luca020400 | 2 hours ago
I don't think that's a fair comparison. OEMs have quite a lot of extra steps before releasing any build to the public. They have to pass xTS, the set of test suites required before getting certified by Google, possibly carrier certification, regulatory requirements and more, depending on where the build will be released. There are "quicker" release channels for security fixes, but I don't think it's common for OEMs to only ship those without any other change to the system. I don't think Graphene does anything of the sort; they take what's already certified in the Pixel builds and use it. Not like they could do much aside from testing on the public part of xTS.
raggi | 9 minutes ago
> I don't think that's a fair comparison.

Fair?

> OEMs have quite a lot of extra steps before releasing any build to the public.

AIUI updates are less stringent and burdensome than initial certification. Regardless, much of the process is automated. Graphene has CI too. 3PLs taking 4 weeks to run automated tests is also absurd. There are some "manual steps" to run CTS-V, but they shouldn't be weeks-level burdensome either. This is the point: this is an industry problem. The reason that the OEMs even have to deal with this 3PL test mess is for GMS certification, so again this is a policy decision that enforces a poor process. The bad properties of the process are not inherent to the problem space of validating builds against requirements. An industry problem.

> There are "quicker" release channels for security fixes, but I don't think it's common for OEMs to only ship those without any other change to the system.

Seems like a decision that is not user-centric.

> I don't think Graphene does anything of the sort; they take what's already certified in the Pixel builds and use it. Not like they could do much aside from testing on the public part of xTS.

Private test suites for software are a toxic idea; it's in the same box as the "SSO tax" and other such "pay for security" models. Given the software industry can't be trusted not to do this, I'm almost keen to see legislation to explicitly ban this practice.
yaro330 | 40 minutes ago
Yep. And GrapheneOS's changes to the kernels of the devices they ship are laughably small, 20-30 commits at most. I don't think they even do any basic CVE checks on any of the source code. Fuzzing, actual security analysis: all those things are done by Google.