Changes to Android Open Source Project
Key topics
The Android Open Source Project is shaking things up by ditching its quarterly release schedule in favor of bi-annual updates, sparking heated debate among developers. Some commenters, like Groxx, are up in arms, claiming this move is a deliberate attempt to strangle Android forks by delaying bug fixes for six months. Others, like cyberax, are more ambivalent, pointing out that security fixes will still be published on schedule, while lamenting the overall decline of recent Android releases. As the discussion devolved into a mix of humor and outrage, it became clear that many are worried about the implications for the Android ecosystem.
Snapshot generated from the HN discussion
Discussion Activity
Very active discussion
- First comment: 1s after posting
- Peak period: 83 comments in 72-84h
- Avg / period: 26.7
Based on 160 loaded comments
Key moments
- Story posted: Jan 7, 2026 at 4:35 AM EST (4d ago)
- First comment: Jan 7, 2026 at 4:35 AM EST (1s after posting)
- Peak activity: 83 comments in 72-84h (hottest window of the conversation)
- Latest activity: Jan 11, 2026 at 6:16 PM EST (4h ago)
I'm on year 5 of my Samsung s21u that I can replace the Samsung ux slop with AOSP ports
The 17 Pro (non-Max) only comes with up to 1TB of storage, but that's still more than my 15 of before.
I'm truly sorry about you having to re-live the trauma of using iPhone all the time.
Of course if I really cared about privacy, I would just install GrapheneOS or LineageOS on a supported Android device, so no Apple in that case either.
My question is then the same of anyone who prefers to give up freedoms to centralized seemingly benevolent dictators: What happens when you are told you can no longer do something you were previously allowed to do, that is only in the interest of the centralized power?
Now I run a S23 Ultra and after two years it still does everything I need. OneUI 8.0 and Android 16. For work (app de) I also have a Pixel 7a, always with the newest Android Beta. Also works well.
Even the entry level phones work OK to pretty good now. My Samsung A16 5G (also for work) functions surprisingly well for 150€.
Maybe, but it is fully under Google and Samsung's control, and is chock-full of spyware. You couldn't pay me to use a stock (Googled) Android phone for this reason alone.
There's no way this isn't intentional hostility towards forks.
All those years back I started calling it, since I built software for (long-lived) HMI devices that ran on Android
“Phone by Google” is disgusting.
Except for RCS, that's completely locked down and is pretty solidly becoming literally just Google. Fuck RCS.
Implementing them independently is extremely difficult and even if you manage to do it you cannot have them commercially available due to radio regulation and patents. Even academic research can only be done with collaboration of those huge companies.
It is impossible to make a phone that is LTE capable completely independently (or even without nation state support). You cannot implement VoLTE or RCS without support from the carriers. They all have their own proprietary protocol on top of the standards.
Google has basically infinite money and their own patents and industry relationships and government support so they can figure out RCS. An indie company, even with infinitely motivated engineers and good funding, does not have any of it.
/s
Of course it is. But it isn't new. This was declared in March last year. We discussed it a lot here. It's only now that it's going into effect.
Android will soon become fully closed source. The writing is on the wall.
https://news.ycombinator.com/item?id=46550366
If a user asks for the source, and the distributor says "sure" and then delivers it 12 months later, have they violated the license?
And since Project Treble you wouldn't even get the drivers, because Android Linux is a pseudo-microkernel now, where drivers run in userspace and talk via Android IPC (Binder) with the kernel, enforced since Android 8.
They are trying to avoid it, but I doubt the EU will let this stand:
https://www.developer-tech.com/news/google-alters-play-store...
Android is open source partly because they can fund it from Play Store profits. Google is thinking that their Play Store profits are going to be cut, and they want to make the profit up elsewhere - and importantly, maintain control of the platform. This is their method.
They've already used this playbook in the past with Google Play Services, and even before that when they abandoned all the built-in open source apps (Email, Calendar, etc.).
Aka "We will do less releases because certain OEMs don't want to be seen as outdated as they don't want to spend the resources to rebase even 4 times per year."
In other words, the result is still open, but the development process is not.
Is the source code available at all times? This is a genuine question, I don't know right now.
[edit] based on the other comments, I surmise that public pushes were already infrequent.
When it comes to large bureaucracies, always assume laziness over malice or strategic competence.
With android 16 introducing "mid releases" (QPR2), they expect OEMs to start shipping those as well, QCOM already has a QPR2 BSP release, and Samsung is expected to release QPR2 based builds soon.
As far as contributions go, google usually wanted patches to apply to main, I don't think that ever changed. And even there now that AOSP development is fully closed, it's even easier as partners will likely just upload patches against internal main instead. Less integration work there as well.
There really isn't a good explanation as to why they want to move code drop cadence, other than they can and want to avoid wasting time releasing QPR1/3 that no OEM ever shipped (except Pixels, that is)
Note, not impossible: You can always carry cash to avoid phone-based bank payments (which would be needed at e.g. my local farmer's market, where nobody has a card payment terminal), some taxi services (Yandex Go for example) provide a web view with some of the features, you can open map services in the browser ...
But for the browser-based cases the experience will be even worse than the standard app experience, and friction is overall much higher.
As a result, only a very small fraction of nerds are committed enough to buy and use these devices. You then have a chicken&egg problem about getting a third option to work.
The only way this has been done semi-successfully in recent years is Huawei's HarmonyOS - and they did it by way of a) already being an absolutely massive phone company, and b) keeping around an expensive Android-compatibility core for many years.
There is https://postmarketos.org/
Maybe 2026 will be the year of Linux on mobile phone.
And yeah, you can even buy phones with a non-android linux pre-installed, e.g. from pine64. But they come with all kinds of "for early adopters" warning labels. Deservedly so, in my opinion.
Considering the ongoing DRAM and SSD crunch, I won't hold my breath.
[0] https://news.ycombinator.com/item?id=25504641
GrapheneOS is a much more practical open source OS to use Linux on a phone.
BTW, hardware support on postmarketOS "community" class devices has seen some nice improvements as of late. Once these improvements meaningfully stabilize (avoiding the risk of regression/breakage; there's been some of that even in the recent testing for the 2025-12 stable release) it's quite possible that some "community" devices might finally reach "main" class, marking them as OK for daily-driver use. Something to watch for as we approach 2026-06.
Consumers don't care how interesting the developer's problems are. They want their own problems to be solved and GrapheneOS does a better job of that.
>running on an entirely mainline kernel
Google already did that work years ago. Android will work on a mainline kernel. Just like with x86 the mainline kernel needs to support the hardware you want to use though.
While Google is allowing that.
> Just like with x86 the mainline kernel needs to support the hardware you want to use though
Librem 5 runs on all free drivers. This is why it will never be tied to an old kernel. This doesn't work with GrapheneOS.
And while Linus allows Linux to be open source. A benefit of open source is that you can fork it if upstream decides to stop development or go closed source.
>This doesn't work with GrapheneOS.
GrapheneOS can use free drivers too. It literally is using Linux.
Linus can't close the kernel. He would need to ask all contributors for a signed agreement for that. This is the benefit of GPL.
See also: https://news.ycombinator.com/item?id=46177148
> GrapheneOS can use free drivers too. It literally is using Linux.
Except there is no device with free drivers that it supports. They just refuse to support Librem or Pinephone without a good reason. (I strongly disagree with their "security" arguments.)
> A benefit of open source is that you can fork it if upstream decides to stop development or go closed source
Android is already semi-closed (see this submission). Are GrapheneOS developers forking it? (No)
That's not how it works. GPL only prevents old versions from becoming closed source. If Linus added code to the kernel which required a $100k license to redistribute then people could no longer freely distribute the code of the kernel. People could not freely distribute compiled kernels because they would need that license. GPL doesn't magically make all licensing issues go away. He could also make a required kernel module that was not GPL licensed that Linux could require to operate.
>Except there is no device with free drivers that it supports.
Having a working system providing competitive value to others is much more important.
>They just refuse to support Librem or Pinephone without a good reason.
The good reason is that those devices can't provide industry standard security.
See my other reply concerning this: https://news.ycombinator.com/item?id=46569163
> hardware isn't quite worth the price tag in-and-of-itself
https://puri.sm/posts/the-danger-of-focusing-on-specs/
> We need a third alternative, based on freedom with your device.
We does not refer only to HN users, and there is no implication as such.
The default assumption is that 'we' refers to the general population.
However, even if I'm charitable and go with your assumption that 'we' referred to HN users, I will confidently say most HN users also don't care about FSF approval.
> See also: https://news.ycombinator.com/item?id=46569163
You like to post a lot of HN links without ever giving an indication of what they point to. As a habit, I don't waste my time clicking random links that people post without context.
In my linked post I explain why the public doesn't matter at this point of time. Also I explain that the public doesn't need the alternative before it works flawlessly, i.e., before it becomes popular among technical users.
That's a rather ridiculous assumption on your part. As a tech-literate crowd, it's quite likely they are aware of them, if for no other reason those alternatives make the front page semi-frequently.
> If you say that those who know don't care, I will ask you for some evidence.
As soon as you provide evidence for the premises for your argument. As my position is simply saying yours is false, the onus is on you to support yours.
> "we" are aware of the problem and care about the freedom.
Sure, maybe, but caring about freedom isn't the same as caring about FSF approved software.
Users - there is a broad scope of users. For sustainable eco-system you need also user interest and support of such.
Developers - that sounds funny. I know. But you need enough leverage to get apps or services to be open.
Companies/Software - a modern mobile device takes place in almost any interaction. Commuting, payment, banking, grocery shopping, social messaging, doom scrolling.
Biggest hope for the future is ensuring PWA becomes standardized enough. That way the OS lock-in could be reduced.
Well, you're right, however badly I don't want to admit it. Google broke that cycle once with Android. I'm sure that Apple would have too, even if they were not the first mover. And there's no question that their wealth and influence had a massive role in it - something an open platform cannot match realistically.
But the current situation is simply untenable anymore. I want out, no matter how many others don't care for it. The open platform has to be just functional enough (including app support, even as PWAs), for us to break free from this duopoly. Just like how Linux and BSDs are on desktops. I'm able to do everything on it from work to netbanking. I would hate it really badly if I was forced to use Windows or MacOS these days.
We never had one on desktop; no real issues. Hardware attestation is primarily in the interest of the vendor, not the user. The user relies on chains of trust. This is how the world works.
My worry is one fine day Microsoft, Samsung, Apple, and Google (rest of SV Media companies like Netflix etc) will join hands in bringing security and force a ChromeOS or macOS type totally- we decide everything for you.
And in what concerns the mainstream desktop/laptop market, macOS Linux VMs, WSL, ChromeOS, versus GNU/Linux OEM devices, proves most people don't care either what they can get at regular computer stores, otherwise GNU/Linux configurations would not be online only at very specific shops.
OpenMoko & friends are selling devices which basically only run Firefox, and sometimes make calls as well. The only people interested in that are diehard FLOSS enthusiasts, which means they have to use ancient hardware because new stuff doesn't have open drivers, which means that even if you ignore the app ecosystem they compare incredibly poorly to mainstream smartphones. No wonder they keep failing.
Interestingly, the desktop/laptop market is heading the other way. The move to cloud SaaS products means a decent number of people now only need a browser. What's keeping a lot of people on Windows is often literally one or two applications. Valve's push for Proton is the perfect example of this: the Steam Deck is providing a huge incentive to fix those last few bugs keeping a game from running on Linux, and with the way Microsoft is screwing up W11 it is now ironically the gamers who are moving to Linux.
What you are seeing in "regular computer stores" is mostly irrelevant. That market is basically dead. Corporate gets its machines directly from Dell/HP/Lenovo, PC enthusiasts mostly get custom builds, and casual people stick with smartphones and tablets. In-store PC sales is now reduced to a university student's Google Docs machine - and Microsoft is doing a pretty good job bribing the manufacturers to push Windows there.
Most of them have no clue that something like System 76 or Tuxedo exists in first place.
Likewise on corporate world, I have long moved into Windows/macOS as official desktops for the last decade, GNU/Linux is only available on VM or servers, and usually it is the cloud provider's own distro.
Those customers where IT allowed the use of GNU/Linux desktops, it was with zero support from them, it was up to us to deal ourselves with any issues preventing our work, and to deal with upper management, in case it impacts delivery.
Until SteamDeck gets rid of its dependency on Windows as source, it is pretty much irrelevant. Games developers will keep using their Windows workstations, while a community smaller than Switch, will get those games thanks to Proton.
And it remains to be seen for how long Microsoft will tolerate Steam, or use their weight as OS vendor, and one of the biggest publishers.
Mobile GNU/Linux might end up in a similar situation if projects like Waydroid[0] can be well-integrated into the system, or if the mobile hardware becomes powerful enough to run it well.
[0]: https://waydro.id
I'm pretty sure my Linux desktop version of Signal runs great on small screens.
At least for me almost everything has moved into the browser except WhatsApp, maps, and music
It's because people like you are constantly repeating this mantra of security nihilism, instead of spreading the word about true alternatives existing today, Librem 5 and Pinephone.
The answer for most of those questions is no for both Librem and Pinephone. You cannot even buy Pinephones anymore. This is not nihilism.
No, they are very much an experiment at the moment.
> Does the cost reflect the value that the customer gets out of them?
Also no, for what they are they are vastly overpriced. It makes much more sense to buy an old device that can run Lineage or PMOS.
It doesn't matter. We are not on a mainstream website, we're on HN. You and me can use it as a daily driver (I do). Nothing becomes mainstream and usable by public at the launch (except things advertised by the big tech of course).
> This is not nihilism.
Did you read the linked article? It's not about getting to 100% security/freedom without any effort. This is about giving up, as you did.
> How much does Librem 5 cost?
Yes, it's expensive. If you can't buy it, you can help in many other ways, e.g., by spreading the word or contributing to the free software.
> Can you still buy them?
Yes: https://shop.puri.sm/shop/librem-5/
> Are they able to deliver reasonably up-to-date set of features that general population care?
It doesn't matter. It can provide you with the main features you may need and add something you can't get anywhere else, https://source.puri.sm/Librem5/docs/community-wiki/-/wikis/F....
Further development can deliver most required features to the public, too, https://puri.sm/posts/closing-the-app-gap-momentum-and-time/.
> Will they deliver in a reasonable amount of time?
Yes, 10 working days, according to their website, https://puri.sm/products/librem-5/
> Will they be able to stay afloat?
It doesn't matter: The phone runs the mainline kernel and is not locked down, it will be able to receive all updates even without Purism. You can install any other OS, too.
> Can they make enough money to invest in features?
Seems like no, because virtually nobody knows about them, even on HN. And, again, it doesn't really matter.
> Can they support an ecosystem that not only support FOSS but proprietary software too?
Why?
> Can they make contracts with operators to have earlier access to newer tech?
This is pure nihilism. Only Apple and Google can do that, so we're all doomed, right? However Purism have been trying, not without some progress, https://puri.sm/posts/breaking-ground/
> Does the cost reflect the value that the customer gets out of them?
Probably yes, https://source.puri.sm/Librem5/docs/community-wiki/-/wikis/F...
Typed and submitted entirely on my Librem 5.
Sure you can. The Pinephone Pro is discontinued, sadly, but regular Pinephones are able to be purchased, I just double checked the PINE64 store:
https://pine64.com/product/pinephone-beta-edition-with-conve...
Security not only matters, we are still far away from the same liability as in other industries.
GNU/Linux also had as baseline what other UNIXes were capable of, and even that had to grow for ACLs, NSA's LinuxSE, and containers.
I'm currently working on an OS image for the Hackberry devices, maybe it'll get some traction. [1]
[1] https://github.com/rogueberry
(My impression was based on lwn discussions about that change)
Edit: https://android.googlesource.com/kernel/common/ has a lot of recent changes
As rooting may tamper with Google's telemetry (can we already call it "spying" please).
The worse part is that, you can do all of those functionality with a browser on linux (or Android), yet to use them as Android apps on a device without gapps (even if it's not rooted and with locked bootloader) is not allowed. Make this make sense.
The same in India. I can't use even the government weather app and the disaster alerts app without signing in to google play.
Seeing that this malpractice (of forcing the users into Google's surveillance net) is widespread among seemingly unrelated agencies like banks and government agencies of several nations, I would really like to know who is peddling this draconian scheme among them.
I want to send some angry rants to the app owners/developers and ask for those malicious peddlers to be permanently banned from further interference in cyber security matters of these institutions.
https://calebhearth.com/dont-get-distracted
(Yes, there will still be issues if you use apps that require Google's remote attestation, but at least in Europe, many banks etc. do not require it.)
Take your condescension and nationalist sycophancy somewhere else, instead of ruining a technical discussion.
Play Integrity is a remote attestation scheme by which apps can ask the OS to prove to a remote server that it is unmodified. It allows apps to refuse to run on devices with root or third-party ROMs.
Play Services is a set of libraries and APIs for things like network-based location, push notifications, and advertising. Nearly all Android phones include it, and users of third-party ROMs can add it at install time (but not later) with packages like MindTheGapps. There's an open source substitute called MicroG that allows most apps to run without it.
You're right in your elaboration, but I didn't mention which one it is. My primary concern is that it forces me to log in to my play services account, which I haven't agreed to so far.
> There's an open source substitute called MicroG that allows most apps to run without it.
It's not for the lack of trying and I probably wouldn't even be complaining if it had worked. Phones are getting harder to root these days, much less install a custom ROM. Everyday feels like the ecosystem is tightening around us.
This isn't true, actually. Banks and gov entities use those mobile apps as authenticators. They do have a distinct purpose.
I know in some countries (UK, Germany, Switzerland, Austria) they're used to hardware tokens already since they were in use long before PSD2. But I seriously, seriously doubt banks in e.g. Poland specifically implement support for hardware tokens issued to very few annoying customers who refuse to use an app but otherwise want internet banking.
And here is the funny part. On my A13 Android (fully rooted, BL UL, custom ROM) I can totally bypass play integrity, using the keybox method. There is literally no way for google to patch this. I am yet to get it working on A16, mainly for lack of time to tinker, also because OP15 has no sources released yet to build ROMs for it, which is the main motivator for me to use an Android phone.
The takeaway is this: Google promotes "Play Integrity" (PI) as a working solution against "tampered devices" (i.e. because god forbid you have sudo access on your device). Yet, it's easy (albeit a bit complex as you have to know the right telegram groups) to bypass it. PI gives the illusion of security, yet in reality a counter-solution exists. Real bad actors would have 0 issues doing what they want to do, the real impact is deterring users from open source roms like Lineage, simply because their bank app wouldn't work, which imo is Google's plan all along masquerading as security feature. Google's main business is ads, and hosts based ad blocking is extremely easy once rooted.
Their recent moves align well with this (slow rollout of open sourcing, QPR2 is still not out yet, antagonizing 3rd party stores like f-droid), all in the "name" of security.
So what you're saying is that you can have it permanently 'fixed' with no shenanigans like that?
I'm in the EU and currently I do online banking with 3 banks without using any app, i.e. thru a laptop browser. The 1st literally lets me stay logged in with a simple cookie, with an SMS 2FA requirement every 90 days. The 2nd additionally asks for a PIN to be entered at each session. The 3rd is a neobank and is tougher, requiring a TOTP (which I generate on the same machine, needless to say).
A 4th does require an app, and in fact can hardly even be used with a desktop OS. That bank is Revolut and I therefore don't use it and I recommend others avoid it too.
The pen test results get put into the ticket system as immovable entries. Engineers will question them, only to be shot down by the cyber security department who organized the pen test. The engineers will eventually accept that they cannot convince cyber to drop the issue, and implement the jail break detection.
Why does cyber mandate it? Because no one in a large company wants to accept the risk, even imaginary risk. They want to be able to say, when security is breached, “we did our due diligence. Look at the report, we implemented everything in it”
Why do firms offering penetration testing keep putting junk like this into their reports? Because their automated tools list them out and they’re getting paid to find issues. The more the better.
It’s insane and entirely about passing off risk.
The Dutch ID app got rid of all trackers and such requirements last year, but they didn't go the full length and make an F-droid repo (or a government store or sth).
Google actively guiding developers to APIs like the Play Integrity API (which requires not only you register the phone with Google on a Google account, but also an untampered device, outdated or not).
I don't even root my devices, just using something like Lineage already gets you the basic-integrity Max. Not enough for many banking apps.
The term has fallen by the wayside and hardly ever gets used nowadays.
15 more comments available on Hacker News