Security Updates

[alanupson]

Hi Could someone kindly provide advice relating to security aspects of the Android part of Maru OS? Is a Nexus 5 running Maru v 0.6.6 Android v Oreo 8.1.0 safe to use via the mobile network or Wi-Fi as a daily phone to check emails and browse the internet on the phone? The current Security Patch is dated 5 February 2019. For comparison, Lineage OS on an original Pixel has nightly updates. Regards Alan.

[pdsouza]

Hi Alan! I wrote up a wiki page with all the details on this. In short, Maru will merge security patches once a month from upstream AOSP. For legacy devices that have passed their official security update period (like the Nexus 5), we will continue to merge the device-independent security patches but cannot update the closed vendor binaries since the vendor has discontinued support for them. This is essentially the same policy that LineageOS uses.

We have been late getting the security patches out the past few months and I apologize for that. We are about to release v0.6.7 which contains the security patches up through August 2019 and this will be available shortly. Going forward, I will make it a point to release updates once a month as the Android security patches come out. We have recently made some improvements in our build process to automate a large portion of the work to get new releases out so we can get these releases out on time in the future.

Also, note that LineageOS's nightly updates do not usually contain security patches every night - as mentioned in the wiki, these come out once a month from the Android Open Source Project (AOSP) and LineageOS pulls those patches once a month. Since Maru 0.6 is based on LineageOS, we in turn pull these patches from LineageOS once a month as well.

[alanupson]

Hi Preetam, thanks for the information. As suggested, I have managed to update to MaruOS v0.6.7 which has given me android security update 5 August 2019. The Linux part displays well. However, it uses kernel 3.4.0, and I wonder if this might be a security risk bearing in mind that many Linux OS's are now using kernel 5.1 or similar versions (which apparently offer a bit more protection against spectre and meltdown for example). Same question for Firefox ESR v60.9 (although Firefox is not currently working for me with Maru). I also wonder if systems of the type offered by Samsung DeX and Oreason Keydock might turn out to be more secure (if used with a phone less than say no more than two years old). Your advice will be welcomed. Sorry I have more questions than answers!

[pdsouza]

Yes, the N5 kernel is old...unfortunately upgrading the device kernel is a huge undertaking due to custom Android patches. The two things that can't feasibly be updated when a device is outside the official support period is the kernel and proprietary device binaries.

If you are concerned about this, I would suggest picking up newer hardware well within the security support period for your daily driver and using your N5 at home as a Linux workstation or experimental device. If you do pick up new hardware, I would suggest devices that supports native HDMI as Maru will likely support them first. We will do our best to support newer devices in the future.

Regarding Firefox, I will be releasing a fix for Firefox on 0.6.7 in 0.6.8 shortly. There is a workaround if you read our release notes. We will also be upgrading to Debian Buster soon, which will contain a more recent version of FF.

[luka177]

idk but nexus 5 have good mainline support ...