As a practical matter, there is a large difference between Google
employees fixing something in git vs waking up to find that your
carrier has pushed an OTA update to your phone.

The irony of course is that the only way to stay patched on most
consumer phones is to exploit one of the current bugs to obtain
do-it-yourself update permissions ;-)

jan wrote:
> Hi,
>
> citing http://developer.android.com/guide/appendix/faq/security.html#informed
> "We will publicly announce security bugs when the fixes are available
> via postings to the android-security-announce group on Google Groups."
>
> That particular group is empty (except for a welcome post).
> I can hardly believe that there were no security bugs in the past - or
> are they all unfixed and therefore not published?
>
> Anyway, Google (through its employee Tavis Ormandy), goes for
> "responsible disclosure":
> "Serious bugs should be fixed within a reasonable timescale. Whilst
> every bug is unique, we would suggest that 60 days is a reasonable
> upper bound for a genuinely critical issue in widely deployed
> software.
> [...]
> We of course expect to be held to the same standards ourselves."*
>
> If I remember correctly, Google is a huge player in the Open Handset
> Alliance. Applying this policy to Android security would lead me to
> the conclusion that there are no security-relevant bugs in Android
> that are older than 60 days.
>
> Is that true?
> Regards
> jan
>
> *http://googleonlinesecurity.blogspot.com/2010/07/rebooting-responsible-disclosure-focus.html

-- 
You received this message because you are subscribed to the Google Groups 
"Android Security Discussions" group.