become public and therefore stay open source only, if it might take some time for low effort bad actors to weaponize vulnerabilities.
GrapheneOS could still come up with the patches earlier than the low effort bad actors, even if they stayed open source only. Is it more stressful and more work? Sure. But worth it in my opinion if GrapheneOS stays open source only.
(I know, I know, there is still the open source version out there and even in the closed source version, only the security patches are closed source, that will become open source after about 3 months. Let's leave that specific discussion behind already.)

RandByte

workeronthewalls Problem is though, there is just no proof, that this is the case, and nice words are no proof.

workeronthewalls Again, in the end it's a trust issue, and for me personally, shipping closed source, whatever the circumstances might be, does make me trust you less.

Damn! The trouble here is the way you react. You're so overwhelmed by your emotions that you shut down your rationality completely. So let's get back to reality for a minute:

Early security patches are under embargo from Google (for understandable reasons as most manufacturers are big as sea tankers and very slow to move and update their OS) but accessible to the GOS team for them to incorporate in their releases.
These security patches get eventually published. (keep that information in mind as it's relevant in the next point)
GOS releases are reproducible and they have a cryptographic hash
Once the embargo is lifted, guess what? You can build a reproducible GOS with the published patches and check the cryptographic hash is identical

So... unless you're some out of this world wizard who can bend the laws of physics and mathematics to your will, your whole rent on this thread is moot, serves no purpose other than wasting GOS dev team precious time! They kindly and thoroughly answered everything but you're like a dog with a bone, you won't let go!

If one day you catch the GOS team lying about closed source patches being included in the GOS release, then on only then, unleash all your anger! But that (unlikely) day comes, please STFU and stop wasting everyone's time.

« Previous Page Next Page »