
Yes, that's the honesty and transparency. The truth is that Google doesn't care; this bug isn't a priority. So the options available are 1) leave the bug open and ignore it or 2) be honest and close it as "obsolete"

Both options have the same result: no bugfix. However option #2 is a lot more transparent. Part of that transparency is your being aware that Google simply does not care.




This is just official confirmation that they don't care - I wonder why they did it... if you want to be silent just keep doing what you've been doing so far: ignoring the reports. Many developers know that many important bugs remain open after many months and Google doesn't care at all, but the average Joe has no idea.

I'm not assuming anything, Google has a track record of failing to incorporate patches in a timely manner. I don't see how closing a high priority security bug on their public tracker as "won't fix" helps them do better.

> Once the bug is fixed by the third party then automatically it will be fixed for Google.

The article explains why this isn't a safe assumption and documents numerous cases where patches were not deployed to Android devices until well after the vulnerability was publicly disclosed. https://github.blog/2023-01-23-pwning-the-all-google-phone-w...

Thus it seems obvious to me that closing the bug as "won't fix" is the wrong response. The issue shouldn't be closed until the security patch makes its way into the Android Security Bulletin.


Hmm.. I dunno. It seems pretty preposterous to decline a bug with no comment whatsoever and then to have 33 more people confirm the bug after it being declined. This thing is 3 years old now.

If "doesn't give a fuck" doesn't describe google's stance on this, how would you describe it?


No, you can't move the goalposts like this. You just said Google should have waited to disclose until a complete fix was published. In asserting that, you must also assert you'd rather have Google disclose nothing than something.

Sure. And that process is stupid in that case, and should be called stupid. If Google refuses to create a bug report themselves even though the issue is clearly described, then they can get lost.

if they cared they could fix the bug too.

Google is now a huge, slow corporation.

you don't get promoted by working on old and boring projects. everyone fights to get into the new sexy rewrite of something that is already somewhat successful. yeah they can screw up and kill features, but users will continue to use it, ensuring your promotions.

in a huge corp, do not assume that just because the little support guy understands your pain, the engineers behind will move a finger.


You do realize that telling HN is not an appropriate way to have that bug fixed, right?

I know lots of Googlers hang out here, but your comment is buried pretty deep.


I have no interest at all in reporting any bugs in Google products ever. Sorry.

Edit: Explanation, as that seemed a little snarky. Google don't seem to pay any attention to requests unless you make them through "special channels". I'm sure if I made enough stink, wrote it up, submitted to HN &c then it would get noticed and fixed, but that's not fair to the thousands of users submitting bug reports through the official channels and being completely ignored. Until Google actually start listening to their customers, I have no intention of talking to them.


I think that quote could also be interpreted as saying that Google simply didn't see it as a change that qualified for the program, not that they weren't planning on fixing it. But again, I could be entirely wrong; I have no experience with either the team or the program. I just have a hard time imagining any of the engineers that I know there getting assigned a bug like this and clicking 'working as intended - will not fix'.

"I have filed a bug" sure sounds like a brush-off to me, especially when combined with the tone of the rest of the reply (which basically reads "Not our problem" -- while it might not be Google's own defect, it's definitely a problem for Google, and one that requires mediation).

Letting vendors leave bugs unfixed is irresponsible. Google didn’t put the bug there. I don’t know why you would think otherwise.

That's the logic the blog author is using. As you can see in the bit of the article I quoted. I didn't say I necessarily agree with their analysis of this still being the same bug.

The fact that they mentioned it a couple of times suggests it was a factor in their decision to release the details today (or at least wanted to poke fun at Google).


> Has Google ever released info about an unpatched critical bug on their own systems/applications?

It seems pretty unreasonable to fault Google if the answer is "No, because they patch critical bugs in a timely manner."


It's a good thing that Linux is open and transparent. Good to admit a bug (and exactly what it is) rather than silently deny then possibly fix.

Also, somebody uses Google+ ?


Exactly. Even the most trivial of bugs can't be fixed as quickly as Google would need it to be fixed for that to be their go-to strategy. You simply cannot use that as your response to a show-stopping bug if you have stringent up-time requirements.

The only reason why this hasn't been fixed is because even with this bug, people continue to keep using the product. So why bother fixing it?

The only way to get Google to respond is to stop using their products. That's the only thing that matters to them.


It could be a situation where Google doesn't mean to do it, but also isn't incentivized to fix it. The people who make the most money off Google have the most time and motivation to find ways to manipulate it to protect and increase their profit. Anyone at Google who wants to fix it is incentivized to come up with new features for promotion rather than bugfix.

No, Google is claiming that all of their evidence, including research and data gathering, shows that the bug wasn't known or abused, but for privacy reasons they only keep two weeks of logs, so that particular chunk of evidence (the server logs) doesn't cover enough time to be definitive.
