Pass a new "right to repair" law, such that any OEM that halts software patches on any network-connected device for more than 6 months will be required to unlock bootloaders and publish technical specs.
Apple and Android will see enormous and wonderful community involvement if that were to happen, and congress could force it, should we motivate them.
> Pass a law that taxes Google punitively for each app sale on an unmaintained phone, and see how quiclky they'll find a way to support their phones.
Wouldn't the result of that, be that phones that get anywhere even close to being unmaintained would stop dead (or close to it), so Google doesn't get exposed to a problem?
To me, that doesn't sound better than the situation you're trying to fix.
Selling apps to the long tail of older phones is probably worth throwing some money in a maintenance team. Especially with phones having a 3 year shelf life.
As long as there is also a minimum support window, say 3+ years, and full specs and source are community released, then why not?
The important part could easily be ensuring that older hardware can be accessed. We need an end to binary blobs, or, to force long term blob support and updates.
I imagine a scenario where you pay $20 per year for support and updates for your old device, to a third party.
Or of course, there could be foundations, compile it yourself, etc too.
But if the environment is the reason, why not share the load?
Manufacturers publishing code, sources, and docs is not trivial in of itself.
I'm not a fan of it, because that basically means that Google asks the community to take up the bill for a service they sell at extraordinarily high price.
I know that's the case for lots of open-source software, but since we're coming to that topic, Google's open-source policy that produces software that is either tightly aligned with their own interest (Chrome) or barely usable without their proprietary ecosystem (Android) is shameful. Quite frankly, I would much rather see open-source communities work on linux phones, no matter how useless that may be.
Another reason I'm not a fan of it is that if Google is allowed to transfer their responsibility to a community, I'm willing to bet that their initial support duration will drop even more, and that any issue will be blamed on open-source maintainers, log4j-style.
> But if the environment is the reason, why not share the load?
Does Google share the profits? Is their Android business barely profitable to justify getting free labour?
> will be required to unlock bootloaders and publish technical specs
is probably sufficient motivation. There's no way Apple would be willing to do that. Google might be, but they might have a lot of resistance from Qualcomm and possibly mobile carriers and other partners.
That is imo a bad fix, because it would be very easy for Google and Apple to make sure the technical specs are unreadable and the bootloaders complicated to use, without much recourse for the lawmaker.
Comparatively, it's much easier to make a law targeting the stores that's hard to avoid.
Yes, indeed. But that is a massive footgun to use, and it creates a direct incentive to have longer service durations.
It is likely that Google would stand to make more money by offering longer service duration for their OS, and by demanding phonemakers to maintain their firmware.
I guess the info we need to see whether this would be a good decision or not is how much money Google makes from selling apps to phones 3 year and older.
I'm sure that, was such a law allowed to pass, lawmakers and prosecutors would magically find a way to express their dissatisfaction if Google was trying to skirt the law in such a crude way.
My bet would be on Google successfully lobbying to kill the bill in the first place, or to cripple it and make it irrelevant (for instance with a long grace period that always gets extended).
> lawmakers and prosecutors would magically find a way to express their dissatisfaction if Google was trying to skirt the law in such a crude way.
Depends on what the law makers actually want. Enough legislation is passed just do they can tell their voters "look, we did something" without actually hurting their corporate buddies.
Disagree. For certain vendors you can already get unlocked bootloaders and kernel sources. That's how various aftermarket android ROMs are built. However, even for a project like lineageos, there's only one or two maintainers per device. Do you think one or two volunteer maintainer (presumably working in their free time), can keep the entire kernel up to date and patched?
>Any locked device must brick itself after 6 months of no patches, to ensure the safety of the network.
What does this accomplish? Get people mad? Moreover, what prevents someone from making trivial patches to keep a device "up to date", kind of like how people make trivial changes to their passwords to keep up with password rotation policies?
To be fair if the devices bricked themselves people would start to value update lufetime even more and sales of devices with short support would drop like a rock.
But this suffers from goodhart's law. "support period" becomes the metric to game, so manufacturers would say they "support" for 10 years or whatever, but what that entails is having an inter bump up the version number every 6 months.
If they say security updates for 10 years and there are unpatched security vulnerabilities living in the device before that I think they should have to refund the purchase.
> Do you think one or two volunteer maintainer (presumably working in their free time), can keep the entire kernel up to date and patched?
Maybe I misunderstand it, but I think it’s not that bad?
The kernel gets kept up-to-date by LineageOS, the device builds (official or unofficial) use the base builds, but add device-specific tweaks, and cherry-pick commits from elsewhere. And actually a level above that is AOSP which is maintained by Google.
>And actually a level above that is AOSP which is maintained by Google.
How do you think the CVEs get discovered? What about CVEs in the qualcomm specific code? How do you know that the amateur kernel developers wouldn't fall prey to c footguns and introduce new vulnerabilities?
Don't get me wrong, this is strictly better than the current state of affairs where there's zero patches, but I think people are underestimating how much effort it takes to keep a huge codebase patched.
> We need a lemon-like law for consumer electronics.
I wonder how this should apply to planned obsolescence of devices like smartphones.
On one hand, it's obscene that manufacturers expect us to routinely spend ~$1k on a device that will in the best case scenario last for three years. There's no inherent reason that a flagship Samsung from 2017 shouldn't be perfectly serviceable today, and likewise for a Pixel 6 or iPhone 13 in 2030. However, the discontinuation of security updates makes it so that for all practical purposes they are not.
On the other hand, we can't exactly compel speech or labor. It would be one thing if there were a kill switch triggered after N years, but in this case the obsolescence isn't caused by an active update, rather a lack thereof.
Here's a possible middle ground:
1. Block device manufacturers from arbitrarily deprecating hardware. We can't compel the release of new software, but we can block the release of new software. Require manufacturers to submit a filing with request for approval before the release of any new mobile OS update, which must include an exhaustive list of all supported devices. In the event that a device is dropped from the list in a subsequent filing, it must be explained to the satisfaction of regulators that a specific hardware limitation makes continued support for the device problematic or impractical. Given approval to drop support for a device from an OS release, there would be no obligation on the manufacturer to backport security updates to prior releases.
2. Block component manufacturers from arbitrarily deprecating hardware. Any hardware included in a publicly available consumer electronic device must have its manufacturer commit to providing up-to-date driver software with support for the latest OS for the lifetime of the device. Failure to provide this within a certain time frame (say, three months) following the request of a device manufacturer would open them up to a lawsuit, wherein they could be compelled to publish the most recent release of the driver as open source / public domain. #1 would provide the incentive for each device manufacturer to proactively enforce this, as their entire product roadmap would be effectively frozen if they allowed component manufacturers to drag their feet.
3. Ban irreversible bootloader locking in new devices. Maybe an initial bootloader lock would be acceptable, but power users should have some way to override the lock and install a custom ROM without relying on vulnerabilities in the software.
Delaying patches slightly doesn't really help revenues unless it's widely publicized, in which case they look bad and possibly get sued and it doesn't even save them any effort. Maybe it's a risk, but I'll definitely take that risk over what we have today.
Pass a new "right to repair" law, such that any OEM that halts software patches on any network-connected device for more than 6 months will be required to unlock bootloaders and publish technical specs.
Apple and Android will see enormous and wonderful community involvement if that were to happen, and congress could force it, should we motivate them.