Google has been announcing new details about its next Android release, Oreo.
One of the items that came out is a new requirement for a
minimum kernel version.
SoC manufacturers must now use a kernel that is greater than 4.4, one of the
long term stable (LTS) kernels
maintained by Greg Kroah-Hartman. Android has
long prided itself on differentiation and given device makers a lot of latitude.
This has not infrequently led to fragmentation and difficulties with device
upgrades. Google has started to work towards fixing this with efforts like
One aspect that many people like about mandatory kernel versions is increased
security. The argument is that newer kernel versions already have all the
security fixes and features so they are going to be more secure. This is true,
to a degree. Kernel 4.4.x should cover everything 3.18.x did plus more. The
problem with this argument is that the kernel does not stop updating. A
a mandatory kernel version ensures a base layer of protection but will not
protect against new threats. A newer kernel will make it easier to apply fixes
but this involves the device maker actually pushing out updates. Requiring a
4.4.x kernel isn’t going to help against StackCowBleed if your device never
gets the update. Mandating a newer kernel version isn’t going to make device
updates easier if you have to deal with a million lines
of out of tree code either.
A move towards a standard for kernels is a step in the right direction for
the Android ecosystem. This needs to be coupled with a continual effort to
get code upstream and deliver regular updates though. Hats off to the Android
team and device makers who continually work to make this better.