Some BIG news dropped this week that could have a major impact on Android security: The LTS (long-term support) period for the Linux kernel is being cut down from 6 years to 2 years.

Ron Amadeo has a good summary of the situation on ArsTechnica: https://arstechnica.com/gadgets/2023/09/linux-gives-up-on-6-year-lts-thats-fine-for-pcs-bad-for-android/

(Instead of maintaining 6 different LTS versions for 6 years each, I wonder why the number of supported LTS versions wasn't just reduced down to, like, 3?)

@MishaalRahman In response to your last question/comment, I assume it is due to the fact that LTS kernels are selected yearly. If the number of supported releases was reduced to three at any one point in time but the support duration was kept at six years, that means that a new LTS kernel would be released every two years. I think that would be a regression for vendors who upgrade to the latest LTS every year, as it means regressions from one LTS to another become harder to track down.

Google never publicly announced this, but a little fun fact: Since 2021, Google has actually required that Android devices perform bi-yearly LTS (minor) updates for the first 2 years after the release of the OS. Afterwards, they have to perform a yearly LTS update while the OS version is still in Google's support window.

You can sometimes see this in the Android Security Bulletin, where a "minimum kernel version" is listed for a particular Android OS version.

As for why LTS updates are important for Android security, it's because it's not always possible (http://kroah.com/log/blog/2018/02/05/linux-kernel-release-model/) to identify when a bug fix is a security fix. Google tries to ID these for SPL compliance, but they can't catch them all, leading to times where a fix landed on upstream Linux months before it made its way to Android devices.

@MishaalRahman This is merely speculation on my part but I believe this move is being done to try and force vendors to upgrade their kernels more frequently, which requires living upstream to keep up with Linux’s rate of change. While I am sure there are some vendors who will be upset by this change, I wonder if they realize that the older extended LTS releases like 4.14 and 4.19 do not receive anywhere near the number of changes/fixes that the newer ones like 5.10 and 5.15 receive.

@MishaalRahman There are only two stable maintainers and most upstream developers don’t participate in the stable process, so if there is a tricky backport and the original developer or mainline maintainer does not help out, it is typically not applied, unless another vendor needs it and decides to send it to stable versus taking into their downstream vendor kernel. I expect dropping the support lifetime will increase the overall quality of the stable releases, even if there are fewer of them.

@z3ntu oh fascinating, thanks for sharing the post

@MishaalRahman And I think this was the original post I saw about this topic https://social.kernel.org/objects/1e068f03-bf1b-4860-9f11-3a95d6542539

But also check Greg's other posts from around that time, also lots of talk about the EU laws for software updates, quite interesting to read imo!

@MishaalRahman This news was dropped half a year ago. Nothing new was said this week. :/

@krzk yes, I just learned that this isn't new news (thanks to Luca Weiss). Will update post/follow up in a few mins
