spacestr

Final
Member since: 2024-09-25
Final
Final 11h

Availability of devices to the people working on the port. Don't worry, they'll get GrapheneOS at the same time too.

Final
Final 12h

Today is the official release day for Android 17. We've already fully ported #GrapheneOS to Android 17 and are in the process of pushing the code to our public repositories. We're building a final official release based on Android 16 QPR2 today and we'll do an initial Android 17 release tomorrow. We've already tested the Android 17 port of GrapheneOS on the Pixel 6a, 7, 7a, 8, 10a, 10 and 10 Pro Fold. It will be possible for people to start building and testing it themselves later today once we finish pushing the code. We'll start the process of public testing for official releases tomorrow.

#GrapheneOS
Final
Final 10d

2. It's a Google / AOSP issue: they deliberately hold back patches to critical / high vulnerabilities for over a month. It's also an issue of the OEMs who have this early access but don't issue all the patches. GrapheneOS Security Preview does.

Final
Final 10d

OEMs get early access to the patches and are allowed to push them on their OS, but no one does them all. Google and Samsung do a small amount of them. Since they are embargoed and not open source immediately, they aren't released into AOSP until months later with their scheduled security patch level.

Final
Final 10d

Not really needed, Molly is just a Signal fork with some added privacy and security features. If you use Signal you can use Molly too.

Final
Final 10d

Molly (hardened Signal client) is building a Signal server software called Flatline. This will allow creating Signal deployments with servers that aren't Signal's. They'll also be working on features such as supporting accounts without phone numbers.

Final
Final 10d

Doesn't mean much if the source is uploading a malicious app and the hash for the malicious app. The hash would match but it's obviously not Telegram. You'd have to compare the APK's signer to that of Telegram.

Final
Final 10d

The big issue that the post is trying to address is that AOSP and therefore derivatives like LineageOS are also missing these patches for up to 6 months. When OEMs get security preview patches, they may only push ~10% of them earlier than their assigned date too. When switching you could be *less* patched, and it is the upstream's fault. GrapheneOS on the security preview channel is the ONLY Android distribution delivering all available patches on a regular basis. Despite the embargo preventing releasing the sources, it is easy to use reverse engineering tools to compare differences between standard and security preview builds to find the vulnerability AND the embargo doesn't protect against a resourceful threat actor somehow getting that access.

Final
Final 14d

June 2026 Android Security Bulletin notes CVE-2025-48595 is being exploited in the wild. It's being widely misreported in tech media as a 0-day vulnerability being exploited. That's a major misunderstanding of Android Security Bulletins and how poorly OEMs keep up with patches.

Google disclosed CVE-2025-48595 to OEMs in a security preview release near the end of September 2025. Those patches are allowed to be shipped right away, so it was included in our 2025092501 release. We noted it was already publicly fixed so it was added to our regular releases too in 2025100300.

We quickly shipped the patch after it was disclosed to OEMs by Google but we plan to do better in the future. SQLite 3.44.5 was released with this backport on 2025-07-24. We weren't previously aware SQLite maintained upstream LTS branches for Android but our plan is to closely follow those now. In this case, Google slipped up and took 2 months to add the patch to the security preview releases. We plan to avoid that in the future by handling this ourselves because this happens too often.

It's also a nice example of how Android Security Bulletins set extremely low expectations for OEMs. #GrapheneOS quickly ships all security preview patches. Every AOSP patch included in the Android Security Bulletins was already available in GrapheneOS for over a month. We end up shipping patches 2-3 months earlier.

Google having such low expectations for OEMs and even themselves is ridiculous. Android's security patch system doesn't make any sense and is completely at odds with how quickly people can discover and exploit vulnerabilities with the help of LLMs. The security preview release system would be far more reasonable if the embargo for sources and details was no more than 48 hours. Google's embargo system harms security for nearly all Android users by setting the expectation of patches taking 2 to 6 months for OEMs to ship after disclosure. Patches are available to sophisticated attackers as soon as Google discloses them to OEMs. A partial embargo for months makes no sense.

#GrapheneOS #grapheneos

About Me

Security specialist and member of the GrapheneOS Foundation. Posts my own and not endorsed by my employer. AI slop and Nostr DMs ignored. Email: [email protected] Matrix: f1nal:grapheneos.org
