Google continues putting nails in the coffin that is the Android Open Source Project. This time, they’re changing the way they handle security updates to appease slow, irresponsible Android OEMs, while screwing over everyone else. The basic gist is that instead of providing monthly security updates for OEMs to implement on their Android devices, Google will now move to a quarterly model, publishing only extremely severe issues on a monthly basis.
The benefit for OEMs is that for most vulnerabilities, they get three months to distribute (most) fixes instead of just one month, but the downsides are also legion. Vulnerabilities will now be out in the wild for three months instead of just one, and while they’re shared with OEMs “privately”, we’re talking tens of thousands of pairs of eyes here, so “privately” is a bit of a misnomer. The dangers are obvious; these vulnerabilities will be leaked, and they will be abused by malicious parties.
Another massive downside related to this change is that Google will now no longer be providing the monthly patches as open source within AOSP, instead only releasing the quarterly patch drops as open source. This means exactly what you think it does: no more monthly security updates from third-party ROMs, unless those third-party ROMs choose to violate the embargo themselves and thus invite all sorts of problems.
Extending the patch access window from one month to three is absolutely insane. Google should be striving to shorten this window as much as possible, but instead, they’re tripling it in length to create a false sense of security. OEMs can now point at their quarterly security updates and claim to be patching vulnerabilities as soon as Google publishes them, while in fact, the unpatched vulnerabilities will have been out in the wild for months by that point.
This change is irresponsible, misguided, and done only to please lazy, shitty OEMs to create a false sense of security for marketing purposes.

Where can I buy shares of NSO Group?
The amount of anti-consumer things Google have agreed to do just to appease OEMs is becoming worse over time.
The Chrome operating system has become practically abandoned thanks to OEMs not implementing major features (like Linux VMs), and everyone targeting the lowest common denominator (cheap $200 school computers).
Google TV (Android TV? whatever the latest name was)… is now serving ads even in premium devices. I have an nvidia shield. Paid almost $200 for it, and it is supposed to be a premium device. However, there is no more control on what I will have on the home screen.
And now this… Android, one of the best things Google has done (or nurtured, the project was acquired during beta stage).
:sad-emoji:
> Android, one of the best things Google has done
You should read Chet Haase’s book about the history of Android development.
I don’t believe it’s the best thing.
a_very_dumb_nickname,
I have read a summary of the book, and they talk about very much standard hindrances for new projects: crunch, distrust from higher ups, internal competition, lack of technical support.
If they were not missing anything major, this would be considered mild for a project this revolutionary.
(Again, you need to look at the alternative, the counter-factual: what would have happened if Google did not take on Android?)
sukru,
Markets tend to converge around two dominant players. If scales of economy were the only factor, it would eventually prefer a single player market, but the “protest votes” can produce a stable second place for an entity with good enough scales of economy. This can be seen in the pendulum effect between democrats versus republicans in the political sphere. Very rarely, we might get a 3rd party that’s not overtaken by the scales of economy of the first two, but this is a more precarious balance and likely to collapse long term (absent antitrust intervention).
Twenty some years ago there were enough companies working on mobile that I think a duopoly outcome was more likely than a monopoly. If Google had stayed absent, someone else would have taken their place. Of course it’s hard to extrapolate how different the mobile market would be today if that happened. We might have a more faithful Linux phone, or it could have been Microsoft taking us in a completely different direction.
Of course it’s all just speculation, but no single player was so important that the industry couldn’t move on without them. All we can say is that it would be different, but it’s very unclear whether the differences would be better or worse.
Alfman,
Yes, Microsoft was very dominant, and surprisingly more open (until Windows Phone 7)
Definitely
Very likely to be worse than better. We already had an open source system, which stayed pretty open for about 10-15 years, and is still partially open.
No other player was going in that direction, including Nokia and Maemo (they “upgraded” N900 to N9, which became Windows Phone Lumia 800. That was the end of Linux for them).
sukru,
Maybe. It’s no secret that Android has disappointed many FOSS fans on mobile though. I do appreciate Android forks, but I somewhat resent a lot of the missed opportunities to create a mobile platform that’s genuinely as open as Linux is on the desktop. Things could have been different with another flag bearer to push FOSS on mobile. Maybe in another universe Android succeeded under different ownership, and those owners did a better job promoting open hardware. Or another project like MeeGo took up the cause and created better opportunities for independent Linux distros to join in like they can on PCs. My point isn’t to conclude anything with certainty, because I don’t pretend to know, but it’s clear that Android made some mistakes (as it pertains to our FOSS interests) and it’s not really obvious to me that nobody else would have done better.
It really depends on the dates we focus on. Google bought Android in 2005. The market was less defined back then, meaning things could go a lot of different ways. I am struggling to find historical market data covering that period, but I don’t believe Apple were dominant back then. The market was still fluid and up for grabs.
Alfman,
My first Android phone was HTC G1. It was a breath of fresh air after coming from Windows Mobile 6.5.
Okay, I need to correct myself. My first “Android” phone was HTC HD2:
https://en.wikipedia.org/wiki/HTC_HD2
This was originally Windows Mobile 6.5. But people ported Android (along with Windows Phone — 7-ish, MeeGo and others. Check Wikipedia). And I used it for a while.
However, it lacked sensors. There was no GPS. (A-GPS is basically Wifi based 100-meter accurate location). There was no 6-axis sensor (only 3-axis?) and so on. So basically even though Android “ran”, it was limited. — That is why I switched to HTC G1.
Anyway, back then we had:
Windows Mobile -> Windows Phone
iPhone
Nokia MeeGo
Symbian
Blackberry
Might be missing one or two. But the market was already consolidating. Nokia was terrible with updates, pushing people out (I had that unfortunately), Blackberry was a dinosaur, and Symbian? Practically abandoned.
This is roughly 2008 – 2009.
Alfman,
It probably would have been MS and Apple like usual. They had the money and mindshare.
The best timeline would probably have been Nokia buying Android, folding their Linux efforts into it, and establishing an Android Foundation like the Linux Foundation. Android becomes a real open source project, and Google buys in later.
Nokia still has a networking gear business, so the pitch to unify their stack around parts of Android sounds like something corporate would be interested in.
Flatland_Spider,
After being burned by Nokia multiple times, I would suggest they would be the worst caretakers of Android possible. Probably even less desirable than RIM taking it over.
Why?
I bought the Nokia N800 “Internet Tablet”. A fully functional Linux device with a custom GDK based UI (Maemo).
What happened?
They released N810 soon after and completely abandoned it. Even the open source community could not keep up (thanks to binary drivers).
What happened to N810 (which I did not buy)?
They had the same fate when the N900 phone version was released.
And guess what? I bought that N900 phone, and… of course it was abandoned soon too.
Basically Nokia saw Linux as a cheap replacement for Symbian, never an ecosystem they would actually nourish and keep developing for. As soon as they had the new hardware they would drop existing ones like a rock. Your best bet would be a half-assed quick port of the new OS, which might or might not work well. And that was the end of support.
Nokia?
Never again.
Well, as an Android app developer for over a decade, I admit that I have a strong bias against it.
> what would have happened if Google did not take on Android?
If they hadn’t bought Android, the world probably would look like this: Apple and Microsoft as dominant players, with “Chrome OS” from Google running as an alternative or on top of other phones, using web technologies as a common denominator for mobile development.
Google defines “high-risk” vulnerabilities as issues that are crucial to address immediately, such as those under active exploitation or that are part of a known exploit chain. This designation is based on real-world threat level and is distinct from a vulnerability’s formal “critical” or “high” severity rating.
This is more in line with how patching works in a company. High-risk CVEs get patched as soon as possible, and others get pushed to the regular patch cycle.
The GrapheneOS thread has more interesting information than the Android Authority article.
From GrapheneOS…
Like a real open source project instead of the corporate source project AOSP is?
AOSP ostensibly looks like an open source project, but it’s just Google throwing code over the fence once in a while. Android is for Google. It’s not for us.
Apple having control over pushing out the iOS updates is one reason I switched. Apple has its own problems, but lagging security updates aren’t one of them.
GrapheneOS again…
They’re merging two different repos that got out of sync, and there’s a bunch of merge conflicts. LOL
We’ve been there. 😀
Can’t wait for Linux Phones to be ready
If we could install the OS, drivers, and OEM customizations independently of each other, this would be a lot less of a problem. Google could ship OS fixes to every phone, and OEMs could ship their own driver and overlay updates when they wanted. Windows works like this. Desktop Linux distros mostly work like this (akmods helps when dealing with third-party drivers).
Pre-building “Android for device XYZ” made more sense back when smartphones were new and hardware was more limited, but that was a long time ago.
Wasn’t there work on splitting the OS and OEM levels being done at some point? Or did they just decide it was easier to keep moving things into Google Play Services instead?