FP Security Updates need to be more frequent

Please understand if the vendor hasn’t updated, an aftermarket cannot fix those issues.
I describe this here: Patch Levels - DivestOS Mobile

/e/OS also currently hasn’t updated the system webview in 5 months and is a year behind PSB patches.

6 Likes

Thanks for the link. I will read it.

Unfortunately your family is an exception.
I’m with @AvidAlbatross, in my family the general consensus is “Updates suck!”, and thus they are postponed till kingdom come (or till I force them to do them).
Never assume everybody is just like yourself… In the epic ongoing battle of convenience vs. security, convenience wins (almost) every time. You could pay some people, they would still not bother. :frowning_face:

I don’t think their family is different …

… I read that as the devices not having been updated for 1 - 2 years.

At that point I’d move all their devices to a (physically) separate wifi network with no access to the rest, so they at least don’t become a danger to everyone else.

5 Likes

LineageOS 20 seems to be the more sensible choice regarding updates. Along with the respective MindTheGapps package you can also use stuff like banking apps (at least in my case all the apps I need work fine even without a locked bootloader), and you get Android 13, working Bluetooth aptX, Material You, a working “recent apps” button also with 3-button navigation and a third-party launcher, a good camera app based on CameraX and so on. Only Google Pay won’t work, since it has stricter requirements like working SafetyNet and a locked bootloader.

So far I did not regret the change to LineageOS.

Yet another monthly security update has been released by Google/Android; the July 2023 update shipped just yesterday with high/critical bugs that require no user interaction at all.

Fairphone really needs to get its act together and invest in its software staff.
Please. Seriously. This can’t be happening: the only Fairphone product (FP4) still on the retail market, which is also your flagship product, is this badly supported for security updates.

We are not even speaking about dang bugs and silly features here any more. This is fundamental security basics.

https://source.android.com/docs/security/bulletin/2023-07-01?hl=en

2 Likes

But think of the workers!

Speaking of nothing, I’m a beta tester and I actually do have the 5 June patch. It would seem this update has been delayed due to a (rare) mobile data issue another beta tester reported 23 June.

If there is no update tomorrow late in the afternoon, then there is truly a delay developing for FP. According to their own standards they are still on time.

1 Like

June patch? Who are you kidding? We have the July Android security releases as of yesterday. Security is a constant process and can’t be delayed or postponed. The whole user base is running dated stuff on the flagship product. Sucks.

1 Like

Of course it can be. They will only change their way of operating if people start caring about patches. And people definitely don’t.

I’m seeing an update ready to download just now. Not sure if it’s a beta update or not, but it’s something.

Edit: It’s a beta update

Yes, you are right.

And how much time do you think the QA needs to check the new fixes for regressions?
The news with the patch info was just posted this morning, and you would seriously expect an update ready to be rolled out to the public by the afternoon? Even if FP got the patches earlier this week, this is something no company is capable of.

I guess we will get the June patches in the next days, and we will have to wait for the July update a bit longer. Or they skip the June update in favor of jumping directly on the July patchday.

2 Likes

According to this article, Android Partner vendors receive the monthly Security Patches at least one month in advance:

If you are an Android Partner, you immediately have it a whole lot easier. Android partners are notified of all Android framework issues and Linux kernel issues at least 30 days before the bulletin is made public. Google provides patches for all issues for OEMs to merge and test, though vendor component patches are dependent on the vendor. Patches for the Android framework issues disclosed in the May 2019 security bulletin, for example, were provided to Android partners at least as early as March 20th, 2019*. That’s a lot of extra time.

8 Likes

Till August, actually.
From what I’ve seen in those last 7 months, Fairphone releases those patches always (at least) a month late.

I don’t know if there is only one guy doing software for Fairphone, and he’s swamped between the monthly patches, the fixes and the future v.13 Android release, but I wouldn’t be surprised if it were true… :roll_eyes:

The problem is that releasing urgent patches one month later kind of defeats the purpose, because the minute those monthly patches are released, Bad Guys worldwide know exactly what and how to attack, and the still unpatched Fairphones become sitting ducks.
Ideally one should install patches the very minute they are made public; a mere couple of hours later those vulnerabilities are actively exploited.

But well, as I’ve already said last month, some phones don’t receive patches at all (even if that’s admittedly no consolation).

8 Likes

It really depends on the vulnerability. Not every vulnerability is equal. For example, there’s StackRot (CVE-2023-3269), and clearly Android and SteamOS (and all the IoT shit you know and don’t know about) each contain this vulnerability, and it’s a big issue if you use, say, OCI such as Docker. But I’m not sure how it affects AOSP.

What? StackRot affects kernels 6.1 and later. I doubt if any Android phone is remotely that recent, and there’s very little chance that the huge pile of changes that StackRot was part of (maple-tree-ization of core parts of mm) would ever have been backported to any of them.

FP4 in particular is running 4.19.157. There’s about as much chance of StackRot affecting that as of it affecting a Commodore 64.

1 Like
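Both questions raised above (how far a device’s patch level trails the current bulletin, and whether a given kernel version even falls into a CVE’s affected range) are things you can check mechanically from `adb shell getprop` and `adb shell uname -r` output. The following is an added example written for this page, not code from the thread or from Fairphone. The `getprop` dump and the `uname -r` string are constructed to resemble an FP4 on Android 12 with the May 2023 patch level; the StackRot lower bound (6.1) is from the post above, while the fixed versions (6.1.37, 6.3.11, 6.4.1) are assumptions from memory of the stable backports and should be verified against the kernel changelogs before relying on them.

```python
"""Assess an Android device's patch exposure from getprop/uname output.

Added example, not code from the forum thread or from Fairphone.
Reports (1) how many months the security patch level trails a bulletin
and (2) whether the kernel version lies in a CVE's affected range.
"""
import re
from datetime import date

# Constructed sample output (not captured from a real device), modelled on
# `adb shell getprop` for an FP4 on Android 12 with the May 2023 patch level.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [12]
[ro.build.version.sdk]: [31]
[ro.build.version.security_patch]: [2023-05-05]
[ro.product.model]: [FP4]
"""
# Constructed sample `adb shell uname -r` output.
SAMPLE_UNAME_R = "4.19.157-perf+"

# Half-open [first_affected, first_fixed) version intervals.
# ASSUMPTION: the first_fixed values are from memory of the stable
# backports for StackRot; verify them against the kernel changelogs.
AFFECTED_RANGES = {
    "CVE-2023-3269": [
        ((6, 1, 0), (6, 1, 37)),   # 6.1.y, fixed in 6.1.37 (assumed)
        ((6, 2, 0), (6, 3, 11)),   # 6.2.y (EOL) and 6.3.y, fixed in 6.3.11 (assumed)
        ((6, 4, 0), (6, 4, 1)),    # 6.4.0, fixed in 6.4.1 (assumed)
    ],
}

PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict; ignores malformed lines."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def months_behind(patch_level, bulletin):
    """Whole months between the device patch level and a bulletin date."""
    return (bulletin.year - patch_level.year) * 12 + (bulletin.month - patch_level.month)


def kernel_version(uname_r):
    """'4.19.157-perf+' -> (4, 19, 157); a missing patch component is 0."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", uname_r)
    if not m:
        raise ValueError(f"unrecognised kernel version: {uname_r!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def affected_cves(version, ranges=AFFECTED_RANGES):
    """Return the CVE ids whose affected intervals contain `version`."""
    return [cve for cve, spans in ranges.items()
            if any(lo <= version < hi for lo, hi in spans)]


def assess(getprop_text, uname_r, bulletin):
    """Summarise exposure for one device relative to a bulletin date."""
    props = parse_getprop(getprop_text)
    patch_level = date.fromisoformat(props["ro.build.version.security_patch"])
    kver = kernel_version(uname_r)
    return {
        "model": props.get("ro.product.model", "?"),
        "android": props.get("ro.build.version.release", "?"),
        "patch_level": patch_level.isoformat(),
        "months_behind": months_behind(patch_level, bulletin),
        "kernel": ".".join(map(str, kver)),
        "kernel_cves": affected_cves(kver),
    }


if __name__ == "__main__":
    # Compare the constructed FP4 sample against the July 2023 bulletin date.
    print(assess(SAMPLE_GETPROP, SAMPLE_UNAME_R, date(2023, 7, 1)))
```

Run it against a real device by feeding `adb shell getprop` and `adb shell uname -r` output in place of the samples. The kernel check deliberately compares only the numeric `major.minor.patch` prefix, because vendor suffixes such as `-perf+` carry no information about which stable fixes were merged; for an Android device the only reliable way to know whether a specific upstream fix landed is to inspect the vendor kernel tree, so treat a “not affected” result as “not in the upstream-affected range” rather than a clean bill of health.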

True, Android is based on Linux LTS versions.

From Android (operating system) - Wikipedia

Android’s kernel is based on the Linux kernel’s long-term support (LTS) branches. As of 2023, Android uses versions 4.14, 4.19, 5.4, 5.10 or 5.15 of the Linux kernel (and since modified Linux kernels are used, Android names like android13-5.15 or android-4.19-stable are used).[189] The actual kernel depends on the individual device.[190]

According to teltarif.de the rollout of A13 to the FP3(+) has started. In the article (see :de: Update-Rollout: Fairphone 3(+) erhalten Android 13 - teltarif.de News ) they write that the rollout for the FP4 is planned for the end of this year. This side note really makes me unhappy :frowning_face:

I understand your disappointment (in case this info is true). However, I would rather like to see a quick fix of the screen dimming issue instead of A13, which I personally don’t mind waiting 6 more months for.

6 Likes

Yes, you are absolutely right. The fixes definitely have priority. On the other hand one does not necessarily exclude the other :smiley: