final [GrapheneOS] πŸ“±πŸ‘οΈβ€πŸ—¨οΈ's avatar
final [GrapheneOS] πŸ“±πŸ‘οΈβ€πŸ—¨οΈ
npub1c9d9...sqfm
Keeping the fight. Community Moderator for #GrapheneOS https://discuss.grapheneos.org/u/final This is a personal account. I do not speak on behalf of GrapheneOS developers as a whole (nor am I) and suggestions shall not be endorsements.
final [GrapheneOS] πŸ“±πŸ‘οΈβ€πŸ—¨οΈ's avatar
final [GrapheneOS] πŸ“±πŸ‘οΈβ€πŸ—¨οΈ 1 year ago
An experimental prerelease of #GrapheneOS for the Pixel 8a is now available, including web installer support. Pixel 8a currently uses Android 14 QPR1 instead of Android 14 QPR2, meaning it's missing many improvements from the 2nd quarterly release including important privacy and security enhancements. It's likely Android 14 QPR3 will be released in June which should resolve this problem. Android 14 QPR2 is the largest ever quarterly release of Android, because it's the first trunk-based development release. It brought a lot of what Android 15 is going to ship, largely under the hood with new user-facing features largely disabled but present in the code. Android 14 QPR2 was released on March 4th but had a delay in publishing to AOSP due to issues with pushing the code which was finished by March 5th. GrapheneOS had a release based on it within a day of that, but it took a couple days to reach staging due to regressions we found. One of those regressions was the High severity Bluetooth vulnerability we found which was introduced in Android 14 QPR2. This issue slipped into our Stable channel release due to only coming up with rare configurations but we got it fixed on March 9th. Since the Pixel 8a is still using Android 14 QPR1, our initial release is based on porting our changes from our 2024030300 release which was the last one based on QPR1 (
Releases | GrapheneOS
 It has a current May security patch level, but this doesn't meet our usual standards. It's missing improvements to GrapheneOS from March, April and May in addition to Android 14 QPR2 changes. We backported our change enabling PAC/BTI for userspace and are using a current GrapheneOS 5.15 LTS common kernel source tree. SHOULD be fixed with June update, QPR3 or not. Pixel 8a switched to Samsung GNSS (GPS, etc.) from Broadcom so we need to add Samsung PSDS support to our network services for PSDS to work.
final [GrapheneOS] πŸ“±πŸ‘οΈβ€πŸ—¨οΈ's avatar
final [GrapheneOS] πŸ“±πŸ‘οΈβ€πŸ—¨οΈ 1 year ago
Pixel 8a with the latest May 2024 update is running Android 14 QPR1 with backported security patches instead of Android 14 QPR2. Android 14 QPR2 was released in March 2024 and is by far the largest quarterly release so far due to being the first trunk-based quarterly release. We're definitely not going to backport all the changes we've made since March to Android 14 QPR1. That means we can't simply make the usual device support branch to support it. It's going to need to start out being treated as if it's an end-of-life device in extended support. The Pixel 8a doesn't currently meet our expectations. We haven't decided if we want to move development resources from working on new features to providing experimental support for a device with a botched launch. It would be a lot more efficient to wait for it to be fixed first. It might get fixed in the June release. We could put in a bunch of effort to get experimental support for it in the next 24 hours but that will come at a big cost and it won't be anywhere close to something we can consider a production release due to what they released, not us.
final [GrapheneOS] πŸ“±πŸ‘οΈβ€πŸ—¨οΈ's avatar
final [GrapheneOS] πŸ“±πŸ‘οΈβ€πŸ—¨οΈ 1 year ago
Our #Vanadium browser (
Features overview | GrapheneOS
 is based on the stable releases of Chromium. We port to the new releases when they're still in Beta/Dev/Canary but we wait until it's Stable to upgrade, particularly since Stable is the only branch with proper security support. Within release channels, Chromium uses staged rollouts where initially only a random subset of users get the new release. Recently, the initial Stable channel release started being done 1 week early and only rolled out to a tiny number of users:
Chrome for Developers
Change in release schedule from Chrome 110 | Blog | Chrome for Developers
From Chrome 110 an early stable version will be released to a small percentage of users.
 Current release status for Android is at
Chromium Dash
 There are 2 variants of a regular Stable release and 2 of an early one, since they enjoy A/B testing changes so much. We've been following the early Stable, but this month they failed to support it properly... After the pair of early Stable releases based on v125 for Android, there were 2 pairs of releases based on v124 with 2 rounds of security patches for issues being exploited in the wild. They failed to update the early Stable release as they have before, so we had to deal with it. Strangely, it appears that the early Stable channel release was only rolled out for Android and the Safari-based iOS app. The 0.2% of Android users receiving the early Stable release aren't getting patches for those 2 vulnerabilities being exploited in the wild. That's not great. These are the 2 patches missing for Android users who get updated to 125.0.6422.34 or 125.0.6422.35:
Chrome Releases
Stable Channel Update for Desktop
The Stable channel has been updated to 124.0.6367.201/.202 for Mac andΒ  Windows Β andΒ  124.0.6367.201Β  for Linux which will roll out over the...
Chrome Releases
Stable Channel Update for Desktop
The Stable channel has been updated to 124.0.6367.207/.208 for Mac andΒ  Windows Β andΒ  124.0.6367.207Β  for Linux which will roll out over the...
 Both are marked as having an exploit in the wild. They should really simply make 1 tag and stop making things overly complex. #GrapheneOS
final [GrapheneOS] πŸ“±πŸ‘οΈβ€πŸ—¨οΈ's avatar
final [GrapheneOS] πŸ“±πŸ‘οΈβ€πŸ—¨οΈ 1 year ago
#GrapheneOS version 2024050700 released: While it appears the patch level is older, this is due to Google not releasing the full SPL until later. - full 2024-05-05 security patch level rebased onto AP1A.240505.005 Android Open Source Project release - update our backports of mainline APEX Health Fitness patches - kernel (5.10): update to latest GKI LTS branch revision including update to 5.10.213 - kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.151 - TalkBack (screen reader): update dependencies - Vanadium: update to version 124.0.6367.159.0 - PDF Viewer: update to version 18
Releases | GrapheneOS
final [GrapheneOS] πŸ“±πŸ‘οΈβ€πŸ—¨οΈ's avatar
final [GrapheneOS] πŸ“±πŸ‘οΈβ€πŸ—¨οΈ 1 year ago
We've pre-ordered a Pixel 8a for our official device testing farm. They push the Android Open Source Project tags and stock OS factory images on the official release day. Should take us a couple hours to add support for it. We'll build, test and make an official release quickly. #GrapheneOS
final [GrapheneOS] πŸ“±πŸ‘οΈβ€πŸ—¨οΈ's avatar
final [GrapheneOS] πŸ“±πŸ‘οΈβ€πŸ—¨οΈ 1 year ago
#GrapheneOS receives third Android Security Acknowledgement from Google this year. This time for a high-severity Bluetooth vulnerability: Google has listed the CVE-2024-23694 vulnerability we reported in the security acknowledgements for May 2024:
Android Open Source Project
Android security acknowledgements | Android Open Source Project
 This is the Bluetooth issue we found with memory tagging which they assigned a High severity. We fixed this on March 9th. This vulnerability isn't listed in the baseline Android Security Bulletin despite being an Android Open Source Project issue. It will likely be listed in the Pixel Update Bulletin which should be today with the monthly update of AOSP and the Pixel OS. This vulnerability only impacts Android 14 QPR2 and later. It's possible they only list issues impacting the initial release of Android 14 in Android Security Bulletins and put the rest in Pixel bulletins. It's odd how Pixel bulletins are mostly issues impacting other devices. Last month, Pixels fixed 2 vulnerabilities we reported which were both classified as High severity and were both exploited in the wild by forensic companies to extract data on smartphones. Both also impact non-Pixels but were only fixed for Pixels and listed in the Pixel bulletin. We understand why they didn't list those firmware patches in the Android Security Bulletin (ASB) since other devices with the same issues need their own unique firmware patches for them. The AOSP 14 QPR2 Bluetooth big not being listed means ASB is less complete than we thought though.
final [GrapheneOS] πŸ“±πŸ‘οΈβ€πŸ—¨οΈ's avatar
final [GrapheneOS] πŸ“±πŸ‘οΈβ€πŸ—¨οΈ 1 year ago
Android monthly security backports were released this Monday. We expect the full monthly release to be released much later today (Tuesday). It's what happened last month, but last time we expected the monthly release to be delayed a week so we did an early release with backports. Monthly/quarterly/yearly releases include Low/Moderate severity patches not backported to older releases and are needed for Pixel firmware/driver patches. Those aren't published/disclosed for May yet. We'll do an early release with the ASB backports if it's not released today. We've reviewed the backports and can easily ship them if needed. We've included the next set of Linux kernel GKI LTS updates too. We'll have mitigations for the 3rd party VPN app DNS leaks discovered by our community soon, but likely not today's release.
final [GrapheneOS] πŸ“±πŸ‘οΈβ€πŸ—¨οΈ's avatar
final [GrapheneOS] πŸ“±πŸ‘οΈβ€πŸ—¨οΈ 1 year ago
#GrapheneOS version 2024050300 released. This update contains various hardening additions, fixes Google Fi eSIM activation (again) and changes OS infrastructure to prepare for an upcoming App Communication Scopes feature. See the changes: - remove special handling of the resolver activity ("Open with..." dialog) which was added to Android in order to support instant apps as preparation for our in-development App Communication Scopes feature - fix Google Fi eSIM activation - improve isolation of the eSIM activation apps - improve GrapheneOS infrastructure for per-app state - enable heap memory tagging for vendor processes by default, remove the user-facing toggle in the Settings and restrict toggling the value to debug builds - disable most handling for instant apps in the package manager as attack surface reduction - disable out-of-band APEX updates as attack surface reduction - only allow first party app source and shell to update system packages - improve robustness of original-package handling - Settings: hide GNSS SUPL and PSDS settings on devices without GNSS hardware - fix regression from our Android 14 QPR2 port causing Storage/Contact Scopes link to disappear after going back to the permissions screen - improve setup wizard theme to more closely match the stock Pixel OS configuration - backport mainline APEX module patches for Android Health, Media Provider, Network Stack, and Wi-Fi - kernel (5.10): update to latest GKI LTS branch revision including update to 5.10.212 - kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.150 - kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.80 - Log Viewer: use human readable UTC time for logcat timestamps - GmsCompatConfig: update to version 109 - Vanadium: update to version 124.0.6367.113.0 - Apps: update to version 23 - work around our app repository client taking ownership of updates for the debug toggle we use to test new Android Auto releases - fix debug build option for testing same versionCode package updates
↑