eylenburg
consider including row for accuracy of the Android security patch level field
GrapheneOS appears to be the only one of these alternate operating systems which is setting an accurate value for the Android security patch level and downplaying the importance by splitting out a Vendor security patch level field as the LineageOS-based operating systems are doing. The split our vendor security patch level field is also often set inaccurately. LineageOS and derivatives of it often don't ship firmware and do not know the patch level that's applied.
Android security patch level is not the patch level for what's built from the Android Open Source Project.
Giving users honest and accurate information about the patch level without downplaying or obfuscating it is a useful feature.
If operating systems want to redefine this as the patch level for what they build from AOSP, they should rename it. It's inaccurate to set it to the AOSP security patch level for what they built and to set another Vendor security patch level field. Even calling it an AOSP security patch level field would not be accurate since plenty of code they ship in vendor prebuilt by the OEM is part of AOSP and built from it. It could be split up in a way that's accurate but it only serves to mislead people about the security patch state. The whole point is to have a single field giving the overall situation for firmware, kernel, drivers, other device support code and the rest of the OS. The kernel and drivers are not less important, and around half the important vulnerabilities are not fixed by just updating AOSP.
DivestOS does state it is inaccurate: https://divestos.org/pages/patch_levels#branchPatchLevels
DivestOS inherently cannot and does not include all patches from the monthly Android Security Bulletin. The patch level shown in the Settings app on DivestOS should not be regarded as accurate, in favor of this page. It merely conveys the most recent month that it may contain patches from.
It also makes it easy to see which patches are actually included/backported and how big a gap there is between versions: https://divestos.org/pages/patch_counts
That could be considered a redefinition under this however.
What LineageOS does is backwards. They should be adding a new field called LineageOS security patch level and leaving the Android security patch level with the standard definition, which should generally be what they set for Vendor security patch level.
I think adding another field serves no real purpose though... the Android security patch level deals with it. If anything, it should be clearer that the Android security patch level field also includes OEM bulletins but that's only relevant to alternate operating systems so they're unlikely to more clearly define it in that regard.