FP Security Updates need to be more frequent

I guess for the FP4 everybody is

Yup, that’s the case for the FP4 at the moment.

FP5 is up to date though:

I’m really looking forward to seeing the FP6. They won’t have a hipster SoC so hopefully it will have better software support. But since it will presumably also be outsourced, I doubt it.

FP5 Users on German Telekom and Vodafone are still waiting for this update, we’re also still stuck on the March patch.

The same here: FP3+, VF Germany, build 6.A.031.7 - released in February!

Where does the information about the “Normal” SoC come from?

Does anyone know when the next security update for the FP4 will come?
We are still on the 05.03.25 security patch level.

Security is important.

“Eventually”… :roll_eyes:
They have always been (more and more) late on releasing them. Security updates have never been Fairphone’s priority, at least not since I bought my FP4 at the end of 2022. :frowning_face:

Don’t get your hopes up. I would assume they are hard at work working on Android 15 at the moment. It’s been awfully quiet when it comes to that project as well, hmm.

Rather on FP6 I guess, after all (security) updates for already sold kit are just a loss leader…

Whatever it is, as of today they are officially one full month late on their “2 months” promise: It is June 5th, and our phones are still on the March 5th patch. :angry:

And as usual, deafening silence from Fairphone.

That’s not how a two month promise works. They promise an update every two months. Fairphone released the last update for FP4 on the 31st of March [0] (patching up to the level of March 5th, as the April 1st level didn’t exist yet). The next update would thus have been due on the 31st of May. It’s now 5 days late, not a month.

[0] https://support.fairphone.com/hc/en-us/articles/4405858220945-Fairphone-4-Release-Notes

but that only applies to users not using a Deutsche Telekom (and some others) network: For users of those networks, Fairphone still has not published an Android update since the one containing Security Patch Level March 5th, see also: Software Update: FP5.UT2M.B.113.20250319 - #41 by janweiss (not blocked by Deutsche Telekom, but apparently by Fairphone)
Therefore, also 3 months delay by today

You are talking about different devices, FP4 and FP5, and for both devices there is a different roadmap regarding update frequency.

For the FP4 they just published a statement

Let’s agree to disagree. What is important for security patches is not when Fairphone deigns to release them, but the patch date, i.e. the cutoff date for fixes included.
Our current patch date is “March 5th”, and that is today exactly 3 months ago.
In other words, it means we’re missing every exploit fix released in the last 3 months. And since they just announced they will release that May patch around June 17th, by then our phones will be outdated by 3.7 months, nearly 4 months! Great!

“Security patches every 2 months” my eye. :angry:

As linked above, there are 3 exploits being used in the wild as we speak. That is bad. Whether or not we are 5 days late, or a month late, doesn’t really matter. Until we have the May patch we are still vulnerable.

> What is important for security patches is not when Fairphone deigns to release them, but the patch date, i.e. the cutoff date for fixes included.

> As linked above, there are 3 exploits being used in the wild as we speak. That is bad. Whether or not we are 5 days late, or a month late, doesn’t really matter. Until we have the May patch we are still vulnerable.

I agree completely with you. I’m merely making an appeal for precision: when it comes to Fairphone’s promise of one update every two months (with no mentions of patch level), they’re 5 days late and make an apology for it. The thing they are 2 months late with (in both your and my view) is something they haven’t promised. What you should thus be trying to do is not call them out on not meeting their promise, but trying to persuade them to do better than their current promise for the sake of security.
…And then you run into the fact that releasing an update is a mountain of work. Google needs to release the patches, Fairphone needs to integrate them in their tree with or without help from Qualcomm, build, test for regressions with any supported telecom provider, probably fix issues with builds, then get them certified before they can release. It’s an iterative process that takes weeks, partially due to the nature of Android being an OS for all phones (as opposed to iOS) and the SoC manufacturers’ appalling track record at working with upstream kernels and drivers which would vastly reduce the burden of applying patches if done well.
The only thing I can feasibly see Fairphone do to improve the latency of distributing fixes is to go back to a monthly release schedule. I would applaud such a move, but that will take up a lot of extra time from testers and engineers that is presumably in limited supply and currently spread between the regular updates and the Android 15 upgrades.

The problem is this allows them to play with the calendar, and what you get in the end is a totally unsafe device. And if you wanted such a device, you could have bought one for half the price. :angry:

As the saying goes, “if you can’t stand the heat, stay out of the kitchen”.
What I’m saying is that they don’t do any heroics, they simply do their job, that’s what they’re paid for. No need to admire them, especially since they make such an appalling job out of it.
Yes, tech/telecom is hard, I know, I’m working in it myself. That is no excuse for anything: If you can’t get the job done, your boss will hire somebody who can, it’s as simple.

There is a snowball’s chance in hell that might happen! :roll_eyes:
Fairphone always had problems with releasing security patches in time, just re-read this very thread which the PTB desperately try to contain and limit as much as possible… This thread started in a period in which Fairphone had once again been exceptionally late (3 months) with their patches, and at the time patches were monthly!..
So no, the only thing which will speed up things is if Fairphone hires some more developers. Which is unlikely to happen since they have already culled their support. Anything which doesn’t bring immediate profit is terminated, or at least reduced to the minimum.

So, unfortunately it’s much more likely they will soon announce patches will come every 3 months, which will immediately slip to become 4 months, and so on: If they do it slowly enough people won’t react too much. Past experience says you can not trust Fairphone, they will usually try to renege on their promises. :frowning_face:
In the 3 years I have had an FP4, they have disappointed me at least three times as often as they have pleasantly surprised me. Hm, actually they have pleasantly surprised me only once (camera update). …Yes, I’m bitter. And to think I initially was a rabid fanboi and Fairphone evangelist… I’m still horribly ashamed of all those people I convinced to buy a Fairphone. :frowning_face:

Admiration, heroics… that’s all emotions. I’m personally not very interested in those.
Looking at the release history, there’s about a 3.5 week turnaround time between Google releasing the patches for a patch level and Fairphone delivering it. This is following the process that Google laid out for it, with the integration and the certification. At least for part of that process Fairphone is dependent on third parties, be it Google or the telecom companies, so if you have a problem with a 3.5 week turnaround time then your problem is with the entire Android supply chain, not just with Fairphone. I doubt FP can reduce this turnaround time much on their own accord. And frankly if they could they would have done that by now because spending less time on an update will probably make them less costly.
One question that does arise is: when does a phone manufacturer get access to the patches for a given patch level? Can it start integrating earlier?

That said, the once-every-two-months decision on the other hand is 100% within FPs control. If you want improvement in getting patches for CVEs to your phone earlier, that’s IMHO where the opportunity lies.

Some details from FP here

I talked to ChatGPT due to another discussion where it was (as many times before here and in many different other topics) stated every other OEM is doing better than Fairphone

So while ChatGPT is surely not 100% reliable I’m surprised how well it gets the point.

I asked for roll-out times of HMD for EU and especially for the new Fusion and this is the final summary, which hits it quite well in my eyes:

Technically, Fairphone 5 and HMD Fusion both receive updates about 4–6 weeks after Google’s monthly security patches.
So from a pure timing perspective, they are comparable. It’s not that Fairphone 5 performs worse — it’s that expectations are higher, and perceived delays feel more disappointing to a more vocal, invested community.
If we purely rate update speed, they’re on par.
If we factor in trust, transparency, and expectation management, Fairphone gets more criticism.

and to back up with data from HMD directly

It is actually 90% unreliable… :roll_eyes:
And that applies to all chatbot/AI actually available. They might occasionally and accidentally be right, but all AIs can do is smooth talking, better than most humans, and that is usually enough to give it credibility. Unfortunately AIs suffer from what one would call “severe intellectual disability”, and their output should never ever be trusted…

The sad thing is we’re living in a post-factual society where actual truth/reality is increasingly becoming unimportant, so AI sycophants have a bright future (check “AI chatbots tell users what they want to hear”, Ars Technica).