TLDR: Google forbids release of security patch source code until 3 months after it is implemented in Android on a private access repo available to OEMs. Graphene now has access to the OEM repo and can make "security preview" updates ahead of the open release that are closed source.
Er, this is good right? Graphene has always been lacking in security because it didn't have access to the most recent patches, the team had to constantly play catch-up.
No this is absolutely bad obviously. It would be somewhat good if they actually had access to the source code under NDA, but shipping binary blobs without checking them is horrendous. It's not Graphene's fault and this is the best they can do, but that doesn't make it "good".
This is incorrect, the GrapheneOS devs have access to the source code but they can not make it public until the embargo is lifted. If you don't like that, don't enable the feature.
Hmm looks like you are right, they do have access to source. However that still means that people are expected to install and use software for 3 months, before it becomes possible to check it. A normal embargo even for high severity flaws is usually a few days to weeks.
I guess this is why it is an optional feature. The GrapheneOS team is in a difficult position here, either they comply with the NDA or they don't get any access at all. To be honest, I am surprised they managed to get access in the first place. The choice between closed source security patches and a potentially vulnerable phone is uncomfortable but to me the benefit of the patches outweighs the drawbacks of a potentially vulnerable phone.
I think they made the right call too, especially with ICE having access to Graphite now. But it does show that we definitely need to build up Linux phones as a viable alternative, since Google is virtually guaranteed to fuck us even worse down the road.
It'll take a while to plug up all the security holes to get Linux up to par with GrapheneOS, but it's the only way to get back collective control over the future of our mobile devices.