Google confirms AOSP source code will only drop in Q2 and Q4, Pixel monthly security patches unchanged

Google is making a major behind-the-scenes change to how it publishes Android’s open-source code, and while it may sound alarming at first, the company insists that security patch delivery will not be affected, especially for Pixel users.

Effective 2026, the company will move from its traditional quarterly release cadence to a biannual schedule, releasing source code only in Q2 and Q4 of each year.

While this raises questions for custom ROM developers like GrapheneOS, Google has assured users that the frequency of security patch releases will remain unaffected.

The new AOSP schedule

For years, Google has released the source code for nearly every new version of Android—typically coinciding with quarterly updates (QPRs) and major OS upgrades—shortly after they hit Pixel devices. This allowed developers to modify and distribute their own OS versions based on the latest code.

Starting this year, however, that transparency is being dialed back. Google told Android Authority that it will now publish new source code to AOSP only twice a year. The goal is to “ensure platform stability for the Android ecosystem” and align better with Android’s “trunk-stable” development model.

Developers visiting source.android.com will now see a banner confirming the new policy:

“Effective in 2026, to align with our trunk-stable development model and ensure platform stability for the ecosystem, we will publish source code to AOSP in Q2 and Q4. For building and contributing to AOSP, we recommend utilizing android-latest-release instead of aosp-main.”

What gets released (and what doesn’t)

This change effectively means the source code for the initial major Android release (likely the Q2 drop) and the QPR2 update (likely the Q4 drop) will be published. However, the source code for QPR1 and QPR3 will no longer be released as standalone drops. This means that:

• QPR1 changes will be included in the QPR2 source drop (Q4).
• QPR3 changes will be included in the next initial major release (Q2).

A Google spokesperson explained that this reduction from four to two releases per year simplifies development and eliminates the complexity of managing multiple code branches, ultimately allowing them to deliver a more stable foundation.

No change to monthly security patch releases for Pixel devices

The immediate concern for many was whether this reduced release schedule would impact security. Google has clarified that it will not.

A spokesperson told Android Authority:

“Process for security patch releases will not change and that the company will keep publishing security patches each month on a dedicated security-only branch for relevant OS releases just as it does today.”

For Pixel users, this means the monthly security update cadence remains exactly as it is today. Your device will continue to receive prompt protection against vulnerabilities.

Impact on GrapheneOS and Custom ROMs

While Pixel users on the stock OS might not notice the difference, the change creates a significant hurdle for privacy-focused projects like GrapheneOS that rely on AOSP source code to build their operating systems.

If a new Pixel device or a major feature update launches during a “dark” quarter (e.g., QPR1 or QPR3), developers may not have access to the corresponding source code for months. This delay prevents them from building a stable, fully feature-matched version of their OS until the next biannual drop.

We have already seen friction arising from similar issues. In September 2025, GrapheneOS voiced frustration over “empty promises” regarding security updates and delays in AOSP pushes. More recently, support for the Pixel 10 was delayed, with GrapheneOS citing missing source code and hardware connectivity issues as barriers to a stable release.

If the Pixel 10a or future devices launch with a version of Android that falls into a non-release window (like QPR1), custom ROM users could be left waiting significantly longer for stable builds compared to previous years.

This move solidifies the “trunk-stable” approach Google has been pushing, prioritizing a unified, stable codebase over frequent, granular public releases. For the average user, the promise of unchanged security patches is the most critical takeaway. However, for the open-source community that thrives on the “Open” in AOSP, 2026 marks the beginning of a more closed era.

We stand out from the tech-media crowd because we break news stories; we mainly bring you stuff that you won’t find anywhere in the mainstream tech media. Our stories have been picked up by some of the world’s most popular websites and media outlets—more info is available here.