Google messed up Pixel 6 Secutiy Patch Update

Google has rolled out a monthly security update for its Pixel phones at the beginning of each month for the last several years. The January 2022 update for Pixel phones started rolling out on Tuesday, but Google’s latest Pixel phones — the Pixel 6 and Pixel 6 Pro — won’t be receiving the update until later this month.

A couple of weeks of delay doesn’t sound like a big deal, but Google previously halted and pulled the big December 2021 update before it rolled out for most Pixel 6 users — meaning most users are running a build that’s two months out of date (and potentially getting their enterprise access revoked). Considering that the January 2022 update fixes the very serious emergency calling bug, it’s a bit worrying that the update has been delayed!

It’s normal for some bugs to go unnoticed before an update goes out, because it’s impossible to catch every issue in the brief time they have to test. Nevertheless, this delay highlights a flaw in how Google handles Android’s monthly security patches.

Android 12 was Google’s biggest OS update in years, and given the approximately one-year turnaround for its development, it’s no surprise that the initial release had a lot of bugs and unresolved issues.

That’s another reason the December 2021 update was particularly noteworthy: it fixed nearly 100 bugs in Android 12. Fixing so many bugs and integrating the Android 12 QPR1 codebase necessitated extensive testing, but Google doesn’t do public beta tests for quarterly releases, so they had to test everything internally. The approximately 1.5 month long period for testing and certification was clearly insufficient this time around, though. Tying the release of a security update to a big feature update is risky, and this time, it resulted in the security update being significantly delayed.

Google knows how severe this issue is, which is why they even backported security patches to Android 8.0-8.1 for OEMs to pick even though Google only commits to backporting security patches to Android versions that are less than 3.5 years old. Google wants to release new security updates once a month and new quarterly platform releases once every three months, but there’s no reason they can’t step out of that cycle occasionally. 

Committing to a once-a-month release cycle has its benefits, of course, as it makes updates more predictable and less annoying for users. However, I believe an exception needs to be made when it comes to updates that fix major security issues — patches are immediately made available all the time for critical security issues that affect other software we use on a day-to-day basis.