Linus is right about paid security updates

[YellowJersey]

Unpopular opinion: On last week's WANShow, Linus pitched the idea that, after three years, you should have the option to pay for security updates. The chat was very clear in saying "NO!" And, I have to say, I'm with Linus on this one. PROVIDED:

1) You get at least three years of support included with the purchase of the device;

2) The paid security updates are for a reasonable price (I think Linus' suggestion of $3 a month is perfectly reasonable); and

3) It is optional.

 I'm generally against the move towards software-as-a-service and lament the death of ownership, but I'm for this because it's optional. Cashflow is very important and so this would provide revenue to phone manufacturers and give them a reason to provide ongoing support. E-waste is a HUGE problem and only getting even worse. Security is important. If we can solve this with an optional $3 a month after three years of updates, then I'm all for it. I think it's a win-win situation. If I can get another two or three years of security updates and life out of my device, then $36 a year is very reasonable.

 

 Remember, right now we get nothing and have little to no options.

 The people against it sound like people who don't want Dark Souls to get an optional easy mode because then "plebs" might get into it; bitching about something that they can ignore if they want. You lose nothing.

[Mihle]

I doubt very many would be willing to pay that. Majority of people don't care enough.

[piratemonkey]

Most either don't care to enough to update already, nevermind to pay to update. This also would create a scenario where there's a massive vulnerability but because next to no one would be paying, possibly millions of people out right couldn't get the fix. 

[straight_stewie]

I'm so sick and tired of every single thing under the sun becoming a subscription service. PaaS (product as a service) is one of the worst things to befall the capitalistic world IMO.

[YellowJersey]

12 minutes ago, straight_stewie said:

I'm so sick and tired of every single thing under the sun becoming a subscription service. PaaS (product as a service) is one of the worst things to befall the capitalistic world IMO.

I agree that everything become a subscription sucks, but this is an option where we currently have none. So this would be a paid service for something that doesn't even exist. It's completely different than Adobe making CC a subscription service.

[WereCatf]

52 minutes ago, YellowJersey said:

The chat was very clear in saying "NO!" And, I have to say, I'm with Linus on this one

Personally, I think the latter option Linus mentioned is the right one, ie. once the manufacturer stops offering security-updates, they need to provide the means for the community to take over.

[TrigrH]

1 minute ago, WereCatf said:

Personally, I think the latter option Linus mentioned is the right one, ie. once the manufacturer stops offering security-updates, they need to provide the means for the community to take over.

If not from the start like most android phones. In addition I wish it was easier to service the battery on modern phones. I shouldn't have to heatgun and pry the glass/display off.

[WereCatf]

Just now, TrigrH said:

In addition I wish it was easier to service the battery on modern phones. I shouldn't have to heatgun and pry the glass/display off

That's a separate issue, tho.

[TrigrH]

Just now, WereCatf said:

That's a separate issue, tho.

Please explain what part of device longevity and e-waste concerns makes this issue separate? There is no point in security updates if the device is useless due to poor battery life after 3 years. Software and hardware, two sides of the same coin.  

[WereCatf]

4 minutes ago, TrigrH said:

Please explain what part of device longevity and e-waste concerns makes this issue separate? There is no point in security updates if the device is useless due to poor battery life after 3 years. Software and hardware, two sides of the same coin.  

The battery can still be replaced, even if you can't do it yourself. The software, on the other hand, in many cases cannot be replaced at all unless the manufacturer provides you with the means of doing that. It may be a related issue, but it's still a separate one.

[TrigrH]

Just now, WereCatf said:

The battery can still be replaced, even if you can't do it yourself. The software, on the other hand, in many cases cannot be replaced at all unless the manufacturer provides you with the means of doing that. It may be a related issue, but it's still a separate one.

Maybe i'm mistaken, since I watched the wanshow Linus is talking about extended support for android devices, most of which you can flash a custom rom for updates. Seems like the same shit to me.

[WereCatf]

8 minutes ago, TrigrH said:

most of which you can flash a custom rom for updates

Most of which you can't flash a custom ROM on. There are a lot of phones and tablets where there is no way of unlocking the bootloader, for example, and the manufacturer isn't planning to help.

[piratemonkey]

1 minute ago, TrigrH said:

most of which you can flash a custom rom for updates

I think you're missing the point. Most people (not you and I, most likely not those reading this) don't care enough to update anything. And flashing a rom relies on the device being able to be flashed, and not messing up when you do do it. This isn't something that's recommended even for the more technically inclined

[Lord Vile]

1 hour ago, YellowJersey said:

Unpopular opinion: On last week's WANShow, Linus pitched the idea that, after three years, you should have the option to pay for security updates. The chat was very clear in saying "NO!" And, I have to say, I'm with Linus on this one. PROVIDED:

1) You get at least three years of support included with the purchase of the device;

2) The paid security updates are for a reasonable price (I think Linus' suggestion of $3 a month is perfectly reasonable); and

3) It is optional.

 I'm generally against the move towards software-as-a-service and lament the death of ownership, but I'm for this because it's optional. Cashflow is very important and so this would provide revenue to phone manufacturers and give them a reason to provide ongoing support. E-waste is a HUGE problem and only getting even worse. Security is important. If we can solve this with an optional $3 a month after three years of updates, then I'm all for it. I think it's a win-win situation. If I can get another two or three years of security updates and life out of my device, then $36 a year is very reasonable.

 

 Remember, right now we get nothing and have little to no options.

 The people against it sound like people who don't want Dark Souls to get an optional easy mode because then "plebs" might get into it; bitching about something that they can ignore if they want. You lose nothing.

For lower end phones sure but for the models approaching a grand they need to match Apples 5 years

[TrigrH]

31 minutes ago, piratemonkey said:

I think you're missing the point. Most people (not you and I, most likely not those reading this) don't care enough to update anything. And flashing a rom relies on the device being able to be flashed, and not messing up when you do do it. This isn't something that's recommended even for the more technically inclined

Exactly, just like prying your display off to get at the battery. Both are difficult and come with an element of risk. Both elements are needed to enable long life on these devices.

[Teddy07]

2 hours ago, Mihle said:

I doubt very many would be willing to pay that. Majority of people don't care enough.

Yep I am one of them.

 

[PeachGr]

If you buy a device with 150€, usually you don't changes device because of security updates, but because it became obsolete and you look for an upgrade. For that, and 10 more reasons Linus was wrong

[Roswell]

I don’t think Linus understands that the cost of supporting and testing updates doesn’t linearly scale with the amount of people that would be theoretically paying for it.
 

If an Android manufacturer started supporting their 100 different models from the past 5-7 years, they would need to shell out ENORMOUS amounts of money to a literal army of software engineers. It’s not feasible.

 

The reason Apple is willing to support devices for so long is because they get considerable amounts of revenue back on those devices through services and the App Store. Android manufacturers get nothing really outside of the hardware sale itself.

[Rohith_Kumar_Sp]

i totally would like to pay for updates after 3 years, i'm on S7 edge on 4th year and samsung updated it the last time in march of this year (longest for any devices they have supported it), since i am planning to use it for 2 more, i would love to.

[LAwLz]

I think Linus is wrong about paid updates.

Not because "it's better to have the option to paid for updates than to not get updates at all after 3 years". I am against it because it wouldn't be the way Linus describes in the video.

It wouldn't be optional the way he describes it. It would make no sense.

 

1) The reason why updates dry up on Android is mostly dictated by Qualcomm, not the OEM like Samsung. Once Qualcomm stops supplying BSPs for their SoCs the manufacturers are more or less stuck. So Linus doesn't even understand one of the root problems which makes what he describes impossible or at the very least improbable.

2) Barely anyone would pay for it. People would be way more willing to just run unsupported and unpatched software than pay for it. Hell, people like my mom and other people who aren't interested in tech DISLIKES getting updates. They are scared it will change something they don't want changed, or they don't want to restart their phones. To them, not getting updates is a good thing. No way they would pay to get updates.

If barely anyone is paying for updates, then there wouldn't be any incentive for Samsung to develop the updates (which is a fixed cost). It costs them just as much to develop an update for 1 person as it does to develop it for 10,000 people. 

3) The people who are really interested in paying for updates has a big overlap with the group of people who would download and flash the updates from for example XDA. They are basically designing something that appeals to the same people who would pirate it. Not exactly the demographic you want to cater to if you want to make money.

 

 

Edit:

Also, Linus is wrong when he says hardware on phones hasn't gotten more expensive.

He mentions the Snapdragon 865 vs 765G only being 70 dollars.

The problem with that is that the 765G includes a modem, and the 865 does not. So it's a 70 dollar difference for the SoC, but then you have to add on the cost of the X55 modem plus the additional antennas, RFFE and other components, which according to CounterPoint is estimated to be around 97 dollars.

So all of a sudden, that 70 dollar difference is more like 180 dollars.

 

 

Galaxy S4 manufacturing cost (estimation) - 244 dollars.

Galaxy S20 Ultra manufacturing cost (estimation) - 528 dollars.

 

 

The cost of phones has risen at roughly the same rate as the cost of hardware has increased.

Google has made updating Android easier, and that's why we see longer support cycles. It's not because "manufacturers take bigger margins" like Linus says.

[flashiling]

3 hours ago, piratemonkey said:

Most either don't care to enough to update already, nevermind to pay to update. This also would create a scenario where there's a massive vulnerability but because next to no one would be paying, possibly millions of people out right couldn't get the fix. 

but if there is a massive vulnerability now, does it get fixed when noone is paying?

[Loote]

Isn't this mostly achieved in new Androids (10 and 11) having multiple system modules updatable without flashing new ROMs?
https://thehackernews.com/2020/09/android-11-security-privacy.html

 

I mean #3 from that list, is it not enough?

I wouldn't trust manufacturers to provide updates on time anyway.

[LAwLz]

41 minutes ago, Loote said:

Isn't this mostly achieved in new Androids (10 and 11) having multiple system modules updatable without flashing new ROMs?
https://thehackernews.com/2020/09/android-11-security-privacy.html

 

I mean #3 from that list, is it not enough?

I wouldn't trust manufacturers to provide updates on time anyway.

It's not quite that simple.

 

Google already sends out security updates to some modules (13 to be more precise) in Android through the app store. It's called "project mainline" and it's supported by all devices that ship with Android 10 or later. For all phones released with a version earlier than 10 it's optional though (so if your phone shipped with Android 9 or earlier, it is probably not supported).

The new thing in android 11 is that instead of Google being in charge of 13 system modules (like the network stack and media codecs) like they were in Android 10, they are now in charge 20 modules.

But 20 modules is still far from the entire OS and anything that might need patching. So while a large chunk of Android can and is updated independently of the OEM releasing updates, there are still plenty of stuff that require the OEMs to update.

[Loote]

Well shit.
I got one of those updates on Android 10, hopefully with the changes they make the coverage of things they patch will continue to grow up to a safe level.

[Lord Vile]

On 10/6/2020 at 9:01 AM, Vitamanic said:

I don’t think Linus understands that the cost of supporting and testing updates doesn’t linearly scale with the amount of people that would be theoretically paying for it.
 

If an Android manufacturer started supporting their 100 different models from the past 5-7 years, they would need to shell out ENORMOUS amounts of money to a literal army of software engineers. It’s not feasible.

 

The reason Apple is willing to support devices for so long is because they get considerable amounts of revenue back on those devices through services and the App Store. Android manufacturers get nothing really outside of the hardware sale itself.

Maybe google should make android more uniform to standardise support per SoC as they get the money from the Play store.