Pixel 5:
"receive extended support from GrapheneOS via a legacy branch based on Android 14 with only the Android Open Source Project security backports, certain other security patches, and other minimal changes to keep them working"

Do I understand it right, there are

  • updates from vendor (for vendor specific things, whatever this is?) - and
  • updates of OS (major and patches).

And because there are no vendor updates Graphene drops OS updates too? Why?
What does the LOS people do? They have ported even A15 to Pixel1, right?

Don't misunderstood me - I highly appreciate work on GOS and my deepest respect to the team/maintainers behind it. I am not demanding anything. But that is my serious question:
If I for several reason don't want to drop my Pixel 5 phone, am I better with LOS?
How long does AOSP supports A14 and GOS will provide at least some updates?

Latest release was in Dec 2024 (very good), but it shows Android Patch level Dec 2023 (?). Does it mean Android Patch level is not OS, but vendor?
I hope I don't mix up too many things, sorry - I am just asking.

My son owns an 8a (check its dimensions), to me it looks tiny in comparison with main line of Pixels. I mean come on, is money the issue? 0.1 inch difference in screen size is negligible. Security issue should worry you more than that. Remember, 8a will still be up to date in 2031. Stubbornness is not in the right place here for your own good.

No, it is not about the money. (8a is even bigger, not just count the display size!).
I even had a 6a here, which is one of the (now) smaller one and even cheaper than 5.
I would go for 9 pro because if it's tele lens, but hey, even 6a was to heavy with 180g .The 9/9pro is even 200g! That's a lot.
Different people have different priorities, I just ask, what I can expect - nothing else.
And finally it is very critical to dump a less than 4 year old phone. (It was in production til 20 Aug 2021 !!!)
That is a waste of resources I can't support.

    starbright when you bought it, you were aware how long it was going to be supported. Why does it come as a surprise to you now? It makes sense being reasonable and choosing one of the officially supported devices (the longer the better) that best suits your needs. There are no other options if you want to stay with GrapheneOS (and it doesn't make sense not to).

    It was my fault, I am a LOS-guy and hear about GOS - and simply thought they follow same update strategy. Again - my fault - I didn't checked it in advance - I don't blame anyone else.

    As long G doesn't return to less-weighted device I am off. It might be the best phone in the wold, its useless if it is not with me. That is why I sold my big camera 15 years ago for a compact one.

    Nevertheless, instead of arguing forth an back, the clear question was:
    Is there an estimate how long there are at least backports/updates? Learning from Pixel 4 and below maybe another 1..2 years? Am I better with LOS in terms of long term support?

      starbright Is there an estimate how long there are at least backports/updates?

      No.

      The GrapheneOS project generally does not issue roadmaps or other forward-looking statements. Once a device is EOL it is not possible to project that the vendor will or will not patch any given vulnerability, and it is also not possible to predict when a truly awful vulnerability might become publicly known. Each legacy-support release for an EOL device may turn out to have been the final release for that device.

      Please note that I do not speak for the GrapheneOS project.

      starbright it's not just software. The 5 runs on the Titan M1 security chip, 6+ have the M2. 8+ adds MTE support and the 9+ has additional modem hardening. It's fine to like the 5, but it's not really a secure device once it's end of life.

        @de0u
        It is not just about the vendor updates - this is nothing me, you or GOS Team can change.
        But it is obviously possible to bring new major Android updates without support of vendor (Google).

        Exhort14
        I am aware that after EOL it's not the safest option (in comparison to other models).
        Don't always be focused on "max safety"! My focus is "best safety for a certain model". Please try to respect this different approach, I am sick of defend myself to not dump a 3.5 year old phone!
        Myself on the other hand will respect that GOS team says: either full update or none - that is a valid approach too. Bad luck for me, but I can/have to live with that.
        So now I know - there is no roadmap. Topic closed from my end. Maybe I am back with Pixel 10 ;)

          starbright It is not just about the vendor updates - this is nothing me, you or GOS Team can change.
          But it is obviously possible to bring new major Android updates without support of vendor (Google).

          It is indeed possible, but would cost time and effort, and the result would be below the GrapheneOS project's standards for security. If the project chooses to spend that same time and effort on improving the security, privacy, and even usability of devices that do meet the project's security standards, that seems like a defensible choice. The project has EOL'd devices before and presumably will continue to do so.

          starbright Topic closed from my end. Maybe I am back with Pixel 10 ;)

          Best wishes!

          starbright I ran EOL 3 until the 7 came out, so I do get where you're coming from. I loved that tiny little thing.

          But it isn't about max safety (or I wouldn't still be using a 7). It's about whether the device exceeds the minimum threshold for being considered for inclusion in the "safe" category. Just as my 3 wasn't, your 5 isn't.

          Unfortunately, support for non Google/Apple devices is so terrible that, by comparison, an EOL 5 might seem great. But it still doesn't pass the minimum bar.

          I feel for you, I do, and hope we see you around with a 10.

          MarsTrue I heard somewhere that 105.3% of statistics are just made up on the spot...*

          I have a 6a and when the time comes will probably got to an 8a, for the reason that it is almost as small. My pref is for the phone to be compact. If GOS supported the Sony Xperia XA2, which is slightly smaller than the 6a (and which I still have) that would have been great. But -- you can't re-lock the bootloader once you unlock it, so that's the dealbreaker for GOS devs. And fair enough, too.

          * Humour alert! That was a whimsical off-hander.

          @starbright There was no need to revive this thread to downplay the insecurity of end-of-life devices without extremely important privacy and security patches and complain about us discouraging using it.

          We provide harm reduction releases for people who can't afford a new device as a temporary lifeline until they can replace it. Those don't exist for people able to afford a secure device. Using a non-hardened OS rolling back security rather than improving it will not solve the problem for you and will only make you worse off than you are now. If you're still using a Pixel 5 by choice rather than because you can't afford to replace it, then you apparently don't care about privacy and security. In that case, you might as well use something else. It's not clear why you were using GrapheneOS in the first place if you don't care about basic privacy and security.

          @Plobberfroth You're repeatedly downplaying the insecurity end-of-life devices and outright spreading misinformation about it. Using an insecure device is your prerogative but don't promote doing it to other people by downplaying the risks. These devices have very severe vulnerabilities without patches available and can no longer provide a reasonable level of privacy and security. You're spinning this as only mattering to people with high threat models but that's really not the case at all. You apparently care enough about privacy and security to consider using a different OS on your device and yet for some reason you don't think having basic privacy and security patches matters. You would be far better off using an old iPhone that's still supported than an end-of-life Pixel. It's a waste of your time to migrate to something else and will not in fact be a good way of testing what the GrapheneOS experience would be like on a supported device. Get a supported device if you want a private and secure device. Extended support releases are harm reduction releases for existing users while they save up money to move to a secure device.

          The past 2 generations of devices have 7 years of support from launch which is a very long time for a smartphone. Not clear where you got the highly inaccurate support time numbers you posted.

          I think your are condensing, so I won't be installing GOS on my Pixel 5 or on the Pixel 8 that I bought after careful consideration.

          I have not seen any empathy from the main contributions from any of the regular members that offer answers to questions. The common response is your phone is end of life, deal with it and buy a new one , you can get one finance.

            BTW, money wasn't for me in buying a phone, I've owned pixels since the first pixel , and a 6A and 7A but ditched due to size.
            I've gone for the P8 for it size, though its apart from the 6A and 7A is now the largest and heaviest Pixel I've ever had.
            I'll give a try but may sell due to its weight and get a Asus Zenfone 10 as this is more comparable to the P5. I know its less secure, but but it a convenient size, and I can remove/disable a lot of google apps as I've done on my P5 and will do on the P8, if I keep.

            • Edited

            Plobberfroth I don't know where the discussion started, but if you've been considering GrapheneOS but decided to give up simply because the GrapheneOS project account explained to you the importance of not downplaying the insecurity of a mobile device at the end of its life, you shouldn't take it that way because it's very valuable advice and many users ignore it, your Pixel 8 is perfect for GrapheneOS, I understand that the more compact format of the Pixel 5 may suit you better than the format of the Pixel 8, your Pixel 5 might even still be of some use to you, if I take myself as an example, I've installed GrapheneOS on the Pixel 8 which is my daily driver, and I haven't thrown away my old Pixel 4a because I use it as an NFC device, unfortunately, my bank uses Google Pay, it doesn't use its own implementation for contactless payment, so I can't pay when I do my shopping with my Pixel 8 running GOS

            Using an Asus Zenfone 10 would be far worse than using an old iPhone that's still supported.

              Xtreix

              Thanks, for the advice but I don't need a seriously hardenised OS like GOS, which requires a phone change on eol.

              My threat model is non existanct, though some secure features wouldn't go amiss.
              I have NFC turned off, only card, kept in RFID wallet, touch pay, found it inconvenient keeping phone in a RFID case.

              Having full security updates rather than a phone that is getting an ever growing number of publicly known critical vulns is not 'seriously hardenised' its a very basic security measure that should be taken for any hardware/software that handles data which you may wish to remain private.