That makes Google’s promise here so key. 5 years of updates is 5 years of kernel level fixes. After that, it’s probably left up to the community.
I really don’t recommend people to go out and buy abandoned Android phones to flash software. LineageOS and other community projects are a blessing in many many ways, but they don’t make your phone completely up to date. And that’s something one should make an informed decision about (buying an iPhone, I decided against that).
> LineageOS and other projects can’t fix things in kernels they can’t compile
I think that you're wrong on this, that is unless you decided to use term "kernel" above too liberally, referring to all software running on a device. AFAIK, alternative Android images, such as LineageOS, include relevant - and quite up-to-date! - AOSP common kernels (aka Android common kernels or ACKs; https://source.android.com/devices/architecture/kernel/andro...), which are open source, plus some manufacturer-specific proprietary binary drivers and firmware (though there exist a related, but slowly-moving, project Replicant focused on creating and maintaining a fully open, i.e., kernel + drivers + firmware, Android distribution: https://replicant.us).
Some diligent LineageOS projects are known to incorporate some open source kernel fixes sometimes, or grab newer blobs from other phones from other devices. But there’s only so much to they can do. In general, it’s true to say that older devices with community Android support are not completely up to date - the kernels are old, and vendor drivers are not getting updated. Outside of making big usability concessions in projects like Replicant, the community can’t do much here.
AFAIK, the only way to run it with working drivers for all hardware components, are ROMs which use the rusty 3.0.101 Linux kernel from back in the day and I think that is what DCKing is referring to. If you want to create a new ROM, you either have to use the old kernel and have an upper Limit of Android 7.x (in this case) or you have to accept, that not all components are supported (e.g. no GPS).
I would be glad if the situation would be different. Maybe it is different for phones you buy today?
Having said that, I ran across the following post that describes successful installation of LineageOS 18.1 (Android 11) ROM on Samsung Galaxy S3 i9300: https://devsjournal.com/install-lineage-os-in-galaxy-s3-i930.... This is just FYI. So, if you understand relevant risks and feel adventurous, you can try to install it on your device. Disclaimer: I'm neither affiliated with the author of the post, nor responsible for any damage that might be associated with following the advice contained in the above-linked post.
So, Nexus6 released in 2014 will be able to run the latest android, fully security patched including kernel (which is not that important), till about 2026.
Now let's keep in mind that I replied to a guy who said how great it is that ios has more longevity.
This is why CalyxOS now makes it clear what devices they support are still getting full security updates (kernel + firmware blobs) or just kernel updates. I believe the most recent CalyxOS patch added the ability for the user to see in settings the month and year of the last firmware security update for their device vs their current kernel security update.
In addition, I'm unsure why you think you can't update the kernel on a phone. In fact, updating the kernel is standard procedure for... pretty much all directions on flashing a custom ROM. I had my nexus6 on kernel 4.9.3. There are literally new phones, right now, selling with that kernel version and earlier, with android11.
This is like saying windows server 2016 has a kernel that's outdated, or that windows 10 which came out in 2015 is outdated.
I think you are extremely confused.
>I really don’t recommend
Which is a good thing, because you should not be recommending about things you do not understand on even a basic level.
>After that, it’s probably left up to the community.
right. the entire point of my post. you can load stuff from the community. which includes the community of things like lineage - a big official community that's an llc - a corporation like redhat.
A phone is not a server. It is not a security risk to run an outdated kernel. there are no services running a hacker can connect to. You don't connect to a kernel over the internet. A kernel which is by no means out of date, and is currently running in many datacenters.
The kernel also still plays a vital and security-meaningful role in processing calls from applications.
Running an out of date kernel could mean strangers ransoming your data, or could mean an attack becomes persistent and starts logging and uploading through reboots.
Running an out of date kernel often does not result in this, and that higher level security matters first.
However, the kernel does have an attack surface through those higher levels, and pwning the kernel still means something.
Those datacenters are running LTS kernels with minor versions updated, or have security patches backported, or have far more limited connections to the world than your phone — only one protocol, one port, one service, for example.
One example, since you asked: https://thehackernews.com/2019/10/android-kernel-vulnerabili...
> Smartphones aren’t servers, but they run tons of services that
> interact with the surrounding world. Bluetooth, WiFi, etc…
The issue you note is only exploitable via a bug if you have an outdated version of the chrome browser. You don't need to update the kernel, in order to update an application.
Seriously, I feel like I'm talking to my wife here, who is not a tech person. Why are you and the other couple of people being purposely dense, and purposely ignoring the content of your own links that doesn't fit your viewpoint?
BTW, after you said smartphones aren't servers, you go on to talk about why an older kernel is bad on servers.
But since you asked, the latest 4.9.3 kernel running on that nexus6 from 2014, that's been compiled appears to be from the end of the year 2019.
This is after one hasty search. https://source.android.com/security/bulletin/2016-10-01
There are various kernel level vulnerabilities listed. Some weakening privacy over tcp connections, others locally exploitable via a malicious app such as Pegasus.
I don't understand why you call him confused. Perhaps you can approach with curiosity instead.
In those five minutes of looking through your garbage dump, I found Zero vulnerabilities that do not need either you installing a virus, which then gets root (the vulnerability), or a bug in an application running as root that's out of date, which then of course gives the attacker of the application root. None of those are valid examples, and I'm now bored digging through random garbage.
Any hack, in Any application, will give the attacker root - we're running rooted phones (for the extra functionality).
If you want to make a point, note the actual bug listed that does not need a compromised application. You installing a virus then the virus getting root does not count. The thread is about a kernel bug giving a remote attacker control of your phone. Applications and drivers like your modem can be updated without you updating the kernel. The latest N6 kernel is 4.9.3, with updates from the end of 2019.
> I had my nexus6 on kernel 4.9.3.
I find this very hard to believe, as no evidence of Nexus 6 kernels that are not Google's original 3.10 shipped exists that I can find. Even PostmarketOS that looks to update kernels links to LineageOS fork of the 3.10 kernel on their page for shamu/Nexus 6.
Unless you mean a custom kernel from "some guy on XDA" that names itself 4.9.3 like this one - which is just kernel 3.10 with some branding on it. It says so right in its description: https://forum.xda-developers.com/t/kernel-sm-4-9-3-o3-graphi... . Kernel 4.9.3 is a weirdly specific point release to be on in modern times anyway - there's kernel 4.9.0 all the way up to 4.9.287 - so it'd definitely be oddly specific if that's what you had.
Outside of valiant community efforts like Replicant and PostmarketOS, who have an extremely hard time getting working or feature complete kernels running, Android devices getting new kernels is almost unheard of. Even with vendor support. Community ROMs have to stick with what the vendor gave them to have a functional device.
Your car has pieces that run linux too. Guess an attacker can make you crash.
> drivers
since this is about iphone and android comparison, guess what has those same driver blobs form those same exact manufacturers. apple doesn't make their own bluetooth chips. oh, btw, the drivers get updated just fine, since that's part of the kernel and os, which all get updated just fine.
google supports kernel 4.1 till 2024 for android 11. the nexus from 2014 runs 4.9. so probably 2026 kernel and android, fully patched - 12 years.
oh, sorry, did you forget this thread started with a guy claiming ios is great because you can put later versions of the OS on there? where's that iphone from 12 years ago running the latest version of ios, and still performing fast? because that's what this thread is about.