Up/down side not opt in for previeuw security release

qpwoei

I somehow not have a great feeling to opt in for the security previeuw releases so didn't do it.. now I been wondering how insecure the device would be.. is there a security risk to walk around for 3 months with a device who is not up to date with the latest security update? I kind a try to weigh the up and downside of not opt in for the security previeuw.. There is allready almost 2 months passed since the realise and wonder if there where any critical issues found

dhhdjbd

qpwoei

i personally made the decision based on the fact, that i personally did not verify the source code of grapheneOS myself, and that i essentially already have to trust them (and others).
So if they suddenly "turn evil", i already would not be able to tell myself.

And i think a theoretical attack secenario, where someone steals the credentials of a grapheneOs developer/ hijacks it and pushes an malicouse update to the security preview channel,
(which then would take longer to get spotted by someone else because no source code is avaible),

is much less likely then someone trying to simply use an exploit, not covered in the non-security preview releases...

02673853

Skorp Yes, we get the source for the security patches that are included in the security releases. These are the same type of releases that were previously monthly updates from Google as part of the Android Security Bulletin. The only difference is that we cannot publish the source until:

Google pushes it to public AOSP
Someone reverse-engineers the patches from the builds and makes them public
Google allows the OEM partner to release the sources ahead of Google's schedule

We do recommend opting in to the Security Preview releases, but understand that since the source isn't available it should remain opt-in, not opt-out or mandatory.

qpwoei is there a security risk to walk around for 3 months

qpwoei allready almost 2 months passed since the realise

Is the time window really that big?

raccoondad

qpwoei is there a security risk to walk around for 3 months with a device who is not up to date with the latest security update?

Yes

qpwoei

Its not about trusting the developers of grapheneos like you say that you didn't verify yourself.. There is a difference in trusting the developers of grapheneos wat the 99% of us do since we using it and trusting the security or preview who is made by somebody else and can't be verified by nobady... With all the pressure and attacks on encryption and control I don't think its very wrong to not just trust them to be honest and not trying to harm our privacy and or security.. So I was actually asking if its a big security issue to not opt in for the preview so if anybody has a idea would be happy to hear the thoughts

dhhdjbd

qpwoei trusting the security or preview who is made by somebody else and can't be verified by nobady

i dont think this is how it works,
i think grapehenOs team gets the source code for the security releases, but is only allowed to publish them as binary releases

Edit:

GrapheneOS The patches are made by Google and shared with every Android OEM with partner access. They're not in any way GrapheneOS specific patches. We're reviewing and applying the the patches. We have 2 developers working on it together.

userofgos

qpwoei trusting the security or preview who is made by somebody else and can't be verified by nobady... With all the pressure and attacks on encryption and control

Please give this a read: https://discuss.grapheneos.org/d/10150-not-your-average-why-pixel-thread/7

Also, to clarify about what the Security Preview releases are, and what is included in them, please read the discussion in response to this comment: https://discuss.grapheneos.org/d/27068-grapheneos-security-preview-releases/28

And I'll quote this comment https://discuss.grapheneos.org/d/27068-grapheneos-security-preview-releases/66

The patches are made by Google and shared with every Android OEM with partner access. They're not in any way GrapheneOS specific patches. We're reviewing and applying the the patches. We have 2 developers working on it together.

Skorp

Yes, we get the source for the security patches that are included in the security releases. These are the same type of releases that were previously monthly updates from Google as part of the Android Security Bulletin. The only difference is that we cannot publish the source until:

Google pushes it to public AOSP
Someone reverse-engineers the patches from the builds and makes them public
Google allows the OEM partner to release the sources ahead of Google's schedule

We do recommend opting in to the Security Preview releases, but understand that since the source isn't available it should remain opt-in, not opt-out or mandatory.

userofgos

Skorp These are the same type of releases that were previously monthly updates from Google as part of the Android Security Bulletin.

Exactly! And I think some don't realise this, that we were already receiving these patches before Google made those changes allowing for 1-3 months delay.

userofgos

02673853 are you asking about the time window for the Google code embargo?

See: https://discuss.grapheneos.org/d/27068-grapheneos-security-preview-releases

Previously, Android had monthly security patches with a 1 month embargo not permitting early releases. For GrapheneOS users enabling security preview releases, you'll get patches significantly earlier than before. We'd greatly prefer 3 day embargoes over 3 month embargoes but it's not our decision.

Android now discloses patches around 3 months prior to their inclusion in a bulletin requiring them to raise the Android security patch level. However, OEMs are allowed to ship the patches as soon as they're receive. We're doing this in our security preview release, but with the full set of patches.

qpwoei

I am not sure if I understand this good?? So the source code to verify the build is already in hands of the gos team just they not allowed to publish it?? Is the team also reviewing it or is that a but too much work to do? If that's the case then I change my mind because I tought that google kept it for thereselfs for 3 months before providing things to audit from outside

GrouchyGrape

qpwoei the source code to verify the build is already in hands of the gos team just they not allowed to publish it?

Yes

qpwoei Is the team also reviewing it

Of course

With a moderate amount of "know-how", one can easily compare builds to see what changed and figure it out for themselves. I don't posses the "know-how" nor time to do this, but I definitely opt-in to the security releases.

From my perspective, there's nothing but benefits compared to the previous way we received updates. We're getting security patches faster than ever.

I don't audit any of the GOS source code. There are very few of us that do. So, anybody not applying the security preview releases because they're not "open source" yet, is either misinformed on how they work or are lying to themselves.

I trust the GOS team one infinity times more than any other manufacturer/developer out there. If they've reviewed the code and say it's good, then it gets a big thumbs up and endorsement from me.

qpwoei

But I still don't have a answer on the question if its a big srcurity risk to not opt in with the security preview release

raccoondad

GrouchyGrape So, anybody not applying the security preview releases because they're not "open source" yet, is either misinformed on how they work or are lying to themselves

Tbf FSF types would want it to be FOSS on principal even if they don't personally audit

qpwoei

Anybody please a answer.. Is it a big security risk to not opt in on the security preview release??