This just means we won't submit vulnerability reports or upstream fixes.
We've reported many serious vulnerabilities in Android upstream and gotten them fixed, but we gradually reduced how many of the vulnerabilities we report to them after our security partner access was revoked in the past.
There are a growing number of serious Android vulnerabilities currently only fixed in GrapheneOS because of them revoking our security partner access. They're hurting themselves more than they're hurting us with their approach. We can get partner access via an OEM.
We successfully helped them block Magnet Forensics (Graykey) and MSAB (XRY Pro) from doing AFU exploits on Pixels in 2024 when, in April 2024, they shipped a feature we proposed in January 2024. We've helped get a lot of other vulnerabilities closed since we started in 2024, along with some major privacy and security improvements landed. Contributing to AOSP has been a poor experience, so them breaking that is fine. We'll focus 100% on defending our users, not Android users.
Easy to say hurting themselves more than you, but I don't think that's true from their perspective.
Not because you aren't improving security with your fixes, but because a secure device isn't their goal.
Thanks for your explanations!
Should also have clarified that when GrapheneOS does backports for fixes in Beta Android builds, those Android beta builds are already closed source, excluding GPL-licensed components.
We decompile the shipped code from the beta builds and port fixes ourselves. This won't change getting backports from such versions, nor would it affect us.