[Discussion] Monthly Security Patch Updates

By MishaalRahman, Editor in Chief on 30th January 2018, 04:22 PM
The brilliance of Project Treble is that it allows us to flash to /system a generic AOSP Oreo build and have it boot without needing to modify anything else.

However, monthly security patches often require fixes in vendor, boot, or other partitions, which phhusson's ROM won't cover. The AOSP build will only patch vulnerabilities against the Android Framework, but nothing else.

So the question is, what would be the best way to handle monthly security patches? Thinking about it and discussing with phhusson, it seems like it will be a pain in the ass. You would have to download a monthly full OTA, extract all of the non-system partitions, and fastboot flash each of the images. This can probably be automated, but it's not as simple as other ROM updates.
The Following 8 Users Say Thank You to MishaalRahman For This Useful Post
31st January 2018, 01:39 AM |#2  
Senior Member
That's a good question, and something I've wondered about also. Would a vendor send out updates for just the (new) vendor partition? Would they only be included in full updates (necessitating reflashing an after market rom)?

And, as you mention, what about security updates? If it involves hardware, will the vendors now handle that?

It's pretty confusing, but, if updates and everything all come at once (and we have to wait for them all to be done), then why are we doing Treble anyway?

Seems the answers are YTBD.
The Following User Says Thank You to AsItLies For This Useful Post
31st January 2018, 04:28 AM |#3  
MishaalRahman, OP, Editor in Chief
Quote:
Originally Posted by AsItLies

That's a good question, and something I've wondered about also. Would a vendor send out updates for just the (new) vendor partition? Would they only be included in full updates (necessitating reflashing an after market rom)?

And, as you mention, what about security updates? If it involves hardware, will the vendors now handle that?

It's pretty confusing, but, if updates and everything all come at once (and we have to wait for them all to be done), then why are we doing Treble anyway?

Seems the answers are YTBD.


The OEMs are the ones who are still pushing updates. Vendors patch their stuff and then send the source code or the patched binaries to the device maker (OEM).

The stuff we would need would only be included in full OTAs.

We already know how this should be handled, it's just a massive PITA right now because you have to download the full OTA, extract all the patched partitions, then flash them over your existing ones (save for /system which is the AOSP build).
The Following 2 Users Say Thank You to MishaalRahman For This Useful Post
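The manual procedure described in the first post and repeated above (flash every extracted partition image except /system), sketched as an added example that is not part of the original thread. It assumes the images have already been extracted from the full OTA into one directory as `<partition>.img`; the function names, `SKIP_PARTITIONS`, and the directory layout are hypothetical, and the `_a`/`_b` suffix assumes an A/B device whose partitions are named that way.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes DIR holds <partition>.img
# files already extracted from a full OTA (extraction itself is not shown).

# Partitions left untouched because the generic AOSP build lives there.
SKIP_PARTITIONS="${SKIP_PARTITIONS:-system}"

# build_flash_plan DIR [SLOT]
# Prints one 'fastboot flash <partition> "<image>"' line per image in DIR.
# SLOT (a or b) targets <partition>_<slot> on A/B devices; omit on A-only.
# Nothing is printed unless every image passes the checks.
build_flash_plan() {
    dir=$1
    slot=${2:-}
    plan=""
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 1
    fi
    for img in "$dir"/*.img; do
        [ -f "$img" ] || continue          # glob matched nothing
        part=$(basename "$img" .img)
        skip=0
        for s in $SKIP_PARTITIONS; do
            if [ "$part" = "$s" ]; then skip=1; fi
        done
        if [ "$skip" -eq 1 ]; then continue; fi
        if [ ! -s "$img" ]; then           # zero-byte image: bad extraction
            echo "empty image, refusing to plan: $img" >&2
            return 1
        fi
        if [ -n "$slot" ]; then part="${part}_${slot}"; fi
        plan="${plan}fastboot flash ${part} \"${img}\"
"
    done
    printf '%s' "$plan"
}

# Constructed sample input: placeholder files standing in for real images.
demo_plan() {
    demo_dir=$(mktemp -d)
    for p in boot system vendor; do
        printf 'placeholder' > "$demo_dir/$p.img"
    done
    build_flash_plan "$demo_dir" "${1:-}"
    rm -rf "$demo_dir"
}
```

The function only prints the plan; review the lines before running them with the device in bootloader mode.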
3rd February 2018, 05:17 PM |#4  
rignfool, Senior Member
Wouldn't... At least for A/B devices... Something like flashfire work exceedingly well...

As @Chainfire wrote the program... It will take OTAs and split them... At least it did on my Nexus 6...

I'm sure flashfire isn't FOSS... But I'd bet that someone could make something similar without stealing... And then the other slot would get the update as a one click...

For the A only... Having it work similar to the way flashfire does now would be acceptable? No?

Sent from my PH-1 using Tapatalk
9th May 2018, 07:36 AM |#5  
CosmicDan, Senior Member
Hmm, this is probably a big reason why the uptake on Treble has been almost zero. Makes things more difficult to maintain.

Maybe it could be handled in TWRP? If automated at all.

Quote:
Originally Posted by MishaalRahman

Vendors patch their stuff and then send the source code or the patched binaries to the device maker (OEM).

You mean "ODM".
29th July 2018, 01:14 AM |#6  
Senior Member
Quote:
Originally Posted by CosmicDan

Hmm, this is probably a big reason why the uptake on Treble has been almost zero. Makes things more difficult to maintain.

Maybe it could be handled in TWRP? If automated at all.



You mean "ODM".

Yeah, I'm quite surprised that Treble is not really popular.
Many devices have Treble support now, and even though there are some issues, it means that devices will get many updates in the future.
29th July 2018, 11:53 AM |#7  
Junior Member
Quote:
Originally Posted by MishaalRahman

The brilliance of Project Treble is that it allows us to flash to /system a generic AOSP Oreo build and have it boot without needing to modify anything else.

However, monthly security patches often require fixes in vendor, boot, or other partitions, which phhusson's ROM won't cover. The AOSP build will only patch vulnerabilities against the Android Framework, but nothing else.

So the question is, what would be the best way to handle monthly security patches? Thinking about it and discussing with phhusson, it seems like it will be a pain in the ass. You would have to download a monthly full OTA, extract all of the non-system partitions, and fastboot flash each of the images. This can probably be automated, but it's not as simple as other ROM updates.

Is there a reason we can't just copy exactly how the OEMs send their updates?