Security patches aren't being delayed for AOSP specifically but rather Android as a whole including the stock Pixel OS. The title is misinterpreting our reply. We didn't say they're delaying patches to AOSP specifically. Stock Pixel OS has delayed patches too.

A more detailed explanation is at https://x.com/GrapheneOS/status/1964754118653952027.

GrapheneOS has an OEM partner and early access to the security patches so our complaint isn't about us not having access. Google has added an exception to the embargo where binary-only patches can be released which we could use for a special security update branch but that's a ridiculous exception and it should be allowed to release the sources. It can be reversed from the security patches anyway and is trivial for Java and Kotlin. We can't break the embargo ourselves but we CAN publish the security patches early under the rules of the embargo via a special branch and people could reverse the patches from there which could then be applied to the regular GrapheneOS branch. The system is ridiculous and our hope is these changes are undone.

The title should really be changed from "for AOSP" to "for Android". There's a binary-only exception in the embargo now but that's not really about AOSP and isn't being used in practice even for Pixels. They've really just delayed all patches 4 months instead of 1 while also destroying any semblance of there being a real embargo (which was already very weak).

Thanks for the clarification. Delaying patches for all Android is even worse than delaying for AOSP. Excerpts below.

  .. Google recently made.. misguided changes to Android security updates.. almost entirely quarterly instead of monthly to make it easier for OEMs. They're giving OEMs 3-4 months of early access which we know for a fact is being widely leaked including to attackers.

 .. Google's existing system for distributing security patches to OEMs was already.. problematic. Extending 1 month of early access to 4 months is atrocious. This applies to all of the patches in the bulletins. This is harming Android security to make OEMs look better by lowering the bar.. The existing system should have been moving towards shorter broad disclosure of patches instead of 30 days. 

  .. Android's management has clearly overruled the concerns of their security team and chosen to significantly harm Android security for marketing reasons.. Android is very understaffed due to layoffs/buyouts and insufficient hiring.. Google does a massive portion of the security work on the Linux kernel, LLVM and other projects.. providing the resources and infrastructure for Linux kernel LTS releases. Others aren't stepping up to the plate.