Blaming Google for not updating your non-Nexus Android phone is like blaming Linus Torvalds for not updating your Cisco router from your ISP just because it uses Linux.
Android is based on AOSP, which Google does not control because of the license. Not sure why, especially on HN, people do not seem to understand or want to understand how open source licensing works.
It's not as simple as that. Android may be open source, but Google can set the terms under which manufacturers can use the Android trademark and sell phones with access to the Play store and other Google services.
AFAIK they did amend those licenses to contain mandatory updates for some time after a device first hits the market, so it's definitely something they're actively trying to improve. It's probably not the easiest thing to solve, because manufacturers might decide to fork Android if they'd go too far, so they have to keep a balance.
I don't think this is true. Google could have handled Android licensing in such a way that resellers were required to patch security holes within a certain amount of time after release.
AOSP is a software license, and governs contributions and replication. The agreements whereby various vendors get rights to sell and distribute Android devices are between Google and the various vendors. If Google had so chosen they could have added conditions to those agreements whereby vendors would be required to apply security updates within some reasonable amount of time. They did not do so in order to increase their marketshare. This decision hurt the platform, at least insofar as security is concerned.
It was a choice: marketshare vs. security. Google chose marketshare.
AOSP is not a software license. AOSP is the name of the open source project (like Chromium is to Chrome); the license of AOSP is Apache Software License, Version 2.0 (and some GPL and LGPL stuff).
They're giving the example and providing the fixes themselves in a "stable patch release" rather than let every other company figure out what and when to patch each in their own way. And it affects the ecosystem because two (for now) other major manufacturers are following it, as said in the very first paragraph of the article ...
> The first update is being pushed out today, and the company said that other Android handset manufacturers are planning to follow suit and provide monthly updates to carriers. [...] The change from Google, LG, and Samsung [...] Adrian Ludwig, lead engineer for Android security at Google, said the company plans more frequent updates for Nexus users and for other handset makers
> From this week on, Nexus devices will receive regular OTA updates each month focused on security [...] Both LG and Samsung, two of the larger Android manufacturers, have committed to getting those updates to carriers more quickly
It currently can't do anything about the non-Nexus market. This is because the manufacturers and operators are responsible for dealing with sending anything out of the door.
It would be fantastic if Google was able to have a version of Android that was the same across all capable devices and the manufacturer's customizations are all userland.
It helps in exactly the same way the Nexus program is supposed to work: it influences the other OEMs, providing an example of good practices that they will hopefully follow. Samsung also announced yesterday that they would be moving to a monthly schedule for security updates.
Google issues bulletins and security patches to the manufacturers. Nothing is stopping Samsung, HTC, Motorola, etc from having a monthly security update system like this one that the Nexus devices will have.
> Nothing is stopping Samsung, HTC, Motorola, etc from having a monthly security update system like this one that the Nexus devices will have.
Why would they do that when they can just sell new handsets? They have no financial incentive to do that, and that's where the Android platform fails.
Because for all these manufacturers Android is just a free OS they don't have to maintain to begin with. They (most) are not in the business of selling software services. It's up to Google to find a way to force updates upon consumers, or these manufacturers will just blame Google for their problems.
Google owns Android; each time an exploit is found it hurts Google, not HTC nor Samsung.
You can't paint all carriers with one brush like that. Any BYOD phone on a BYOD-friendly network should be upgradeable directly by the manufacturer (or by Google--it would be up to the manufacturer to set that up).
The issue is with networks that don't allow non-carrier approved phones. Don't let them shift blame. They've decided to be bullies in their sandbox, so if you get sand in your eyes, take your money elsewhere.
Verizon may have a great network (I wouldn't know, they won't let me bring my own phone and none of their phones interest me). It helps lock customers in, but their phone policies also leave them vulnerable (and roped into an expensive hidden-cost upgrade treadmill).
The Google ecosystem. If you want to ship a phone with Play, Maps, Gmail etc. you have to commit to supporting it with patches for N years where N is greater than or equal to 2.
As has been pointed out, Google doesn't do this for fear that the manufacturers will walk and as such has prioritized market share over security.
Google holds all the cards in solving Android's security patch problem. The fact that they haven't done anything about it says volumes.