No matter how this turns out, I'm sure GrapheneOS will make a smart effort. https://grapheneos.org/
But long-term, Android is such a massive code base, and was designed more for surveillance and consumption, than for privacy&security and the user's interests.
I think getting mainline Linux viable and sustainable on multiple hardware devices is a warmer, fuzzier foundation. (Sort of a cross between Purism's work on the Librem 5, and PostmarketOS's work on trying to get mainline Linux viable on something else.)
> think getting mainline Linux viable and sustainable on multiple hardware devices is a warmer, fuzzier foundation.
You just have to somehow speedrun the decades of development that went into Android to make it decently run on mobile hardware. Never really understood this "throwing out the baby" direction - the UNIX userspace model simply doesn't work on mobile (I would wager it also doesn't work on desktop anymore), has no security (everything runs as your user which made sense when you ran some batch job on a terminal with multiple other users, but nowadays when a single user has as many processes as all the users had back then it effectively means no security between any of those programs), there is no real resource control, no lifecycles, so the device will burn scorching hot and have terrible battery life.
On Android (and iOS) apps were always living in a world with lifecycles so if they wanted to operate correctly, they had to become decent citizens (save state when asked, so they can be stopped and resumed at any moment). This also fits nicely with sandboxes and user permissions, etc.
So without developing an alternative user-space for "GNU-Linux", it's simply not competing with android in any form or shape.
And even if you do, now every GNU app has to somehow be ported to that userspace API (you can't just kill GIMP or whatever Linux process)
The closest I got to Linux mobile is GPD Pocket 4 with LTE and regular apps. Since I can get it to cap at 5 watts, it can give 9 hours of battery life. It does most things I care about, but it is just a mini laptop (which is good enough for me).
> You just have to somehow speedrun the decades of development that went into Android to make it decently run on mobile hardware
Isn't this mainly due to proprietary drivers and firmware?
No, just take a look at how long and smoothly a PinePhone runs with "GNU Linux" vs stock Android.
Android devs actually backported a bunch of work to the mainline kernel with regards to low-level energy management, but that's only one half of the story. The other is your phone stopping unused apps gracefully, and being able to go back to sleep regularly.
The vast majority of which lives in Android userspace. The custom compositor, input stack, wlan daemons, etc, are all tuned and optimized for power efficiency. Also, these days, there is a lot of hardware controlled directly by userspace - it's not just the GPU. And that hardware is generally important for offloading a lot of compute and reducing wake-ups. Things seem to only be trending further in this direction.
The problem is for developers. Abandoning Android for Linux is not viable for software developers who need to eat. Sure, we can use Linux smartphones ourselves, but if the software we make has a grand total of three people who ever lay eyes on it, that's less than ideal. And given how The Year of the Linux Desktop has gone, I think it'd be strongly preferable if we managed to stave off the tightening of control over Android rather than placing bets on the future Year of the Linux Smartphone.
The Year of the Linux Desktop is kind of happening. Not at the scale that the meme implies, but I've never seen anywhere near as much adoption of the Linux desktop as this year. The combination of Valve's efforts, more usage of Linux gaming handhelds, distributions like Bazzite that have strong selling points for Windows gamers, and Microsoft pissing everyone off with everything that is Windows 11, the Linux desktop has some legitimate momentum for once
Especially considering how much software these days on Windows is all Electron/Web. So it is not as hard a switch as it once was.
I switched from Windows to Linux; it's been 2 years. One of the few things I missed on Windows was the native WhatsApp app, as the Web WhatsApp is horrible. Then a few months Meta killed the native app and made it into a webview-app :)
It only takes one application to force you back to using Windows.
e.g. HellDivers 2 didn't work well until recently on Linux. If you are playing certain factions it is a very fast paced game and I would frequently experience slow downs on Linux.
So if I wanted to play HellDivers 2, I would have to reboot into Windows. Since running kernel 6.16 and updates to proton it now runs better.
And I can just take about any Linux distro, install it to about any computer and have an extremely nice device to work, play games, and handle almost any daily task with. I call that a huge success.
Yet, still 1/4th of the time my ThinkPad with Linux wakes with a Thunderbolt display connected it dies with a kernel panic deep in the code that handles DDC (no matter what kernel version).
And the latest gen fingerprint scanner only works between 10-50% of the time depending on the day, humidity, etc., no matter how often you re-enroll a fingerprint, enroll a fingerprint multiple times, etc.
And the battery drains in 3-4 hours. Unless you let powertop enable all USB/Bluetooth autosuspend, etc. But then you have to write your own udev rules to disable autosuspend when connected to power, because otherwise there is a large wakeup latency when you use your Bluetooth trackball again after not touching it for one or two seconds.
And if you use GNOME (yes, I know use KDE or whatever), you have to use extensions to get system tray icons back. But since the last few releases some icons randomly don't work (e.g. Dropbox) when you click on it.
And there are connectivity issues with Bluetooth headphones all the time plus no effortless switching between devices. (Any larger video/audio meeting, you can always find the Linux user, because they will need five minutes to get working audio.)
As long as desktop/laptop Linux is still death by a thousand paper cuts, Linux on the desktop is not going to happen.
I have had worse experiences on each and every count with various Windows installs on various laptops, and yet it is the "de facto" desktop OS.
That is simply not true. I have tried to get so many people on Linux, just for it to fail when they try to do something simple, enough times in a row for them to want to go back to Windows.
I really wish it was seamless and good, but it just isn't (and frankly it's a bit embarrassing it isn't given desktop environments for GNU Linux have been in development for 20+ years).
I'm not saying it's seamless and good. I'm saying that I have had windows fail in similar or worse ways.
For example the laptop I had from my previous employer (a pretty beefy Dell) was failing to go to sleep, I had to unplug the charger and the HDMI cable on my desk each night, otherwise every second night it was keeping my monitor lit on the lock screen; when low on battery it clocked the CPU down so much that the whole system froze to a grinding stop not even the mouse pointer was moving, and even after putting it back on the charger it remained similarly unusable for a good 10 mins..
Like I have been using Linux since the Xorg config days when you could easily get a black screen if you misconfigured something, but at least those issues are deterministic and once you get to a working state, it usually stays there. Also, Linux has made very good progress in the last decade and it has hands down the best hardware support nowadays (makes sense given that the vast vast majority of servers run Linux, so hardware companies employ a bunch of kernel devs to make their hardware decently supported).
> Yet, still 1/4th of the time my ThinkPad with Linux wakes with a Thunderbolt display connected it dies with a kernel panic deep in the code that handles DDC (no matter what kernel version).
This doesn't happen on my ThinkPad but does on my MacBook. If anyone else faces these kernel panics on their Mac, you have to set your monitor to a hard 120hz rather than a variable rate on the macOS display settings. KDE handles the variable rate just fine on the ThinkPad for me.
I had so many more issues running Windows over the years than Linux. BSODs were a common occurrence, and yearly fresh installs were a thing to keep my computer usable.
I moved to Mint almost 4 years ago at this point, running it on a now fairly old Dell G5 from 2019. Runs as smoothly as ever.
I had one problem during this 4 year run (botched update and OS wouldn't start). Logging to terminal and getting Timeshift to go back to before the update did the trick. Quick and painless. I could even run all the updates (just had to be careful to apply one of those after a reboot).
I have no idea what you are talking about. Maybe I am just very lucky with Linux.
It's the same in every discussion about OS vs OS. People who like one OS will claim that the other OS is full of problems, and vice versa. In some cases I guess people are just lucky/unlucky. Personally, I've been using both in parallel for about 15 years, and while I've never had any issues with Windows (no BSODs), Linux constantly gives me problems. But I'm a developer and much prefer to develop on Linux, so I stick with it.
Though I think that is not warranted with respect to my original comment. I have used Linux in some form or shape for 31 years now (jikes), I would love Linux to win, and I have used Linux on a wide variety of hardware (last few laptops have been ThinkPads).
I think desktop Linux will not improve until people start acknowledging the issues and work on it. It's the same as the claim that Linux is very secure (which Linux fans will often repeat), while it has virtually no layered security, and a fairly large part of the community is actively hostile towards such improvements (e.g. fully verified boot).
I think people tend to have double standards when it comes to Linux. People who run Linux generally choose to run Linux intentionally and are for that reason more willing to accept/overlook issues.
I have both Linux machines and Macs and Linux has always been objectively worse when it comes to driver and software issues. It just has a large number of paper cuts.
I think people tend to have double standards when it comes to MacOS. People who run MacOS generally choose to run MacOS intentionally and are for that reason more willing to accept/overlook issues.
I use both Linux machines and Macs (at work) and Macs have always been objectively worse when it comes to usability and development. It just has a large number of paper cuts.
The odds of having just about any Linux distro work "out of the box" without manual tweaking on just about any computer are still pretty low I'm afraid (by "work" I mean "support all of the functionality"). For instance, the laptop I'm writing this on connects without problems to a Bluetooth mouse, but won't for the life of me work with my Bluetooth headphones.
> The odds of having just about any Linux distro work "out of the box" without manual tweaking on just about any computer
Well, show me that magic OS that works on "just about any computer", because I am sure Windows ain't that. OSX only works on their select devices, and Windows has its own way of sucking. Let's be honest, there is shitty hardware out there and nothing will work decently on top. People just try to save these by putting Linux on top and then the software gets the blame.
As long as it isn't a gamer laptop.
Not really, because Proton is Win32, kind of.
Half of the applications people use on Windows are just browsers in a native frame, at this point Win32 is just one of the many "stacks" that you can run on Linux.
It really isn't. This is a temporary sugar rush that comes after pretty much every time Microsoft does something awful. After a while the buzz will fizz out and the majority of those PC gamers that looked to switching go back to Windows.
IME a lot of developers don't even use Linux on their desktop machine. I've met three developers that use Linux professionally IRL. A lot of devs have a hard time even using git bash on Windows.
I am always called up by people at work because I am "the Linux guy" when they have a problem with Linux or Bash.
Sure, there are a lot of people that use Linux indirectly e.g. deploy to a Linux box, use Docker or a VM. But if someone isn't running Windows, 9 times out of 10 they are running a Mac.
More generally the thing that has paid the bills for me is always these huge proprietary tech stacks I've had to deal with. Whether it be Microsoft's old ASP.NET tech stack with SQL Server, AWS, Azure, GCP, what pays the bills is proprietary shite. I hate working with this stuff, but that's what you gotta do to pay the bills.
I mean, this strongly has to depend on what kind of software you are developing. I don't know a single developer who primarily uses Windows. Literally everyone around me uses Linux for development work (and a large portion of them also use Linux for their personal machines).
Of course. However if a developer isn't using Windows typically they are using a Mac.
In corpo-world. Everyone is using Windows. If they are using Linux it would be through a VM or WSL. I guarantee none of those people are using Linux at home.
So for every developer you know that is using Linux, there are many more people using Windows supplied by their IT department.
> In corpo-world. Everyone is using Windows. If they are using Linux it would be through a VM or WSL. I guarantee none of those people are using Linux at home.
And I guarantee that you're wrong, because I work a corporate job where I have to put up with Windows and am 99% Linux at home. (The other 1% is *BSD and illumos.)
You are the minority but you can believe whatever you like.
The vast majority of developers I have worked with (and I've contracted at a lot of places) know next to nothing about Linux. They can barely use a terminal (Powershell, CMD, Bash/Zsh) and often can't do anything outside of the IDE.
If they do use Linux, it will be on a Raspberry Pi that gets stuck in a drawer after a few months.
To those that keep voting me down on this. The teams and environments you work in are the outliers. I've had to accept that I am in the minority as a Linux user even amongst software professionals.
Yeah, I'm probably a minority. That doesn't mean that nobody uses linux, just that it's less common.
I never said that nobody uses Linux. I said that it was extremely uncommon even amongst developers.
> I guarantee none of those people are using Linux at home.
[...]
> I never said that nobody uses Linux.
I'm willing to believe that this is just a misunderstanding resulting from nonliteral exaggerated language for effect, but ... yes, you did.
>Sure, there are a lot of people that use Linux indirectly e.g. deploy to a Linux box, use Docker or a VM. But if someone isn't running Windows, 9 times out of 10 they are running a Mac.
That was my original comment. It is pretty easy from that to assume that when someone says "none" in a subsequent comment they mean "almost none" following that statement.
> This is a temporary sugar rush that comes after pretty much every time Microsoft does something awful.
I think what it fundamentally comes down to is that for consumer-oriented Linux to see widespread adoption, it needs to succeed on its own merits. Right now, and since forever, Linux exists in a space for the majority of consumers who consider it where they think "I might use it, because at least it's not the other guy". A real contender would instead make the general public think "I'll use this because it's genuinely great and a pleasure to experience in its own right". And that's why I have absolutely zero faith in Linux becoming a viable smartphone ecosystem. If it were truly viable, it would have been built out already regardless of what Android was doing. "Sheltering Android refugees" is not a sustainable path to growth any more than "sheltering Windows refugees" is.
I agree, with a caveat. The vast number of consumers don't even know Linux/BSD or any of the alternatives exist.
I have zero faith in a Linux smartphone. What will happen is that there will be some GNU/FSF thing with specs that are 15 years out of date and you will have to install Linux via a serial console using Trisquel and the only application available will be Mahjong (yes I am being hyperbolic).
Clearly hyperbole! We'll also have TuxPaint, SuperTuxKart (CPU rendering only, because the toolchain doesn't support Android's HAL), and a couple of (long-abandoned) LibreOffice forks that crudely adapt different subsets of the interface for a touch device.
Unfortunately in the past people have taken obvious hyperbole literally.
I realised a few years ago when one of my friends didn't know what the browser was on her phone, that any notion of people caring about the OS outside of branding is pretty much non-existent.
I know it's been tried before (eg by Mozilla), but perhaps now the time is right for a web apps-only OS.
Many developers would need some help to get offline functionality and updates right though.. And it would be really nice if these apps didn't require parsing megabytes of JavaScript libraries on startup.
One can dream! :-)
My TV runs one, it isn't taking the world by storm.
https://webostv.developer.lge.com/discover
It's got to be better than the laggy, unreliable, content-pushing Google TV crap that runs my TV... Right?
Making a guess: nope. Same underpowered SoC, in order to save $5.
It is better than Android TV, which I also own, but in terms of ads, yep there are some as well.
Differentiation, that is what all OEMs care about, netbooks already showed us that.
Some people don't care and build on top of Linux anyway. This lockdown will accelerate this. At some point a critical mass will eventually be reached, perhaps with the assistance of some corporate entity or organization of some sort that pushes it over the edge. Then there will be a real open competitor. Will take some time though.
so the thing is, as an Android dev if I get embedded linux experience then I have lateral career movement to the peripherals that I'm usually writing apps for. While the intersection of app developers to embedded linux developers is probably very small, there is a smidge of incentive there, and that can be a powerful thing for the community: a lot of the pain points on linux phones feel hardware oriented (I complain loudly about the pinephone battery elsewhere in this thread).
another tailwind might be in the gaming scene. I have the general sense that SteamOS has been an interesting gateway for technically-minded folks to be impressed by this Linux thing. A similar model for mobile phones might be a tailwind (like a SteamOS for ARM?) The reason why that's perfect is because it undermines the Google monopoly and creates an app ecosystem that people will absolutely flock to, at least for games ($$).
> Abandoning Android for Linux is not viable for software developers who need to eat.
We'll finally get our ecosystem diversity back when the next geopolitical happening happens and Google bans Chinese android apps on bullshit pretexts.
Wait a few years more.
I'd rather like to see AOSP development spun off to a separate non-profit entity. Either by Google doing it or by a hard fork (which will need a lot of funding). Traditional Linux misses the polish and especially the security layering to be a good phone OS. Better to start from an already good base that works.
Why would that affect anything? The Chinese Android ecosystem is already split from the Google one.
> Why would that affect anything?
The Chinese will eventually find it easier to sell their Chinese ecosystem devices to the world instead of catering to Google and American three-letter agencies.
Waydroid does surprisingly well at running Android apps on Linux.
Sure some apps won't work for whatever reason & HN commenters will have incredibly scathing things to say about that, but I bet there's a lot of folks who'd be cool with missing an app here or there.
It sucks to be losing Android, but IMO it's an ecosystem in free-fall. Bootloaders are locked more and more, there's literally zero AOSP hardware buyable now, and the roms scene has diminished not grown over time.
I totally think there's a Steam Deck moment waiting around a corner, where what seemed impossible a year ago shows up and is dead obvious & direct, and we all wonder why there were so many doubts before.
> Right, but that's a choice from manufacturers, not a requirement of building a mobile platform.
IMO, I think Microsoft gave up on running Android apps on Windows because they read the writing on the wall: Google will use Play Integrity/Protect to ensure Android apps only run on Google-approved devices/operating systems and nothing else.
I think this is the ultimate fate for Waydroid, as well.
> Android is such a massive code base, and was designed more for surveillance and consumption
I disagree. I have been using de-googled / de-spywared Android for a decade now and I really love it. Once you remove google mobile services and rely on open source applications Android feels really good.
Also it's questionable if projects such as Purism or even the PinePhone will ever offer such good security and privacy as a de-googled Pixel with GrapheneOS will.
https://grapheneos.social/@GrapheneOS/112712864209034804
The hope is lost for Android, there is no moving forward with google antagonizing its foss roots. Libre phone it is. We have to forcibly remove the bandage.
I wish you were wrong, but I don't disagree with the assessment. I am on GrapheneOS (edit: on Pixel) now, but even that should only be a pitstop now since Google has decided to show its hand in such a nasty (if not that unexpected) manner.
Everyone is quick to ascribe malice without understanding why changes are made. It's never done for the reasons you think. Without a formal relationship between Graphene and Pixel, things were operating out of luck. This is why the next target hardware is starting with a business relationship. Even desktop Linux is most successful when there is a business relationship between a vendor and the distro maker. Everything else is ripe for random breakage in support.
It is not quick. Whatever goodwill google had, it is gone based on their actions alone. And this is beside the point, because, I am not judging on what they intended to do, but what their actions, including after intense community backlash, were. In other words, their intent is irrelevant given the circumstances. Their actions, however, even without intended malice, will cause tremendous damage all around.
AOSP is open source so it could be forked.
Except many key features are nowadays delivered via APEX modules, distributed via PlayStore.
https://source.android.com/docs/core/ota/apex
APEX modules are open source components of AOSP. See https://android.googlesource.com/platform/packages/modules/. Those modules include a lot of other AOSP code beyond what's directly in packages/modules too.
Google began shipping Google builds of the APEX modules via the Play Store to work around non-Pixel devices not shipping the latest monthly, quarterly and yearly OS releases. For Google Mobile Services devices, many of the APEX modules are required to be the official Google builds from the Play Store. The changes to APEX modules are released as part of the quarterly and yearly AOSP releases.
https://grapheneos.org/features#anti-persistence
GrapheneOS has apex modules disabled and never had the need for that.
ART updates are distributed via APEX since Android 12.
So is it stuck in Java 12?
I believe it's similar to kernel modules in that they can either be compiled into the kernel or distributed separately. Graphene probably just distributes it as part of the system images. This just means rollouts are coupled. Apex doesn't imply closed source, only that there is a stable surface that allows more modular updates.
APEX modules have their changes released as part of AOSP quarterly and yearly releases. There were also monthly releases with the new features distributed in the monthly mainline updates until recently. GrapheneOS is entirely capable of signing APEX modules with cross-device keys and distributing updates in our App Store, but we have very frequent OS updates and little need for APEX modules. APEX modules require a reboot to kick in so we prefer doing everything via OS releases which already only have to ship changes due to delta (incremental) updates. APEX modules are only relevant to us through how they've made the code more modular and created API boundaries between modules which are stable within major releases. It creates a bit more work for us to maintain some of our changes since we need to change the defined APIs but beyond that it's largely the same as before.
No, all of the standard APEX modules are part of the Android Open Source Project. Only device-specific APEX modules used to distribute driver support aren't part of it.
> Android was designed more for surveillance and consumption, than for privacy&security and the user's interests
I disagree. The Android security model is better than the Linux one. I am very happy with GrapheneOS, I don't have much to complain about.
The problem is that Google sucks and nobody enforces antitrust laws. But it's not just Google: how many Android manufacturers don't suck, really? Do they contribute to AOSP at all? Probably not. Do they build reasonable devices that could run something like GrapheneOS? Nope. Just relocking the bootloader is often a problem.
> I disagree. The Android security model is better than the Linux one.
In some ways it probably is, but it still isn't that good in my opinion (although some of the problems have to do with the way the settings and controls are working rather than the security model itself, there are also problems with the security model itself too). (I think there are other problems with Android (and other operating systems) too.)
> although some of the problems have to do with the way the settings and controls are working
I was talking about the security model.
buy a used OnePlus 6 and load Mobian on it. quite functional these days running a mainline kernel.
(2018) makes me more than a bit sad. I have a OnePlus 6, and it was ok with the software I tried out ~3 years ago, and basically fast enough. But it's soul crushing how running mainline Linux is just so impossible for consumer mobile chips.
It felt at the time like there was positive progress, more bits getting mainlined at a trickle but at least steady trickle rate. But it feels dark now. At least the GPU drivers everywhere have been getting much better, but I get the impression Qualcomm couldn't even ship a desktop/laptop after years of delay, is barely getting that in order now. It feels impossible to hope for the mobile chips anywhere to find religion & get even basic drivers mainlined.
>than for privacy&security and the user's interests.
Even if that was true, AOSP is better for privacy and security than any other Linux distro.
By which criterion? This sounds wrong.
https://madaidans-insecurities.github.io/linux.html
It's a different approach to security. There are no malicious apps in GNU/Linux repositories. (And yes, Linux security should be improved; I run Qubes on desktop)
https://source.puri.sm/Librem5/docs/community-wiki/-/wikis/F...
> There are no malicious apps in GNU/Linux repositories.
That's definitely not the case. There have been repeated cases of developers shipping malicious code which ended up in distribution package repositories. Defining malicious is difficult and incredibly privacy invasive behavior is often not considered to be malicious. That software is also generally being used without a mandatory app sandbox with a proper permission model, so it can access whatever it wants for the most part beyond self-imposed restrictions.
There are similarly maintained package repositories for Android such as F-Droid. It adds the people doing packaging as trusted parties. Contrary to common misconceptions, Linux distributions and F-Droid are not meaningfully auditing/reviewing the upstream code and therefore not actually significantly reducing trust in the upstream projects. There are substantial delays for updates with how most are maintained, so that gives time for external parties to find issues but doesn't mean it won't be packaged and shipped anyway.
> incredibly privacy invasive behavior is often not considered to be malicious
This is not true for Debian, which is the upstream of PureOS.
> therefore not actually significantly reducing trust in the upstream projects
And yet, it has practically negligible number of malicious apps, especially compared with Google Play. It's far from perfect, and you are right that the sandboxing should be further improved. Nevertheless, it is a security model working in practice for a large userbase of Debian. It works especially well for technical users.
> This is not true for Debian, which is the upstream of PureOS.
Lots of the software they provide has privacy invasive behavior and far more than that has poor privacy.
> And yet, it has practically negligible number of malicious apps, especially compared with Google Play.
Google Play is not the only app repository for Android-based operating systems. There are repositories in the style of traditional Linux distributions and also better approaches available.
> Nevertheless, it is a security model working in practice for a large userbase of Debian.
No, it has very poor privacy and security.
> It works especially well for technical users.
Being technical doesn't address the massive privacy and security issues. It only makes it less likely people install blatant malware instead of it being a problem through supply chain attacks and very poor security throughout the OS.
> Lots of the software they provide has privacy invasive behavior and far more than that has poor privacy.
You can't attack Debian like this without providing a few examples.
> No, it has very poor privacy and security.
This is just an empty accusation. Have you seen serious security problems in Debian with any noticeable consequences recently?
>It's a different approach to security
That's like saying using a hole in a wall is a different approach to security than putting a lockable door in a wall. Sure, no security is a different approach to security, but it's not an effective one.
>There are no malicious apps in GNU/Linux repositories
Maybe not intentionally malicious, but there have been bugs that can cause applications to act maliciously such as deleting users' files. If an application gets exploited it could also do malicious things. Just because you trust the author of a program, that doesn't mean that sandboxing is pointless. Additionally programs like the terminal are free for the user to run things like curl | sh which can run malware infecting the system and run wild since there is no security to stop it from doing almost anything.
>Purism
The wiki page pretty much says that they don't have privacy or security and don't have the resources to implement such features unlike Google or Apple. They also make some claims to try and pretend their platform is secure and private in order to help sell the Librem 5, a product they made with inferior privacy and security compared to Android.
I hope you consider strict threat modeling when deciding which approach to security is preferred. How about a threat of Google removing your control of the OS [this thread] and [0]? Or Google delaying security patches [1]?
[0] https://news.ycombinator.com/item?id=45017028
[1] https://news.ycombinator.com/item?id=45208925
>Google removing your control of the OS
That is a feature of Play Services and not a part of AOSP which is what we are talking about.
>Or Google delaying security patches
Like it or not coordinated vulnerability disclosure is a thing in the industry and is done by other Linux distros too.
This is not "coordinated vulnerability disclosure". It's waiting for slow vendors at the risk of everybody else.