I don’t really see how delaying patches makes Android any more secure than a monthly release.
Sure, it’s probably a tradeoff between the time it takes to ship security patches and might help some vendors to at least ship quarterly updates, but … it keeps known vulnerabilities unpatched for up to three months.
Even with this lead time, some OEMs struggle to roll out security updates for all their devices each month. In fact, many don’t even commit to monthly security updates for their entire lineup; their update policies often stipulate that budget and mid-range devices only qualify for bi-monthly or quarterly patches.
Which is to say that most OEMs aren’t making monthly releases. It’s a sad state of affairs.
Google has put a lot of effort into making the process for OEMs easier. Project Treble to simplify updates. Project Mainline to move updates to be pushed via Google Play. (The small downside being you now need Google Play, but users do now get security updates.)
Now the answer seems to be fewer updates. OEMs weren’t doing them, but maybe if they’re smaller? It’s probably better that end users get some updates rather than none.