Comment by botanical76
2 days ago
Note, GrapheneOS seems to have been able to secure partner access to Android early security releases, but this comes with the cost that the source used to make these special "01" builds is private until general availability. This might not be a tradeoff that LineageOS is willing to take; GrapheneOS has provided the option on a recommended opt-in basis.
https://discuss.grapheneos.org/d/27068-grapheneos-security-p...
The bad thing in general is the dependence on Google policy for all AOSP distros. Joining those programs might long term worsen the situation.
IMHO, it could be worth the fight if GrapheneOS could win their (rather legal/lobbying) battle to obtain Play Integrity certification by following security closely (which is a joke IMHO because EOL phones with no updates for years also get integrity). Google releasing easily diffable security-only bytecode sets seems like a security nightmare for everyone else.
All of those distros suffer from the reliance on Google to release anything, so in one way or the other they play the game. Particularly Lineage heavily does 'self-censoring' to comply without much benefit IMHO. We really would need e.g. does not even include the keys for providing alternative WebViews or the ability to switch the location provider. While Google has those capabilities, they only support services sending data to their own servers.
I used Lineage as my daily driver since the CyanogenMod days and the HTC Desire, but switched to a Google Pixel a few months back, because I felt I had lost the Play Integrity fight and although my great Redmi Note 10 Pro was otherwise running like a charm thanks to Lineage and the device maintainers (Daniel and Aryan), I personally could not invest time and cognitive capacity anymore.
More and more device manufacturers are locking down their bootloaders again. I hope someone can break the momentum and finds a way to break the OS duopoly.
We have the sources for the patches, which is how they get applied to the source tree. We have both the regular releases and security preview releases so it's easy to see what was changed since it's a small amount of code: currently 59 security patches for Android 16, similar to the size of typical Android security patches, although 1 was already public elsewhere so we applied it to the regular release.
> does not even include the keys for providing alternative WebViews or the ability to switch the location provider.
Trusting third parties with this is a privacy and security risk. GrapheneOS uses our Vanadium fork of Chromium for the WebView and LineageOS has their own builds of Chromium for it. We provide our own network location implementation using a semi-offline approach based on Apple's location service. We plan to add fully offline support for both Wi-Fi and cell tower network location via downloading regional databases. SUPL is essentially obsolete for GrapheneOS since all supported devices have PSDS and the network location service is already used to help accelerate GNSS when enabled, so we could just remove that instead of making our own SUPL service based on the same data.
We're making progress in fighting the Play Integrity API but governments and regulators move slowly. Courts also move slowly but we haven't brought it to a court yet and would prefer not having to do that. We would greatly prefer if Google worked it out with us and other AOSP-based operating systems but it doesn't appear there's much chance of that ever happening. It's strange since we were never hostile towards them, earned them a lot of money via hardware sales and made substantial upstream contributions.
A major Android OEM is working with us because unlike Google, they're able to see the significant benefits of working with us and selling a lot of devices based on it once they have official GrapheneOS support. Google could have worked with us and others instead of the path they're taking. They could have sold a lot more Pixels by opening up the devices more and improving them. Instead, they'll sell a lot fewer Pixels than they could have as one of the main reasons people buy them goes away. A lot of people who bought them and used the stock OS still bought them because they knew they could get first class support for another OS. They're shooting themselves in the foot. Our userbase will be buying devices from another OEM instead once they meet our requirements.
>> All of those distros suffer from the reliance on Google to release anything, so in one way or the other they play the game. Particularly Lineage heavily does 'self-censoring' to comply without much benefit IMHO. We really would need e.g. does not even include the keys for providing alternative WebViews or the ability to switch the location provider. While Google has those capabilities, they only support services sending data to their own servers.
> Trusting third parties with this is a privacy and security risk.
Trusting Google with this is a privacy risk.
> Trusting third parties with this is a privacy and security risk.
I sure trust the LineageOS WebView and the guy running BeaconDB more than Google or Apple, FWIW. I understand Graphene's goal isn't freedom but "security", just a hardwareless OEM eventually complying with whatever Google will want.
Yeah, yesterday I got a pop-up post-update that explained the situation and asked me if I wanted the closed source blobs.
The preview patches are source code patches we're applying to the source tree used for the regular GrapheneOS releases. We have the sources for the patches, but we need to wait until the embargo end date to publish the security preview patches as source code. We keep the patches in a dedicated Git repository with a script for applying them to the source tree from the regular release. Each security preview release is tagged there, so we can release the sources which were used as soon as the embargo date is reached.
As far as I have heard they have not actually secured partner access for themselves, they just got someone who has access to break their NDA.
No, GrapheneOS is partnered with a major Android OEM and has security partner access through them. Our security preview releases are in full compliance with the terms set by Google. It's permitted to ship the patches early with delayed source releases for the patches on the dates the embargoes end. The current patches are from the November 2025, December 2025 and January 2026 bulletins. We've shipped the full set of currently available patches for those 3 months.
See https://discuss.grapheneos.org/d/24134-devices-lacking-stand... for a more detailed explanation.
The access comes from GrapheneOS' OEM partner who isn't breaking any kind of NDA.
I don't know the exact terminology, but they described what they currently have as security partner access or at least advanced access to security patches. To my knowledge they are still working on full partner access that would grant them timely access to the AOSP source code.