
Mitigations are attack surface, too - archimag0
https://googleprojectzero.blogspot.com/2020/02/mitigations-are-attack-surface-too.html
======
pjmlp
The irony of Google security blog giving advice to a problem that the company
is responsible for it happening in first place.

Had they placed update requirements as part of the Play Store contract,
vendors would be more keen in providing the said updates.

~~~
CiPHPerCoder
The irony is real, but I appreciate P0's transparency here.

------
CiPHPerCoder
> On Android, it is normal for vendors to add device-specific code to the
> kernel.

[https://i.imgur.com/DnRNrZe.png](https://i.imgur.com/DnRNrZe.png)

Normal for Android : Normal in general :: Madness : Sanity

> This code is a frequent source of security vulnerabilities.

If the first sentence was the shot, that's the chaser.

~~~
izacus
Your snark is very welcome, but do you have any proposal of how do you add
support for a new Qualcomm SoC, GPU and it's camera modules without modifying
the kernel? Or for their basebands?

Linux still has pretty much no path of adding these in userspace, neither it's
interested in a stable ABI.

And no, forcing the only big SoC manufacturer in the world to opensource their
drivers isn't really going to work.

~~~
tasogare
Why Linux doesn't have a driver framework? That's seems the problem here. It
exists in Windows, FreeBSD and probably elsewhere too.

~~~
adrianN
To encourage people to either open source their drivers so that they can be
maintained inside the kernel tree, or to pay the cost of updating their stuff
themselves so that Linux kernel hackers don't have to pay for backwards
compatibility.

~~~
pjmlp
It does wonders for those stuck with AMD cards on their laptops not supported
by the open sourced driver.

~~~
underlines
if i understand the discussion correctly user space drivers could not help,
right? and sadly, user space drivers in android are fairly limited.

[https://developer.android.com/things/sdk/drivers](https://developer.android.com/things/sdk/drivers)

