English

Regular Google Android security updates cycle - any speedup?

Is there a chance that with the andoid 6.x base that Fairphone OS is based upon, we can see quicker monthly google android updates rolled out into the Fairphone OS for FP2? Is there any difference from incorporating and rolling out Android 5 updates for FP2 before? Were there more customisations and special modifications to FPOS compared to Android 6 and FPOS now? Is there this nordic software company or service provider that I read in the blog about involved in bringing or continuing with the Android 6 code base? Or was that only a single agreement when migrating over FP2 from Android5 to Android6? Thanks for explaining.

1 Like

I pressume yes. Read below.

Fairphone OS Lollipop had a few custom features that has been removed on Fairphone OS Marshmallow. Such features added a layer of complexity when applying Android security patches. So they pressumably will be able to apply patches more quickly now that the OS is closer to mainline Android*.

*= Although I think they still depend primary on the CodeAurora (Qualcomm) sources.

I don’t now anything about that yet.

1 Like

Okay so Google pushes to SOC or platform vendors first, and only then comes general announcement to the public of their security incidents and such, and hardware vendors such as FP get supplied by the platform/SOC vendors? And then FP needs to push it back to Google for review and Google acknowledges and clears for release thereafter?

Hi,

what exactly have you noticed and are you missing?

So far I see, Fairphone publishes a new update just a few days after Google has released the patches. Though I did not compare the dates of each patch number, I believe they match, so it’s just a fews days which is much faster than most other vendors and telco companies (which are sometimes involved in the update process).

Do you need the updates even quicker?

1 Like

FP is quite regular and nice compared to other major hw vendors, but google just published this months patches some days ago already, and in the past FP mostly needed three weeks or a bit longer to come up with their monthly release. And I wanted to know a bit more about the workflow. The public google android announcements are not the time when the vendors receive their information from google in a more intimate way I suppose, so three weeks might be even a bit underestimated of a timespan. Just wondering if situation is going to speed up with the switch to Android6 code base.

1 Like

FP is not major :wink:

You can’t expect the monthly security updates to come punctually right after FP released a major upgrade. There may be bug fixes they are currently testing and want to put in the next release. Releasing two new updates just a few days apart just to have security fixes a few days earlier may not be a good idea.

I never actually looked when G%§$e released their security fixes, but are you sure you are not confusing it with the delay for FP Open?

I doubt FP and G%§$e have an intimate relationship.

1 Like

Security patches can be applied directly after Google has published them in the Android Security Bulletins and there is no middle(wo)man needed. See this blog post about FP1, for example:

[quote]Now that Fairphone has control over the Fairphone 1 source code, what’s next? First of all, we can say that we have no plans to stop supporting the Fairphone hardware. We will continue to apply security fixes as long as it is feasible for the years to come. We will also keep exploring ways to increase the longevity of the Fairphone 1. [/quote] (bold by me)

The Android Security Bulletin for May 2017 (published on 1st May), for example, says the following:

Partners were notified of the issues described in the bulletin on April 03, 2017 or earlier.

So yes, Qualcomm (the chipset manufacturer) gets notified way earlier about vulnerabilities, but Fairphone receives them, when all other vendors get them too (unless they have other intransparent agreements in place… :thinking: ). Btw., there are always two security patch levels: 2017-xx-01 and 2017-xx-05. The first one is partial and only the second one includes all security fixes for that month.

Fixes for general Android vulnerabilities and for Qualcomm-specific issues are released at the same time in the Security Bulletin. (Also see 4. in the Q&A-section of the bulletins.)

5 Likes

Thanks, @Stefan, I didn’t know that, :slight_smile:

2 Likes

Additionally, I think should be mentioned, Fairphone needs to certify their changes by Google after implmenenting the patches. I don’t know how long that takes, but I assume you may also have something lika a week delay.

2 Likes

Do security updates really need Technical Acceptance (lowest part of the infocgraphic) from Google or does that only apply for featured upgrades (e.g. from Lollipop to Marshmallow)?

This topic was automatically closed after 182 days. New replies are no longer allowed.