Trying to understand how system update work on GOS

tempproc

I just almost had a freak out when I checked my Pixel to continue testing different sec/privacy settings and saw that the UI had completely changed, I immediately went to look at the system logs to see if I could find trace of a system update but wouldn't know what to search for, and there isn't any update history available either. I currently in fact have no idea besides the UI changing without any input or changes done on my part.

So I just went to system update option to check if there was any choice or toggle to choose how updates are done in the first place, which I'd assume were manual since there's a button to check for update, and that separate security and policy update without updating the whole OS was possible, which I had assume was the "security preview" toggle.

Now I wonder if, unless you disable system updater and assuming the OS doesn't go around your back to reactivate package without consent like AOSP or Samsung do, there's however setting to selectively choose how or when it is being updated? Namely to continue having security and policies updates without having to update version until you manual consent to?

I personally never update to a whole new version at release to have time to check for regressions, things breaking or added bloat, and didn't realize that GOS only seem to have automatic update or no-update in my understanding.

23Sha-ger

tempproc Namely to continue having security and policies updates without having to update version

How do you imagine that happening? Can you name a system where this is possible?
You get security updates with minor version updates, or a somewhat major update every quarter.
If you don't want to take risks stay on the stable channel with security updates enabled.

Quantum

tempproc The updater will say if an update is ready to be installed and that your phone has been updated. Sounds like youve turned off notifications for that.
If you know which build nummer youre on you could just go to Settings>About phone>Then scroll all the way down.
Its also worth keeping an eye on the changelog

de0u

tempproc I just almost had a freak out when I checked my Pixel to continue testing different sec/privacy settings and saw that the UI had completely changed.

Historically that happens once a year. Recently Google has been shifting from one big yearly update toward two.

tempproc Now I wonder if, unless you disable system updater and assuming the OS doesn't go around your back to reactivate package without consent like AOSP or Samsung do, there's however setting to selectively choose how or when it is being updated? Namely to continue having security and policies updates without having to update version until you manual consent to?

The system is too integrated. Security bugs can appear in system apps, or the UI layer, drivers (perhaps especially the GPU driver), kernel, or firmware. Most releases patch all of those, and they are designed to work together. Some vendors may maintain multiple Android versions in an overlapping fashion, but the hidden cost of that is that they are generally very slow to issue updates.

A very large and wealthy organization could afford to keep multiple major OS versions up to date with security fixes, but it's not easy.

GrapheneOS

tempproc tempproc It sounds like you were substantially behind on updates and didn't have Android 16 QPR1 yet. Our first release with Android 16 QPR1 was 2025112100. The migrations to new major releases are definitely covered in the release notes. You should have received an update notification asking you to reboot much earlier than this month and you should have another notification to reboot for the latest update now.

tempproc

23Sha-ger Previous Samsung and Xiaomi phones, as well as on Mac but not on iPhone that I can see.

I have all notification active for system update but notification history was disabled so can't see past the last reboot

tempproc

Quantum I'm seeing a security update on Dec 1. but not major update, yet the UI changed without me touching the phone, idk where else I could check

Quantum

tempproc Im asking about the build number where I said it was. You can then look at the changelog and compare it

GrapheneOS

tempproc tempproc No, none of that provides a serious update channel with only security patches. Only the latest major version of Android, iOS and macOS have full security patches. iOS and macOS barely provide any backported patches for older releases, only the highest severity patches.

Android OEMs not on Android 16 QPR2 do not have most of the Moderate or Low severity patches along with being behind on many Critical and High severity patches. Only Critical and High severity patches are backported for AOSP. Many patches are not classified as Critical or High severity. Many high importance privacy and security improvements are not considered bug fixes and not candidates for being backported regardless of severity. Many things would simply be too hard to backport.

Pixels follow along with the stable releases of Android and therefore the firmware, kernel driver and userspace drivers/services for hardware support require the latest stable releases.

Android has 4 major releases per year: 1 yearly release and 3 quarterly releases. Quarterly releases are similar in size to yearly releases and can contain as many user-facing changes. Android 16 QPR1 is the update which overhauled the user interface substantially, not the recent Android 16 QPR2 update.

Non-Pixel Android OEMs don't keep up with the major OS updates and therefore don't keep up with privacy and security patches even if they ship the Android Security Bulletins each month which are only best effort backports, not the complete patches. They're also made available and allowed to be shipped prior to the assigned month which is how our security preview releases work based on the official Android security preview patches which we have access to.

Quantum

Quantum https://grapheneos.org/releases#2025121000

tempproc

Quantum I have build 20250400, check the release page but doesn't indicate when that update was pushed. In fact I don't have the latest update even though I didn't disable the system updater.

Right now it seem the update is manual as I have to click on check system update, which is a bit of a misnomer since it doesn't provide information on the current build and available update but goes straight to updating the OS.

Not understanding the overall behavior

tempproc

de0u Im not so much talking about different OS version but separating the security patches channel from the other which was definitely an option on Samsung/Xiaomi and even Macs.

de0u

de0u A very large and wealthy organization could afford to keep multiple major OS versions up to date with security fixes, but it's not easy.

tempproc Im not so much talking about different OS version but separating the security patches channel from the other which was definitely an option on Samsung/Xiaomi and even Macs.

As indicated by the project account (GrapheneOS), this is substantially an illusion.

Samsung makes monthly security releases for newer devices and quarterly security releases for older devices (source), and may issue occasional releases for devices older than that, but there is no guarantee that devices running an older OS are up to date with security fixes.

There may not be a simple statement about how often updates are issued for which Apple devices, but Apple has stated officially that older OS versions do not get all security fixes at the same time as the current OS (source).

At present I am unaware of any Android device that is up-to-date with security fixes without being up-to-date with all OS changes. The situation is somewhat different for some desktop/server Linux distributions, that spend gigantic amounts of money backporting security and bug fixes to produce long-term-service (LTS) releases, but so far that is not an Android practice.

GrapheneOS

tempproc

Right now it seem the update is manual as I have to click on check system update, which is a bit of a misnomer since it doesn't provide information on the current build and available update but goes straight to updating the OS.

No, updates are automatic. Each production release goes through internal testing, then Alpha, then Beta and then reaches Stable if no major issues are identified. Releases are announced a bit before they go into Alpha once basic internal testing is largely completed.

The current release in the Stable channel for most devices is 2025121200. It's the first release based on Android 16 QPR2, the next major release. It's not in Stable for the Pixel 7a due to an upstream Wi-Fi regression leading to them cancelling the stock Pixel OS release for December 2025. It's not in Stable for 10th gen Pixels due to kernel stability issues, but 10th gen Pixels are still experimental for GrapheneOS.

de0u

tempproc I have build 20250400, check the release page but doesn't indicate when that update was pushed.

A GrapheneOS build number is of the form YYYYMMDDNN, where NN is typically 00, so 20250400 is missing two digits. That may be why it's not showing up on the release changelog.

tempproc Right now it seem the update is manual as I have to click on check system update, which is a bit of a misnomer since it doesn't provide information on the current build and available update but goes straight to updating the OS.

The build number is shown at the bottom of the "About phone" settings page.

The "check" button in System Updater does indeed trigger the downloading of a new update if there is one. The GrapheneOS "Info" app displays information about the current release (for the device's channel, I believe) and former releases.

tempproc

de0u it seem I know have 2025121201, which im not sure what the 01 corresponds to

GrapheneOS

de0u

The situation is somewhat different for some desktop/server Linux distributions, that spend gigantic amounts of money backporting security and bug fixes to produce long-term-service (LTS) releases, but so far that is not an Android practice.

Those only backport a small portion of overall security-relevant patches too and there are huge delays. Their previous approach was to try to backport everything with a CVE assigned but they can no longer keep up with those at all particularly with the Linux CNA assigning so many CVEs. Patched vulnerabilities with CVEs assigned are a small portion of overall patched vulnerabilities. Most projects do not actively seek out CVE assignments. Many try to avoid valid assignments happening at all. For many projects, it's only the externally found issues which receive them.

de0u

GrapheneOS That is alarming! Thanks for the link.

GrapheneOS

tempproc See the release notes, you opted into the security preview releases so you get Android Security Bulletin patches early. It means you have the current January 2026, February 2026, March 2026, April 2026, May 2026 and June 2026 patches already. There are going to be a lot more June 2026 patches but they added one already. March 2026 may also get more added, we don't know. January 2026 is finalized as an empty Android Security Bulletin already.

de0u

tempproc it seem I know have 2025121201, which im not sure what the 01 corresponds to

https://discuss.grapheneos.org/d/27068-grapheneos-security-preview-releases