Devices receiving security updates only

Foggy

Google’s current update policy for Pixels is 3 years of Android updates and 5 years of security updates. How does GrapheneOS handle devices in the ‘security updates only’ part of the lifecycle, once the Android updates have stopped?

Normally an Android version update would mean things like running the most recent kernel, while I assume the phones in security update only just get patches to whatever their current kernel is. Presumably GOS does the same?

Does this mean those phones are stuck on the old version of Android that was last released for them? How does this affect GOS features? For example, suppose GOS releases Location Scopes or a new backup system - do such phones receive it too, or will they only get the last version of GOS when they were getting Android updates plus any security updates since then?

spiral

Foggy

This is a good question, I hope it gets properly answered.

[deleted]

https://grapheneos.org/faq#device-support

Foggy

[deleted] that doesn’t answer the question because all of the extended support devices are no longer receiving security updates from Google. Because Google has moved from 3 years of security updates to 5, at present you are either receiving full Android updates or no updates at all. (I think)

My question is about what happens when the Pixel 6 stops receiving Android updates: do the GOS feature updates stop too?

de0u

Foggy My question is about what happens when the Pixel 6 stops receiving Android updates: do the GOS feature updates stop too?

Here are details about which devices are getting what: https://grapheneos.org/releases#stable-channel

Foggy

de0u So is the

2023090200-coral (Pixel 4, Pixel 4 XL) — extended support release for legacy devices with frozen 2022-11-01 patch level

Still receiving GOS feature updates, only with a frozen base Android? Rather than just GOS security patches?

de0u

Please note that I don't speak for the GrapheneOS developers. Also, I'm not adept enough with the AOSP ecosystem, including various nested repositories, to start with the release changelog page and confidently tell you exactly which changes a Pixel 4 XL is getting. So if I really wanted to know, what I would do is follow the directions for building GrapheneOS for the Pixel XL, with two different published release tags, and then I would diff the sources. With that said...

Some changes happen in actual apps, e.g., Vanadium. I think a Pixel 4 XL is still getting new Vanadium releases via the Apps app. A lot of other changes happen in "regular user-space code", e.g. Java or Kotlin code. I think storage scopes happened at that level. I believe code like that is all still being updated out to a Pixel 4 XL.

But I think it's important to keep in mind:

Changes for a Pixel 4 XL are expected to stop -- pretty soon. For example, I believe that the first GrapheneOS based on the next Android version is expected to drop the Pixel 4 XL.
GrapheneOS changes might stop before they are expected to. It might turn out for some surprising reason that something can't easily be shipped to the Pixel 4 XL, in which case it's plausible that nothing would be. Maybe some seemingly-innocuous change to an app would tickle a bug in the GPU firmware for the 4 XL. Might the developers carefully diagnose and separate out that one change? Sure, maybe, but also maybe not. So, on a surprise basis, any release of GrapheneOS might turn out to be the first release that drops some device.
Meanwhile, a bad firmware bug might be discovered -- but never patched -- literally on any day.

Overall, I'd say that once a device hits extended support for GrapheneOS it's probably prudent to decide -- at that point -- on one's next device, and place an order for it, if one hasn't already, because the security of that extended-support device has already at that point seen a probabilistic but very real risk increase.

In other words, I think the extended-support window might be best viewed as a "grace period" in which to decide on a new device, order it, wait for delivery, install GrapheneOS on it, and migrate one's data (which can take a while). I think if one does that then the likelihood of a catastrophic firmware hole being found during the grace period is low.

I don't like dumping a device that is still operating (especially if that device has desirable features, e.g., a headphone jack). But running an OS with extra security is likely to cost something, and dumping a device some months early is probably one of those costs.

[deleted]

Rather than getting super analytical here, all know continuing using device almost at or past EOL is not a way forward.

spammerofspam

[deleted] Isn't this a 2 year long period? That seems like a long time to be "almost EOL."

[deleted]

spammerofspam look here:
https://grapheneos.org/faq#supported-devices
before saying more

spammerofspam

[deleted] I don't think that answers the question asked, though, does it? AFAIK, the project at present only offers long term support for the current major release version, which is typically in line with the official major release version. E.g., at present only Android 13 is supported.

At some point, devices will still be receiving official security updates but will not be receiving official major version updates. Does it say anywhere in that document exactly how that will be handled? E.g., when Pixel 6 doesn't receive Android 15 in October 2024, will it continue to be supported by the major release of GrapheneOS based on Android 15 since the device will still be getting security updates for another 2 years? Or will it continue to receive GrapheneOS security updates for a release based on Android 14 for the next two years while other devices like the Pixel 7 continue to receive major OS updates? Or will support be dropped since it will be declared to be an unsupported device even though it will receives security updates?

I don't see anywhere in the FAQ addressing this exactly.

spiral

[deleted]

Please actually read the OP. The FAQ device support does not address OP's very valid question.

[deleted]

spammerofspam These couple of tweets imply that there are no hard-and-fast rules, and that so far all supported Pixels have always been on the latest release of Android.

Resonate0765

spammerofspam crap you bring up a good point so I'm curious how this will be handled as well. I was under the impression that as long as the device was still getting offical oem updates, security or otherwise, grapheneos will still pipe those in which is what I still suspect to be the case since they do state the eol is 2026 and not 2024 when the os updates end.

Foggy

The reason this is relevant is because it’s important for a buying decision. If I buy a 7/7 Pro today, will it get a support life of 2 years or 4 years? That drastically changes the economics of how much the cost of running GOS would be, by a factor of 2.

You can do the same sums for a 6/6 Pro (factor of 3) or an 8/8 Pro (factor of 1.7, assuming same update policy), adjusted for the current market price of each phone.

Foggy

Resonate0765 The question is whether it will be feasible to support multiple base Android versions to base the GOS changes on top of. For example, suppose Google change the way something works in Android 15. Will GOS maintain an Android 14 version for the Pixel 6 as well as an Android 15 version for later phones? Or will certain features be unavailable if you’re on 14? Will features which used to work when 14 was current be removed from 14 when they’re redone for 15?

GrapheneOS

You're misinterpreting a minimum guarantee as what is going to happen. There's every indication that they'll always be supported via the latest major OS version. There has never been any exception from that and an exception from it would require legacy Android versions to received long-term support in a way that has never happened before. It's much easier for them to update them to the latest release than providing more extended support for older Android branches.

Foggy

GrapheneOS Thanks, I hadn’t considered that possibility. That does make sense, assuming Google are in control of all the driver binary blobs so there’s no restriction on upgrading to a newer kernel.

Does anyone know what other OEMs do? I see announcements from Qualcomm of 3+1 years and Samsung of 4+1 years, but it could be the +1 is just the remaining time of an annual release cycle (ie Android X released in October, supported through to the next September). Does any OEM offer more than 1 year of security updates, and how do they handle it?

DoctorGo

So, will the Pixel 6 receive security updates until " Oct 27 2026 " from GOS?

de0u

DoctorGo So, will the Pixel 6 receive security updates until " Oct 27 2026 " from GOS?

I think it might be easier for an open-source project to discuss aspirations or expectations for device support, as opposed to making commitments. Google is in a position to make commitments, though obviously for most of us what they are willing to commit to isn't exactly to our taste. In theory it would be possible for a company to charge a subscription fee and promise to provide security updates (and maybe other services) to a GrapheneOS fork for some period of time.

GrapheneOS, like most open-source projects, is a cooperative experiment in what will be possible over time.

DoctorGo

de0u Im just asking for a definitive answer from one of the developers. If it's no, that's fine. We all have talked about subscriptions for the last 6 years (and I'm good with that too) but I'm not asking about that. Just a reply from a developer would be great. I don't mind flashing it back and reflashing a newer device next year if that's what I have to do. If a developer could please reply to that specific question with a "yes" or 'no we're not doing that with the P6" it would be greatly appreciated so I can be prepared to purchase new devices, flash the devices with GOS (that will not be supported with security updates while Google is still rolling them out) back to the Google OS so my devices can continue to get security updates from Google. Thank you

de0u

DoctorGo Im just asking for a definitive answer from one of the developers.

If you receive a definitive answer, great. If it happens that you don't, I might have already explained why not. We'll see!