top | item 45918572

(no title)

Before the EU law, Android would release monthly bulletins, and patches would take about a month before being released on Pixel devices, once known as 'best in class' security. GrapheneOS have themselves admitted this has changed from 1 month to 4. This has been done to comply with this new EU law.

Now, we have patches already for March 2026 in November 2025. Once the March 2025 patches are shipped by Google, OEMs have 4 months for all OEMs to ship it (deadline being July 2026).

Consider this scenario:

Patch for bug lands January 2026. Google decides to either release a Pixel OS update or release the source code in 8 months time containing this patch for whatever reason. Then a 4 month timer starts for all OEMs to ship that patch. Meaning a patch that has existed from January 2026 can now be shipped by January 2027 under this system and fully comply with the law. This patch may be under active exploit as OEMs have leaked it which again, GrapheneOS have admitted is happening.

Previously, patches would be landing within the month. All google must do is ensure this patch is not included in any pixel OS update or public source code release.

Yes, Google is responsible, but when the EU touts laws as fining 4% of global turnover (in the case of GDPR), then they are going to be taken seriously, which means OEMs demanding Google not release the update for Pixel/source code until they are ready and use this loophole as they are doing.

The loser is ultimately the end user who has a weaker more exploitable device for months.

discuss

No comments yet.