The Android bug reporting/fixing process is well understood; it's just
that it ends with 'released into source tree.'

As far as the Android team are concerned, they seem to feel that this
is where their responsibility ends.

It seems that it is up to the OEMs to figure out how to create a patch
from the source and push it.

I personally think this is a fundamental error in the Android model,
as there is no mechanism to ensure that OEMs and carriers distribute
fixes and updates in a timely fashion.

I get that there are a myriad of devices of all kinds that have various
ports and flavours of Android so universal patching may never be
possible, but the major players that are licensed to distribute Google
apps and access the Market have to conform to a minimum compatibility
level in order to be certified, so how hard would it be to require
them to implement a standardised patch mechanism?

On Jan 17, 5:58 am, Hadi Nahari <[email protected]> wrote:
> I do care and echo R_NZ and Jan's sentiments. I do realize that a
> responsible policy or process could look something like:
>
>    1. Collect/find vulnerability (V)
>    2. Inform device manufacturers & partners (P) first, if V is critical
>    3. Agree on the fix (F) and delivery vehicle/time (T)
>    4. Push F at T
>       1. Or ensure P members push F
>    5. Disclose the V and F sometime after T
>
> Lack of response from the Google team on this topic is out of character.
> I've never liked the following strategy but there are situations like this
> that encourage white hats and security researchers to find a vulnerability,
> call the vendors and give them only 24 hours to fix, and then disclose the
> details next day in IRC. This is an opportunity for the Android team to work
> closer and in a more open manner with the community.
>
> -Hadi
>
> This email reflects my personal opinion.
>
> On Sun, Jan 16, 2011 at 5:39 AM, Jan Niggemann <[email protected]> wrote:
>
> > The problem is that you don't realize that there are issues to be patched
> > or bugs to be fixed in the first place!
>
> > I already tried to bring attention to that problem, please read this thread
> > and draw your own conclusions.
>
> > http://groups.google.com/group/android-security-discuss/browse_thread...
>
> > I'm still using my android phone 'cause it was an expensive device, but the
> > only one I'll remotely consider will be one from Google itself. At least you
> > can be sure to get some updates.
>
> > As much as I dislike them, Microsoft really did well with the update
> > mechanism for their phone OS...
>
> > I'm still waiting for these issues to be resolved:
> > - Google doesn't provide information about security problems (mailing list,
> > google group, web page)
> > - Google has no means to force the manufacturers to push out updates to the
> > phones
> > - You have no means to get updates on your own either
>
> > 2011/1/14 R_NZ <[email protected]>
>
> > In practice it looks like no-one has cared about it since day one.

-- 
You received this message because you are subscribed to the Google Groups 
"Android Security Discussions" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/android-security-discuss?hl=en.