GrapheneOS Organization Discusses How Pixel Update Bulletin Should Be Improved

Every patch in the May 2024 Pixel Update Bulletin is also relevant to a lot of other devices including the High severity Bluetooth issue we reported:

source.android.com/docs/security/…/2024-05-01grapheneos.social/

Android Security Bulletin SHOULD be expanded. All of this should be in it.

OEMs are only required to fix the issues listed in the Android Security Bulletin (ASB). The main section is a list of what gets backported to older AOSP releases, but they should include all Pixel Update Bulletin patches relevant to other devices in the 2nd section of the ASB.

Android Security Bulletin simply assumes other OEMs don’t bother shipping monthly and quarterly updates but rather only use the initial yearly release and backport a subset of the security patches to it. Having such low expectations for other OEMs plays a role in what they do.

Low/Moderate severity AOSP patches are no longer listed in bulletins and rarely backported to the older versions.

Quarterly and yearly releases used to list dozens of Low/Moderate severity AOSP patches in Pixel bulletins, often over a 100, all needed by other devices too.

Android security patches are essentially 2 different worlds. There are Pixels shipping all of the AOSP and other Android security patches and then everything else shipping only the subset backported to older releases including Android 14 which is NOT the current Android version.

In general, other OEMs are missing nearly all Low/Moderate security patches until they move to the next yearly release. They won’t get most of the Moderate severity patches released this month until they move to Android 15. Many significant privacy issues are classified Moderate.