From b9b6e3db160853d0d52bd7df6215c4fa38693184 Mon Sep 17 00:00:00 2001 
From: Ophestra Date: Sat, 28 Jun 2025 01:35:14 +0900 Subject: [PATCH] static: remove unused pages There are more potentially unused pages, but these are unlikely to become relevant or reusable in the near future, so remove them. --- generate-donate-qr-codes | 19 - generate-sitemap.py | 18 +- static/.well-known/matrix/client | 1 - static/.well-known/matrix/server | 1 - static/.well-known/security.txt | 24 - static/allowed_signers | 1 - static/allowed_signers.asc | 16 - static/allowed_signers.sig | 2 - .../attestation-compatibility-guide.html | 176 -- static/articles/grapheneos-servers.html | 726 ------ static/articles/index.html | 66 - static/articles/positon-location-service.html | 89 - static/articles/server-traffic-shaping.html | 259 -- ...sitewide-advertising-industry-opt-out.html | 65 - static/donate-bitcoin-bip47.png | Bin 378 -> 0 bytes static/donate-bitcoin-taproot.png | Bin 419 -> 0 bytes static/donate-bitcoin.png | Bin 372 -> 0 bytes static/donate-cardano.png | Bin 371 -> 0 bytes static/donate-ethereum.png | Bin 233 -> 0 bytes static/donate-litecoin.png | Bin 378 -> 0 bytes static/donate-monero.png | Bin 483 -> 0 bytes static/donate-zcash-transparent.png | Bin 373 -> 0 bytes static/donate.html | 422 ---- static/history/copperheados.html | 112 - static/history/index.html | 99 - static/history/legacy-changelog.html | 2169 ----------------- templates/header.html | 16 +- 27 files changed, 10 insertions(+), 4271 deletions(-) delete mode 100755 generate-donate-qr-codes delete mode 100644 static/.well-known/matrix/client delete mode 100644 static/.well-known/matrix/server delete mode 100644 static/.well-known/security.txt delete mode 100644 static/allowed_signers delete mode 100644 static/allowed_signers.asc delete mode 100644 static/allowed_signers.sig delete mode 100644 static/articles/attestation-compatibility-guide.html delete mode 100644 static/articles/grapheneos-servers.html delete mode 100644 static/articles/index.html delete mode 100644 
static/articles/positon-location-service.html delete mode 100644 static/articles/server-traffic-shaping.html delete mode 100644 static/articles/sitewide-advertising-industry-opt-out.html delete mode 100644 static/donate-bitcoin-bip47.png delete mode 100644 static/donate-bitcoin-taproot.png delete mode 100644 static/donate-bitcoin.png delete mode 100644 static/donate-cardano.png delete mode 100644 static/donate-ethereum.png delete mode 100644 static/donate-litecoin.png delete mode 100644 static/donate-monero.png delete mode 100644 static/donate-zcash-transparent.png delete mode 100644 static/donate.html delete mode 100644 static/history/copperheados.html delete mode 100644 static/history/index.html delete mode 100644 static/history/legacy-changelog.html diff --git a/generate-donate-qr-codes b/generate-donate-qr-codes deleted file mode 100755 index 915a54dc..00000000 --- a/generate-donate-qr-codes +++ /dev/null 
@@ -1,19 +0,0 @@ -#!/bin/bash - -set -o errexit -o nounset -o pipefail - -generate() { - echo $1 - qrencode -s 1 -o $1 $2 - gm identify -format '%w×%h\n' $1 - zopflipng -ym $1 $1 -} - -generate static/donate-bitcoin.png 'bitcoin:bc1q9qw3g8tdxf3dugkv2z8cahd3axehph0mhsqk96?label=GrapheneOS%20Foundation&message=Donation%20to%20GrapheneOS%20Foundation' -generate static/donate-bitcoin-taproot.png 'bitcoin:bc1prqf5hks5dnd4j87wxw3djn20559yhj7wvvcv6fqxpwlg96udkzgqtamhry?label=GrapheneOS%20Foundation&message=Donation%20to%20GrapheneOS%20Foundation' -generate static/donate-bitcoin-bip47.png 'bitcoin:PM8TJKmhJNQX6UTFagyuBk8UGmwKM6yDovEokpHBscPgP3Ac7WdK5zaQKh5XLSawyxiGYZS2a7HkAoeL6oHg7Ahn1VXX888yRG4PwF1dojouPtW7tEHT' -generate static/donate-monero.png 'monero:862CebHaBpFPgYoNC6zw4U8rsXrDjD8s5LMJNS7yVCRHMUKr9dDi7adMSLUMjkDYJ85xahQTCJHHyK5RCvvRJu9x7iSzN9D?recipient_name=GrapheneOS&tx_description=Donation%20to%20GrapheneOS' -generate static/donate-zcash-transparent.png 'zcash:t1SJABjX8rqgzqgrzLW5dUw7ikSDZ2snD8A?label=GrapheneOS%20Foundation&message=Donation%20to%20GrapheneOS%20Foundation' -generate static/donate-ethereum.png 'ethereum:0xC822A62E5Ab443E0001f30cEB9B2336D0524fC61' -generate static/donate-cardano.png 'web+cardano:addr1q9v89vfwyfssveug5zf2w7leafz8ethq490gvq0ghag883atfnucytpnq2t38dj7cnyngs6ne05cdwu9gseevgmt3ggq2a2wt6' -generate static/donate-litecoin.png 'litecoin:ltc1qzssmqueth6zjzr95rkluy5xdx9q4lk8vyrvea9?label=GrapheneOS%20Foundation&message=Donation%20to%20GrapheneOS%20Foundation' diff --git a/generate-sitemap.py b/generate-sitemap.py index 60157658..1f5c9fe7 100644 --- a/generate-sitemap.py +++ b/generate-sitemap.py 
@@ -2,27 +2,16 @@ from datetime import datetime, timezone from os.path import getmtime from pathlib import Path -base = "https://grapheneos.org" +base = "https://hakurei.app" pages = [ ["/", 0.5], - ["/.well-known/security.txt", 0.0], ["/LICENSE.txt", 0.0], - ["/articles/", 0.5], - ["/articles/attestation-compatibility-guide", 0.5], - ["/articles/grapheneos-servers", 0.1], - ["/articles/positon-location-service", 0.5], - ["/articles/server-traffic-shaping", 0.5], - ["/articles/sitewide-advertising-industry-opt-out", 0.5], ["/build", 0.5], ["/camera-privacy-policy", 0.0], ["/contact", 0.5], - ["/donate", 0.5], ["/faq", 1.0], ["/features", 1.0], - ["/history/", 0.3], - ["/history/copperheados", 0.1], - ["/history/legacy-changelog", 0.1], ["/hiring", 0.2], ["/humans.txt", 0.0], ["/pdfviewer-privacy-policy", 0.0], @@ -38,12 +27,13 @@ entries = [] for page in pages: path = page[0] + if path[-1] != '/' and "." not in path: + path += ".html" + loc = base + path filepath = "static-production" + path if path[-1] == '/': filepath += "index.html" - elif "." not in path: - filepath += ".html" mtime = getmtime(filepath) if mtime > base_mtime: diff --git a/static/.well-known/matrix/client b/static/.well-known/matrix/client deleted file mode 100644 index 367d6f7d..00000000 --- a/static/.well-known/matrix/client +++ /dev/null @@ -1 +0,0 @@ -{"m.homeserver":{"base_url":"https://matrix.grapheneos.org"}} \ No newline at end of file diff --git a/static/.well-known/matrix/server b/static/.well-known/matrix/server deleted file mode 100644 index 744ba48d..00000000 --- a/static/.well-known/matrix/server +++ /dev/null @@ -1 +0,0 @@ -{"m.server":"matrix.grapheneos.org:443"} \ No newline at end of file diff --git a/static/.well-known/security.txt b/static/.well-known/security.txt deleted file mode 100644 index d346f314..00000000 --- a/static/.well-known/security.txt +++ /dev/null 
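Review bot: In the first generate-sitemap.py hunk, `["/.well-known/security.txt", 0.0],` is dropped from `pages` and the file itself is deleted, with nothing replacing either, so the site at the new `base` would publish no vulnerability-disclosure contact. Removing the inherited file is right, since its signed `Contact:` and `Canonical:` fields name grapheneos.org and would be wrong for `https://hakurei.app`. If this project accepts security reports, a follow-up should add its own security.txt (with `Canonical: https://hakurei.app/.well-known/security.txt`, the project's own contact and a fresh `Expires:`) and restore the `pages` entry. A short comment above `pages` would help too, for example `# [path, sitemap priority]; paths without an extension map to <path>.html`.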
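Review bot: In the second generate-sitemap.py hunk, the relocated check `if path[-1] != '/' and "." not in path:` looks for a dot anywhere in the path rather than in the final component, and `path[-1]` raises IndexError on an empty entry. A path under a dotted directory such as `/.well-known/` would therefore never get the `.html` suffix. `Path` is already imported at the top of the file, so `if not path.endswith("/") and not Path(path).suffix:` would cover both cases. The suffix is now appended before `loc = base + path`, so the emitted sitemap URLs appear to carry `.html`, where the removed `elif` only adjusted `filepath`. That is presumably intended for the new host, but it is worth confirming that those URLs are served directly rather than redirected. The loop body continues outside the hunk.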
@@ -1,24 +0,0 @@ ------BEGIN PGP SIGNED MESSAGE----- -Hash: SHA256 - -Contact: mailto:security@grapheneos.org -Canonical: https://grapheneos.org/.well-known/security.txt -Encryption: data:application/x-age-public-key,age1dcftzgq00ykgwvxl5te6d5clqgx75h2g54c0u8gjc43mcnea7p7q3ma0yx -Expires: 2026-03-01T00:00:00Z -Preferred-Languages: en ------BEGIN PGP SIGNATURE----- - -iQIzBAEBCAAdFiEEZe7+AiEI4rcIy/z3+ecS5Zr18ioFAmfDGl4ACgkQ+ecS5Zr1 -8iquHQ//e/Wy0rv3YlGTzzE1bM+h45JKyd+vxYdRmUVM4ic0rLpx+v1vQdIDKUtZ -Bax7wE1dMRu02Tpo8vxoEB5QgilxgLtZIi0y3K68/lQJM1BIl20ieL0YfeB9YZt7 -TZeAbuIMaq0YyzxexTE2GKQQI4qKAIJpMvEnvxmZ2c9dmOiP6T6TYVsYBmiSe7op -YUQZ1j6yElVXiBA9FJg1vpaWqPFeSEmi8X0c0ef5tdNKCai1c2/arhELK4msB3ih -0Wd7MIukudGvH7Xjfb+H8EZ53OTg/3pAhNdf5E7apwlgNPdp/XPK3Uen+8o0wV4r -cQRNBD0gGA8kyEtYfcgndFo5kVkptOZB4OLx7A9wxjDsfMYduknuTGyniZH2DBlH -S/H0aWaoLSO2FCFT7OIkXxYTjXdbKZwgtPf5ba6gCpDL/aXrjIPeqHtmo/l2ruhx -sc6TYiSHBQuFqQg+X2/49GxDap6k13an5ZiRPUw5CoJl3r3Ztg6ZKu4EiFmLjJ5K -AliaN0hjwqxH0AbMc95DLUZ1oRNpk17dlcXl/Fgk7ZI/6GWEqOhEkzf3je9GrZJR -53OTDvcarq+rS8kcZ/bSxoBLaZNcNes3kcinaCnGCTjFPgoy2f6CtuuA37KwMc0V -TMGaKqRMUCj+lJtdM2HuY0FvWMWjrDKdPrprUx8/umrAa0XPX2k= -=WcPV ------END PGP SIGNATURE----- diff --git a/static/allowed_signers b/static/allowed_signers deleted file mode 100644 index 4ff4078f..00000000 --- a/static/allowed_signers +++ /dev/null @@ -1 +0,0 @@ -contact@grapheneos.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIUg/m5CoP83b0rfSCzYSVA4cw4ir49io5GPoxbgxdJE diff --git a/static/allowed_signers.asc b/static/allowed_signers.asc deleted file mode 100644 index 003dc24c..00000000 --- a/static/allowed_signers.asc +++ /dev/null 
@@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEEZe7+AiEI4rcIy/z3+ecS5Zr18ioFAmXMmicACgkQ+ecS5Zr1 -8iqOKw//WB9N2C+jT/WmMT4t0+aE/0uHvBqoU9KQFmzFWlixibqF70C3gcBkeZK9 -tvWViI1UhQJktM0A4rwTn3r7T+MvIbwlOzHBKmoWyU2+PSwO3lIO9xbHSvu4/rbp -IVkIimgwi9WTvlDvXRhYdXtfJJyXl+qlfbk5sHCOavuR+/xPx3IUDpEZwPvi33VF -Z1Sl/3yJztLB96ngmhs29WBniTvxa3owYwjMhHNuTnxNf2m8bIavYA2Vraj9gE8O -eTNE5oXkGdv2YJnKW0gbMDV2/F7WBW2/kPZ6yvUxR9texHsFn1dofvf604W09PKP -QaIzCKGsJSAVKx/g9mSXm2Z/+hsXLWlJAVK0hmCEhn+Tnmff5KMG7R1WUes0R0rv -PK6sa0NbvRRNiwxM08PnZ14WrYBggOZdRBlseqHIdwu2UD2X2vTNK4VOhBbaQPYd -EwdIwZxqu0bpUtPIowJqppd/ZWxKOJ4OMcDF/2ENBTqp20RWQnTM1WEV1OoUQeh1 -XfZDNFBRW7CP4zsbFTIK4DEobxbVXCEVtUK4rGRChX3WL8qhVCgxFf4W8Cwjco2y -u40luFdoNyrd2yTVevcX0w2W/4JvJ5reikepYOAbCwbLbWNJnKoRA+0ZgZ0IE1B4 -+RDmB5iIefAPjpD/Do/TtlFjRcyh6g4kNWnS1fTzB9jGNP/PQWs= -=rnsE ------END PGP SIGNATURE----- diff --git a/static/allowed_signers.sig b/static/allowed_signers.sig deleted file mode 100644 index cf242c60..00000000 --- a/static/allowed_signers.sig +++ /dev/null @@ -1,2 +0,0 @@ -untrusted comment: verify with factory.pub -RWQZW9NItOuQYMZY8ZMX9VX4hfy54df7Pt3Yh1qEWTyRlQKH4PdteqeKUk9jljywlcCl8nzKJAj75F70Y5FTsAK4cw2aV+CZcAA= diff --git a/static/articles/attestation-compatibility-guide.html b/static/articles/attestation-compatibility-guide.html deleted file mode 100644 index 92176d04..00000000 --- a/static/articles/attestation-compatibility-guide.html +++ /dev/null @@ -1,176 +0,0 @@ - - - - - Attestation compatibility guide | Articles | GrapheneOS - - - - - - - - - - - - - - - - - - - - - - [[css|/main.css]] - - - - - - {% include "header.html" %} -
-

Attestation compatibility guide

- -

Apps using the Play Integrity API or - obsolete - SafetyNet Attestation API to check the authenticity/integrity of the OS can support - GrapheneOS by using the standard Android hardware attestation API instead and - permitting our official release signing keys. Android's - hardware - attestation API provides a much stronger form of attestation than the Play - Integrity API with the ability to whitelist the keys of alternate operating systems. - It also avoids an unnecessary dependency on Google Play services and Google's - Play Integrity servers.

- -

The standard hardware attestation API can be used to verify the authenticity/integrity - of the hardware, firmware, OS and the app running on it. It provides a verified boot key - fingerprint for the OS for permitting secure aftermarket operating systems. The app id, - signing key fingerprint(s) and version code of the app enabling hardware attestation are - included in the signed public key certificate for the generated key. This enables the - app's service to make sure the app is genuine and unmodified along with chaining trust - through the OS to the app which can sign messages with the attested hardware keystore - key to prove they come from their app running on top of a verified OS, firmware and - hardware. The only practical way to bypass hardware attestation is through exploiting - the hardware keystore to obtain attestation signing keys, which is protected against by - the ability to revoke keys that are being misused. Play Integrity API strong integrity - level is directly based on the hardware key attestation API, but apps using it directly - can support aftermarket operating systems, check the hardware attested OS patch level - and other provided information. The hardware attestation API also supports pinning-based - security instead of only root-based security where keys can be leaked and used to fake - attestations. Apps can use pinning to establish a much higher security pairing with a - specific device to obtain fresh attestations with a very high level security based on - the security of the device's own hardware keystore rather than the overall ecosystem. - Hardware attestation also doesn't require using any Google service beyond regularly - fetching the list of revoked keys for root-based attestation. The app's service doesn't - have to go down or start permitting anything if the Google services becomes unavailable - or blocks the app from using it for one reason or another. 
Using hardware attestation is - therefore more reliable and lower risk for apps.

- -

Devices have been required to ship with hardware attestation support since Android - 8. You can use hardware attestation on devices running Android 8 or later when the - ro.product.first_api_level system property isn't set to 25 or below, - which indicates they launched with Android 8 or later with hardware attestation - support as a mandatory feature. On older devices, you can continue using the Play - Integrity API. Some low quality devices shipped broken implementations of hardware - attestation despite the requirement to have it working for CDD/CTS certification and - the Play Integrity API currently still passes on those devices wrongly claiming them - to be CTS certified. If you don't want to fail on those devices, then you can start - with hardware attestation and fall back to the Play Integrity API or do both and - accept either passing as success.

- -

Google provides a key - attestation library with examples. Our MIT - / Apache 2 licensed Auditor app can be used as a reference implementation for - verifying hardware-based attestations. There are some subtleties in the verification - process such as making sure only the 2nd certificate in the chain (the one signing the - certificate for the key generated by your app) has an attestation extension to prevent - making a fake attestation by extending the chain. You can reuse our code and simply - omit support for an app generated attestation signing key (attest key) and the other - pinning support.

- -

After verifying the signature of the attestation certificate chain and extracting - the attestation metadata, you can enforce that verifiedBootState is - either Verified or SelfSigned. For the - SelfSigned case, you can check that verifiedBootKey matches - one of the official GrapheneOS verified boot keys. These are the base16-encoded - verified boot key fingerprints for the official GrapheneOS releases:

- - - -

The verifiedBootKey field is binary data so you either need to encode - it as base16 to compare with these or convert these to binary. An easy approach is - storing the permitted key fingerprints in a set and enforcing that the verified boot - key is in the permitted set when verifiedBootState is - SelfSigned.

- -

GrapheneOS regularly adds support for new devices so you should have a process for - regularly adding the new verified boot key fingerprints from this page.

- -

The hardware attestation API also provides other useful information signed by the - hardware including the OS patch level, in a way that even an attacker exploiting the - OS after boot to gain root cannot trivially bypass. It's a better feature than the - Play Integrity API which has to be designed for the lowest common denominator.

- -

GrapheneOS users are strongly encouraged to share this documentation with app - developers enforcing only being able to use the stock OS. Send an email to the - developers and leave a review of the app with a link to this information. Share it - with other users and create pressure to support GrapheneOS rather than locking users - into the stock OS without a valid security reason. GrapheneOS not only upholds the - app security model but substantially reinforces it, so it cannot be justified with - reasoning based on security, anti-fraud, etc.

- -
-

Apps banning GrapheneOS

- -

This is a list of the apps banning GrapheneOS with the Play Integrity API with - links to their Play Store pages for leaving feedback:

- -
    -
  • myGov (Australian government app)
  • -
  • gov.br (Brazilian government app)
  • -
  • Ticketcorner
  • -
  • Authy
  • -
  • eBay
  • -
  • McDonald's (International app used for many but not all countries not including the US)
  • -
  • Dott
  • -
  • Swissquote
  • -
  • SwissID
  • -
  • TK-App (German health insurance app which uses it for fingerprint login)
  • -
  • IO (Italian government app which uses it for the digital wallet feature)
  • -
- -

In addition to leaving feedback for these apps on the Play Store, file support - requests and leave feedback on third party review sites. Ask them to stop banning - GrapheneOS and explain that it's a much more secure OS than what they permit which - does not lose any of the standard security model. Explain that they can use the - hardware key attestation API to verify that a device is running GrapheneOS to permit - it alongside an OS licensing Google apps as they do with the Play Integrity API - already. Make sure to push back against false claims that it has something to do - with compatibility or security issues. The only reason they aren't permitting it is - because we do not license Google Mobile Services (GMS) and these apps are enforcing - Google's business interests rather than security.

-
-
- {% include "footer.html" %} - - diff --git a/static/articles/grapheneos-servers.html b/static/articles/grapheneos-servers.html deleted file mode 100644 index 0c7d40c7..00000000 --- a/static/articles/grapheneos-servers.html +++ /dev/null @@ -1,726 +0,0 @@ - - - - - GrapheneOS servers | Articles | GrapheneOS - - - - - - - - - - - - - - - - - - - - - - [[css|/main.css]] - - - - [[js|/js/redirect.js]] - - - {% include "header.html" %} -
-

GrapheneOS servers

- -

This is a detailed list of the public GrapheneOS servers.

- -

We use hardened local machines for building and signing rather than servers outside - our physical control, so information on that infrastructure is outside the scope of this - page but may be provided in the future elsewhere.

- - - -
-

GrapheneOS website

- - - -

Specs:

- -
    -
  • 3x OVH VPS vps2023-le-2
  • -
  • 2 core
  • -
  • 2 GB memory
  • -
  • 40 GB NVMe SSD storage
  • -
  • 500 Mbit/s bandwidth
  • -
- -
    -
  • 1x BuyVM Slice 1024
  • -
  • 1 core
  • -
  • 1 GB memory
  • -
  • 20 GB NVMe SSD storage
  • -
  • 1000 Mbit/s bandwidth
  • -
- -

Domains:

- -
    -
  • grapheneos.org
  • -
  • www.grapheneos.org
  • -
  • grapheneos.app
  • -
  • www.grapheneos.app
  • -
  • grapheneos.ca
  • -
  • www.grapheneos.ca
  • -
  • grapheneos.com
  • -
  • www.grapheneos.com
  • -
  • grapheneos.dev
  • -
  • www.grapheneos.dev
  • -
  • grapheneos.foundation
  • -
  • www.grapheneos.foundation
  • -
  • grapheneos.info
  • -
  • www.grapheneos.info
  • -
  • grapheneos.net
  • -
  • www.grapheneos.net
  • -
  • grapheneos.ovh
  • -
  • www.grapheneos.ovh
  • -
  • grapheneos.page
  • -
  • www.grapheneos.page
  • -
  • vanadium.app
  • -
  • www.vanadium.app
  • -
- -

IPs:

- -
    -
  • 51.222.156.101 (0.grapheneos.org) — OVH bhs6
  • -
  • 2607:5300:205:200::29c6 (0.grapheneos.org) — OVH bhs6
  • -
  • 209.141.35.164 (1.grapheneos.org) — BuyVM Las Vegas
  • -
  • 2605:6400:20:1131:8088:e08:84e6:632 (1.grapheneos.org) — BuyVM Las Vegas
  • -
  • 54.37.41.189 (2.grapheneos.org) — OVH gra8
  • -
  • 2001:41d0:304:200::b109 (2.grapheneos.org) — OVH gra8
  • -
  • 51.79.160.50 (3.grapheneos.org) — OVH sgp2
  • -
  • 2402:1f00:8000:800::16d6 (3.grapheneos.org) — OVH sgp2
  • -
- -

Ports:

- -
    -
  • TCP 22 ssh
  • -
  • TCP 80 http
  • -
  • TCP 443 https
  • -
-
- -
-

Staging GrapheneOS website

- - - -

Specs:

- -
    -
  • BuyVM Slice 1024
  • -
  • 1 core
  • -
  • 1 GB memory
  • -
  • 20 GB NVMe SSD storage
  • -
  • 1000 Mbit/s bandwidth
  • -
- -

Domains:

- -
    -
  • staging.grapheneos.org
  • -
- -

IPs:

- -
    -
  • 199.195.250.78 — BuyVM New York
  • -
  • 2605:6400:10:9d6:6d84:e183:acda:16d7 — BuyVM New York
  • -
- -

Ports:

- -
    -
  • TCP 22 ssh
  • -
  • TCP 80 http
  • -
  • TCP 443 https
  • -
-
- -
-

GrapheneOS release servers

- -

These are the static file servers for GrapheneOS releases and our app - repository. These are used by the releases page and web installer along with the - System Updater and App Store (app repository client) within the OS.

- - - -

Specs:

- -
    -
  • Macarne dedicated server (sponsored by Macarne)
  • -
  • Ryzen 9950X
  • -
  • 128 GB DDR5
  • -
  • 2x 2 TB NVMe SSD storage
  • -
  • 25000 Mbit/s bandwidth
  • -
- -
    -
  • 2x ReliableSite dedicated server (sponsored by ReliableSite)
  • -
  • Ryzen 9900X
  • -
  • 192 GB DDR5
  • -
  • 2x 4 TB NVMe SSD storage
  • -
  • 10000 Mbit/s bandwidth
  • -
- -

Domains:

- -
    -
  • releases.grapheneos.org
  • -
  • seamlessupdate.app
  • -
  • www.seamlessupdate.app
  • -
  • apps.grapheneos.org
  • -
- -

IPs:

- -
    -
  • 45.90.185.33 (4.releases.grapheneos.org) — Macarne Amsterdam
  • -
  • 2a14:3f87:6920:250::100 (4.releases.grapheneos.org) — Macarne Amsterdam
  • -
  • 172.96.172.37 (5.releases.grapheneos.org) — ReliableSite Miami
  • -
  • 2605:9880:400:1100:15:1240:515:6e (5.releases.grapheneos.org) — ReliableSite Miami
  • -
  • 104.194.8.203 (6.releases.grapheneos.org) — ReliableSite Los Angeles
  • -
  • 2605:9880:200:20::113 (6.releases.grapheneos.org) — ReliableSite Los Angeles
  • -
- -

Ports:

- -
    -
  • TCP 22 ssh
  • -
  • TCP 80 http
  • -
  • TCP 443 https
  • -
-
- -
-

GrapheneOS network servers

- -

These are the default servers used by GrapheneOS for connectivity checks, - secure network time, attestation key provisioning and Predicted Satellite Data - Service (PSDS). These either serve empty responses or provide reverse proxies to - other services.

- - - -

Specs:

- -
    -
  • 3x OVH VPS vps2023-le-2
  • -
  • 2 core
  • -
  • 2 GB memory
  • -
  • 40 GB NVMe SSD storage
  • -
  • 500 Mbit/s bandwidth
  • -
- -
    -
  • 1x BuyVM Slice 1024
  • -
  • 1 core
  • -
  • 1 GB memory
  • -
  • 20 GB NVMe SSD storage
  • -
  • 1000 Mbit/s bandwidth
  • -
- -

Domains:

- -
    -
  • grapheneos.network - HTTP/HTTPS connectivity checks
  • -
  • connectivitycheck.grapheneos.network - HTTP/HTTPS connectivity checks
  • -
  • www.grapheneos.network
  • -
  • grapheneos.online - HTTP/HTTPS connectivity checks
  • -
  • connectivitycheck.grapheneos.online - HTTP/HTTPS connectivity checks
  • -
  • www.grapheneos.online
  • -
  • broadcom.psds.grapheneos.org - HTTPS Broadcom PSDS data cache
  • -
  • samsung.psds.grapheneos.org - HTTPS Samsung PSDS data cache
  • -
  • qualcomm.psds.grapheneos.org - HTTPS Qualcomm PSDS data cache
  • -
  • remoteprovisioning.grapheneos.org - HTTPS reverse proxy to remoteprovisioning.google.com
  • -
  • widevineprovisioning.grapheneos.org - HTTPS reverse proxy for Widevine provisioning
  • -
  • time.grapheneos.org - HTTPS time server with millisecond precision X-Time header
  • -
  • supl.grapheneos.org - TLS reverse proxy to supl.google.com
  • -
  • nominatim.grapheneos.org - HTTPS reverse proxy to nominatim.openstreetmap.org, which will become our own instance of Nominatim instead of a proxy
  • -
  • gs-loc.apple.grapheneos.org - HTTPS reverse proxy to Apple's network location service, which will remain an option after we have our own location service
  • -
  • update.vanadium.app - HTTPS reverse proxy to update.googleapis.com for Chromium component updates (will be hosted directly in the future)
  • -
  • dl.vanadium.app - HTTPS reverse proxy to CDNs for Chromium component updates (will be hosted directly in the future)
  • -
- -

IPs:

- -
    -
  • 51.222.159.116 (0.grapheneos.network) — OVH bhs6
  • -
  • 2607:5300:205:200::2584 (0.grapheneos.network) — OVH bhs6
  • -
  • 209.141.37.35 (1.grapheneos.network) — BuyVM Las Vegas
  • -
  • 2605:6400:20:387:72d4:dab9:a369:f351 (1.grapheneos.network) — BuyVM Las Vegas
  • -
  • 54.37.41.188 (2.grapheneos.network) — OVH gra8
  • -
  • 2001:41d0:304:200::902f (2.grapheneos.network) — OVH gra8
  • -
  • 51.79.161.36 (3.grapheneos.network) — OVH sgp2
  • -
  • 2402:1f00:8000:800::1949 (3.grapheneos.network) — OVH sgp2
  • -
- -

Ports:

- -
    -
  • TCP 22 ssh
  • -
  • TCP 80 http
  • -
  • UDP 123 ntp
  • -
  • TCP 443 https
  • -
  • TCP 7275 supl
  • -
-
- -
-

GrapheneOS mail server

- - - -

Specs:

- -
    -
  • OVH VPS vps2023-le-2
  • -
  • 2 core
  • -
  • 2 GB memory
  • -
  • 40 GB NVMe SSD storage
  • -
  • 500 Mbit/s bandwidth
  • -
- -

Domains:

- -
    -
  • mail.grapheneos.net
  • -
  • mail.grapheneos.org
  • -
  • mta-sts.attestation.app
  • -
  • mta-sts.discuss.grapheneos.org
  • -
  • mta-sts.grapheneos.app
  • -
  • mta-sts.grapheneos.ca
  • -
  • mta-sts.grapheneos.com
  • -
  • mta-sts.grapheneos.dev
  • -
  • mta-sts.grapheneos.foundation
  • -
  • mta-sts.grapheneos.info
  • -
  • mta-sts.grapheneos.net
  • -
  • mta-sts.grapheneos.network
  • -
  • mta-sts.grapheneos.online
  • -
  • mta-sts.grapheneos.org
  • -
  • mta-sts.grapheneos.ovh
  • -
  • mta-sts.grapheneos.page
  • -
  • mta-sts.grapheneos.social
  • -
  • mta-sts.mail.grapheneos.org
  • -
  • mta-sts.matrix.grapheneos.org
  • -
  • mta-sts.seamlessupdate.app
  • -
  • mta-sts.vanadium.app
  • -
- -

IPs:

- -
    -
  • 192.99.98.22 — OVH bhs6
  • -
  • 2607:5300:205:200::472f — OVH bhs6
  • -
- -

Ports:

- -
    -
  • TCP 22 ssh
  • -
  • TCP 25 smtp
  • -
  • TCP 80 http
  • -
  • TCP 443 https
  • -
  • TCP 465 submissions
  • -
  • TCP 993 imaps
  • -
-
- -
-

GrapheneOS discussion forum server

- - - -

Specs:

- -
    -
  • OVH VPS vps2023-le-4
  • -
  • 4 core
  • -
  • 4 GB memory
  • -
  • 80 GB NVMe SSD storage
  • -
  • 1000 Mbit/s bandwidth
  • -
- -

Domains:

- -
    -
  • discuss.grapheneos.org
  • -
- -

IPs:

- -
    -
  • 51.222.14.6 — OVH bhs6
  • -
  • 2607:5300:205:200::29e8 — OVH bhs6
  • -
- -

Ports:

- -
    -
  • TCP 22 ssh
  • -
  • TCP 80 http
  • -
  • TCP 443 https
  • -
-
- -
-

GrapheneOS Mastodon server

- - - -

Specs:

- -
    -
  • OVH VPS vps2023-le-4
  • -
  • 4 core
  • -
  • 4 GB memory
  • -
  • 80 GB NVMe SSD storage
  • -
  • 1000 Mbit/s bandwidth
  • -
- -

Domains:

- -
    -
  • grapheneos.social
  • -
  • www.grapheneos.social
  • -
- -

IPs:

- -
    -
  • 51.222.159.14 — OVH bhs6
  • -
  • 2607:5300:205:200::5e3f — OVH bhs6
  • -
- -

Ports:

- -
    -
  • TCP 22 ssh
  • -
  • TCP 80 http
  • -
  • TCP 443 https
  • -
-
- -
-

GrapheneOS Matrix server

- -

This server primarily runs the synapse Matrix server with PostgreSQL behind an - nginx web server. It also runs the mjolnir bot for moderation and matterbridge is - used to implement a bridge between Matrix, IRC and Telegram.

- - - -

Specs:

- -
    -
  • OVH VPS vps2020-comfort-4-8-160
  • -
  • 4 core
  • -
  • 8 GB memory
  • -
  • 160 GB NVMe SSD storage
  • -
  • 1000 Mbit/s bandwidth
  • -
- -

Domains:

- -
    -
  • matrix.grapheneos.org
  • -
  • element.grapheneos.org
  • -
- -

IPs:

- -
    -
  • 51.79.51.42 — OVH bhs6
  • -
  • 2607:5300:205:200::26e1 — OVH bhs6
  • -
- -

Ports:

- -
    -
  • TCP 22 ssh
  • -
  • TCP 80 http
  • -
  • TCP 443 https
  • -
-
- -
-

GrapheneOS DNS servers

- - - -

Specs:

- -
    -
  • 4x OVH VPS vps2023-le-2
  • -
  • 2 core
  • -
  • 2 GB memory
  • -
  • 40 GB NVMe SSD storage
  • -
  • 500 Mbit/s bandwidth
  • -
- -
    -
  • 3x BuyVM Slice 1024
  • -
  • 1 core
  • -
  • 1 GB memory
  • -
  • 20 GB NVMe SSD storage
  • -
  • 1000 Mbit/s bandwidth
  • -
- -

Domains:

- -
    -
  • ns1.attestation.app
  • -
  • ns1.grapheneos.app
  • -
  • ns1.grapheneos.ca
  • -
  • ns1.grapheneos.com
  • -
  • ns1.grapheneos.dev
  • -
  • ns1.grapheneos.foundation
  • -
  • ns1.grapheneos.info
  • -
  • ns1.grapheneos.net
  • -
  • ns1.grapheneos.network
  • -
  • ns1.grapheneos.online
  • -
  • ns1.grapheneos.org
  • -
  • ns1.grapheneos.ovh
  • -
  • ns1.grapheneos.page
  • -
  • ns1.grapheneos.social
  • -
  • ns1.seamlessupdate.app
  • -
  • ns1.vanadium.app
  • -
  • ns2.attestation.app
  • -
  • ns2.grapheneos.app
  • -
  • ns2.grapheneos.ca
  • -
  • ns2.grapheneos.com
  • -
  • ns2.grapheneos.dev
  • -
  • ns2.grapheneos.foundation
  • -
  • ns2.grapheneos.info
  • -
  • ns2.grapheneos.net
  • -
  • ns2.grapheneos.network
  • -
  • ns2.grapheneos.online
  • -
  • ns2.grapheneos.org
  • -
  • ns2.grapheneos.ovh
  • -
  • ns2.grapheneos.page
  • -
  • ns2.grapheneos.social
  • -
  • ns2.seamlessupdate.app
  • -
  • ns2.vanadium.app
  • -
- -

IPs:

- -
    -
  • 185.187.152.9 (anycast), 51.161.34.158 (0.ns1.grapheneos.org) — OVH bhs6
  • -
  • 2a05:b0c4:1::8 (anycast), 2607:5300:205:200::eaa (0.ns1.grapheneos.org) — OVH bhs6
  • -
  • 185.187.152.9 (anycast), 15.204.8.153 (1.ns1.grapheneos.org) — OVH US us-west-or-2
  • -
  • 2a05:b0c4:1::8 (anycast), 2604:2dc0:202:300::23a6 (1.ns1.grapheneos.org) — OVH us-west-or-2
  • -
  • 185.187.152.9 (anycast) 57.129.65.223 (2.ns1.grapheneos.org) — OVH de2
  • -
  • 2a05:b0c4:1::8 (anycast) 2001:41d0:701:1100::245b (2.ns1.grapheneos.org) — OVH de2
  • -
  • 185.187.152.9 (anycast) 15.235.197.61 (3.ns1.grapheneos.org) — OVH sgp2
  • -
  • 2a05:b0c4:1::8 (anycast) 2402:1f00:8000:800::3966 (3.ns1.grapheneos.org) — OVH sgp2
  • -
  • 198.251.90.93 (anycast), 198.98.53.141 (0.ns2.grapheneos.org) — BuyVM New York
  • -
  • 2605:6400:10:102e:95bc:89ef:2e7f:49bb (0.ns2.grapheneos.org) — BuyVM New York
  • -
  • 198.251.90.93 (anycast), 205.185.124.155 (1.ns2.grapheneos.org) — BuyVM Las Vegas
  • -
  • 2605:6400:20:1c8f:a0c9:372d:482e:945b (1.ns2.grapheneos.org) — BuyVM Las Vegas
  • -
  • 198.251.90.93 (anycast), 107.189.3.168 (2.ns2.grapheneos.org) — BuyVM Luxembourg
  • -
  • 2605:6400:30:ec25:102c:af6d:5be:1eb8 (2.ns2.grapheneos.org) — BuyVM Luxembourg
  • -
- -

Ports:

- -
    -
  • TCP 22 ssh
  • -
  • TCP 53 domain
  • -
  • UDP 53 domain
  • -
  • TCP 80 http
  • -
  • TCP 443 https
  • -
  • TCP 853 domain-s
  • -
-
- -
-

Staging GrapheneOS DNS server

- - - -

Specs:

- -
    -
  • BuyVM Slice 1024
  • -
  • 1 core
  • -
  • 1 GB memory
  • -
  • 20 GB NVMe SSD storage
  • -
  • 1000 Mbit/s bandwidth
  • -
- -

Domains:

- -
    -
  • ns1.staging.attestation.app
  • -
  • ns2.staging.attestation.app
  • -
  • ns1.staging.grapheneos.org
  • -
  • ns2.staging.grapheneos.org
  • -
- -

IPs:

- -
    -
  • 198.98.56.238 — BuyVM New York
  • -
  • 2605:6400:10:c41:de92:c534:326a:711a — BuyVM New York
  • -
- -

Ports:

- -
    -
  • TCP 22 ssh
  • -
  • TCP 53 domain
  • -
  • UDP 53 domain
  • -
  • TCP 80 http
  • -
  • TCP 443 https
  • -
  • TCP 853 domain-s
  • -
-
- -
-

Attestation website and service

- - - -

Specs:

- -
    -
  • OVH VPS vps2023-le-4
  • -
  • 4 core
  • -
  • 4 GB memory
  • -
  • 80 GB NVMe SSD storage
  • -
  • 1000 Mbit/s bandwidth
  • -
- -

Domains:

- -
    -
  • attestation.app
  • -
  • www.attestation.app
  • -
- -

IPs:

- -
    -
  • 51.79.66.27 — OVH bhs6
  • -
  • 2607:5300:205:200::7e9 — OVH bhs6
  • -
- -

Ports:

- -
    -
  • TCP 22 ssh
  • -
  • TCP 80 http
  • -
  • TCP 443 https
  • -
-
- -
-

Staging attestation website and service

- - - -

Specs:

- -
    -
  • BuyVM Slice 1024
  • -
  • 1 core
  • -
  • 1 GB memory
  • -
  • 20 GB NVMe SSD storage
  • -
  • 1000 Mbit/s bandwidth
  • -
- -

Domains:

- -
    -
  • staging.attestation.app
  • -
- -

IPs:

- -
    -
  • 198.98.57.157 — BuyVM New York
  • -
  • 2605:6400:10:aa9:1c0f:44d3:da15:c0ec — BuyVM New York
  • -
- -

Ports:

- -
    -
  • TCP 22 ssh
  • -
  • TCP 80 http
  • -
  • TCP 443 https
  • -
-
-
- {% include "footer.html" %} - - diff --git a/static/articles/index.html b/static/articles/index.html deleted file mode 100644 index 4c2b86ab..00000000 --- a/static/articles/index.html +++ /dev/null @@ -1,66 +0,0 @@ - - - - - Articles | GrapheneOS - - - - - - - - - - - - - - - - - - - - - - [[css|/main.css]] - - - - - - {% with current_page="articles" %} - {% include "header.html" %} - {% endwith %} -
-

Articles

- -

The main documentation for GrapheneOS is at the top-level of the site:

- - - -

Our attestation service has a page - explaining how the Auditor app and attestation service work.

- -

Other articles on assorted topics related to GrapheneOS:

- - -
- {% include "footer.html" %}
-
-
diff --git a/static/articles/positon-location-service.html b/static/articles/positon-location-service.html
deleted file mode 100644
index d773bb52..00000000
--- a/static/articles/positon-location-service.html
+++ /dev/null
@@ -1,89 +0,0 @@
-
-
-
-
- Positon location service | Articles | GrapheneOS
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- [[css|/main.css]]
-
-
-
-
-
- {% include "header.html" %}
-
-

Positon location service

- -

The Positon location service is a proprietary and highly privacy invasive service - created by developers tied to /e/OS with their funding. There's a deliberate effort to - hide that it's tied to them in order to convince other projects to adopt it, as opposed - to using the similar service they host for /e/OS itself. Using the service requires - uploading sensitive location data to obtain location estimates, similar to the Apple and - Google location services. As with the Apple and Google services, it's a centralized - proprietary service with fully proprietary data. Unlike those services, the people - behind it have a history of publishing notoriously insecure software such as the /e/OS - operating system itself which massively rolls back standard security, lags years behind - on security updates and covers all of that up. They blatantly scam their users with - false privacy/security claims for /e/OS, and nothing different should be expected from a - location service from the same group of people. Multiple people involved in it are also - actively participating in harassment targeting privacy/security researchers and - engineers including but not limited to GrapheneOS team members.

- -

The people behind the Positon location service have repeatedly talked about the - importance they see in centralizing the whole open source community around using their - service while locking out alternatives to it through proprietary data. They have spread - fear, uncertainty and doubt about making services using open mapping data through - claiming that it's a privacy hazard for people to have access to maps of Wi-Fi networks - publicly broadcasting their SSID despite that data already being available through many - commercial providers including publicly queryable databases such as Wigle. Anyone can - drive around building these maps and many companies have already built them, with the - data available for sale, as Positon shows with them obtaining access to it. The real - privacy hazard is sending your location in real time to a service, particularly a poorly - secured one from people known to cover up and downplay vulnerabilities. Positon has been - built to grab as much market share as possible early on before actual open options can - emerge and gather the necessary data.

- -

The people involved in Positon have only ever cared about their careers, power and - influence. They've consistently been on a side against real privacy and security, but - rather focused on monetizing people's demand for it and grabbing as much market share as - they can as quickly as they can with endless false marketing and attacks on projects - like GrapheneOS. They see GrapheneOS as a huge threat to them due to us striving to - bring people real privacy and security at no cost, which is far easier to obtain and - use. This invalidates the business model of their companies like Murena. They - consistently use their non-profits mainly as a way to earn money and promote their - for-profit initiatives.

- -

The service claims to be free of charge, but a core goal is turning it into a way to - get data from users to build their own database that's largely not going to be available - for use by others. Using it is helping them build a future business at the expense of - user privacy, little different from the Apple and Google services. This is not what the - open source community needs from a location service. The claims of no strings attached - and the implication that it's open are nonsense. Storing as little data as possible - would mean using local database for the region, not a network-based service. They're - opposed to doing a local service well rather than it being their long term goal. They - explicitly aim to lock out other alternatives and deter local location detection via - Wi-Fi.

-
- {% include "footer.html" %}
-
-
diff --git a/static/articles/server-traffic-shaping.html b/static/articles/server-traffic-shaping.html
deleted file mode 100644
index 26c0c04b..00000000
--- a/static/articles/server-traffic-shaping.html
+++ /dev/null
@@ -1,259 +0,0 @@
-
-
-
-
- Server traffic shaping | Articles | GrapheneOS
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- [[css|/main.css]]
-
-
-
-
-
- {% include "header.html" %}
-
-

Server traffic shaping

- -

This article covers implementing server traffic shaping on Linux with CAKE. The aim - is to provide fair usage of bandwidth between clients and consistently low latency - for dedicated and virtual servers provided by companies like OVH and others.

- -

Traffic shaping is generally discussed in the context of a router shaping traffic - for a local network with assorted clients connected. It also has a lot to offer on a - server where you don't control the network. If you control your own infrastructure - from the server to the ISP, you probably want to do this on the routers instead.

- -

This article was motivated by the serious lack of up-to-date information on this - topic elsewhere. It's very easy to implement on modern Linux kernels and the results - are impressive from extremely simple test cases to heavily loaded servers.

- -
-

Problem

- -

A server will generally be provisioned with a specific amount of bandwidth - enforced by a router in close proximity. This router acts as the bottleneck and - ends up being in charge of most of the queuing and congestion decisions. Unless - that's under your control, the best you can hope for is that the router is - configured to use fq_codel as the queuing discipline (qdisc) to - provide fair queuing between streams and low latency by preventing a substantial - backlog of data.

- -

Unfortunately, the Linux kernel still defaults to pfifo_fast - instead of the much saner fq_codel algorithm. This is changed by a - configuration file shipped with systemd, so most distributions using - systemd as init end up with a sane default. Debian removes that configuration and - doesn't set a sane default itself, and is widely used. Many server providers like - OVH do not appear to consistently use modern queue disciplines like - fq_codel within their networks, particularly at artificial - bottlenecks implementing rate limiting based on product tiers.

- -

If the bottleneck doesn't use fair queuing, division of bandwidth across - streams is very arbitrary and latency suffers under congestion. These issues are - often referred to as bufferbloat, and fq_codel is quite good at - resolving it.

- -

The fq_codel algorithm is far from perfect. It has issues with - hash collisions and more importantly only does fair queuing between streams. - Buffer bloat also isn't the only relevant issue. Clients with multiple connections - receive more bandwidth and a client can open a large number of connections to - maximize their bandwidth usage at the expense of others. Fair queuing is important - beyond as a solution to bufferbloat and there's more to fair queuing than doing it - only based on streams.

- -

Traditionally, web browsers open a bunch of HTTP/1.1 connections to each server - which ends up giving them an unfair amount of bandwidth. HTTP/2 is much friendlier - since it uses a single connection to each server for the entire browser. Download - managers take this to the extreme and intentionally use many connections to bypass - server limits and game the division of resources between clients.

-
- -
-

Solution

- -

Linux 4.19 and later makes it easy to solve all of these problems. The CAKE - queuing discipline provides sophisticated fair queuing based on destination and - source addresses with finer-grained fairness for individual streams.

- -

Unfortunately, simply enabling it as your queuing discipline isn't enough - since it's highly unlikely that your server is the network bottleneck. You need to - configure it with a bandwidth limit based on the provisioned bandwidth to move the - bottleneck under your control where you can control how traffic is queued.

-
- -
-

Results

- -

We've used an 100mbit OVH server for as a test platform for a case where - clients can easily max out the server bandwidth on their own. As a very simple - example, consider 2 clients with more than 100mbit of bandwidth each downloading a - large file. These are (rounded) real world results with CAKE:

- -
    -
  • client A with 1 connection gets 50mbit
  • -
  • client B with 10 connections gets 5mbit each adding up to 50mbit
  • -
- -

CAKE with flows instead of the default triple-isolate to - mimic fq_codel at a bottleneck:

- -
    -
  • client A with 1 connection gets 9mbit
  • -
  • client B with 10 connections gets 9mbit each adding up to 90mbit
  • -
- -

The situation without traffic shaping is a mess. Latency takes a serious hit - that's very noticeable via SSH. Bandwidth is consistently allocated very unevenly - and ends up fluctuating substantially between test runs. The connections tend to - settle near a rate, often significantly lower or higher than the fair 9mbit - amount. It's generally something like this, but the range varies a lot:

- -
    -
  • client A with 1 connection gets ~6mbit to ~14mbit
  • -
  • client B with 10 connections gets ~6mbit to ~14mbit each adding up to ~86mbit - to ~94mbit
  • -
- -

CAKE continues working as expected with a far higher number of connections. It - technically has a higher CPU cost than fq_codel, but that's much more - of a concern for low end router hardware. It hardly matters on a server, even one - that's under heavy CPU load. The improvement in user experience is substantial and - it's very noticeable in web page load speeds when a server is under load.

-
- -
-

Implementation

- -

For a server with 2000mbit of bandwidth provisioned, you could start by trying - it with 99.75% of the provisioned bandwidth:

- -
tc qdisc replace dev eth0 root cake bandwidth 1995mbit besteffort
- -

On a server, setting it to use 100% of the provisioned bandwidth may work fine - in practice. Unlike a local network connected to a consumer ISP, you shouldn't - need to sacrifice anywhere close to the typically recommended 5-10% of your - bandwidth for traffic shaping.

- -

This also sets besteffort for the common case where the server - doesn't have appropriate Quality of Service markings set up via Diffserv. Fair - scheduling is already great at providing low latency by cycling through the hosts - and streams without needing this kind of configuration. The defaults for Diffserv - traffic classes like real-time video are set up to yield substantial bandwidth in - exchange for lower latency. It's easy to set this up wrong and it usually won't - make much sense on a server. You might want to set up marking low priority traffic - like system updates, but it will already get a tiny share of the overall traffic - on a loaded server due to fair scheduling between hosts and streams.

- -

You can use the tc -s qdisc command to monitor CAKE:

- -
tc -s qdisc show dev eth0
- -

If you want to keep an eye on how it changes over time:

- -
watch -n 1 tc -s qdisc show dev eth0
- -

This is very helpful for figuring out if you've successfully moved the - bottleneck to the server. If the bandwidth is being fully used, it should - consistently have a backlog of data where it's applying the queuing discipline. - The backlog shouldn't be draining to near zero under full bandwidth usage as that - indicates the bottleneck is the server application itself or a different network - bottleneck.

- -

If you use systemd-network, you can add a CAKE configuration section to the - network configuration file instead of manually running the tc command - with a Type=oneshot service on boot:

- -
[CAKE]
-Bandwidth=1995M
-PriorityQueueingPreset=besteffort
-
- -
-

Quicker backpressure propagation

- -

The Linux kernel can be tuned to more quickly propagate TCP backpressure up to - applications while still maximizing bandwidth usage. This is incredibly useful for - interactive applications aiming to send the freshest possible copy of data and for - protocols like HTTP/2 multiplexing streams/messages with different priorities over - the same TCP connection. This can also substantially reduce memory usage for TCP - by reducing buffer sizes closer to the optimal amount for maximizing bandwidth - use without wasting memory. The downside to quicker backpressure propagation is - increased CPU usage from additional system calls and context switches.

- -

The Linux kernel automatically adjusts the size of the write queue to maximize - bandwidth usage. The write queue is divided into unacknowledged bytes (TCP window - size) and unsent bytes. As acknowledgements of transmitted data are received, it - frees up space for the application to queue more data. The queue of unsent bytes - provides the leeway needed to wake the application and obtain more data. This can - be reduced using net.ipv4.tcp_notsent_lowat to reduce the default and - the TCP_NOTSENT_LOWAT socket option to override it per-socket.

- -

A reasonable choice for internet-based workloads concerned about latency and - particularly prioritization within TCP connections but unwilling to sacrifice - throughput is 128kiB. To configure this, set the following in - /etc/sysctl.d/local.conf or another sysctl configuration file and - load it with sysctl --system:

- -
net.ipv4.tcp_notsent_lowat = 131072
- -

Using values as low as 16384 can make sense to further improve latency and - prioritization. However, it's more likely to negatively impact throughput and will - further increase CPU usage. Use at least 128k or the default of not limiting the - automatic unsent buffer size unless you're going to do substantial testing to make - sure there's not a negative impact for the workload.

- -

If you decide to use tcp_notsent_lowat, be aware that newer Linux - kernels (Linux 5.0+ with a further improvement for Linux 5.10+) are recommended to - substantially reduce system calls / context switches by not triggering the - application to provide more data until over half the unsent byte buffer is - empty.

-
- - - -
-

Future

- -

Ideally, data centers would deploy CAKE throughout their networks with the - default triple-isolate flow isolation. This may mean they need to use - more powerful hardware for routing. If the natural bottlenecks used CAKE, setting - up traffic shaping on the server wouldn't be necessary. This doesn't seem likely - any time soon. Deploying fq_codel is much more realistic and tackles - buffer bloat but not the issue of fairness between hosts rather than only - streams.

-
-
- {% include "footer.html" %}
-
-
diff --git a/static/articles/sitewide-advertising-industry-opt-out.html b/static/articles/sitewide-advertising-industry-opt-out.html
deleted file mode 100644
index ad8eef06..00000000
--- a/static/articles/sitewide-advertising-industry-opt-out.html
+++ /dev/null
@@ -1,65 +0,0 @@
-
-
-
-
- Sitewide advertising industry opt-out | Articles | GrapheneOS
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- [[css|/main.css]]
-
-
-
-
-
- {% include "header.html" %}
-
-

Sitewide advertising industry opt-out

- -

The ads.txt specification - provides a way to list the authorized sellers of ads for a domain. The - app-ads.txt specification - extends this to cover apps tied to the domain. As a domain owner, this is a valuable - way to crack down on fraudulent usage of your domain including by adware.

- -

For domains without any third party advertising including those without any ads at - all, you should serve both /ads.txt and /app-ads.txt from a - web server with the placeholder record defined by the specification:

- -
placeholder.example.com, placeholder, DIRECT, placeholder
- -

The placeholder record formally disallows buying and selling ads on behalf of the - domain including for any subdomains. This prevents fraudulently buying / selling ads - for your domain anywhere that ads.txt / app-ads.txt are enforced.

- -

It's in the interest of most ad tech companies to enforce these standards due to - losses from ad fraud so adoption is increasingly widespread.

- -

Browser extension malware injecting ads into sites is very common and this is a way - for sites to hurt those malware developers where it hurts: their pocketbook.

- -

These standards have a limited scope and were primarily created to address the cost - of ad fraud for the advertising industry, but they do offer value for domain owners to - protect their reputation and discourage adware.

-
- {% include "footer.html" %} - - diff --git a/static/donate-bitcoin-bip47.png b/static/donate-bitcoin-bip47.png deleted file mode 100644 index cce3eff5a5bcb4780c4ab3a15165f549b647f1e3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 378 zcmeAS@N?(olHy`uVBq!ia0y~yU@!z>Mg|53hUn)t8yOfF9X(wfLn;`PfAF*MTD;_E zN{vx_!^?C3ef$%?zxNJ&Q0@8tF|<%Y_RGEu-44FL7nX4^*?&K|%b)dBy#OySZzB7v z|BnmGtvvp-p3`6M_(?zXs`piCi8>eQ-Cgt8yQKH*mYB{TV*Wbhz4d>#Hvjc$GOO(F z9r$o_|BK(7pF4bN}DTlO|SeB3{+q3x+d?WdR4tDZ_r{Ciswn{2SZ z@nQObd97xDd3oZ6`zx2MVE)?r{~hl&_AY(F^;OJU{$H2XoL>Him#02-D&I%uv%hPt z5AC=ryP|$#-2J0p9lmp4+i6|PzN-HBb>&>U3v(WKuNS$&{8o3zk3M&~75o36a%Qhz zuyg+W%-P48-%jVswLQiE<^0)e3tqo;_&YIjz1#ld{* k*<0OrUU~9|&FLWz!wrXPymz+=`+@@1)78&qol`;+0H-3c@c;k- diff --git a/static/donate-bitcoin-taproot.png b/static/donate-bitcoin-taproot.png deleted file mode 100644 index e3ed74b0a95979c3011e95b1b2ba98ad0e5d9ba6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 419 zcmeAS@N?(olHy`uVBq!ia0y~yU@!$?Mg|53hLdyW-DO~4%<^<`45?sj6?9I}4$!&3 zE%!DU{mhnGHr3xP%;oM}t;(_aS|0ny4-Sq3@S$bEzi+j~}eZjBk ze{28Mv)p}jwJ9)(&ySM}|)*#$4h4sH=hT?lTr2ow#JbtYzv?L6)Q2Cg|DOX2xyuUjNT_@t)@6 za`|?h3)bBKo%6K#)#Hrm@9wNKSst8!HGOuc{m);U|4UuobM9R1OQ&znO@||1-nc2( Yv#ROM(h00FVdQ&MBb@03qDX5dZ)H diff --git a/static/donate-bitcoin.png b/static/donate-bitcoin.png deleted file mode 100644 index 9fcd063b2c4814a8cd33c04d9db587287b634600..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 372 zcmeAS@N?(olHy`uVBq!ia0y~yU@!z>Mg|53hUn)t8yOfFtvy{FLn;`PfAF*MTD;^J zO46Rc!Q7x`{{*>$@72tQr=Q3U&OX{$VsN~1tAf?4jD6Y@{?+BK4bTku*PM}&!C@Wn zzkf^SbH`t@7Wq(W?>QxN9%9z&a3Bp^8e{PiM@Yom=E`Ve|nPd znM2j585Y;?3ZqSt_VKW_{`w@ttsD_&&GdTVj3=+ac}Og z=p=`~^*#1RS{sg_8&cQAjwn|F`p(*MB9 zm-~+V<>k45Zr-jhzw4L}Uth|$lF#Amee3)0Z)Na{tk=89dzroKw6|@_2liLLza6x{ zEBj=B&gSL697?ypo4s>3^I!Q%r3uaU6ZrNodwrdM33JTZl)H_eruW^Rww`^J_@jM0 e9@Q}~EMQ|u&^_CxT>Lf>6r7%}elF{r5}E+bn6qR6 
diff --git a/static/donate-cardano.png b/static/donate-cardano.png deleted file mode 100644 index c80a751f28c4087e5a070dd9864594151d1afac7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 371 zcmeAS@N?(olHy`uVBq!ia0y~yU@!z>Mg|53hUn)t8yOfFtvp>ELn;`PfAF*MTD;`{ z>WE_r6TEDdq+>PwJ|2AN^%(vp@N8O{hY(O|kNmKIW&><*Mhe zxOd<~w{P7su?0Ww$A-U6dMhol?`uSr$@%<*AG;DJRrysgAAW!M4rAFThf-DTO2666 zXZKgy6x^;{P}yx-A$eI^qRy{gOE{80Bz^wzY6cbgRTYhY?Jmsesourq@bkQTuzBPu z=BMTJ^LaP0f7)9tRCbsB()`;$A|3wi4BM?Lu_W%bxBouN3H2GpEsXXT=H6FZqp#0C zOZ~>*=b8cczu#u7zI?UuQ{!#n=9`xB7p0)FGc~P+kKfIly%Y5OCzxC;cXWh5k{v`aUdmhCZ;9H|$J%MMhB!h|ix<>{l lc<*^Rlygbl_(V8#Fd diff --git a/static/donate-litecoin.png b/static/donate-litecoin.png deleted file mode 100644 index ae8f1d9232090727dd56085f6e9e58870b873b2c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 378 zcmeAS@N?(olHy`uVBq!ia0y~yU@!z>Mg|53hUn)t8yOfF9X(wfLn;`PfAF*MTD;^p z3f$v=Lt0{AeC^-VSKry%^ab;N@9$!M`QfL1h-1m0lII}`fB){<9;*@XuQ?+lgTp%D z|N6yd_Z@%T-P^t9nz_NB=-5LullVfezsxYR+~4@H-1XPB^54=D|5!>)-tE7C;KS!q z&t2Y?%!k9j|FgaSSXyG=%(jnWSDDYw*MGY59-m0~j6*LM+&l20vglv$>(`CXwC+r< z-7Bkc?`UP=|H=hBZ{GhQd#UkLa7gc}|IA-)tM%qHg?!JIOMklTy~F4GImv#kv%Y`N zc-%ktv$TYro$c(^?K&3+2WbiE0}*4&-eQ!%5SpWqNaPc)r5UIf(sw; ze>uNB^Yz`Ijo-RH-?Ev?eyiL%HE)+~KzzX6wVWRvtUfe1*V%W>w^d~miJQJppZg;F kD)GnrPFnA846tBkxaNHM7r&``0Vq&CUHx3vIVCg!0Qfw%6aWAK diff --git a/static/donate-monero.png b/static/donate-monero.png deleted file mode 100644 index 9f0adeb2e42982e7f55d826b6016c910e1a90c8b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 483 zcmeAS@N?(olHy`uVBq!ia0y~yV6X&XMg|53h9$}SG#D5dS9!WPhEy;n{orTh{UOnC zYz5=CZ5kZ&@^5d;y}d1WGnl-+E!UyaHXE;fxaZ2+A3vwpvb7=bYFc{I@dMWux%bQ2&T+asG4kslj?(27KklrO%S!7{ z{hoE6(e+SeP|>6m)&-aB_T2ey6y?0VZfDgxy#N)T`zK9a-V7Jvw4c5|E2x2ysekwX z>vF*XDqE)9+$Qx*RrSj4EZ;&$z{esQ(f>8dERS2|AC_k5dB!0|SGntDnm{r-UW|B--M$ 
diff --git a/static/donate-zcash-transparent.png b/static/donate-zcash-transparent.png deleted file mode 100644 index 2513055dc822aeb55dfda7e192c4b0721c33036f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 373 zcmeAS@N?(olHy`uVBq!ia0y~yU@!z>Mg|53hUn)t8yOfFZ9H8ZLn;`PfAF*MTD;^} zs?H6)AuX}*zHv1*+0MJ<(bdhb?aJQ ze!>samlv<9zjY{Fyx#2VQ(m6^Kda~FGoJl9Tj1@M)OzN_{&CNgcK>wvE6ws>>nroo zYSm}2PBCAtJ@?RV5#JSiWeanejCa=$t>wJl_-o(Cs=Xn_?7N(AKJ|NFzTn4A-tGRn z?6K6RSe*W0%t;1(M*&7y&Pv+-K z=Uh76`0T`tZ+5IZf9G9&`ds1v5qW-*2ke&|KW}5%%>44gj;f>29e#G(sa^lt_^LJM f$?far0$k|~*(_JwieK*T1%;=ltDnm{r-UW|+3mBf diff --git a/static/donate.html b/static/donate.html deleted file mode 100644 index cc2fe853..00000000 --- a/static/donate.html +++ /dev/null @@ -1,422 +0,0 @@ - - - - - Donate | GrapheneOS - - - - - - - - - - - - - - - - - - - - - - [[css|/main.css]] - - - - - - {% with current_page="donate" %} - {% include "header.html" %} - {% endwith %} -
-

Donate

- -

GrapheneOS is an open source project supported via donations from individuals, - companies and other organizations. Donations are used for paying developers, - purchasing hardware (workstations, test devices, debugging cables/boards, etc.), - paying for infrastructure (domains, virtual/dedicated servers) and paying legal - fees.

- -

The multiple ways to donate are listed in the sections on this page.

- - - -
-

GitHub Sponsors (credit card)

- -

GrapheneOS can be sponsored with recurring or one-time donations via credit - cards through GitHub - Sponsors. There are standard tiers from $5 to $5,000 or you can donate a custom - amount.

-
- -
-

Bitcoin

- -

Bitcoin can be used to make donations to the non-profit GrapheneOS - Foundation.

- -

You can send Bitcoin donations to the following Bech32 (Segwit) address:

- - - -

Alternatively, you can donate to the following Bech32m (Taproot) address if - your wallet supports it (preferred):

- - - -

You can donate to the following BIP47 payment code (stealth address) or PayNym - if your wallet supports it:

- - - -

PayNym: +GrapheneOS

-
- -
-

Monero

- -

Monero can be used to make donations to the non-profit GrapheneOS - Foundation.

- -

You can send Monero donations to the following address:

- - -
- -
-

Zcash

- -

Zcash can be used to make donations to the non-profit GrapheneOS - Foundation.

- -

You can send Zcash donations to the following transparent address:

- - -
- -
-

Ethereum

- -

Ethereum can be used to make donations to the non-profit GrapheneOS - Foundation.

- -

You can send Ethereum donations to the following address:

- - - -

We aren't looking for donations of tokens, only Ethereum itself.

-
- -
-

Cardano

- -

Cardano can be used to make donations to the non-profit GrapheneOS - Foundation.

- -

You can send Cardano donations to the following address:

- - - -

We own the $grapheneos handle with this address so you can also send to the handle.

- -

We aren't looking for donations of tokens, only Cardano itself.

-
- -
-

Litecoin

- -

Litecoin can be used to make donations to the non-profit GrapheneOS - Foundation.

- -

You can send Litecoin donations to the following Bech32 (Segwit) address:

- - -
- -
-

Local Bank Transfer to Wise

- -

You can donate to the non-profit GrapheneOS Foundation via local bank transfers - to our Wise account in the EU/SEPA, UK, US, Australia, New Zealand, Canada, - Hungary and Turkey.

- -
-

EU/SEPA (EUR)

- -
-
Account holder
-
GrapheneOS Foundation
- -
IBAN
-
BE20 9677 1140 7056
- -
BIC
-
TRWIBEB1XXX
- -
Bank name
-
Wise Europe SA
- -
Wise and Bank address
-
Rue du Trône 100, 3rd floor
Brussels
1050
Belgium
-
-
- -
-

UK (GBP)

- -
-
Account holder
-
GrapheneOS Foundation
- -
Account number
-
49883070
- -
IBAN
-
GB68 TRWI 2314 7049 8830 70
- -
Sort code
-
23-14-70
- -
Bank name
-
Wise Payments Limited
- -
Wise and Bank address
-
56 Shoreditch High Street
London
E1 6JJ
United Kingdom
-
-
- -
-

US (USD)

- -
-
Account holder
-
GrapheneOS Foundation
- -
Account number
-
8313560023
- -
Routing number
-
026073150
- -
Account type
-
Checking
- -
Wise address
-
30 W. 26th Street, Sixth Floor
New York NY
10010
United States
- -
Bank name
-
Community Federal Savings Bank
- -
Bank address
-
89-16 Jamaica Ave
Woodhaven NY
11421
United States
-
-
- -
-

Australia (AUD)

- -
-
Account holder
-
GrapheneOS Foundation
- -
Account number
-
213524417
- -
BSB code
-
774-001
- -
Bank name
-
Wise Australia Pty Ltd
- -
Wise address
-
Suite 1, Level 11, 66 Goulburn Street
Sydney
2000
Australia
-
-
- -
-

New Zealand (NZD)

- -
-
Account holder
-
GrapheneOS Foundation
- -
Account number
-
04-2021-0151878-36
- -
Wise address
-
56 Shoreditch High Street
London
E1 6JJ
United Kingdom
- -
Bank name
-
JPMorgan Chase
- -
Bank address
-
Head Office, Pwc Tower
Auckland
1010
New Zealand
-
-
- -
-

Canada (CAD)

- -
-
Account holder
-
GrapheneOS Foundation
- -
Account number
-
200110745303
- -
Transit number
-
16001
- -
Institution number
-
621
- -
Wise address
-
99 Bank Street, Suite 1420
Ottawa ON
K1P 1H4
Canada
- -
Bank name
-
Peoples Trust
- -
Bank address
-
595 Burrard Street
Vancouver BC
V7X 1L7
Canada
-
-
- -
-

Hungary (HUF)

- -
-
Account holder
-
GrapheneOS Foundation
- -
Account number
-
12600016-11020392-99827322
- -
Bank name
-
Wise Europe SA
- -
Wise and Bank address
-
Rue du Trône 100, 3rd floor
Brussels
1050
Belgium
-
-
- -
-

Turkey (TRY)

- -
-
Account holder
-
GrapheneOS Foundation
- -
IBAN
-
TR43 0010 3000 0000 0057 4294 70
- -
Wise address
-
56 Shoreditch High Street, London, E1 6JJ, United Kingdom
- -
Bank name
-
Fibabanka A.Ş.
- -
Bank address
-
Büyükdere Cad. 129
Esentepe Mah.
Sisli
Istanbul
Turkey
-
-
-
- -
-

PayPal

- -

PayPal can be used to make one-time, monthly or yearly donations to the - non-profit GrapheneOS Foundation.

- -

If possible, use the donation link for your currency. If it's not listed, - please use the CAD donation link.

- -

Donation links:

- - - -

PayPal charges a base fee of 30 cents and 2.9% of the donation amount within - Canada. There's an additional 0.8% fee for donations from the US and 1% for other - countries. Currency conversion adds an additional 4% fee as opposed to the usual - PayPal conversion fee of 3%.

-
- -
-

Interac e-Transfer

- -

If you have a Canadian bank account, you can send Canadian dollar donations to - the non-profit GrapheneOS Foundation via Interac e-Transfer to - contact@grapheneos.org. The email address has Interac e-Transfer - Autodeposit support enabled so no security question is necessary. If your bank - doesn't support Autodeposit, set the answer to the security question to - GrapheneOS.

-
-
- {% include "footer.html" %}
-
-
diff --git a/static/history/copperheados.html b/static/history/copperheados.html
deleted file mode 100644
index 3d3bc4e1..00000000
--- a/static/history/copperheados.html
+++ /dev/null
@@ -1,112 +0,0 @@
-
-
-
-
- CopperheadOS | History | GrapheneOS
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- [[css|/main.css]]
-
-
-
-
-
- {% include "header.html" %}
-
-

CopperheadOS is now GrapheneOS

- -

CopperheadOS was renamed to GrapheneOS in 2019. It was temporarily known as the - Android Hardening project in 2018 before a permanent name had been chosen. For more - details on why the project was renamed, see our history page. - For the historical release notes of the original CopperheadOS, see - our legacy changelog page. The - /r/CopperheadOS subreddit was - historically the central hub of the community along with a bridged IRC/Matrix channel - that's no longer available.

- -

GrapheneOS is the continuation of the original open source project by the original - development team. Our source code repositories have been used - since CopperheadOS transitioned to being directly based on the Android Open Source - Project in 2015. The prior repositories predate the CopperheadOS branding and were - also owned by us. It can be confirmed that our repositories are the original ones from - the GitHub network graphs showing the forks over the years.

- -
-

Ownership

- -

We own the historical CopperheadOS source code, documentation and accounts tied - to the open source project. Our legacy Twitter account still needs to be returned - to us so that it can be renamed and made into an archive.

- -

Copperhead has no valid claim over the ownership of the source code. It was not - developed for them. They were involved as a sponsor for the work and had - permission to sell products based on it, similar to companies selling devices with - GrapheneOS. We've learned a lot of lessons from what happened and are being very - careful to avoid being strongly associated with any particular company in the - future.

-
- -
-

New closed source product reusing the legacy branding

- -

The new product branded as CopperheadOS is closed source and not associated with - the original project. They took our project's previous name and copied our legacy - source code and documentation. Attribution to us has been stripped away and they - pretend to be the ones who created it.

- -

They've essentially stolen the identity of our open source project and have - invested substantial resources into misrepresenting GrapheneOS as being a new - project. They've built a business based on taking credit for research and - development not done by them. Substantial damage has been done to GrapheneOS - through an organized campaign of misinformation and harassment.

-
- -
-

New CopperheadOS vs. GrapheneOS

- -

The new CopperheadOS is a shadow of the historical GrapheneOS code. They've - continued copying portions of our newer generation code but haven't developed any - significant privacy or security improvements on their own. It's a poor imitation - of the original. It has a fraction of the privacy and security improvements and - lacks a team with an understanding of how they work. It often doesn't receive - timely security updates. It has made serious mistakes compromising user privacy - and security.

- -

CopperheadOS is a paid product and has license enforcement compromising user - privacy and security through tracking devices to implement DRM. They use the - outrageous business model of charging users for security updates rather than - simply selling them the software or devices with it.

- -

GrapheneOS devices can be purchased from a bunch of different companies, - organizations and individuals. Many of these offer customer support. Unlike - CopperheadOS, it's still open source software and you aren't being charged to - simply get the OS updates. Anyone can sell devices with GrapheneOS without - permission from the project due the open source licensing. Many of these sellers - voluntarily contribute back to the project.

- -

GrapheneOS is far more actively developed than the new CopperheadOS and has - substantially more resources available, including significantly more funding.

-
-
- {% include "footer.html" %}
-
-
diff --git a/static/history/index.html b/static/history/index.html
deleted file mode 100644
index 516598b4..00000000
--- a/static/history/index.html
+++ /dev/null
@@ -1,99 +0,0 @@
-
-
-
-
- History | GrapheneOS
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- [[css|/main.css]]
-
-
-
-
-
- {% with current_page="history" %}
- {% include "header.html" %}
- {% endwith %}
-
-

History

- -

GrapheneOS was founded by Daniel Micay in late 2014. It started as a solo project - incorporating his previous open source privacy/security work. The project initially - created a port of OpenBSD malloc to Android's Bionic libc and a port of the PaX kernel - patches to the kernels for the supported devices. It quickly expanded to having a - large set of homegrown privacy and security improvements, particularly low-level - hardening work on the compiler toolchain and Bionic. Work began on landing code - upstream in AOSP and other upstream projects. A substantial portion of these early - changes were either successfully landed upstream or heavily influenced the upstream - changes which replaced them. The project was able to move very quickly in these days - because there was so much low hanging fruit to address and it wasn't yet trying to - produce a highly robust, production quality OS.

- -

In late 2015, a company was incorporated which became the primary sponsor of the - project. GrapheneOS was previously known as - CopperheadOS while it was sponsored by this company. The intention was to use the - company to build a business around GrapheneOS selling support, contract work and - customized proprietary variants of the OS. The company was supposed to serve the needs - of the open source project, rather than vice versa. It was explicitly agreed that - GrapheneOS would remain independently owned and controlled by Daniel Micay. This - company failed to live up the promises and is no longer associated in any way with - GrapheneOS. The company ended up holding back the open source project and taking far - more from it than was provided to it.

- -

In 2018, the company was hijacked by the CEO who attempted to take over the project - through coercion, but they were rebuked. They seized the infrastructure and stole the - donations, but the project successfully moved on without them and has been fully - revived. Since then, they've taken to fraudulently claiming ownership and authorship - of our work, which has no basis in fact. They've tried to retroactively change the - terms of their involvement and rewrite the history of the project. These claims are - easily disproven through the public record and by people involved with the open source - project and the former sponsor. This former sponsor has engaged in a campaign of - misinformation and harassment of contributors to the project. Be aware that they are - actively trying to sabotage GrapheneOS and are engaging in many forms of attacks - against the project, the developers, contributors and supporters. Meanwhile, they - continue profiting from our open source work which they falsely claim as their own - creation.

- -

After splitting from the former sponsor, the project was rebranded to - AndroidHardening and then to GrapheneOS and it has continued down the original path of - being an independent open source project. It will never again be closely tied to any - particular sponsor or company.

- -

GrapheneOS now has multiple full-time and part-time developers supported by - donations and multiple companies collaborating with the project.

- -

GrapheneOS Foundation was created as a non-profit organization in Canada in March - 2023 to handle the intake and distribution of donations.

- -
-

Releases

- -

A history of releases for the current incarnation of GrapheneOS is available - via the releases changelog.

- -

An archive of changelogs for the earlier releases is available via the - legacy changelog page.

-
-
- {% include "footer.html" %} - -
diff --git a/static/history/legacy-changelog.html b/static/history/legacy-changelog.html
deleted file mode 100644
index 0e51a98c..00000000
--- a/static/history/legacy-changelog.html
+++ /dev/null
@@ -1,2169 +0,0 @@
- - - - - Legacy changelog | History | GrapheneOS - - - - - - - - - - - - - - - - - - - - - - [[css|/main.css]] - - - - - - {% include "header.html" %} -
-

Legacy changelog

- -

These are the old changelogs for production releases of GrapheneOS. See the current - releases changelog for more recent releases.

- -

The release notes before the Nougat 2016.12.06.05.21.23 release should be taken - with a grain of salt since we weren't really publishing them yet so it wasn't being - done very carefully.

- -

GrapheneOS started in 2014 based on Android KitKat but we only started keeping more - user friendly changelogs late in the Marshmallow era.

- -

The Nexus 9 maintenance branch is not included. It split off when the other devices - moved to nougat-mr2-release and continued after the other devices moved to Oreo-based - releases. It may be included here in the future but we wanted to avoid confusion.

- -

Since Pixels, there are separate release channels including the public Stable and - Beta channels. Each Stable release made it through the Beta channel and our internal - Testing channel. The Nexus 5X and 6P moved to the current update system with release - channels with the Oreo-based 2017.09.24.15.

- -

Experimental releases are not listed here.

- - - -
-

Oreo

- -
-

2018.06.05.00

- -

Changes since 2018.05.15.17:

-
    -
  • 2018-06-01 security patch level including recommended updates
  • -
  • 2018-06-05 security patch level including recommended updates
  • -
  • 2018-06 Pixel/Nexus functional updates
  • -
  • Pixel 2, Pixel 2 XL: increase rollback index for 2018-06-05 patch level
  • -
  • Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.108 to 3.18.109
  • -
  • Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.109 to 3.18.110
  • -
  • Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.110 to 3.18.111
  • -
  • Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.111 to 3.18.112
  • -
  • Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.131 to 4.4.132
  • -
  • Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.132 to 4.4.133
  • -
  • Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.133 to 4.4.134
  • -
  • Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.134 to 4.4.135
  • -
  • Chromium: update from 66.0.3359.158 to 67.0.3396.68
  • -
-
- -
-

2018.05.15.17

- -

Changes since 2018.05.08.01:

-
    -
  • Chromium: update from 66.0.3359.126 to 66.0.3359.158
  • -
  • add back Nexus 6P support now that the kernel tag is available
  • -
-
- -
-

2018.05.08.01

- -

Changes since 2018.04.19.04:

-
    -
  • 2018-05-01 security patch level including recommended updates
  • -
  • 2018-05-05 security patch level including recommended updates
  • -
  • 2018-05 Pixel/Nexus functional updates
  • -
  • Pixel 2, Pixel 2 XL: increase rollback index for 2018-05-05 patch level
  • -
  • Chromium: prevent popular sites field trial from overriding changed default
  • -
  • Chromium: prevent non-secure origin field trial from overriding changed default
  • -
  • Chromium: update from 66.0.3359.106 to 66.0.3359.126
  • -
  • Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.105 to 3.18.106
  • -
  • Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.106 to 3.18.107
  • -
  • Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.107 to 3.18.108
  • -
  • Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.128 to 4.4.129
  • -
  • Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.129 to 4.4.130
  • -
  • Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.130 to 4.4.131
  • -
  • Silence: update from 0.15.12 to 0.15.13
  • -
  • Net Monitor: update from 1.2 to 2.0
  • -
  • F-Droid: update from 1.1 to 1.2 (held back earlier due to bugs)
  • -
  • F-Droid: update from 1.2 to 1.2.1 (held back earlier due to bugs)
  • -
  • F-Droid: update from 1.2.1 to 1.2.2
  • -
-
- -
-

2018.04.19.04

- -

Changes since 2018.04.02.21:

-
    -
  • Settings: expose audio recording user restriction
  • -
  • Settings: expose install apps user restriction
  • -
  • Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.102 to 3.18.103
  • -
  • Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.103 to 3.18.104
  • -
  • Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.104 to 3.18.105
  • -
  • Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.126 to 4.4.127
  • -
  • Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.127 to 4.4.128
  • -
  • Nexus 5X, Nexus 6P: fix ro.control_privapp_permissions=enforce setup (works fine on Pixels already)
  • -
  • use Cloudflare DNS as the default fallback: Cloudflare DNS has a better privacy policy than Google Public DNS and has DNS-over-TLS and DNS-over-HTTPS so it won't be a downgrade when Android ships one of them
  • -
  • tethering: use Cloudflare DNS servers as the default fallbacks
  • -
  • NetworkDiagnostics: switch to Cloudflare DNS
  • -
  • SettingsLib: use Cloudflare DNS servers as hints
  • -
  • Chromium: update from 65.0.3325.109 to 66.0.3359.106
  • -
-
- -
-

2018.04.02.21

- -

Changes since 2018.03.27.11:

-
    -
  • 2018-04-01 security patch level including recommended updates
  • -
  • 2018-04-05 security patch level including recommended updates
  • -
  • 2018-04 Pixel/Nexus functional updates
  • -
  • Pixel 2, Pixel 2 XL: increase rollback index for 2018-04-05 patch level
  • -
  • Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.124 to 4.4.125
  • -
  • Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.125 to 4.4.126
  • -
-
- -
-

2018.03.27.11

- -

Changes since 2018.03.13.20:

-
    -
  • include TalkBack and Switch Access accessibility services since they're now open source
  • -
  • switch dummy values for ro.build.user/ro.build.host from user/host to the OS name
  • -
  • Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.121 to 4.4.122
  • -
  • Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.122 to 4.4.123
  • -
  • Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.123 to 4.4.124
  • -
  • Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.99 to 3.18.100
  • -
  • Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.100 to 3.18.101
  • -
  • Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.101 to 3.18.102
  • -
  • PDF Viewer: make prerendering work again after refactoring
  • -
  • PDF Viewer: fix prerendering previous page
  • -
  • PDF Viewer: switch from getTextContent to streamTextContent
  • -
  • PDF Viewer: move maybeRenderNextPage check earlier
  • -
  • PDF Viewer: use a single task variable
  • -
  • PDF Viewer: overhaul document properties and parsing (from @Tommy-Geenexus)
  • -
  • PDF Viewer: switch to Java 8
  • -
  • PDF Viewer: improve error logging
  • -
  • PDF Viewer: update version to 3
  • -
  • F-Droid: update to 1.1
  • -
-
- -
-

2018.03.13.20

- -

Changes since 2018.03.10.15:

-
    -
  • Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.120 to 4.4.121
  • -
  • Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.98 to 3.18.99
  • -
  • PDF Viewer: use CSS scaling while waiting for zoomed rendering
  • -
  • PDF Viewer: implement Least Recently Used (LRU) rendering cache
  • -
  • PDF Viewer: prerender the next page
  • -
  • PDF Viewer: use an opaque canvas for performance
  • -
  • PDF Viewer: add basic render logging
  • -
  • PDF Viewer: add error logging for promises
  • -
  • PDF Viewer: only use offscreen rendering
  • -
  • PDF Viewer: prerender the previous page too
  • -
  • PDF Viewer: reset scroll position for new pages
  • -
  • Pixel 2 only (not Pixel 2 XL): include the right default APN database
  • -
-
- -
-

2018.03.10.15

- -
    -
  • Chromium: disable showing popular sites by default
  • -
  • Chromium: disable article suggestions feature by default (not supported by us and wastes UI space)
  • -
  • Chromium: fix the default value displayed for the hyperlink auditing flag
  • -
  • Chromium: update to 65.0.3325.109
  • -
  • Updater: add support for testing streaming updates (not in a useful way yet)
  • -
  • SELinux policy: fix overly noisy app_data_file execute auditallow for third party apps (untrusted_app rather than untrusted_base_app) where it's still permitted
  • -
  • Pixel 2 XL: kernel: fix upstream bug in lge_battery module breaking fast charging with a monolithic kernel build (found by @nathanchance)
  • -
  • Launcher3: stop disabling icon normalization
  • -
  • Launcher3: stop wrapping legacy icons into adaptive icons
  • -
  • base frameworks: use round adaptive icon mask and parse round icons
  • -
-
- -
-

2018.03.05.23

- -

Changes since 2018.03.01.14:

-
    -
  • 2018-03-01 security patch level including recommended updates
  • -
  • 2018-03-05 security patch level including recommended updates
  • -
  • 2018-03 Pixel/Nexus functional updates
  • -
  • Pixel 2, Pixel 2 XL: increase rollback index to 3 for 2018-03-05 patch level
  • -
  • Settings: update_engine downgrade attack we reported is now fixed upstream, remove from extra security patches field
  • -
  • Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.119 to 4.4.120
  • -
  • Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.97 to 3.18.98
  • -
  • Pixel 2, Pixel 2 XL: kernel: enable KPTI (already enabled for the Pixel and Pixel XL in AOSP, Google disabled it for the Pixel 2 and Pixel 2 XL since it's not crucial on the Snapdragon 835 but it's still useful hardening and fixes a known way to leak system registers)
  • -
-
- -
-

2018.03.01.14

- -

Changes since 2018.02.18.00:

-
    -
  • Pixel, Pixel XL, Pixel 2, Pixel 2 XL: drop unused google_camera_app SELinux domain: Google Camera isn't available in a useful way so exposing the Hexagon DSP tech stack as attack surface via Google Camera is unnecessary. HDR+ is provided via the Pixel Visual Core to compatible apps already on the Pixel 2 and Pixel 2 XL.
  • -
  • Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.116 to 4.4.117
  • -
  • Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.117 to 4.4.118
  • -
  • Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.118 to 4.4.119
  • -
  • Pixel 2, Pixel 2 XL: kernel: backport "staging: android: ashmem: Fix possible deadlock in ashmem_ioctl" fix for "staging: android: ashmem: Fix a race condition in pin ioctls" commit in 4.4.118
  • -
  • Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.95 to 3.18.96
  • -
  • Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.96 to 3.18.97
  • -
  • include Stk package for all devices, not just the Pixel and Pixel XL
  • -
  • Pixel 2, Pixel 2 XL: kernel: disable unnecessary ramdisk compression support (bzip2, lzma)
  • -
  • Pixel 2, Pixel 2 XL: kernel: disable FTRACE support in production builds
  • -
  • F-Droid: update to 1.0.3
  • -
  • Silence: update to 0.15.12
  • -
-
- -
-

2018.02.18.00

- -

Changes since 2018.02.05.23:

-
    -
  • Pixel, Pixel XL, Pixel 2, Pixel 2 XL: kernel: fix uninitialized scatterlist in qce detected by DEBUG_SG
  • -
  • Pixel, Pixel XL, Pixel 2, Pixel 2 XL: kernel: enable DEBUG_SG
  • -
  • Pixel, Pixel XL: kernel: reduce one DEBUG_SG check to a warning for now
  • -
  • Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.93 to 3.18.94
  • -
  • Pixel, Pixel XL: kernel: cherry-pick stable kernel commits from 3.18.94 to 3.18.95
  • -
  • Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel commits from 4.4.115 to 4.4.116
  • -
  • Pixel 2, Pixel 2 XL: kernel: Revert "ANDROID: Revert "arm64: move ELF_ET_DYN_BASE to 4GB / 4MB"" (spotted by @nathanchance)
  • -
  • lower pid_max to 1/4 of the default to guarantee a 4x higher max_map_count is theoretically safe despite the kernel being broken (not enough memory on real devices to matter but still)
  • -
  • Pixel 2, Pixel 2 XL: android-prepare-vendor: fix vendor.img AB_OTA_PARTITIONS inclusion
  • -
  • Settings: sort applications in sensors and clipboard background permission toggle lists (@rascarlo noticed the sorting code in the location/audio lists was missing for these)
  • -
  • Updater: add generated icons
  • -
  • Updater: bump version
  • -
  • PDF Viewer: replace launcher icon
  • -
  • PDF Viewer: bump version
  • -
  • Camera app: properly handle INFO_SUPPORTED_HARDWARE_LEVEL_3 (enables support for Zero-Shutter-Lag on the Nexus 5X, Nexus 6P, Pixel, Pixel XL, Pixel 2 and Pixel 2 XL)
  • -
-
- -
-

2018.02.05.23

- -

Changes since 2018.01.26.22:

-
    -
  • 2018-02-01 security patch level including recommended updates
  • -
  • 2018-02-05 security patch level including recommended updates
  • -
  • 2018-02 Pixel/Nexus functional updates
  • -
  • Pixel 2, Pixel 2 XL: increase rollback index to 2 for 2018-02-05 patch level
  • -
  • Silence: update to v0.15.11
  • -
  • Pixel 2, Pixel 2 XL: kernel: cherry-pick stable kernel changes up to 4.4.115
  • -
  • Pixel, Pixel XL: kernel: cherry-pick stable kernel changes up to 3.18.93
  • -
  • Nexus 5X, Nexus 6P, Pixel, Pixel XL, Pixel 2, Pixel 2 XL: kernel: switch user / host for reproducible builds from 'user' and 'host' to OS name
  • -
  • Pixel, Pixel XL: kernel: use a more targeted workaround for bogus GCC warning
  • -
  • improvements to repository management scripting
  • -
  • Chromium: icon recolor
  • -
  • Chromium: update to 64.0.3282.123 from 64.0.3282.116
  • -
  • Chromium: update to 64.0.3282.137 from 64.0.3282.123
  • -
-
- -
-

2018.01.26.22

- -

Changes since 2018.01.25.17:

-
    -
  • move isAppForeground check outside of the AppOpsService lock scope to avoid occasional deadlocks between ActivityService and AppOpsService
  • -
-
- -
-

2018.01.25.17

- -

Changes since 2018.01.23.20:

-
    -
  • Chromium: update to 64.0.3282.116
  • -
  • remove separate WebView again
  • -
  • add per-app setting to disallow background location access
  • -
  • add per-app setting to disallow background sensors access
  • -
  • Pixel 2, Pixel 2 XL: increase rollback index
  • -
-
- -
-

2018.01.23.20

- -

Changes since 2018.01.03.02:

-
    -
  • android-prepare-vendor changes for Pixel 2 and Pixel 2 XL support
  • -
  • add Alpha quality Pixel 2 and Pixel 2 XL support
  • -
  • add AVB (Android Verified Boot 2.0) support to the release signing script for taimen and walleye
  • -
  • Pixel 2, Pixel 2 XL: use custom boot logo
  • -
  • Pixel 2, Pixel 2 XL: use SHA256_RSA2048 as the AVB algorithm for test keys to match production
  • -
  • Pixel 2, Pixel 2 XL: use sane value for PRODUCT_MODEL
  • -
  • Pixel 2, Pixel 2 XL: add Updater app
  • -
  • Pixel 2, Pixel 2 XL: remove messaging app
  • -
  • Pixel 2, Pixel 2 XL: disable the system_other odex split
  • -
  • Pixel 2, Pixel 2 XL: add release signing script support
  • -
  • Pixel 2, Pixel 2 XL: update for proc_net split
  • -
  • Pixel 2, Pixel 2 XL: update for isolated_app split
  • -
  • Pixel 2, Pixel 2 XL: fix enabled_networks_values / enabled_networks_except_gsm_values
  • -
  • Pixel 2, Pixel 2 XL: adjust for LTE only addition
  • -
  • Pixel 2, Pixel 2 XL: switch to in-tree kernel builds
  • -
  • Pixel 2, Pixel 2 XL: make kernel builds reproducible
  • -
  • Pixel 2, Pixel 2 XL: split wahoo kernel configuration
  • -
  • Pixel 2, Pixel 2 XL: build in device-specific kernel modules instead of loading them from vendor.img
  • -
  • Pixel 2, Pixel 2 XL: strip out infrastructure for modular kernel builds
  • -
  • Pixel 2, Pixel 2 XL: switch to clang-compiled kernels
  • -
  • Pixel 2, Pixel 2 XL: kernel: enable the custom Clang -fsanitize=local-init feature
  • -
  • Pixel 2, Pixel 2 XL: split debug and production kernel configuration
  • -
  • Pixel 2, Pixel 2 XL: kernel: disable SECURITY_SELINUX_DEVELOP for user builds
  • -
  • Pixel 2, Pixel 2 XL: kernel: enable SLUB_DEBUG_ON for debug kernels
  • -
  • Pixel 2, Pixel 2 XL: kernel: replace SECURITY_SMACK with SECURITY_NETWORK
  • -
  • Pixel 2, Pixel 2 XL: kernel: enable SECURITY_YAMA
  • -
  • Pixel 2, Pixel 2 XL: kernel: disable ptrace_scope by default
  • -
  • Pixel 2, Pixel 2 XL: kernel: enable protected_{symlinks,hardlinks} by default
  • -
  • Pixel 2, Pixel 2 XL: kernel: disable AIO
  • -
  • Pixel 2, Pixel 2 XL: kernel: enable DEBUG_LIST
  • -
  • Pixel 2, Pixel 2 XL: kernel: enable DEBUG_CREDENTIALS
  • -
  • Pixel 2, Pixel 2 XL: kernel: remove module build support
  • -
  • Pixel 2, Pixel 2 XL: kernel: wcnss: fix 3 byte buffer overflow on MAC change
  • -
  • Pixel 2, Pixel 2 XL: kernel: disable brk system call
  • -
  • Pixel 2, Pixel 2 XL: kernel: backport "init/main.c: extract early boot entropy from the passed cmdline" which was upstreamed by us
  • -
  • Pixel 2, Pixel 2 XL: kernel: gather extra early boot entropy
  • -
  • Pixel 2, Pixel 2 XL: kernel: backport "mm/slab.c: fix SLAB freelist randomization duplicate entries" to fix Google's disabled FREELIST_RANDOM backport
  • -
  • Pixel 2, Pixel 2 XL: kernel: backport "mm/slub.c: fix random_seq offset destruction" to fix Google's disabled FREELIST_RANDOM backport
  • -
  • Pixel 2, Pixel 2 XL: kernel: enable SLAB_FREELIST_RANDOM
  • -
  • Pixel 2, Pixel 2 XL: kernel: backport "mm/slub: query dynamic DEBUG_PAGEALLOC setting" to make other changes apply cleanly
  • -
  • Pixel 2, Pixel 2 XL: kernel: backport "mm: add SLUB free list pointer obfuscation" including the per-slab randomization upstreamed by us
  • -
  • Pixel 2, Pixel 2 XL: kernel: backport "mm/slub.c: add a naive detection of double free or corruption"
  • -
  • Pixel 2, Pixel 2 XL: kernel: enable SLAB_FREELIST_HARDENED
  • -
  • Pixel 2, Pixel 2 XL: kernel: backport "mm: allow slab_nomerge to be set at build time"
  • -
  • Pixel 2, Pixel 2 XL: kernel: disable SLAB_MERGE_DEFAULT
  • -
  • Pixel 2, Pixel 2 XL: kernel: add a SLAB_HARDENED configuration option
  • -
  • Pixel 2, Pixel 2 XL: kernel: add missing cache_from_obj !PageSlab check
  • -
  • Pixel 2, Pixel 2 XL: kernel: real slab_equal_or_root check for !MEMCG_KMEM
  • -
  • Pixel 2, Pixel 2 XL: kernel: bug on kmem_cache_free with the wrong cache
  • -
  • Pixel 2, Pixel 2 XL: kernel: always perform cache_from_obj consistency checks
  • -
  • Pixel 2, Pixel 2 XL: kernel: bug on !PageSlab && !PageCompound in ksize
  • -
  • Pixel 2, Pixel 2 XL: kernel: backport "mm/mmap.c: mark protection_map as __ro_after_init"
  • -
  • Pixel 2, Pixel 2 XL: kernel: backport "mark most percpu globals as __ro_after_init" including the extensions by us
  • -
  • Pixel 2, Pixel 2 XL: kernel: randomize lower bits of the argument block
  • -
  • Pixel 2, Pixel 2 XL: kernel: restrict device side channels
  • -
  • Pixel 2, Pixel 2 XL: kernel: add toggle for disabling newly added USB devices
  • -
  • Pixel 2, Pixel 2 XL: kernel: backport "arm64: vdso: add __init section marker to alloc_vectors_page"
  • -
  • Pixel 2, Pixel 2 XL: kernel: backport "arm64: vdso: constify vm_special_mapping used for aarch32 vectors page"
  • -
  • Pixel 2, Pixel 2 XL: kernel: backport "arm64: apply __ro_after_init to some objects"
  • -
  • Pixel 2, Pixel 2 XL: kernel: backport "arm64, vdso: Define vdso_{start,end} as array"
  • -
  • Pixel 2, Pixel 2 XL: kernel: add kmalloc/krealloc alloc_size attributes
  • -
  • Pixel 2, Pixel 2 XL: kernel: add vmalloc alloc_size attributes
  • -
  • Pixel 2, Pixel 2 XL: kernel: add percpu alloc_size attributes
  • -
  • Pixel 2, Pixel 2 XL: kernel: add alloc_pages_exact alloc_size attributes
  • -
  • Pixel 2, Pixel 2 XL: kernel: backport "include/linux/string.h: add the option of fortified string.h functions" which was upstreamed by us
  • -
  • Pixel 2, Pixel 2 XL: kernel: backport "replace incorrect strscpy use in FORTIFY_SOURCE" which was upstreamed by us
  • -
  • Pixel 2, Pixel 2 XL: kernel: enable FORTIFY_SOURCE
  • -
  • Pixel 2, Pixel 2 XL: kernel: backport "random,stackprotect: introduce get_random_canary function"
  • -
  • Pixel 2, Pixel 2 XL: kernel: backport "arm64: ascii armor the arm64 boot init stack canary" which was upstreamed by us
  • -
  • Pixel 2, Pixel 2 XL: kernel: add simpler page sanitization
  • -
  • Pixel 2, Pixel 2 XL: kernel: add support for verifying page sanitization
  • -
  • Pixel 2, Pixel 2 XL: kernel: slub: add basic full slab sanitization
  • -
  • Pixel 2, Pixel 2 XL: kernel: slub: add support for verifying slab sanitization
  • -
  • Pixel 2, Pixel 2 XL: kernel: slub: add multi-purpose random canaries
  • -
  • Pixel 2, Pixel 2 XL: kernel: backport "arm64/mmap: properly account for stack randomization in mmap_base" which was upstreamed by us
  • -
  • Pixel 2, Pixel 2 XL: kernel: arm64: determine stack entropy based on mmap entropy
  • -
  • Pixel 2, Pixel 2 XL: kernel: Revert "Revert "arm: move ELF_ET_DYN_BASE to 4MB""
  • -
  • Pixel 2, Pixel 2 XL: kernel: Revert "mm: revert x86_64 and arm64 ELF_ET_DYN_BASE base changes"
  • -
  • Pixel 2, Pixel 2 XL: kernel: add specialized associated MAC randomization for qcacld-3.0
  • -
  • Pixel, Pixel XL: kernel: simplify specialized associated MAC randomization for qcacld-2.0 to match taimen/walleye implementation
  • -
  • set clang vendor string to indicate -fsanitize=local-init and future extensions are present
  • -
  • simplify clang build environment
  • -
  • rebuild clang prebuilt
  • -
  • system/core/libutils/RefBase.cpp: fix build with debugging
  • -
  • F-Droid privileged extension: whitelist taimen / walleye releasekeys
  • -
  • move pthread_internal_t out of the stack mapping again
  • -
  • Nexus 5X, Nexus 6P, Pixel, Pixel XL, Pixel 2 (everything but the Pixel 2 XL): replace default wallpaper
  • -
  • Pixel, Pixel XL, Pixel 2, Pixel 2 XL: kernel: disable module support in production builds
  • -
  • VTS: drop requirement to support kernel modules
  • -
  • malloc: drop workaround for use-after-free in init now that it's fixed upstream
  • -
-
- -
-

2018.01.03.02

- -

Changes since 2017.12.17.21:

-
    -
  • 2018-01-01 security patch level
  • -
  • 2018-01-05 security patch level
  • -
  • PackageInstaller: add back fix for upstream bug preventing toggling off current permissions in review
  • -
  • disable exec spawning for apps that are being debugged until the debug features are compatible (upstream bug)
  • -
  • improve robustness of the code implementing toggles for background audio recording and clipboard access
  • -
  • Updater: bump API level to 27
  • -
  • PDF Viewer: bump API level to 27
  • -
  • F-Droid: update to 1.0.2
  • -
-
- -
-

2017.12.17.21

- -

Changes since 2017.12.12.16:

-
    -
  • Silence: update to 0.15.10
  • -
  • Chromium: update to 63.0.3239.111
  • -
  • Google WebView (included until Android 8.1 WebView stable release is open source): update to 63.0.3239.111
  • -
  • Pixel, Pixel XL: remove AOSP Updater package inclusion
  • -
-
- -
-

2017.12.12.16

- -

Changes since 2017.12.10.21:

-
    -
  • set the default for the background audio recording toggle to allowed for the time being
  • -
- -

Blocking background audio recording by default ended up hitting far more app - compatibility issues than expected. The goal is still to disable it by - default but we need to whitelist Phone services and figure out if anything can - be done to improve compatibility with apps like Signal and WhatsApp.

-
- -
-

2017.12.10.21

- -

Changes since 2017.12.07.19:

-
    -
  • Updater: reduce update check rate to every 4 hours from 1
  • -
  • Updater: reduce retry rate to every 4 minutes from 1
  • -
  • DeskClock: fix broken upstream fix in Android 8.1 to match our fix for Android 8.0
  • -
  • Nexus 5X: update stock update-binary to OPM1.171019.011
  • -
  • stop disabling brotli compression for legacy format over-the-air updates
  • -
  • replace global toggle for background clipboard access with a per-app toggle (still disabled by default)
  • -
  • add toggle for background audio recording (now disabled by default)
  • -
- -

Apps can still start recording audio in the foreground and continue in the - background even with background audio recording disabled. This will end up - being mitigated in the future but it isn't fully implemented yet.

- -
- -
-

2017.12.07.19

- -

Changes since the 2017.12.06.06 release:

-
    -
  • SELinux policy: allow system_app to read selinuxfs for the Settings SELinux status display
  • -
  • Chromium: update to 63.0.3239.83 from 62.0.3202.84
  • -
  • update android-prepare-vendor to the latest revision
  • -
  • add back Nexus 5X and Nexus 6P support
  • -
  • replace obsolete brotli command line syntax
  • -
  • disable OTA update brotli compression since it breaks on the 5X and is only for legacy pre-Pixel devices anyway
  • -
-
- -
-

2017.12.06.06

- -

Changes since the 2017.11.20.01 release:

-
    -
  • 2017-12-01 security patch level
  • -
  • 2017-12-05 security patch level
  • -
  • update android-prepare-vendor to the latest revision
  • -
  • migrate from Android 8.0 to Android 8.1 (MR1)
  • -
  • Settings: stop marking KRACK fixes as extra security patches since Google included the fixes in AOSP
  • -
  • kernel (Pixel, Pixel XL): add fixes for GCC builds until time is available to migrate to using Clang like Google
  • -
  • Launcher3: revert broken upstream commit
  • -
  • overhaul exec spawning to work with the new spawning infrastructure
  • -
  • overhaul SELinux policy changes to cope with Treble ABI compatibility layer
  • -
  • temporarily switch to official WebView build (63.0.3239.83) due to temporary lack of published Chromium sources with API 27 WebView support
  • -
  • set up the slightly hardened Clang / LLVM toolchain for mr1
  • -
- -

Known upstream issues for Android 8.1:

-
    -
  • Settings app wrongly displays the SELinux status as Permissive because SELinux prevents Settings from reading the SELinux enforce mode
  • -
  • Pixel verified boot fingerprint display has been fixed but the fingerprint is not yet meaningful (verified boot does continue to work and automatically enforces that the key doesn't change, it's only a fingerprint display issue)
  • -
  • android-prepare-vendor may not work properly without manual intervention
  • -
-
- -
-

2017.11.20.01

- -
    -
  • script: include directory for python2 workaround
  • -
  • limit platform signature permissions to system again
  • -
  • dr1 only: rebuild clang with our patch adding support for the local-init sanitizer and enable it again in build/make and build/soong
  • -
  • update android-prepare-vendor to latest upstream revision
  • -
  • PDF Viewer: minor UX improvements (from @Tommy-Geenexus)
  • -
  • Updater: add warning about illegitimate resellers for legacy devices (Nexus 5X, Nexus 6P)
  • -
-
- -
-

2017.11.06.22

- -
    -
  • 2017-11-01 security patch level
  • -
  • 2017-11-05 security patch level
  • -
  • other November 2017 security update changes for Nexus/Pixel devices from AOSP
  • -
  • Chromium (including the WebView): update to 62.0.3202.84 from 62.0.3202.73
  • -
  • F-Droid: update base code to 1.0.1
  • -
  • PDF Viewer: update pdf.js to 1.9.426 including fixing a conflict with our change to allow sane style-src Content Security Policy
  • -
  • SELinux policy: disallow execmem for ephemeral_app
  • -
  • SELinux policy: auditallow execmem for untrusted app domains again
  • -
  • SELinux policy: auditallow app_data_file execute for untrusted app domains again
  • -
  • SELinux policy: restore missing dalvikcache_data_file execute rules for non-base-system apps
  • -
  • sdcard service: enable the object-size sanitizer again (our integer sanitizer change is now upstream)
  • -
-
- -
-

2017.10.31.17

- -
    -
  • Chromium (including the WebView): update to 62.0.3202.73 from 62.0.3202.66
  • -
  • Settings: mark anti-theft protection as not available if file-based encryption isn't supported to avoid confusion
  • -
  • replace decentralized python2 workarounds with a global workaround in our envsetup wrapper
  • -
  • HiKey: remove broken bootloader requirement for now (the bootloader isn't passing a version on the kernel command line)
  • -
  • svox: drop fix for CTS failure and use the upstream fix from oreo-dr1-release
  • -
  • assorted tweaks to minimize conflicts when cherry-picking from oreo-r3-release to oreo-dr1-release
  • -
  • add oreo-dr1-release branch
  • -
  • dr1 only: manually port changes with conflicts from oreo-r3-release: platform_bionic, platform_bootable_recovery, platform_build, platform_build_soong, platform_external_svox, platform_external_sqlite, platform_frameworks_base, platform_packages_apps_Bluetooth, platform_packages_apps_Settings, platform_prebuilts_clang_host_linux-x86, platform_system_sepolicy
  • -
  • dr1 only: add HiKey 960 support
  • -
  • dr1 only: backport upstream fix for bad merge in services/surfaceflinger/DisplayHardware/FramebufferSurface.cpp
  • -
  • dr1 only: backport upstream fix for hwc1 support for HiKey / HiKey 960
  • -
  • dr1 only: apply SettingsProvider fix from r3 that was missing to keep the settings db version in sync
  • -
  • dr1 only: backport upstream fixes for HiKey 960 gralloc
  • -
  • dr1 only: backport upstream changes for HiKey 960 SELinux support in enforcing mode
  • -
  • SELinux policy: backport changes for timerslack support
  • -
  • dr1 only: backport removal of device-specific timerslack support
  • -
  • HiKey, HiKey 960: stop disabling malloc junk on free
  • -
  • dr1 only: temporarily use zero fill on free in debug builds to work around unidentified bugs on HiKey / HiKey 960
  • -
  • dr1 only: backport stub memtrack HAL for HiKey / HiKey 960
  • -
  • dr1 only: backport add dt.img into BOARD_PACK_RADIOIMAGES
  • -
  • dr1 only: fix release.sh for hikey960 target
  • -
  • HiKey 960: update vendor files to 20170523
  • -
  • drop device/linaro/hikey fork from non-dr1 branches as we'll only be maintaining it in dr1
  • -
-
- -
-

2017.10.21.14

- -
    -
  • Settings: add WPA2 issues fixed in the last release (2017.10.16.22) to the "Extra security patches" field
  • -
  • HiKey: add boot animation
  • -
  • SELinux policy: backport init configfs fix for HiKey
  • -
  • Settings: handle devices without factory reset protection
  • -
  • HiKey: disable malloc junk on free until use-after-free bugs are addressed
  • -
  • SELinux policy: fully remove base system dalvikcache_data_file execute again
  • -
  • Chromium: update base version to 62.0.3202.66 from 61.0.3163.98 and port the hardening changes
  • -
-
- -
-

2017.10.16.22

- -
    -
  • Net Monitor: update to v1.2 from v1.1.4 (fixes the major issues of missing connections when it was running in the background and wrongly attributing connections to apps with shared uids like assigning all system uid connections to atfwd)
  • -
  • enable LOCAL_DEX_PREOPT for apks in vendor.img again
  • -
  • SELinux policy: allow vendor apps to execute vendor_framework_file for dexpreopt to avoid needing /data/dalvik-cache
  • -
  • backport wpa_supplicant security fixes for CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087 and CVE-2017-13088 (CVE-2017-13084 is not applicable) to Oreo's current post-2.6 revision
  • -
-
- -
-

2017.10.11.21

- -
    -
  • Updater (Pixel, Pixel XL): stop setting the notification to CATEGORY_SYSTEM
  • -
  • Silence: update from 0.15.7 to 0.15.8
  • -
  • SELinux policy: auditallow legacy execmod
  • -
  • Nexus 5X, Nexus 6P: only add Updater to PRODUCT_PACKAGES in official builds
  • -
  • work around latent F-Droid bug with privileged extension app installation (bug is still present but no longer worse than before)
  • -
-
- -
-

2017.10.07.23

- -
    -
  • SELinux policy: split out base system isolated_app again
  • -
  • SELinux policy: begin purge of base system dalvikcache_data_file execute again
  • -
  • SELinux policy: remove webview_zygote apk_data_file access
  • -
  • Nexus 5X, Nexus 6P: add back missing vendor apps via improved android-prepare-vendor Oreo compatibility
  • -
  • refactor checks for added runtime permissions (previously only used to make INTERNET into a runtime permission)
  • -
  • add new permission for non-body-related sensors
  • -
-
- -
-

2017.10.02.22

- -
    -
  • 2017-10-01 kernel security patch level
  • -
  • 2017-10-05 kernel security patch level
  • -
  • Nexus 5X, Nexus 6P: enforce privileged permission whitelisting (already enforced on Pixels)
  • -
-
- -
-

2017.10.01.17

- -
    -
  • Updater: Update settings → System update settings
  • -
  • SELinux policy: remove execmem for privileged app domains again
  • -
  • SELinux policy: add seinfo tag for generic base system apps again
  • -
  • SELinux policy: split out untrusted base app domains again
  • -
  • SELinux policy: remove base system execmod again
  • -
  • SELinux policy: remove base system untrusted app execmem again
  • -
  • SELinux policy: remove base system app_data_file execute again
  • -
  • kernel (Pixel, Pixel XL): add specialized MAC randomization for Pixel phones
  • -
  • Settings (Pixel, Pixel XL): add new toggle for associated MAC randomization to Wi-Fi preferences
  • -
-
- -
-

2017.09.29.01

- -
    -
  • SELinux policy: split out domain for Updater from priv_app domain again
  • -
  • SELinux policy: remove ota update access from priv_app domain again
  • -
  • SELinux policy: split netmonitor domain from untrusted_base_app again
  • -
  • SELinux policy: split out basic routing / iface info from proc_net again
  • -
  • SELinux policy: remove non-netmonitor untrusted_app_all / isolated_app proc_net access again
  • -
  • Nexus 6P: update vendor files to OPR6.170623.019 from OPR6.170623.017 (2nd published September release)
  • -
  • add support for HiKey as a build target
  • -
  • Nexus 5X, Nexus 6P: log privileged permission whitelisting violations (already fully enforced on Pixels)
  • -
  • F-Droid privileged extension: update to 0.2.7
  • -
  • Nexus 6P: get audio_effects.conf from vendor instead again
  • -
  • Nexus 6P: remove wpa_supplicant scanning MAC randomization as it no longer works
  • -
  • Nexus 6P: remove kernel associated MAC randomization as it no longer works
  • -
  • remove infrastructure for legacy kernel associated MAC randomization
  • -
  • kernel: wcnss: fix 3 byte buffer overflow on MAC change
  • -
-
- -
-

2017.09.24.15

- -
    -
  • Contacts: remove no-op help & feedback menu entries
  • -
  • keyboard: rebranding
  • -
  • fix logging for denials of background clipboard access
  • -
  • Updater (Pixel, Pixel XL): always wait for reboot after completing an update
  • -
  • Updater (Pixel, Pixel XL): switch to new system update icon for notification
  • -
  • Updater (Nexus 5X, Nexus 6P): add makeshift legacy update system support (This update client was designed to run on top of the update_engine A/B update system and file-based encryption. It can't offer the same user experience and robustness elsewhere. However, due to some recent changes it's possible to hack in support for the legacy recovery-based update system. It will handle edge cases like a normal reboot after an update is downloaded strangely but the basics can work.)
  • -
  • Updater (Nexus 5X, Nexus 6P): use legacy update server
  • -
  • Nexus 5X, Nexus 6P: replace LegacyUpdater with Updater
  • -
  • Chromium: update to 61.0.3163.98 from 61.0.3163.81
  • -
-
- -
-

2017.09.19.23

- -
    -
  • keyboard: disable personalized suggestions by default
  • -
  • Updater (Pixel, Pixel XL): use the standard update settings intent
  • -
  • Nexus 5X, Nexus 6P: port to oreo
  • -
  • LegacyUpdater (Nexus 5X, Nexus 6P): use the standard update settings intent
  • -
  • Settings: use standard update settings mechanism
  • -
  • Nexus 5X, Nexus 6P: vendor: remove system partition bytecode packages until they work properly (loses transparent WiFi / LTE switching on both and Qualcomm time service on 5X)
  • -
  • wpa_supplicant: enable WiFi scanning MAC randomization for non-Qualcomm WiFi devices again (Qualcomm WiFi devices already have a better implementation in firmware)
  • -
  • DeskClock: drop targetSdkVersion to 25 since Google released it as targeting 26 without handling the breaking changes
  • -
  • Nexus 5X: fix preferred network settings
  • -
-
- -
-

2017.09.13.21

- -
    -
  • full 2017-09-01 kernel security patch level (not just the kernel)
  • -
  • full 2017-09-05 kernel security patch level (not just the kernel)
  • -
-
- -
-

2017.09.13.02

- -
    -
  • 2017-09-01 kernel security patch level (other sources are inexplicably not published yet)
  • -
  • 2017-09-05 kernel security patch level (other sources are inexplicably not published yet)
  • -
  • Pixel, Pixel XL: remove fstab override made unnecessary by the wonders of Treble (still necessary for Nexus)
  • -
  • Pixel, Pixel XL: build PresencePolling app (IMS / RCS related)
  • -
  • Pixel, Pixel XL: build nanotool, libion and libminui from source instead of extracting with android-prepare-vendor
  • -
  • Pixel, Pixel XL: avoid stripping out PixelThemeOverlay from vendor but don't enable it by default (AOSP keyboard doesn't support the theme like Gboard)
  • -
  • Pixel, Pixel XL: remove unnecessary DiagMon priv-app
  • -
  • libc: add back dynamic object size checking support without actually wiring it up to any system calls yet
  • -
  • use permanent fingerprint lockout immediately
  • -
  • Updater (Pixel, Pixel XL): reject any serialno constraint for stable / beta (serialno constraint is only for alternate update channels not exposed as standard update channel choices)
  • -
-
- -
-

2017.09.10.17

- -
    -
  • Settings: do not allow disabling Chromium (it's very common for people to disable it without realizing Chromium provides the WebView to other apps)
  • -
  • Settings: do not allow disabling the main keyboard (it's not obvious that disabling it after installing another keyboard is a very bad idea. Other keyboards rarely support Direct Boot and won't work for entering the password, forcing recovery by plugging in a physical keyboard)
  • -
  • Updater (Pixel, Pixel XL): replace the notification channel to move away from deprecated APIs
  • -
  • Updater (Pixel, Pixel XL): add permissions whitelist file
  • -
  • disable OpenGL preloading again
  • -
  • disable preload ICU cache pinning again
  • -
  • disable JCA provider preloading again
  • -
  • disable resource preloading again
  • -
  • disable class preloading again
  • -
  • add missing /system/etc/permissions and /system/etc/sysconfig configuration files from stock (via android-prepare-vendor)
  • -
  • omit stock Android libtinyxml2 since it's part of AOSP (via android-prepare-vendor)
  • -
  • remove CarrierSetup app as it appears to be unnecessary and tied to Verizon bloat / Google Play
  • -
  • fix com.android.launcher3 permissions whitelist
  • -
  • fix com.android.dialer permission whitelist
  • -
  • fix android.ext.services permissions whitelist
  • -
  • add com.android.apps.tag permission whitelist
  • -
  • F-Droid privileged extension: update to 0.2.6
  • -
  • F-Droid privileged extension: whitelist privileged permissions
  • -
  • Pixel, Pixel XL: enforce privileged permission whitelisting
  • -
  • backport upstream fix for the wrap debug feature
  • -
-
- -
-

2017.09.08.04

- -
    -
  • Chromium: update to 61.0.3163.81 from 60.0.3112.116
  • -
  • Chromium: backport support for the Android Oreo WebView
  • -
  • Chromium: bump MonochromePublic targetSdkVersion to 26 to match the internal Monochrome metadata (needed to provide the WebView on Oreo among other things)
  • -
  • remove Google WebView since our hardened Chromium builds provide the WebView again
  • -
  • remove Google WebView from the WebView provider whitelist
  • -
  • PDF Viewer: adopt targetSandboxVersion 2 to use the much stronger instant app style sandbox for the app itself (rendering already happened in the stronger WebView sandbox)
  • -
  • Updater (Pixel, Pixel XL): migrate to Build.getSerial() API for enforcing update zip serialno constraints in anticipation of it becoming mandatory
  • -
  • grant Updater app on Pixel and Pixel XL Phone permissions for Build.getSerial()
  • -
  • leave deprecated Build.SERIAL field set to UNKNOWN (only support fetching the serial number via the new Build.getSerial() requiring the READ_PHONE_STATE permission)
  • -
-
- -
-

2017.09.06.03

- -
    -
  • Chromium: update to 60.0.3112.116 from 60.0.3112.107
  • -
  • Chromium WebView (temporarily included until Oreo WebView support is pushed): update to 60.0.3112.116 from 60.0.3112.107
  • -
  • add two forms of ASLR for secondary stacks again
  • -
  • make the minimum secondary stack gap size one page again
  • -
  • kernel: getrandom: make blocking until init configurable (disabled temporarily to mimic the AOSP urandom fallback)
  • -
-
- -
-

2017.09.03.17

- -
    -
  • move to Android Oreo OPR6.170623.013 the base OS (tip of oreo-r6-release branch)
  • -
  • port of many of our features to Android Oreo (8.0), requiring many changes to the implementations (details not listed here)
  • -
  • android-prepare-vendor port to Android Oreo / Treble and new vendor files
  • -
  • add missing ro.hardware.egl property
  • -
  • stop clobbering stock audio_effects.conf
  • -
  • temporarily bundle and whitelist the AOSP WebView until Android Oreo support is pushed to Chromium
  • -
  • add ambient capability support to exec-based spawning
  • -
  • use exec-based spawning for com.android.bluetooth now that there's ambient capability support
  • -
  • fix upstream issue with replacing the fingerprint of the boot image
  • -
  • handle -ftrapv like the signed integer sanitizer options (signed-integer-overflow, integer, undefined) by not passing -fwrapv
  • -
  • build new Clang toolchain
  • -
  • switch back to using speed mode for dexpreopt globally rather than only for certain core code
  • -
  • Launcher3: disable icon normalization for now as most icons aren't prepared for it
  • -
  • disable aapt2 for LatinIME (the keyboard) to work around a known aapt2 bug
  • -
  • increase padding from 16 to 32 bytes for the new AES_256_HEH filename encryption mode to match our increase from 4 to 32 bytes for the old AES_256_CTS mode (content is still encrypted with AES_256_XTS)
  • -
  • Contacts: remove no-op help and feedback option
  • -
  • Contacts: make add account message neutral about service choice
  • -
  • Settings: add back extra security patch level field
  • -
  • Settings: add back bootloader version field
  • -
  • Settings: add back verified boot status field
  • -
  • Settings: add back anti-theft protection status field
  • -
  • Updater (Pixel, Pixel XL): add support for battery not low job scheduling
  • -
  • remove shared relro support again
  • -
  • Launcher3: work around keyboard not being hidden
  • -
  • ExactCalculator: revert to the old Apache2 icon from before Google went out of the way to regress it in AOSP
  • -
  • Contacts: remove logo meant for the Google app based on this
  • -
  • recovery: rebranding
  • -
  • script: remove minutes/seconds from generated BUILD_NUMBER
  • -
  • temporarily bundle and whitelist the latest Google WebView until support for providing the WebView on Android Oreo is in Chromium
  • -
  • bionic: replace brk/sbrk/__bionic_brk with stubs again
  • -
  • Updater (Pixel, Pixel XL): move to new APIs provided at API level 26
  • -
  • Updater (Pixel, Pixel XL): add a notification channel
  • -
  • Updater (Pixel, Pixel XL): increase targetSdkVersion to 26
  • -
  • stop disabling unprivileged ptrace by default for compatibility with the new crash dump system
  • -
  • kernel (Pixel, Pixel XL): stop enabling ptrace_scope by default for compatibility with the new crash dump system
  • -
  • CarrierConfig (Pixel, Pixel XL): update vendor.xml configuration overlay for Android Oreo
  • -
  • roll back non-firewall network hardening too for the time being in case it's the source of carrier compatibility issues
  • -
  • add toggle for disabling native code debugging support (toggles kernel.yama.ptrace_scope between 0 and 2, with more restrictions coming later)
  • -
  • replace SELinux policy in vendor.img with our policy
  • -
  • sepolicy: remove permissions tied to the Dalvik / ART JIT compiler again
  • -
  • sepolicy: remove app_data_file execute for priv_app again
  • -
  • sepolicy: add back fine-grained policy for /proc/vmstat
  • -
  • sepolicy: disallow text relocations for API 26+
  • -
  • sqlite: enable shift, signed-integer-overflow and object-size sanitizers in trapping mode again
  • -
  • make some function pointer tables read-only again
  • -
  • PDF Viewer: update targetSdkVersion to 26
  • -
  • PDF Viewer: update pdf.js to 1.8.188
  • -
  • fix undefined out-of-bounds accesses in sched.h again
  • -
  • switch pthread_atfork handler to mmap again
  • -
  • add memory protection for pthread_atfork handlers again
  • -
  • add memory protection for at_quick_exit handlers again
  • -
  • clean up string formatting in libc again
  • -
  • increase pthread stack size to 8MiB on 64-bit again
  • -
  • add XOR mangling mitigation for thread local destructors again
  • -
  • avoid some variable length arrays again
  • -
  • make __stack_chk_guard read-only at runtime again
  • -
  • replace pthread_attr junk filling pattern again
  • -
  • add explicit_memset and fix explicit_bzero with it again
  • -
  • add a proper issetugid implementation again
  • -
  • add back hardened malloc with assorted changes and integration
  • -
  • temporarily disable junk on free for init
  • -
  • whitelist getrandom system call for media seccomp sandboxes since hardened malloc triggers regular calls to it
  • -
  • Updater (Pixel, Pixel XL): get payload offset from new streaming metadata
  • -
  • zero sensitive data (512 byte hardware generated random seed) with explicit_memset in init again
  • -
  • tighten up mount permissions again
  • -
  • use blocking getrandom to prevent urandom fallback to prevent arc4random abort before urandom is available and to guarantee high quality early boot entropy
  • -
-
- -
- -
-

Nougat

- -
-

2017.08.21.00.41.27

- -
    -
  • Chromium (including the WebView): update to 60.0.3112.107 from 60.0.3112.97
  • -
  • kernel (Nexus 5X, Nexus 6P, Pixel, Pixel XL): use kernel command-line as early boot entropy since it has the serial number and bootloader stage timings
  • -
  • Updater (Pixel, Pixel XL): open updater settings when the notification is touched
  • -
-
- -
-

2017.08.14.23.14.24

- -
    -
  • Chromium (including the WebView): update to 60.0.3112.97 from 60.0.3112.78
  • -
  • Chromium (no impact on WebView): hide passwords.google.com link when not supported
  • -
  • Camera2: remove no-op help and feedback button
  • -
  • mark added frameworks APIs as hidden to avoid API stability warnings
  • -
  • assorted cleanup / reorganization in preparation for porting to Android 8.0
  • -
-
- -
-

2017.08.07.22.43.31

- -
    -
  • 2017-08-01 security patch level
  • -
  • 2017-08-05 security patch level
  • -
  • enable Verizon visual voicemail support
  • -
  • add CNEService for the Nexus 5X and Nexus 6P to bring them in line with the Pixel and Pixel XL
  • -
  • Pixel, Pixel XL: add CarrierConfig vendor.xml other than the Verizon entries from stock, resolving remaining non-Sprint / non-Verizon carrier compatibility issues (VoLTE / VoWiFi now work where supported, other than on Verizon where it requires proprietary apps / remote admin backdoor)
  • -
  • fix upstream bug in the permissions review activity (toggles only worked for new permissions, not previously granted / rejected ones)
  • -
-
- -
-

2017.08.04.01.56.14

- -
    -
  • make sure https is used for all references to izatcloud
  • -
  • stop marking the LTE only mode as experimental (caveats still apply: VoLTE needed for voice calls to work, modem may have bugs allowing downgrade)
  • -
  • Chromium (including the WebView): update to 60.0.3112.78
  • -
  • Chromium (impacts browser only): enable dubious Do Not Track feature by default
  • -
  • Chromium (impacts browser only): stop enabling search engine geolocation by default
  • -
  • disable camera gestures while locked if camera is disabled on the lockscreen, to avoid needing to toggle off the gesture feature
  • -
  • ContactsCommon: remove irrelevant privacy policy / terms of use
  • -
  • disable firewall hardening until contributors with access to other carriers are willing to test it
  • -
  • disable bounds sanitizer for libc_dns until an overflow there is fixed
  • -
-
- -
-

2017.07.27.03.08.18

- -
    -
  • fix bug causing permission review to no longer grant permissions by default at install time
  • -
  • set tether_dun_required to 0 by default (using net.tethering.noprovisioning=true isn't enough for every standard APN configuration)
  • -
  • require unlocking to use nfc quick tile
  • -
  • require unlocking to use bluetooth quick tile
  • -
  • require unlocking to use airplane mode quick tile
  • -
  • require unlocking to use wifi quick tile
  • -
  • require unlocking to use rotation lock quick tile
  • -
  • require unlocking to use data saver quick tile
  • -
  • require unlocking to use hotspot quick tile
  • -
  • require unlocking to use cellular quick tile
  • -
  • require unlocking to use battery quick tile
  • -
-
- -
-

2017.07.26.12.53.31

- -
    -
  • rework how the INTERNET permission works (Network permission group will need to be toggled off again as desired)
  • -
  • make SET_TIME_ZONE require signature|privileged like SET_TIME (it's much less sensitive but shouldn't be a 'normal' permission)
  • -
  • stop granting location to Chromium by default for fresh installs (it works fine without it and requests it after the user grants access to a site)
  • -
  • add toggle to Settings → Security for disabling camera usage from the lockscreen
  • -
  • Updater (Pixel, Pixel XL): set minimum latency for idle reboot job to 5 minutes
  • -
  • Settings: remove irrelevant wallpaper copyright information
  • -
-
- -
-

2017.07.23.16.40.26

- -
    -
  • extend support for toggling the Network permission group to apps targeting API level < 23
  • -
  • mark all JNINativeMethod tables in modules that are used as read-only
  • -
-
- -
-

2017.07.22.14.48.26

- -
    -
  • Pixel, Pixel XL: add missing system/lib/soundfx/libfmas.so library (via android-prepare-vendor)
  • -
  • mark INTERNET as a dangerous permission, but granted by default for apps with runtime permission support for compatibility
  • -
  • add a NETWORK permission group for the INTERNET permission
  • -
  • add NETWORK permission group to the list with user-facing toggles
  • -
-
- -
-

2017.07.18.08.53.56

- -
    -
  • Nexus 5X, Nexus 6P, Pixel, Pixel XL: fix enabled_networks_values / enabled_networks_except_gsm_values
  • -
  • add an experimental LTE only preferred network option
  • -
  • switch from deprecated ro.permission_review_required property to config_permissionReviewRequired resource
  • -
  • kernel (Pixel, Pixel XL): enable protected_{symlinks,hardlinks} by default rather than later via sysctl
  • -
  • kernel (Pixel, Pixel XL): replace CONFIG_FORTIFY_SOURCE implementation with the newer revision that landed in mainline
  • -
  • sdcard: rm poison on free since malloc does it
  • -
  • Pixel, Pixel XL: add SafetyRegulatoryInfo to packages (for Settings → About device → Safety and regulatory manual)
  • -
  • Pixel, Pixel XL: use regulatory information from stock for SafetyRegulatoryInfo
  • -
  • Settings (Pixel, Pixel XL): use regulatory labels from stock (for Settings → About device → Regulatory labels)
  • -
  • Updater (Pixel, Pixel XL): use Settings theme
  • -
  • Updater (Pixel, Pixel XL): set release channel summary
  • -
  • Updater (Pixel, Pixel XL): set permitted networks summary
  • -
  • PDF Viewer: add support for showing document properties (from @Tommy-Geenexus)
  • -
  • Music: revert Google's upgrade of targetSdkVersion from 9 to 24 since it's broken
  • -
-
- -
-

2017.07.06.18.26.24

- -
    -
  • disable bluetooth toggle permission review for now due to upstream issues
  • -
  • disable wifi toggle permission review for now due to upstream issues
  • -
-
- -
-

2017.07.06.00.04.39

- -
    -
  • 2017-07-01 security patch level
  • -
  • 2017-07-05 security patch level
  • -
  • replace default device policy manager maximum password length with 64 (was 16), which recently started to override the limit in Settings
  • -
  • Pixel, Pixel XL: include com.qualcomm.timeservice app to sync the hardware clock on time changes (via android-prepare-vendor)
  • -
  • only disable ART --abort-on-hard-verifier-error for the Nexus 5X and 6P, not Pixel phones where SoC support is less horrifying
  • -
  • PDF Viewer: preserve number picker state after being killed (from Tommy-Geenexus)
  • -
  • backport fix for NFC quick tile initialization from AOSP master
  • -
  • backported assorted memory corruption and other bug fixes
  • -
  • enable PERMISSIONS_REVIEW_REQUIRED to enforce user review of dangerous permissions pre-launch for apps targeting API levels less than 23 (pre-6.x)
  • -
  • Chromium (including the WebView): update to 59.0.3071.125
  • -
  • Chromium: build MonochromePublic instead of ChromeModernPublic
  • -
  • remove standalone Chromium WebView
  • -
  • switch WebView provider from com.android.webview to org.chromium.chrome
  • -
  • Chromium: build full Monochrome library for 64-bit and WebView-only library for 32-bit instead of vice versa, and set 64-bit as the preferred ABI to spawn all Chromium and WebView renderers as 64-bit as was the case before we used Monochrome (unlike stock Android)
  • -
  • Chromium: depend on WebView frameworks libraries
  • -
-
- -
-

2017.06.29.02.31.13

- -
    -
  • Updater (Pixel, Pixel XL): cancel pending idle reboot when disabling setting
  • -
  • Updater (Pixel, Pixel XL): disable app for non-system users to save resources (already does nothing as non-system)
  • -
  • fix upstream recovery logging bug
  • -
  • enable dex preopt for apks in vendor.img
  • -
  • Pixel, Pixel XL: remove remnants of the disabled system_other odex split
  • -
  • wire up Android Runtime debug configuration for exec-based spawning
  • -
  • fix cached pid invalidation by vfork assembly code
  • -
  • F-Droid: update to 0.104
  • -
  • F-Droid: stop suggesting / attempting incompatible updates
  • -
-
- -
-

2017.06.18.22.04.37

- -
    -
  • enable boot/bootloader/radio version checks
  • -
  • Settings: add device info field with bootloader version
  • -
  • Settings: enable showing SELinux status in device info
  • -
  • Settings: add device info field with verified boot status
  • -
  • Settings: add device info field with anti-theft protection status
  • -
  • add logging for denials of background clipboard access
  • -
  • Updater (Pixel, Pixel XL): fine tune logging
  • -
  • Updater (Pixel, Pixel XL): restore permitted network preference state (display issue only)
  • -
  • Updater (Pixel, Pixel XL): improve robustness against file permission inconsistencies in /data/ota_package
  • -
  • Updater (Pixel, Pixel XL): only run for the system user
  • -
-
- -
-

2017.06.15.06.09.53

- -
    -
  • Updater (Pixel, Pixel XL): extend post-verification metadata sanity checking beyond the device/timestamp (not strictly necessary)
  • -
  • Updater (Pixel, Pixel XL): verify that serialno metadata matches if present (for debug/wipe builds accepted only by one device)
  • -
  • Updater (Pixel, Pixel XL): fine tuning of job scheduling
  • -
  • add scripts to the source tree (generating signed releases, incrementals and update server metadata; repository management)
  • -
  • recovery: remove recovery logs access in user builds
  • -
  • Settings: remove unused automatic update toggle
  • -
  • Settings: remove unsupported FBE conversion option (Nexus 5X, Nexus 6P)
  • -
  • kernel (Pixel, Pixel XL): disable brk system call since it's unused
  • -
  • add QuickSettings NFC toggle tile from AOSP master (written by Anas Karbila)
  • -
  • Chromium (including the WebView): update to 59.0.3071.92
  • -
  • Pixel, Pixel XL: add extracted bootloader and radio firmware for generating complete over-the-air updates without a non-standard process
  • -
-
- -
-

2017.06.06.00.02.24

- -
    -
  • add back workaround for upstream race between camera services and flashlight quick tile
  • -
  • Etar: update to 1.0.12
  • -
  • F-Droid: update to 0.103.2
  • -
  • 2017-06-01 security patch level
  • -
  • 2017-06-05 security patch level
  • -
-
- -
-

2017.05.27.09.20.58

- -
    -
  • kernel (Pixel, Pixel XL): add more __ro_after_init (partially from PaX)
  • -
  • kernel (Pixel, Pixel XL): randomize lower bits of the argument block like PaX
  • -
  • kernel (Pixel, Pixel XL): properly account for stack randomization in mmap base
  • -
  • kernel (Pixel, Pixel XL): determine stack entropy based on mmap entropy (11 → 16 bits for 32-bit processes, 18 → 24 bits for 64-bit processes) - note: arm64 4-level page tables could improve this significantly on 64-bit, but they aren't usable yet
  • -
  • kernel (Pixel, Pixel XL): move ET_DYN base lower in the address space
  • -
  • kernel (Pixel, Pixel XL): fix qcacld-2.0 buffer read overflows in userdebug builds caught by CONFIG_FORTIFY_SOURCE
  • -
  • update F-Droid privileged extension to 0.2.5
  • -
  • revert workaround for upstream race between camera services and flashlight quick tile (no longer needed)
  • -
-
- -
-

2017.05.01.22.35.44

- -
    -
  • 2017-05-01 security patch level
  • -
  • 2017-05-05 security patch level
  • -
  • Silence: update to 0.15.7
  • -
-
- -
-

2017.04.27.21.03.07

- -
    -
  • kernel (Pixel, Pixel XL): apply large series of arm64 improvements from the marlin O Preview 1 kernel including PAN emulation
  • -
  • kernel (Pixel, Pixel XL): add vmalloc alloc_size attributes
  • -
  • kernel (Pixel, Pixel XL): add fortified strlen/strnlen
  • -
  • only include the Updater app if OFFICIAL_BUILD is true (Pixel, Pixel XL)
  • -
  • initialize threaded malloc
  • -
  • refine malloc pthread_atfork integration
  • -
  • Chromium (including the WebView): update to 58.0.3029.83
  • -
-
- -
-

2017.04.15.10.49.50

- -
    -
  • kernel (Pixel, Pixel XL): implement an equivalent to _FORTIFY_SOURCE=1 for buffer reads/writes via string.h functions
  • -
  • kernel (Pixel, Pixel XL): add kmalloc alloc_size attributes
  • -
  • kernel (Pixel, Pixel XL): avoid buffer overflow in Qualcomm display code
  • -
  • kernel (Pixel, Pixel XL): apply __ro_after_init changes from marlin O Preview 1 kernel
  • -
  • kernel (Pixel, Pixel XL): apply HARDENED_USERCOPY changes from marlin O Preview 1 kernel
  • -
  • kernel (Pixel, Pixel XL): slub: check cookies in __check_heap_object to detect use-after-free and heap corruption via user copy functions
  • -
  • PDF Viewer: update pdf.js to v1.8.170
  • -
  • PDF Viewer: create a fresh canvas for each page
  • -
-
- -
-

2017.04.06.23.05.54

- -
    -
  • libc: malloc: use zero-based junk filling in production
  • -
  • F-Droid privileged extension: update to 0.2.3
  • -
  • F-Droid: update to 0.102.3
  • -
  • enable F-Droid privileged extension
  • -
  • Silence: update to 0.15.6
  • -
  • fix upstream buffer overflow in the Bluetooth stack caught by our dynamic system call overflow checks (fix from @ScottyBauer1)
  • -
-
- -
-

2017.04.04.01.07.02

- -
    -
  • migrate to nougat-mr2-release (Android 7.1.2) and drop Nexus 9 support from this branch as it will remain on nougat-mr1.1-release
  • -
  • 2017-04-01 security patch level
  • -
  • 2017-04-05 security patch level
  • -
  • Chromium (including the WebView): update to 57.0.2987.132
  • -
  • kernel: fix CVE-2017-7184
  • -
  • kernel: slub: add back random cookies
  • -
  • kernel: use slab_equal_or_root checks without memcg kmem
  • -
  • kernel: always perform cache_from_obj sanity checks
  • -
  • kernel: slub: add check for write-after-free
  • -
  • Updater (Pixel, Pixel XL): delete corrupt update packages
  • -
  • Updater (Pixel, Pixel XL): resume installation of completed downloads
  • -
-
- -
-

2017.03.30.01.11.28

- -
    -
  • kernel: slub: roll back random cookies until more resources are available to cope with fallout
  • -
-
- -
-

2017.03.28.23.38.21

- -
    -
  • Chromium (including the WebView): upgrade to 57.0.2987.126
  • -
  • kernel: arm64: zero the leading stack canary byte to mitigate non-terminated C string overflows
  • -
  • kernel: panic on kmem_cache_free with the wrong cache
  • -
  • kernel: panic on !PageSlab && !PageCompound in ksize
  • -
  • kernel: slub: add multi-purpose random cookies
  • -
-
- -
-

2017.03.18.04.46.03

- -
    -
  • kernel: gather extra early boot entropy like PaX
  • -
  • Updater (Pixel, Pixel XL): add the option to reboot once idle after updating
  • -
  • Updater (Pixel, Pixel XL): add support for Direct Boot to enable updates before unlocking
  • -
  • enable notification light by default (Nexus 5X, Nexus 6P, Pixel, Pixel XL)
  • -
  • Silence: update to 0.15.5
  • -
  • F-Droid: update to 0.102.2
  • -
  • F-Droid privileged extension: update to 0.2.2
  • -
  • Chromium: update to 57.0.2987.108
  • -
-
- -
-

2017.03.13.18.50.01

- -
    -
  • Updater (Pixel, Pixel XL): extract care_map.txt for update_verifier
  • -
  • Updater (Pixel, Pixel XL): sanity check device name to mitigate key reuse
  • -
  • Updater (Pixel, Pixel XL): hold wake lock for update_engine
  • -
  • privacy-friendly-netmonitor: update to 1.1.4
  • -
  • SELinux policy: split out updater domain for the Updater app from priv_app
  • -
  • SELinux policy: remove priv_app OTA update access
  • -
  • on 64-bit, zero the leading stack canary byte: trade 8 bits of entropy (64 → 56) for mitigating non-terminated C string overflows
  • -
  • on 64-bit, zero the leading heap canary byte: trade 8 bits of entropy (64 → 56) for mitigating non-terminated C string overflows
  • -
  • use fully random stack and heap canaries in eng/userdebug builds
  • -
-
- -
-

2017.03.06.21.33.13

- -
    -
  • 2017-03-01 security patch level
  • -
  • 2017-03-05 security patch level
  • -
  • Pixel, Pixel XL: whitelist Updater in power save modes
  • -
-
- -
-

2017.03.02.10.47.25

- -
    -
  • Updater (Pixel, Pixel XL): add support for opting into the Beta channel
  • -
  • Updater (Pixel, Pixel XL): improve the code for resuming downloads
  • -
  • Updater (Pixel, Pixel XL): reschedule on failure to speed up retry
  • -
  • Etar: update to 1.0.10
  • -
  • privacy-friendly-netmonitor: update to 1.1.1
  • -
  • LegacyUpdater (Nexus 9, Nexus 5X, Nexus 6P): replace sys.update.test with the sys.update.channel property used by Updater
  • -
  • SELinux policy: remove sys.update.test property policy
  • -
  • enable preoptimization for system vendor files again
  • -
  • Silence: update to 0.15.2
  • -
  • initial 'stable' Pixel release (not Pixel XL)
  • -
-
- -
-

2017.02.23.07.20.31

- -
    -
  • Chromium: avoid breaking other first run experience pages when disabling the welcome page
  • -
  • further work on Pixel / Pixel XL vendor files
  • -
  • rename Updater to LegacyUpdater
  • -
  • add new Updater app for A/B devices (Pixel / Pixel XL) implementing automatic background updates
  • -
  • Settings: integrate the new Updater for A/B devices instead of LegacyUpdater
  • -
  • LegacyUpdater: drop experimental A/B update support
  • -
  • drop SELinux policy workaround for the experimental A/B update support in LegacyUpdater
  • -
  • Etar: update to 1.0.9
  • -
  • Silence: update to 0.15.1
  • -
  • Camera: disable location tagging by default again
  • -
  • add a partial workaround for the upstream Pixel / Pixel XL flashlight quick tile race condition
  • -
  • PDF Viewer: Enable/disable zoom menu items based on zoom-level (from @Tommy-Geenexus)
  • -
  • PDF Viewer: Enable/disable menu entries based on whether a PDF is loaded (from @Tommy-Geenexus)
  • -
  • PDF Viewer: Show actual/max page numbers on page change (from @Tommy-Geenexus)
  • -
  • PDF Viewer: update pdf.js to 1.6.210
  • -
  • PDF Viewer: revert an insignificant upstream pdf.js micro-optimization to preserve strong Content Security Policy
  • -
-
- -
-

2017.02.12.02.58.40

- -
    -
  • SELinux policy: split out basic routing / iface info from proc_net
  • -
  • SELinux policy: remove proc_net access for untrusted_app/untrusted_base_app
  • -
  • bundle org.secuso.privacyfriendlynetmonitor app
  • -
  • SELinux policy: add a domain for org.secuso.privacyfriendlynetmonitor based on untrusted_base_app with proc_net read access
  • -
  • Chromium: mark non-secure origins as non-secure
  • -
  • marlin / sailfish vendor file improvements
  • -
  • PDF Viewer: improve asynchronous request handling
  • -
  • PDF Viewer: add support for cancelling rendering
  • -
  • PDF Viewer: disable saving form data in the WebView
  • -
  • PDF Viewer: disable WebView cache
  • -
  • PDF Viewer: disable WebView URL loading
  • -
  • PDF Viewer: disable WebView cookies (already disallowed, but might as well disable it)
  • -
  • PDF Viewer: load a fresh viewer for each PDF (improve robustness/security by isolating the pdf.js environment for each document)
  • -
  • PDF Viewer: avoid content URL access within the WebView
  • -
-
- -
-

2017.02.07.00.27.27

- -
    -
  • February security update
  • -
  • auditallow untrusted_app/untrusted_base_app /proc/net usage to assess the scope of the problem
  • -
  • ported marlin device repository changes from nougat-mr1.3-release
  • -
-
- -
-

2017.02.04.15.16.45

- -
    -
  • remove unused Google development key from the marlin/sailfish kernel
  • -
  • Updater: initial support for A/B updates
  • -
  • Updater: remove Tv theme/layout
  • -
  • Updater: remove changelog support in anticipation of moving towards ChromeOS-style updates
  • -
  • Updater: remove unused VIBRATE permission
  • -
  • Updater: remove redundant system information
  • -
  • Updater: drop translations in anticipation of an overhaul
  • -
  • hash pthread_self when using it to select the malloc pool
  • -
  • Settings: hide MAC randomization toggle when not supported
  • -
  • use dummy values for ro.build.host ("host") and ro.build.user ("user") to match the kernel values
  • -
  • PDF Viewer: only reset page number for new documents
  • -
  • PDF Viewer: add support for text selection
  • -
  • rework hiding passwords by default (setting may need to be toggled off in Security for existing installs)
  • -
  • Chromium: update to 56.0.2924.87
  • -
-
- -
-

2017.01.26.14.27.36

- -
    -
  • PDF Viewer: extend Content-Security-Policy to allow loading images from blobs
  • -
  • PDF Viewer: switch to default-src 'none' from 'self'
  • -
  • PDF Viewer: implement zoom actions
  • -
  • PDF Viewer: save/restore page number
  • -
  • PDF Viewer: implement jump to page action
  • -
  • PDF Viewer: remove extra whitespace below the canvas
  • -
  • PDF Viewer: save/restore zoom level
  • -
  • PDF Viewer: reset page number to 1 for new documents
  • -
  • kernel: enable SLUB_DEBUG_ON for debug kernels
  • -
  • kernel: only enable SLUB_DEBUG for debug kernels (match vanilla Android for production + make the Nexus 9 kernel consistent)
  • -
  • kernel: add back page sanitization with verification too this time around
  • -
  • kernel: add missing slab.h corruption check from PaX
  • -
  • kernel: add slub free list XOR encryption (tweaked from grsecurity 4.8+ feature)
  • -
  • kernel: add back slub sanitization (new post-4.5 PaX style without memory overhead, but with zeroing since it's production only)
  • -
  • disable the system_other odex split for marlin/sailfish
  • -
  • add missing property to make the marlin/sailfish fingerprint scanner work
  • -
  • add --replace_verity_keyid to release signing script to fix marlin/sailfish verified boot
  • -
  • add public keys for releases to the marlin/sailfish kernel to fix marlin/sailfish verified boot
  • -
  • revert the AOSP change for marlin/sailfish disabling dm-verity for the vendor partition
  • -
  • Chromium: update from 55.0.2883.91 to 56.0.2924.78
  • -
  • Chromium: stop forcing WebView renderers to be 32-bit (revert of an upstream change in v56)
  • -
-
- -
-

2017.01.17.23.45.11

- -
    -
  • marlin/sailfish custom in-tree kernel builds
  • -
  • Chromium: disable form autofill by default
  • -
  • disable slub merging by default for non-PaX kernels too
  • -
  • stop disabling slub debugging support for the angler, bullhead and marlin/sailfish kernels
  • -
  • ignore slub_debug on the kernel line for the Nexus 5X since LG's bootloader passes slub_debug=FZP unconditionally
  • -
  • add back support for scrambling PIN layout
  • -
  • add PDF Viewer app based on pdf.js and content providers (no permissions)
  • -
-
- -
-

2017.01.04.05.44.59

- -
    -
  • update Silence from 0.14.6 to 0.14.8
  • -
  • bluetooth disabled by default (patch from Jon Richards)
  • -
  • sailfish / marlin vendor files generated by android-prepare-vendor instead of the nonsense from Google
  • -
  • latin keyboard: disable keypress sound by default across all form factors
  • -
  • enable integer sanitizer for sdcard again, with sanitizers disabled in a problematic function
  • -
  • rename SMSSecure apk / module to Silence
  • -
  • sensitive notification content hidden on the lockscreen by default again
  • -
  • January security update (android-7.1.1_r9)
  • -
  • migrate from nougat-mr1-release (android-7.1.1_r9) to nougat-mr1.1-release (android-7.1.1_r11)
  • -
-
- -
-

2016.12.25.22.27.39

- -
    -
  • SELinux policy: split system untrusted_app into untrusted_base_app
  • -
  • SELinux policy: untrusted_base_app: forbid text relocations
  • -
  • SELinux policy: untrusted_base_app: forbid dynamic code generation
  • -
  • SELinux policy: untrusted_base_app: remove asec access
  • -
  • SELinux policy: untrusted_base_app: remove dalvik cache execute
  • -
  • SELinux policy: untrusted_base_app: remove app_data_file execute
  • -
  • SELinux policy: split system isolated_app into isolated_base_app
  • -
  • SELinux policy: isolated_base_app: remove dalvik cache execute
  • -
  • Etar: update from 1.0.7 to 1.0.8
  • -
  • disable dynamic object size checks for getcwd with NULL (non-standard GNU extension)
  • -
  • QuickSearchBox: disable widget
  • -
  • Chromium: enable -fwrapv for clang
  • -
  • add missing whitelisting for LocalTransport backup service (upstream AOSP bug)
  • -
  • Nexus 6P: switch to /vendor/etc/audio_effects.conf from android-prepare-vendor
  • -
  • move compression from factory images generation to the release signing script
  • -
  • fix build with /usr/bin/python as python3
  • -
  • add our F-Droid repository to the defaults (it can be manually added for existing installs)
  • -
-
- -
-

2016.12.17.07.29.30

- -
    -
  • move from NMF26O (android-7.1.1_r4) to NMF26Q (android-7.1.1_r6)
  • -
  • enable bounds sanitizer for bluetooth.default.so again
  • -
  • disable bounds sanitizer for libbt-stack for now
  • -
  • hide keyboard gesture settings due to missing Google Play dependency
  • -
  • hide keyboard voice input key due to missing Google Play dependency
  • -
  • switch from default 4 byte file name padding for file-based encryption to 32 bytes (from @thegrugq)
  • -
  • add missing WallpaperPicker app
  • -
-
- -
-

2016.12.12.04.03.44

- -
    -
  • Chromium (including the WebView): update to 55.0.2883.91
  • -
  • fix detection of system apps updates by F-Droid
  • -
  • update Silence to 0.14.6
  • -
  • fix accessibility integration for the Extra security patch level field
  • -
  • fix some build non-determinism so target_files_diff.py detects no changes in a rebuild (i.e. smaller incrementals)
  • -
  • add back QuickSearchBox app to fulfill CTS requirements
  • -
  • disable QuickSearchBox launcher icon
  • -
  • disable QuickSearchBox launcher widget
  • -
  • disable bounds sounds for bluetooth.default until it's fixed
  • -
  • incremental updates are now considered stable and are being deployed over-the-air
  • -
-
- -
-

2016.12.07.07.47.51

- -
    -
  • regenerated vendor files with android-prepare-vendor now that it has proper API level 25 support
  • -
  • enabled gesture settings
  • -
  • updated F-Droid to 0.102
  • -
  • removed placeholder QuickSearchBox widget in the launcher
  • -
  • disabled reserved area for the QuickSearchBox widget in the launcher
  • -
  • fixed upstream PackageInstaller bug introduced in 7.1.1 showing unknown sources dialogs for first-party interactive installs
  • -
-
- -
-

2016.12.06.05.21.23

- -
    -
  • December security update, including migration to nougat-mr1-release (initial Android 7.1.1 branch) from nougat-mr0.5-release
  • -
  • disable integer sanitizer for sdcard service due to problems introduced with 7.1.1
  • -
  • fix Linux kernel CVE-2016-8655 (local privilege escalation)
  • -
  • Chromium: disabled hyperlink auditing by default
  • -
  • Chromium: added DuckDuckGo as the default search engine, including search suggestions
  • -
  • Chromium: updated to 55.0.2883.77
  • -
  • Chromium: mark the internal channel as stable rather than unknown due to not being com.android.chrome
  • -
  • fixed F-Droid version name
  • -
  • added signature verification to the over-the-air update client as an extra layer before recovery verifies them
  • -
  • remove redundant hash verification from the over-the-air update client now that it checks signatures
  • -
  • added compatibility with incremental (delta) updates from the update server
  • -
  • updated Silence to 0.14.5
  • -
  • remove priv_app app_data_file execution
  • -
  • bundle offline-calendar so that calendar functionality works out-of-the-box instead of adding an account failing without explanation
  • -
  • replace unmaintained AOSP Calendar app with Etar
  • -
-
- -
-

2016.11.27.21.33.03

- -
    -
  • Chromium: disabled contextual search, network prediction, navigation error correction and metrics by default
  • -
  • Chromium: disabled first run welcome (metrics) and data reduction proxy opt-in pages
  • -
  • Chromium: disabled other forms of data reduction proxy promotions
  • -
  • Chromium: update to 55.0.2883.63 (Beta channel)
  • -
  • changed update server domain (old server will continue to work)
  • -
  • permit shell user to enable the test update channel
  • -
  • send device type in the delta update request
  • -
-
- -
-

2016.11.21.18.36.19

- -
    -
  • rm a message from Settings referencing Google Play
  • -
  • stop incorrectly marking android.hardware.location.network as a supported feature (could be supported down the road)
  • -
  • removed mremap from Chromium system call whitelist
  • -
  • switched Chromium/WebView from -fstack-protector to -fstack-protector-strong
  • -
  • updated Chromium/WebView to 55.0.2883.53 (Beta channel)
  • -
  • marked F-Droid updates to system apps signed with different keys as incompatible
  • -
  • switched from ChromePublic.apk to ChromeModernPublic.apk (backported from master)
  • -
  • set a proper Chromium apk version name/code (rather than the default of "Developer Build" and "1")
  • -
  • implemented an initial way to test update infrastructure
  • -
-
- -
-

2016.11.16.11.42.49

- -
    -
  • disable unused AssetAtlas service
  • -
  • worked around upstream Pico TTS bugs by building it as 32-bit
  • -
  • updated Chromium and Chromium WebView to 55.0.2883.45 (switched from Stable channel → Beta channel for now so that WebView can be built from source again)
  • -
-
- -
-

2016.11.10.09.53.38

- -
    -
  • preload android.graphics.Typeface class to work around an upstream race condition (avoids Conversations crash)
  • -
  • updated Chromium WebView to 54.0.2840.85
  • -
-
- -
-

2016.11.07.22.55.37

- -
    -
  • disable bounds sanitizer for libstagefright_amrwbenc
  • -
  • added back __dynamic_object_size executable fast path
  • -
  • updated Chromium to 54.0.2840.85
  • -
  • removed ipset support from the Nexus 9, as IP blacklisting is unlikely to be reimplemented any time soon
  • -
  • temporarily disabled exec-based spawning for com.android.systemui
  • -
  • November security update (2016-11-06 patch level, unlike stock's 2016-11-05 patch level)
  • -
-
- -
-

2016.10.27.20.13.46

- -
    -
  • replaced several uses of strlen on untrusted binary data without a guaranteed NUL terminator
  • -
  • updated Chromium WebView to 54.0.2840.68
  • -
  • updated Chromium to 54.0.2840.68
  • -
  • set Chromium release channel to "stable" to disable StrictMode and fix the version information
  • -
  • added a field to Settings → About device listing vulnerability fixes not included in the latest Android patch level (does not include those without ids, and it's incomplete)
  • -
  • added back preloadResources to work around upstream bugs causing CtsWidgetTestCases to fail (100ms app start latency cost)
  • -
  • fixed a use-after-free in MediaHTTP
  • -
-
- -
-

2016.10.21.23.10.25

- -
    -
  • roll back the CyanogenMod CMUpdater base for the Updater app to the last working revision
  • -
-
- - - -
-

2016.10.19.01.33.44

- -
    -
  • backported commit from AOSP master removing access to /dev/snd/{seq,timer}
  • -
  • bumped Updater app to API level 24 due to a fix from CyanogenMod
  • -
  • disabled background clipboard access (can be reactivated in Settings → Security)
  • -
  • enabled doze and app standby
  • -
  • fixed early boot and recovery failures due to a subtle compatibility issue triggering out-of-memory
  • -
  • updated OpenBSD malloc to new version with multi-pool (not yet enabling it) and lighter junk-on-free for large allocations
  • -
  • made dynamic object size checks work for static executables again
  • -
  • add back __dynamic_object_size stack fast path
  • -
-
- -
-

2016.10.13.23.14.08

- -
    -
  • migrated from nougat-bugfix-release to nougat-mr0.5-release (no-op rename by Google)
  • -
  • extended dynamic object size checks to work with _FORTIFY_SOURCE functions
  • -
  • fixed dynamic object size queries to be fully async signal safe
  • -
  • extended dynamic object size checks to work inside libc itself
  • -
-
- -
-

2016.10.05.01.09.35

- -
    -
  • enabled up-front compilation again rather than relying on background compilation
  • -
  • extended new dynamic overflow checks to cover the same system calls as before
  • -
  • added missing initializer in surfaceflinger
  • -
  • added missing overflow checks in binder (caught by -fsanitize=integer regardless)
  • -
  • migrated from nougat-release to nougat-bugfix-release branch as the base
  • -
  • October security update
  • -
  • added more bounds sanitizer exceptions
  • -
-
- -
-

2016.10.01.19.24.44

- -
    -
  • add back madvise to the media seccomp policies (called by libbinder)
  • -
  • disabled bounds sanitizer for libsvoxpico (text to speech)
  • -
  • disabled bounds sanitizer for libstagefright_amrnbenc
  • -
  • reimplemented __dynamic_object_size/__malloc_object_size API
  • -
  • added back dynamic overflow checks for the read and write system calls (not yet the rest)
  • -
  • backported arc4random atfork fixes
  • -
  • backported patch to only set the stack guard value once
  • -
-
- -
-

2016.09.27.15.19.19

- -
    -
  • reimplemented changes preventing ART from trying to map oat files from /data/dalvik-cache
  • -
  • reimplemented removal of SELinux policy allowing reads of dalvikcache_data_file symlinks
  • -
  • reimplemented maximum password length increase (16 → 64)
  • -
  • reimplemented Settings app toggle for MAC randomization so that it can be disabled again
  • -
  • reimplemented debug and production kernel split for the Nexus 6P
  • -
  • disabled tethering provisioning again
  • -
  • removed widevine library (via android-prepare-vendor)
  • -
  • added vendor-board-info.txt to enforce bootloader/radio versions (via android-prepare-vendor)
  • -
  • drop madvise from the media seccomp whitelists since it isn't used by OpenBSD malloc by default
  • -
  • disable bounds sanitizer for libunwind due to a regularly invoked undefined behavior on at least arm64
  • -
  • disable bounds sanitizer for keystore due to a regularly invoked undefined behavior
  • -
  • reverted a broken upstream zygote-based spawning optimization to get keystore working again
  • -
-
- -
-

2016.09.23.17.14.14

- -
    -
  • force enable multiprocess sandboxed WebView (hidden as a developer option in stock)
  • -
  • removed obsolete developer options multiprocess WebView toggle
  • -
  • further reduce execmem based on not using the ART JIT and having out-of-process WebView
  • -
  • added back setting to control USB peripheral denial
  • -
  • pulled in minor upstream bug fix for the Updater app
  • -
  • disabled bounds sanitizer for libjni_latinime until the issues there are fixed
  • -
-
- -
-

2016.09.21.10.30.07

- -
    -
  • enabled bounds sanitizer by default for C++ again
  • -
  • enabled object-size sanitizer for SQLite
  • -
  • updated Chromium to 53.0.2785.124
  • -
  • updated Chromium WebView to 53.0.2785.124
  • -
  • fixed some undefined array accesses in bionic libc
  • -
  • added more exceptions from the bounds sanitizer
  • -
  • removed malloc configuration property handling for now due to property initialization changes in Nougat
  • -
-
- -
-

2016.09.17.19.33.24

- -
    -
  • enabled shift and signed-integer-overflow sanitizers for SQLite
  • -
  • disabled bounds sanitizer for a few more modules to work around bugs
  • -
-
- -
-

2016.09.16.14.31.32

- -
    -
  • add Qualcomm build utilities again, to restore missing hardware features
  • -
  • begin bringing back selective use of the object-size sanitizer
  • -
  • add back -fsanitize=bounds -fsanitize-trap=bounds by default for C code (not yet C++ again)
  • -
  • fix AndroidID-29431260 vulnerability (moderate severity)
  • -
-
- -
-

2016.09.14.05.23.28

- -
    -
  • updated Chromium to 53.0.2785.97
  • -
  • updated WebView to 53.0.2785.97
  • -
  • proprietary blob generation improvements
  • -
  • fix for CVE-2016-5343 for the 5X and 6P (does not impact Nexus 9)
  • -
  • added back -fwrapv for code where signed integer overflow checking is not enabled
  • -
-
- -
-

2016.09.09.07.12.48

- -
    -
  • switch ART from profile-based AOT compilation to full compilation since JIT profiling is disabled (verify-profile changed to interpret-only, speed-profile changed to speed)
  • -
  • initial Nexus 6P Nougat support
  • -
  • reverted upstream commits disabling dm-verity for the Nexus 5X and Nexus 6P vendor partition in AOSP (Nexus 9 not impacted)
  • -
-
- -
-

2016.09.07.19.27.04

- -
    -
  • September security update
  • -
  • replace our WebView builds with Google builds for now (Nougat support code is not public yet)
  • -
  • disable mremap code path in the OpenBSD malloc port to avoid violating standard seccomp whitelists
  • -
  • fix remaining Updater app Nougat compatibility issue
  • -
-
- -
-

2016.09.05.03.48.51

- -
    -
  • initial Nexus 5X port to Nougat, with some proprietary carrier nonsense missing
  • -
  • narrower scope for execmod/execmem in the SELinux policy
  • -
  • allow dalvikcache_data_file execute for isolated_app again (removed by mistake)
  • -
-
- -
-

2016.09.02.14.16.41

- -
    -
  • initial release based on Android Nougat, which has substantial security improvements in the base OS
  • -
  • ported many past features ported to the new base (not yet close to all features)
  • -
  • fixed various new AOSP issues
  • -
  • fixed / worked around various new compatibility issues with our features
  • -
-
- -
- -
-

Marshmallow

- -
-

2016.08.23.15.51.31

- -
    -
  • backport replacement of AT_RANDOM with arc4random for the ART base address
  • -
  • backported dlopen support for PIC oat files
  • -
  • backported dexpreopt support for prebuilt Java libraries
  • -
  • enabled WITH_DEXPREOPT_PIC for boot.oat
  • -
  • removed execmem auditallow for mediaserver (can be revisited with the mediaserver split in N)
  • -
  • removed dalvikcache_data_file execute access for everything other than shell, untrusted_app and isolated_app
  • -
  • enabled the stackable Yama Linux Security Module for ptrace_scope
  • -
  • added a system property for controlling ptrace_scope, usable by the adb shell user
  • -
  • set ptrace_scope=2 by default, disabling unprivileged access to ptrace
  • -
-
- -
-

2016.08.16.05.14.52

- -
    -
  • enabled WITH_DEXPREOPT_PIC to reduce the need for /data/dalvik-cache for the base system
  • -
  • minor kernel configuration adjustments (enable DEBUG_LIST, enable DEBUG_CREDENTIALS, disable INET_DIAG)
  • -
  • disabled unused kernel AIO support
  • -
  • updated Chromium-based WebView to 52.0.2743.98
  • -
  • updated Chromium to 52.0.2743.98
  • -
  • applied fix for CVE-2016-3866 to the Nexus 5X and 6P kernels (Nexus 9 not impacted, Nexus 5 does not appear to be)
  • -
  • extended fine-grained SELinux restrictions to /proc/vmstat and /proc/zoneinfo (only a few core services)
  • -
  • removed obsolete recovery menu entry for applying updates from SD card
  • -
-
- -
-

2016.08.09.06.24.33

- -
    -
  • removed some infrastructure for the unused shared relro feature (incompatible with exec spawning)
  • -
  • removed support for partial junk-on-free, making full junk-on-free into the default
  • -
  • implemented and enabled Clang sanitizer for zeroing uninitialized local variables
  • -
  • applied fix for CVE-2016-5340 to the Nexus 5X and 6P kernels (Nexus 9 is not impacted)
  • -
-
- -
-

2016.08.05.15.15.34

- -
    -
  • extended access to /proc/interrupts and /proc/stat to msm_irqbalance on the 5X and 6P
  • -
  • updated Chromium-based WebView from 52.0.2743.83 to 52.0.2743.91
  • -
  • updated Chromium from 52.0.2743.83 to 52.0.2743.91
  • -
  • only support SELinux enforcing mode in production (user) builds
  • -
  • worked around use-after-free caught by page cache protection in the proprietary 5X/6P camera service
  • -
-
- -
-

2016.08.02.00.49.57

- -
    -
  • restrict access to /proc timing information to prevent sensitive data leaks via timing side channels
  • -
  • backported fix for get_nproc() to avoid depending on /proc/stat
  • -
  • enabled malloc canaries by default and moved them from 70% to 50% on the performance vs. security slider
  • -
  • backported a tiny patch series for Parcel to reduce noise from SELinux denials
  • -
  • August security patch level
  • -
  • perf events restrictions landed upstream and were backported, so they're now part of the AOSP base
  • -
-
- -
-

2016.07.24.12.17.03

- -
    -
  • updated WebView to 52.0.2743.83
  • -
  • updated Chromium to 52.0.2743.83 and re-enabled Chromium linker to bypass bugs
  • -
  • added back shared library preloading to work around Chromium linker bug
  • -
-
- -
-

2016.07.21.04.12.20

- -
    -
  • made stack canary global read-only after initialization
  • -
  • began purging alloca and variable length arrays across Android
  • -
  • added Qualcomm utility functions used but not provided by AOSP's build system (fixes a few bugs, and should improve 5X/6P power usage)
  • -
-
- - - -
-

2016.07.03.03.18.57

- -
    -
  • updated F-Droid to v0.100.1 from v0.100
  • -
  • enable netfilter rpfilter support on the Nexus 6P
  • -
  • port of grsecurity's DEVICE_SIDECHANNEL feature
  • -
  • set malloc to abort on out-of-memory by default (see technical overview for rationale)
  • -
  • fixed libdmengine.so symlinks (does not appear to fix Sprint support)
  • -
-
- -
-

2016.06.17.11.52.32

- -
    -
  • disabled unused AssetAtlas service (incompatible with exec-based spawning)
  • -
  • disabled Zygote preload step again
  • -
  • built-in Exchange support was removed upstream for the Nexus 5 and 9, similar to the 5X and 6P
  • -
  • fixed build for the generic x86/x86_64 targets
  • -
  • updated the baseline updater code from CyanogenMod, fixing a changelog-related crash
  • -
  • ported a minimal version of grsecurity's DENYUSB feature to the kernels (kernel.deny_new_usb sysctl)
  • -
  • hooked up deny_new_usb to the lockscreen to offer automatic toggling based on lock state
  • -
  • exposed deny_new_usb in Settings → Security → Device Security with 3 states: enabled, dynamic, disabled
  • -
  • updated F-Droid to 0.100 from 0.99.2
  • -
  • set deny_new_usb feature to the dynamic mode by default
  • -
-
- -
-

2016.06.06.21.23.39

- -
    -
  • tweaked perf_harden property handling to avoid potential races
  • -
  • exposed perf_harden to the shell user, made it non-persistent and removed the Settings app toggle
  • -
  • updated Chromium apks (arm, arm64) to 51.0.2704.81
  • -
  • updated WebView apks (arm, arm64) to 51.0.2704.81
  • -
  • dropped PaX support for the deprecated (but still supported) Nexus 5 target
  • -
  • June security update
  • -
-
- -
-

2016.05.28.01.02.27

- -
    -
  • removed leftover legacy permission model toggle on the 5X/6P
  • -
  • fixed upstream bug in AppCompat support to avoid a NullPointerException in DeskClock
  • -
  • fixed support for non-platform signature permissions in third party apps
  • -
  • minimal port of grsecurity's PERF_HARDEN feature (kernel.perf_event_paranoid=3)
  • -
  • added a toggle for profiling support in developer options
  • -
-
- -
-

2016.05.24.21.38.49

- -
    -
  • use -fstack-protector for the Nexus 9 kernel (required backports)
  • -
  • updated Silence to 0.14.3
  • -
  • roll back DeskClock translation changes from AOSP on the 5X/6P to work around various issues
  • -
-
- -
-

2016.05.17.11.18.09

- -
    -
  • ignore persist.security.perf_harden values less than 1 to avoid adding system→root attack surface
  • -
  • set persist.security.perf_harden=2 by default, rather than writing to /proc/sys directly
  • -
  • enable -fstack-protector-strong for the Nexus 5X and 6P kernels
  • -
-
- -
-

2016.05.17.00.50.04

- -
    -
  • disabled scanning MAC randomization on the Nexus 5X to avoid authentication failure (requires network settings reset)
  • -
-
- -
-

2016.05.14.04.14.03

- -
    -
  • compression disabled in the inner factory images zip, resulting in a significantly smaller tar.xz
  • -
  • removed forced disabling of malloc junk filling for mediaserver on the Nexus 5X for now
  • -
  • full MAC randomization for the Nexus 6P (no builds yet)
  • -
  • remove legacy permission toggle feature for now, as it needs to be reimplemented
  • -
-
- -
-

2016.05.08.05.30.34

- -
    -
  • add back Exchange to marshmallow-mr2-release (Nexus 5, 9), since Google published tags
  • -
  • switch to xz from gzip for factory images (not a big improvement yet due to inner zip compression)
  • -
  • expose malloc quarantine size as a setting in Security → Advanced
  • -
  • wire up the malloc quarantine size option to the performance vs. security slider
  • -
  • avoid abort when the malloc quarantine is set to zero size
  • -
  • fix use-after-free/double-free mitigations with the maximum malloc quarantine size
  • -
-
- -
-

2016.05.03.18.54.15

- -
    -
  • May security update (MTC19T for 5X, MOB30J for 5 and 9)
  • -
  • custom boot animation
  • -
  • configurable malloc quarantine size (not yet exposed in Settings)
  • -
-
- -
-

2016.04.26.16.55.03

- -
    -
  • avoid benign unsigned overflow in sdcard service caught by -fsanitize=integer
  • -
-
- -
-

2016.04.25.16.44.01

- -
    -
  • always randomize pre-associated MAC address via wpa_supplicant (requires WiFi settings reset to kick in)
  • -
  • hide the no-op legacy grant toggle for non-owner users
  • -
  • improved heap canary generation (each unique, not unique per-page)
  • -
  • enable bounds, integer and object-size sanitizers for sdcard service
  • -
  • migrated the Nexus 5 and 9 to marshmallow-mr2-release branch (first tag is 6.0.1_r30)
  • -
  • updated SMSSecure to 0.14.1 (note that it has been renamed to Silence upstream)
  • -
-
- -
-

2016.04.15.02.07.53

- -
    -
  • added setting for disabling legacy handling of dangerous permissions
  • -
-
- -
-

2016.04.10.03.35.03

- -
    -
  • updated Chromium to 49.0.2623.105
  • -
  • updated WebView to 49.0.2623.105
  • -
-
- -
-

2016.04.06.11.37.02

- -
    -
  • migrated Nexus 5X to the new marshmallow-dr1.5-release branch
  • -
  • significant upstream performance and battery life improvements
  • -
-
- - - -
-

2016.03.27.04.15.10

- -
    -
  • set default SQLite journal mode to TRUNCATE, not PERSIST
  • -
  • hostname is now randomized by default on boot
  • -
  • applied fix for CVE-2016-0774 to the kernel
  • -
  • updated F-Droid to 0.99.1
  • -
-
- -
-
- {% include "footer.html" %} - -
diff --git a/templates/header.html b/templates/header.html
index 0ab95a71..f73a3eb1 100644
--- a/templates/header.html
+++ b/templates/header.html
@@ -2,17 +2,13 @@