[mschuster91]

Seriously I'm beyond pissed at the state of Android, patches and open-source compliance. If we are lucky 10% of current phone models will get any form of update. The rest will be vulnerable for years until the devices finally break.

And that's only the Qualcomm stuff. There is another CPU vendor beginning with M who is big in el-cheapo hardware - look at their Android kernel leaks, wherever you dig you find horrid, HORRID code.

Google should mandate full open source disclosure of all GPL'd components as part of the Play Store certification and unlockable bootloaders, otherwise this shit is never going to change.

[f00zz]

> horrid, HORRID code

Heh, I once found a "feature" in a kernel driver in my Xperia (with a SoC from the company with a name starting in M) that allowed you to read arbitrary kernel memory from userspace, by passing the appropriate structures via a ioctl interface. Didn't even have to dig around too much.

Ah well, at least I got a t-shirt from Sony.

[evilos]

The fuck? Is there any documentation for this? CVE?

[f00zz]

I have a detailed report on HackerOne (with some proof-of-concept code), but visibility of the report is set to private. Not sure if it's possible to change it to public, to be honest.

Anyway, the issue is fixed in recent firmware versions.

[pjmlp]

That is never going to happen, when Treble came out we thought it would change, but since they don't force OEMs to actually deliver updates, everything stayed the same.

When questioned about this on the Android Platform 11 AMA last month, they stated that they think OEMs freedom is what makes Android a rich ecosystem.

So there you have it. Can check by yourself on Reddit.

[Polylactic_acid]

Treble was meant to be the key to making android roms easy to support but now the ROM scene is a fraction of what it was 5 years ago.

[pjmlp]

The architecture is a cool design, where Linux gets encapsuble in a kind of micro-kernel where classical drivers are "legacy" drivers, and Treble drivers get their own process, can be implemented in C++ or java, talking with the kernel via Android IPC.

However not forcing OEMs to provide updates, even with Project Mainline and GSI now as Treble updates, doesn't change anything from consumer point of view.

[gsich]

Google did it with their Chromebook. So it is possible.

[pjmlp]

Naturally it is possible, but they aren't willing to do so with Android.

[daneel_w]

Are you referring to the fabless bunch whose name starts with M and ends with ediaTek? :)

[stefan_]

Google are the ones that went on an Apple-esque crusade to extinguish all GPL in AOSP.

[BiteCode_dev]

Still getting updates for my one plus 6. YMMV.

[ChuckNorris89]

That phone is barely 2 years old from a reputable brand, I sure as hell hope it's still getting updates.

My older OnePlus 3 got updates for almost 4 years I think. Not bad, but it's not like apple's 5-6 years. Still, it was half the price of an iPhone with better hardware to boot so fair trade I guess.

I don't like frivolous spending on phones but I never keep a phone more than 4 years anyway. The progress of camera, microphone and speaker quality alone across 4 years is enough of a quality of life improvement for me to upgrade.

At this rate of Android security issues, my next phone will probably be the next iPhone SE but only if they update the display to a larger 1080p 90Hz panel and add an ultrawide camera lens, I don't care about anything else.

[Polylactic_acid]

Still getting updates for my 7 year old ipad air 2. About to get ios 14 as well. Android has warped peoples perspectives on how long a device would get updated. On PC you can just keep installing updates until the device can't keep up anymore.

[lorenzhs]

The iPad Air 2 was introduced just under six years ago. But even the original iPad Air, which was introduced nearly seven years ago, still gets security updates. The last update was released less than a month ago. It's stuck on iOS 12, though.

[Iolaum]

You are getting updates for the OS and kernel but not for device drivers. That's a big surface area for someone to hack your phone.

[Polylactic_acid]

Imagine how good things would be if the drivers were open source and in the kernel. We would still have bugs but at least it would be possible to fix them.

[mschuster91]

Aside from the massive maintenance effort: what is keeping the community from taking all the driver code from the tons of official and unofficial code dumps and bringing them to mainline?

[Polylactic_acid]

You can't just drop leaked code in to the kernel due to legal reasons. And even if the vendor does provide an open source dump of the source you still can't just drop it in to the kernel because it will not meet the code quality standards for linux. Vendors just hack it until it works and call it a day since they don't have to worry about unmaintainable code if they never plan to maintain it.

[corty]

You definitely can drop crappy drivers to the kernel devs for later improvement as somebody else's problem. It is called "staging".

[phjesusthatguy3]

I just put Android 10 on my OnePlus One (via LineageOS). Best phone I've ever owned.

[liuyong]

Be quite，Don't let Trump know!