by gruez 1608 days ago
Disagree. For certain vendors you can already get unlocked bootloaders and kernel sources. That's how various aftermarket Android ROMs are built. However, even for a project like LineageOS, there's only one or two maintainers per device. Do you think one or two volunteer maintainers (presumably working in their free time) can keep the entire kernel up to date and patched?
2 comments

Fine. Let's try another law.

Any locked device must brick itself after 6 months of no patches, to ensure the safety of the network.

A few months of that, and we will arrive at the previous law.

> Fine. Let's try another law.

> Any locked device must brick itself after 6 months of no patches, to ensure the safety of the network.

What does this accomplish? Get people mad? Moreover, what prevents someone from making trivial patches to keep a device "up to date", kind of like how people make trivial changes to their passwords to keep up with password rotation policies?

Yes, aside from finally protecting our networks from hostile traffic, that is the intended purpose.

I was thinking that we could name this law after you.

To be fair, if the devices bricked themselves, people would start to value update lifetime even more, and sales of devices with short support would drop like a rock.

But this suffers from Goodhart's law. "Support period" becomes the metric to game, so manufacturers would say they "support" for 10 years or whatever, but what that entails is having an intern bump up the version number every 6 months.

If they say security updates for 10 years and there are unpatched security vulnerabilities living in the device before that, I think they should have to refund the purchase.
> Do you think one or two volunteer maintainers (presumably working in their free time) can keep the entire kernel up to date and patched?

Maybe I misunderstand it, but I think it’s not that bad?

The kernel gets kept up-to-date by LineageOS, the device builds (official or unofficial) use the base builds, but add device-specific tweaks, and cherry-pick commits from elsewhere. And actually a level above that is AOSP which is maintained by Google.

Would love if someone could correct me.

> And actually a level above that is AOSP which is maintained by Google.

How do you think the CVEs get discovered? What about CVEs in the Qualcomm-specific code? How do you know that the amateur kernel developers wouldn't fall prey to C footguns and introduce new vulnerabilities?

Don't get me wrong, this is strictly better than the current state of affairs where there's zero patches, but I think people are underestimating how much effort it takes to keep a huge codebase patched.