They have automation. Probably signature verification too.
I don’t know what you’re on about regarding security preventing this. It’s not like it was a security compromise or rogue employee. My guess is that they just didn’t have the automated build tools set up for an old device that wasn’t supposed to receive any more updates, so they did it on the engineer’s workstation and released that build.
It gets uploaded to the distribution system.
You’re saying that Google has no automation or signature verification for what gets loaded onto their pushed update server?
There should be multiple layers of security preventing something like this and I’m interested in how those all failed for this to happen.
They have automation. Probably signature verification too.
I don’t know what you’re on about regarding security preventing this. It’s not like it was a security compromise or rogue employee. My guess is that they just didn’t have the automated build tools set up for an old device that wasn’t supposed to receive any more updates, so they did it on the engineer’s workstation and released that build.