Skip to main content

mastodon - Link to source
Our security preview releases have provided the December 2025 security patches for the Android Open Source Project since September 2025. December 2025 security patches are now public and being integrated into our regular releases while our security previews have up to March 2026.
in reply to GrapheneOS

GrapheneOS
mastodon - Link to source
GrapheneOS
A bunch of the patches previously scheduled for December 2025 were made optional and deferred to future months so they're not listed in the public bulletin. That's why even our September 2025 security preview releases list CVEs which are still not public in December 2025.
in reply to GrapheneOS

LΞX/NØVΛ 🇪🇺
mastodon - Link to source
LΞX/NØVΛ 🇪🇺

will never understand google, self impose 3 month delay and when delay finish even when they already have the fix made it optional and delay it even more :/

happy to have your preview to avoid this madness from google

This entry was edited (5 days ago)
in reply to GrapheneOS

GrapheneOS
mastodon - Link to source
GrapheneOS
The reason patches get deferred is because OEMs aren't capable of quickly integrating, testing and shipping patches. When issues are identified including an OEM having trouble with it, they'll often defer it to a future month. Our security previews can continue shipping these.
in reply to GrapheneOS

LΞX/NØVΛ 🇪🇺
mastodon - Link to source
LΞX/NØVΛ 🇪🇺

So if i understand corretly the OEM excuse is "we cannot do it in time" when Graphene a community project do it ?

for me it's an excuse to justify they (OEM) don't have enough people assigned to the maintenance part of the OS

This entry was edited (5 days ago)
in reply to LΞX/NØVΛ 🇪🇺

GrapheneOS
mastodon - Link to source
GrapheneOS
@lexinova OEMs usually have a tiny overstretched team working on this. They're extremely focused on adding tons of features to differentiate them from other OEMs and invest very little in security. The major changes they make from AOSP make it much harder to keep up with the patches and often lead to patches well tested by Google already causing additional issues due to their changes. Google will then often defer the patches to a future bulletin and declare them optional for the current one.
@LΞX/NØVΛ 🇪🇺
in reply to GrapheneOS

LΞX/NØVΛ 🇪🇺
mastodon - Link to source
LΞX/NØVΛ 🇪🇺
yeah i see the issue, but it remain funny as majority of people i know on samsung (to not cite them), that have installed another OS, did it because they don't like those ton of added feature xD
in reply to GrapheneOS

GrapheneOS
mastodon - Link to source
GrapheneOS
@lexinova From around 4 months ahead to 2 months ahead, many patches get added. That stops around 2 months ahead due to the patches going into the next quarterly bulletin instead. They continue deferring patches to future bulletins until the bulletin is about to come out. The bulletin that's made public and the set of patches that's released to AOSP is what they didn't defer to future months. They don't really care much about the deferred patches and often end up pushing them to a public tag...
@LΞX/NØVΛ 🇪🇺
in reply to GrapheneOS

LΞX/NØVΛ 🇪🇺
mastodon - Link to source
LΞX/NØVΛ 🇪🇺

frankly thanks to you all to maintain this mess for us so we can have a secure OS.

Because simply by your explanation, i would not want to be in your place to manage that 😅

in reply to LΞX/NØVΛ 🇪🇺

GrapheneOS
mastodon - Link to source
GrapheneOS
@lexinova There are daily changes to the patches. Stuff is endlessly being added, changed and deferred to future updates for a long time. They fully switch to only deferring them to future updates by 1 month ahead but it gradually turns into that prior to it too. We then need to decide what to do about what gets deferred, which is generally keeping it anyway. The main reason stuff gets deferred is that it caused an issue for OEMs with out-of-tree code we wouldn't have in GrapheneOS.
@LΞX/NØVΛ 🇪🇺
in reply to GrapheneOS

GrapheneOS
mastodon - Link to source
GrapheneOS
@lexinova Stuff also gets deferred if they decided the patch was incomplete. That's quite silly since it's widely disclosed to OEMs. They're really handling things in a misguided way where they treat patches disclosed extremely broadly as being completely private and not available to adversaries. They treat deferring it to a future month as not letting an attacker use the vulnerability but they can discover it themselves or get access to the security preview patches fairly easily.
@LΞX/NØVΛ 🇪🇺
in reply to GrapheneOS

2babcc
mastodon - Link to source
2babcc
@lexinova The biggest problem is that most people don't care about security, and OEMs see no return on their investments in this area.
@LΞX/NØVΛ 🇪🇺
in reply to GrapheneOS

GrapheneOS
mastodon - Link to source
GrapheneOS
GrapheneOS is the only Android-based OS providing the full security preview patches. Samsung ships a small subset of their flagship devices. Pixel stock OS gets a portion of it early but we aren't sure exactly how much since they don't follow their guidelines for listing patches.

J. Alfred Prufrock reshared this.

in reply to GrapheneOS

LΞX/NØVΛ 🇪🇺
mastodon - Link to source
LΞX/NØVΛ 🇪🇺

"since they don't follow their guidelines for listing patches." 😂

"Do what i say but don't do what i do" - Google 2025

in reply to GrapheneOS

GrapheneOS
mastodon - Link to source
GrapheneOS
Providing our security preview patches is a lot of work for us. It requires a full time developer spending a significant fraction of their time on it. It's hard to understand why large companies can't keep up with these patches but what matters is that we can provide them early.
in reply to GrapheneOS

GrapheneOS
mastodon - Link to source
GrapheneOS
Android security preview patches are currently backports to Android 13, 14, 15 and 16. Since GrapheneOS is based on Android 16 QPR1, we need to forward port the patches from 16 to 16 QPR1. Our understanding is they're going to start backporting to some quarterly releases too.
in reply to GrapheneOS

GrapheneOS
mastodon - Link to source
GrapheneOS
Android 16 QPR2 appears to be the first quarterly release of Android which is going to be shipped by non-Pixel devices. If that's the case, they'll need to start providing security preview patches backported to it too. It's not clear if it will happen for every quarterly release.
in reply to GrapheneOS

GrapheneOS
mastodon - Link to source
GrapheneOS
Spending a significant amount of time on this is part of the reason GrapheneOS feature development has slowed down. Expanding our servers and now migrating away from OVH is another. We'll be hiring more people and improving our organization structure to get things moving better.
in reply to GrapheneOS

GrapheneOS
mastodon - Link to source
GrapheneOS
We would greatly prefer it if patches were disclosed to OEMs 1 week ahead instead of 2-4 months ahead so our security preview releases would only need to exist for a week and regular releases would get the patches much faster. OEMs should just hire far more people and do better.
in reply to GrapheneOS

48kRAM but with parity
mastodon - Link to source
48kRAM but with parity
thank you all for doing this work. I will use this as my reminder to donate to the project now
in reply to GrapheneOS

Zahox
mastodon - Link to source
Zahox
I wish we could get notifications to the other profiles when there is a system update. Because now we always need to look in to the info app sometimes.
in reply to Zahox

GrapheneOS
mastodon - Link to source
GrapheneOS
@zahox There's a notification forwarding feature you can enable in each user profile to send them to other profiles. You can also use Private Spaces and a work profile for nested profiles.
@Zahox
in reply to GrapheneOS

Daniel
mastodon - Link to source
Daniel
I am not sure to understand the consequences, you distribute security update a few months before the public release?
in reply to Daniel

GrapheneOS
mastodon - Link to source
GrapheneOS
@DanielDNK A more accurate way to put it is that the March 2026 security patches were available in November 2025 to be shipped early and we did that. Most OEMs are going to ship them in March 2026 while some OEMs such as Fairphone tend to take an additional 1-2 months beyond that to ship it. The dates corresponding to the patches are the date for the regular scheduled release but most is available to ship 3-4 months earlier. By around 2 months ahead, it's near finalized. 1 month is finalized.
@Daniel
in reply to GrapheneOS

Daniel
mastodon - Link to source
Daniel
ok but I understand that is not public so it means the last release with march security patch is not open source anymore only old one are?
in reply to Daniel

GrapheneOS
mastodon - Link to source
GrapheneOS
@DanielDNK We have the sources for the patches, but the sources aren't allowed to be published until the public disclosure. That's a bit more complex than it sounds because they often defer patches to future months but still allow shipping them for the current month. We aren't sure if we're allowed to publicly disclose it on the original disclosure date or if we have to wait. Based on what they do for AOSP quarterly and yearly releases, it should be okay to publish it on the original date.
@Daniel
in reply to GrapheneOS

Roxxor
mastodon - Link to source
Roxxor
@DanielDNK may i ask how you obtain the source? Are you registered as an OEM at Google?
@Daniel
in reply to GrapheneOS

Angie
mastodon - Link to source
Angie
I just bought a refurbished Pixel 8 last week specifically so I could install GrapheneOS on it. The process couldn't be much easier, and I'm really loving it.
in reply to GrapheneOS

suomynona1405
mastodon - Link to source
suomynona1405
I finally brought my brother to GrapheneOS. The third person I was able to move away from stock software😃
in reply to GrapheneOS

Zahox
mastodon - Link to source
Zahox
I plugged my phone to displayport and noticed that it immediately showed the GrapheneOS Logo. It was in a loop trying to start GrapheneOS but was not possible, until I removed the cable. And it showed 2 crashes when it opened. And this 2 crashes even happened with deskop mode too. I hope this can be fixed.
in reply to GrapheneOS

topcaser
mastodon - Link to source
topcaser
you are the best. Thanks for sharing and please keep up the extra ordinary work.