237
MacBook Air owner?
(cdn.masto.host)
KDE is an international technology team creating user-friendly free and open source software for desktop and portable computing. KDE’s software runs on GNU/Linux, BSD and other operating systems, including Windows.
If you encounter a bug, proceed to https://bugs.kde.org, check whether it has been reported.
If it hasn't, report it yourself.
PLEASE THINK CAREFULLY BEFORE POSTING HERE.
Developers do not look for reports on social media, so they will not see it and all it does is clutter up the feed.
@mox @manualoverride while I absolutely agree with your position, also keep in mind that this has security implications.
Beside the fact that most vendors dont even use all the patches available from AOSP, no custom ROM project can backport all patches. Sooner or later this means there are devices that cant be securely used anymore, unless someone does the effort.
a vendor concept with a subscription could solve this I guess or enough support for an open project e.g. @GrapheneOS
@brahms @mox @manualoverride
OEM support for the device is needed because an alternate OS cannot provide firmware updates otherwise. In practice, driver updates also come from the OEM. Providing the Android Open Source Project backports is nowhere close to full security patches. It's unfortunate that most alternate operating systems mislead users about this by setting an inaccurate Android security patch level field, not being honest about what's missing and downplaying the importance of it.
@brahms @mox @manualoverride
Firmware and driver patches are not any less important than generic OS patches. A high portion of critical severity patches are for drivers.
Android Open Source Project has a new release every month. These are monthly, quarterly and yearly releases. Yearly releases move forward around 3 months on the development branch. Since Android 14 QPR2, quarterly releases also do the same and just leave most new feature flags disabled. These are required for full patches.
@brahms @mox @manualoverride
Android Open Source Project provides backports of most but not all High/Critical severity patches to the initial yearly releases of Android 12, 13 and 14 for devices which have not updated to the latest release (currently Android 14 QPR3). The combination of these backports with baseline firmware/driver patches form the Android Security Bulletins referred to by the security patch level. This is not the full set of security patches, just absolute bare minimum.
Firmware and drivers can be made open, just as other software can be made open. It's really just a matter of incentives. In my experience, law tends to be a pretty effective incentive.
If the bill of materials included the legal requirements discussed here, then a component supplier would either start producing open firmware/specs, or they would lose that market to another supplier.
Obviously, Android would not be the only project/product affected by such a legal change.
@mox
Firmware being open or closed doesn't make any difference to the OEM needing to provide updates since it has to be signed as part of the basic security model. Having the source code doesn't mean you can update it.
Having the source code and the ability to update it also doesn't mean anyone is going to do it. See the kernel drivers which are entirely open source.
The firmware that's part of the Android project is open source such as Trusty OS. The firmware doesn't come from Android.
@mox
Open source does not solve this even if all the code could be updated. There are not people who take over maintaining all of it.
There are alternate operating systems which mislead users about what they provide including setting an inaccurate Android security patch level. They don't take over maintenance/development of a whole bunch of device specific components but rather hack around their lack of maintenance/development to get new OS versions running on top of abandoned code.
@mox
Landing kernel drivers in upstream projects doesn't magically give them any real maintenance. Upstream Linux kernel source tree is full of broken drivers which have bitrotted due to the immense churn. Most of the drivers aren't tested as part of the development process. This is why essentially all production usage of the Linux kernel outside VMs is stuck using an LTS branch very long term with the need to do a lot of stabilization and bug fixing to move to a newer LTS branch.
@mox
Offloading work to an imagined community of people who are going to take over maintaining firmware and drivers isn't a solution. There are generally not people who are going to take it over. They're only going to do the bare minimum to keep devices mostly working while telling people everything is fine and they don't actually need those pesky security patches despite how important they are.