> 2: Every OEM would be required to release those same patches 4 months to the day GrapheneOS releases them.

I don't think that's true since the regulation you linked says:

> (c) security updates or corrective updates mentioned under point (a) need to be available to the user at the latest 4 months after the public release of the source code of an update of the underlying operating system or, if the source code is not publicly released, after an update of the same operating system is released by the operating system provider or on any other product of the same brand;

(emphasis mine)

GrapheneOS is not the OS provider in this context, Google is.



You're not reading the interpretation correctly:

> at the latest 4 months after the public release of the source code of an update of the underlying operating system

So if somebody reverse engineers the patch, or releases the patch under embargo (for which the OEMs would have the source code), that would count as a 'public release'. So GrapheneOS can ship closed-source patches, as you are right that they are not the provider. If GrapheneOS released the source code they are getting from their OEM, then it would count as a 'public release of the source code'.

A patch in itself can be considered an 'update of the underlying operating system' and therefore the moment it becomes public it needs to be patched by all OEMs within 4 months.

GrapheneOS have themselves said that if somebody did reverse engineer the closed source blobs and posted them publicly they could then ship the patches openly at that point but not until.

It must be stated that a lot of the wording of this clause, and the interpretation of what is/is not considered 'publicly releasing source code', is up for debate/courts to settle.


