Google explains why vulnerability in WebView goes unpatched in Android 4.3 and earlier

Please don't conflate the OS distribution with the embedded platform distribution.

I'm not conflating anything. You don't understand how the Android ecosystem works. It is fragmented into many different operation systems maintained and distributed by OEMs, not a unified OS controlled by Google. The hardware vendors are shipping AOSP at all. They are making a true fork of the project with customizations across the board, which is why they can't simply update to the latest 4.x point release.

Google are absolutely the OS distributor. Others might repackage it for deployment onto specific hardware but Google are the ones deploying and maintaining the OS itself. This is the upstream/downstream relationship.

Google is the OS distributor for the fork of AOSP that they deploy on Nexus devices. The OEMs maintain their own forks and make major changes to the operating system. They are not simply taking AOSP, adding their drivers and shipping it as is. That's why they can't simply update from 4.3 -> 4.4. They have a fork of the operating system, and they would need to rework many of their non-hardware-related changes for the 4.4 release. It's certainly possible to run 4.4 (or even 5.0 in many cases) with the same kernel as 4.3.

Which, again, they could not do if they were not the maintainers and deployers of the Android OS. They are the ones who provide the path to delivery of the AOSP and Android itself. Third party downstreams pull down the Android OS from the AOSP or directly from Google through other means (licensing agreements with Google, normally) and then repackage it and rebundle it for distribution onto specific platforms, including and introducing their unique libraries and drivers.

AOSP isn't what gets deployed on devices. It's a base for building an operating system, but doesn't really run on real hardware itself. The OEMs aren't simply repackaging / rebundling AOSP... they are making a per-device fork to add the hardware support and then make sweeping changes to many other components.

So yes, this is entirely on Google. The Browser in question is a Google product, and the downstreams are delivering it as-is. Google are the ones who are responsible for delivering backports of the binary.

Google is responsible for the fact that the Galaxy Nexus hasn't been updated to 4.4. Google isn't responsible for other OEMs not updating to 4.4.

/r/programming Thread Link -