We have early access to Android Security Bulletin patches and will be able to set up a workflow where we can have releases already built and tested prior to the embargo ending. For now, we've still been doing the builds after the embargo ends. It will mainly help when they screw up pushing to AOSP.
I don’t understand how in the fuck any of this situation makes sense. We’re closing AOSP, but OEMs (Graphene is an OEM now I guess) still get AOSP, but the changes can be reverse engineered… Why? What middle management fuckery is afoot here? Who do we need to be directing hate towards?
Probably the OEMs that are slow moving to cut releases.
They don’t want to disclose vulnerabilities, because they know most people are not going to upgrade their ancient phone?
Are you being /s? Genuinely, do you really feel just because vulnerabilities aren’t publicly exposed they can’t be exploited?
I made a guess at their official reasoning for the policy. I made no comment about my own feelings or beliefs beyond that. And no, I don’t think that would stop anyone.
Do you have a better guess at why they’re doing this? Because I can’t think of another reason why they’d be sharing the patches but prohibiting disclosure of them.
Isn’t that common to not release how a vulnerability can be exploited publicly until you have it patched? Like yeah it won’t stop bad actors familiar with the space, but it would prevent normies like me jumping on the train.