Take for example the Teracube 2e that /e/OS is currently selling: https://murena.com/shop/smartphones/brand-new/murena-teracube-2e-emerald-na/
Here are the proprietary vendor blobs that are being shipped with it: https://gitlab.e.foundation/e/devices/android_device_teracube_emerald/-/blob/v1-r/proprietary-files.txt
Note the line at the top denoting the version those blobs are from:
Extracted from full_yk673v6_lwg62_64-user 11 RP1A.200720.011 p1k61v164bspP16 release-keys unless pinned
More specifically this part: RP1A.200720
That is this version of Android: https://android.googlesource.com/platform/build/+/9d2242d67e673ed357812999705a7b91be3a1f58
Note the date:
Wed Jul 29 22:47:56 2020 +0000
Here is the kernel too, note the version it uses: https://gitlab.e.foundation/e/devices/android_kernel_teracube_emerald/-/blob/v1-r/Makefile
4.19.127
Here is Linux 4.19.127: https://lwn.net/Articles/822424/
Note the date:
Sun, 7 Jun 2020 14:58:56 +0200
Is it really acceptable for /e/OS to be selling devices that are 2+ years behind on kernel and vendor security patches?
Edit: these other devices they’re selling are also end-of-life (only the OEM/vendor can provide firmware and vendor security updates):
- Galaxy S9/S9+: end of life March 2022: https://9to5google.com/2022/04/04/samsung-galaxy-s9-android-updates-drop-support/
- Murena One: uses the MT6771 SoC from 2018: https://en.wikichip.org/wiki/mediatek/helio/mt6771
- it is technically unclear if this SoC is EOL or not, but Google and Samsung are the first vendors to commit to 5 years of security updates, and this chip predates those offerings
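The check walked through above, as an added example that is not part of the original post or of the /e/OS tooling: it decodes the date code embedded in the AOSP build ID of the blob header and reads the kernel version from the Makefile variables. The function names and the Makefile sample are assumptions constructed for illustration; the header line and version numbers are the ones quoted in the post.

```python
import re
from datetime import date

# Header line of proprietary-files.txt, as quoted in the post.
BLOB_HEADER = ("Extracted from full_yk673v6_lwg62_64-user 11 RP1A.200720.011 "
               "p1k61v164bspP16 release-keys unless pinned")

# Constructed sample: top of a kernel Makefile carrying the version the post cites.
KERNEL_MAKEFILE = """\
# SPDX-License-Identifier: GPL-2.0
VERSION = 4
PATCHLEVEL = 19
SUBLEVEL = 127
EXTRAVERSION =
"""

# AOSP build ID: 4-character branch code, YYMMDD date code, build counter,
# optional suffix (RP1A.200720.011). The date code is approximate, not exact.
BUILD_ID_RE = re.compile(r"\b([A-Z][A-Z0-9]{3})\.(\d{2})(\d{2})(\d{2})\.\d{3}(?:\.[A-Z0-9]+)?\b")

def blob_build_date(header):
    """Return (build_id, date) decoded from the blob header line, or None."""
    m = BUILD_ID_RE.search(header)
    if not m:
        return None
    yy, mm, dd = (int(m.group(i)) for i in (2, 3, 4))
    try:
        return m.group(0), date(2000 + yy, mm, dd)
    except ValueError:  # date code is not a real calendar date
        return None

def kernel_version(makefile_text):
    """Return 'VERSION.PATCHLEVEL.SUBLEVEL' from a kernel Makefile, or None."""
    parts = []
    for key in ("VERSION", "PATCHLEVEL", "SUBLEVEL"):
        m = re.search(rf"^{key}\s*=\s*(\d+)\s*$", makefile_text, re.MULTILINE)
        if not m:
            return None
        parts.append(m.group(1))
    return ".".join(parts)

def age_in_days(released, as_of):
    """Days between a release date and the date the audit is run."""
    return (as_of - released).days

if __name__ == "__main__":
    build_id, built = blob_build_date(BLOB_HEADER)
    print(build_id, built, age_in_days(built, date.today()), "days old")
    print("kernel", kernel_version(KERNEL_MAKEFILE))
```

The kernel release date cannot be derived from the version string itself, so it still has to be looked up as the post does before passing it to `age_in_days`.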