[gentoo-user] www-client/chromium

[gentoo-user] www-client/chromium

[Thanasis]

I noticed that chromium's code has a lot of vulnerabilities.
https://bugs.gentoo.org/buglist.cgi?quicksearch=www-client%2Fchromium
I suppose this is why we see so often version upgrades of it (and it's
not a small app to build).
Why is its code so, should I say prone to bugs, compared to
other browsers?

Re: [gentoo-user] www-client/chromium

[Matthew Finkel]

[-- Attachment #1: Type: text/plain, Size: 945 bytes --]

On Fri, Aug 5, 2011 at 12:05 AM, Thanasis <thanasis@asyr.hopto.org> wrote:

> I noticed that chromium's code has a lot of vulnerabilities.
> https://bugs.gentoo.org/buglist.cgi?quicksearch=www-client%2Fchromium
> I suppose this is why we see so often version upgrades of it (and it's
> not a small app to build).
> Why is its code so, should I say prone to bugs, compared to
> other browsers?
>
>
Firefox isn't perfect either
https://bugs.gentoo.org/buglist.cgi?quicksearch=www-client%2Ffirefox&list_id=337885

I think you hit the nail on the head by saying that "it's not a small app to
build". The more code that's written increases the the chances a security
holes will be introduced into the application.
And as an internet browser, they're also susceptible to many more vectors of
attack than most other packages. For chromium specifically, I haven't looked
at the CVEs but I suspect many are for webkit and not just Chromium.

Just my 2c.

[-- Attachment #2: Type: text/html, Size: 1503 bytes --]

Re: [gentoo-user] www-client/chromium

[Adam Carter]

On Fri, Aug 5, 2011 at 2:05 PM, Thanasis <thanasis@asyr.hopto.org> wrote:
> I noticed that chromium's code has a lot of vulnerabilities.
> https://bugs.gentoo.org/buglist.cgi?quicksearch=www-client%2Fchromium
> I suppose this is why we see so often version upgrades of it (and it's
> not a small app to build).
> Why is its code so, should I say prone to bugs, compared to
> other browsers?

You've made an assumption there. Correlation implies causation?

Perhaps there's more bugs found because of the bounties paid? Or maybe
its because the code is newer than the alternatives.... I don't think
its possible to make a judgement based on the information I have.

Re: [gentoo-user] www-client/chromium

[Michael Mol]

On Fri, Aug 5, 2011 at 12:23 AM, Adam Carter <adamcarter3@gmail.com> wrote:
> On Fri, Aug 5, 2011 at 2:05 PM, Thanasis <thanasis@asyr.hopto.org> wrote:
>> I noticed that chromium's code has a lot of vulnerabilities.
>> https://bugs.gentoo.org/buglist.cgi?quicksearch=www-client%2Fchromium
>> I suppose this is why we see so often version upgrades of it (and it's
>> not a small app to build).
>> Why is its code so, should I say prone to bugs, compared to
>> other browsers?
>
> You've made an assumption there. Correlation implies causation?
>
> Perhaps there's more bugs found because of the bounties paid? Or maybe
> its because the code is newer than the alternatives.... I don't think
> its possible to make a judgement based on the information I have.

At least one of the "multiple vulnerabilities" bugs linked to a Chrome
update notice which didn't list any vulnerabilities. (Well, except a
Flash update, which I didn't dig into)


-- 
:wq

Re: [gentoo-user] www-client/chromium

[Matthew Finkel]

[-- Attachment #1: Type: text/plain, Size: 363 bytes --]

On Fri, Aug 5, 2011 at 12:36 AM, Michael Mol <mikemol@gmail.com> wrote:

>
> At least one of the "multiple vulnerabilities" bugs linked to a Chrome
> update notice which didn't list any vulnerabilities. (Well, except a
> Flash update, which I didn't dig into)
>
>
> --
> :wq
>
>
Mmmmm Flash. Now there is a nice and secure piece of software!


-- 
Matthew Finkel

[-- Attachment #2: Type: text/html, Size: 746 bytes --]

Re: [gentoo-user] www-client/chromium

[Thanasis]

on 08/05/2011 07:23 AM Adam Carter wrote the following:
> On Fri, Aug 5, 2011 at 2:05 PM, Thanasis <thanasis@asyr.hopto.org> wrote:
>> I noticed that chromium's code has a lot of vulnerabilities.
>> https://bugs.gentoo.org/buglist.cgi?quicksearch=www-client%2Fchromium
>> I suppose this is why we see so often version upgrades of it (and it's
>> not a small app to build).
>> Why is its code so, should I say prone to bugs, compared to
>> other browsers?
> 
> You've made an assumption there. 

Maybe my assumption isn't true, after all seeing the list for firefox
that Matthew pointed to, although with firefox we don't see upgrades so
often, I guess we should *not* feel more secure with it...

Re: [gentoo-user] www-client/chromium

[Adam Carter]

>> You've made an assumption there.
>
> Maybe my assumption isn't true, after all seeing the list for firefox
> that Matthew pointed to, although with firefox we don't see upgrades so
> often, I guess we should *not* feel more secure with it...

The noscript firefox addon gives significant protection with only a
little inconvenience. There was no equivalent for chromium last time I
checked, and it still doesn't have a master password to protect saved
webform passwords. Chromium is faster than a pgo build of firefox so i
would prefer to use it, but not until those two issues are addressed.

Re: [gentoo-user] www-client/chromium

[Matthew Finkel]

[-- Attachment #1: Type: text/plain, Size: 1016 bytes --]

On Fri, Aug 5, 2011 at 1:14 AM, Adam Carter <adamcarter3@gmail.com> wrote:

> >> You've made an assumption there.
> >
> > Maybe my assumption isn't true, after all seeing the list for firefox
> > that Matthew pointed to, although with firefox we don't see upgrades so
> > often, I guess we should *not* feel more secure with it...
>
> The noscript firefox addon gives significant protection with only a
> little inconvenience. There was no equivalent for chromium last time I
> checked, and it still doesn't have a master password to protect saved
> webform passwords. Chromium is faster than a pgo build of firefox so i
> would prefer to use it, but not until those two issues are addressed.
>
>
I felt the same way, but then I found NotScript [0]. It's decent, I do like
noscript a bit better, but it gets the job done. I can't recall anything
about a master password, though, so that may still be a valid concern.

0.
https://chrome.google.com/webstore/detail/odjhifogjcknibkahlpidmdajjpkkcfn

-- 
Matthew Finkel

[-- Attachment #2: Type: text/html, Size: 1488 bytes --]

Re: [gentoo-user] www-client/chromium

[Mick]

[-- Attachment #1: Type: Text/Plain, Size: 984 bytes --]

On Friday 05 Aug 2011 06:14:37 Adam Carter wrote:
> >> You've made an assumption there.
> > 
> > Maybe my assumption isn't true, after all seeing the list for firefox
> > that Matthew pointed to, although with firefox we don't see upgrades so
> > often, I guess we should *not* feel more secure with it...
> 
> The noscript firefox addon gives significant protection with only a
> little inconvenience. 

By "little inconvenience" you mean that most webpages will not show up 
properly?  These days any page has a tonne of JavaScript in it and menus, 
slideshows, etc. will not render without it.  Because many designers or CMS' 
engines do not provide graceful degradation, you end up looking at half a page 
and thinking what else is missing.

I agree that security can have a price in terms of inconvenience, but I found 
that I had to switch NoScript off after a while because it was becoming a 
significant hindrance.

Just my 2cs . . .
-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-user] www-client/chromium

[Thanasis]

on 08/05/2011 08:44 AM Mick wrote the following:
> On Friday 05 Aug 2011 06:14:37 Adam Carter wrote:
>> The noscript firefox addon gives significant protection with only a
>> little inconvenience. 
> 
> By "little inconvenience" you mean that most webpages will not show up 
> properly?  These days any page has a tonne of JavaScript in it and menus, 
> slideshows, etc. will not render without it.  Because many designers or CMS' 
> engines do not provide graceful degradation, you end up looking at half a page 
> and thinking what else is missing.
> 
> I agree that security can have a price in terms of inconvenience, but I found 
> that I had to switch NoScript off after a while because it was becoming a 
> significant hindrance.
> 

I will agree. I also have it almost "switched off" (allow scripts globally).

Re: [gentoo-user] www-client/chromium

[Jesús J. Guerrero Botella]

2011/8/5 Matthew Finkel <matthew.finkel@gmail.com>:
> On Fri, Aug 5, 2011 at 12:05 AM, Thanasis <thanasis@asyr.hopto.org> wrote:
>>
>> I noticed that chromium's code has a lot of vulnerabilities.
>> https://bugs.gentoo.org/buglist.cgi?quicksearch=www-client%2Fchromium
>> I suppose this is why we see so often version upgrades of it (and it's
>> not a small app to build).
>> Why is its code so, should I say prone to bugs, compared to
>> other browsers?
>>
>
> Firefox isn't perfect
> either https://bugs.gentoo.org/buglist.cgi?quicksearch=www-client%2Ffirefox&list_id=337885
> I think you hit the nail on the head by saying that "it's not a small app to
> build". The more code that's written increases the the chances a security
> holes will be introduced into the application.

I don't think so. It's not the raw number of source code lines which
makes it more prone to bugs. I think that a closer and more realistic
number would be the number of lines divided by the number of full-time
developers, and don't forget to put in the middle of that formula how
skilled they are. Having that into account, chromium has a good base
since few teams in the planet will have the quantity and quality of
man power that Google has to devote to this project.

> And as an internet browser, they're also susceptible to many more vectors of
> attack than most other packages. For chromium specifically, I haven't looked
> at the CVEs but I suspect many are for webkit and not just Chromium.
> Just my 2c.

The webkit branch into chromium is not the same that you can find in
any other webkit-based project. They just have a common origin, but
they are maintained separately and it is my understanding that they
have diverged enough to be considered as separate things.

-- 
Jesús Guerrero Botella

Re: [gentoo-user] www-client/chromium

[Neil Bothwick]

[-- Attachment #1: Type: text/plain, Size: 478 bytes --]

On Fri, 5 Aug 2011 15:14:37 +1000, Adam Carter wrote:

> The noscript firefox addon gives significant protection with only a
> little inconvenience. There was no equivalent for chromium last time I
> checked, and it still doesn't have a master password to protect saved
> webform passwords

Chromium uses KWallet to store passwords on a KDE system now. I believe
it can use the GNOME keyring too.


-- 
Neil Bothwick

Talk is cheap because supply exceeds demand.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-user] www-client/chromium

[Matthew Finkel]

[-- Attachment #1: Type: text/plain, Size: 3534 bytes --]

2011/8/5 Jesús J. Guerrero Botella <jesus.guerrero.botella@gmail.com>

> 2011/8/5 Matthew Finkel <matthew.finkel@gmail.com>:
> > On Fri, Aug 5, 2011 at 12:05 AM, Thanasis <thanasis@asyr.hopto.org>
> wrote:
> >>
> >> I noticed that chromium's code has a lot of vulnerabilities.
> >> https://bugs.gentoo.org/buglist.cgi?quicksearch=www-client%2Fchromium
> >> I suppose this is why we see so often version upgrades of it (and it's
> >> not a small app to build).
> >> Why is its code so, should I say prone to bugs, compared to
> >> other browsers?
> >>
> >
> > Firefox isn't perfect
> > either
> https://bugs.gentoo.org/buglist.cgi?quicksearch=www-client%2Ffirefox&list_id=337885
> > I think you hit the nail on the head by saying that "it's not a small app
> to
> > build". The more code that's written increases the the chances a security
> > holes will be introduced into the application.
>
> I don't think so. It's not the raw number of source code lines which
> makes it more prone to bugs. I think that a closer and more realistic
> number would be the number of lines divided by the number of full-time
> developers, and don't forget to put in the middle of that formula how
> skilled they are. Having that into account, chromium has a good base
> since few teams in the planet will have the quantity and quality of
> man power that Google has to devote to this project.
>
> > And as an internet browser, they're also susceptible to many more vectors
> of
> > attack than most other packages. For chromium specifically, I haven't
> looked
> > at the CVEs but I suspect many are for webkit and not just Chromium.
> > Just my 2c.
>
> The webkit branch into chromium is not the same that you can find in
> any other webkit-based project. They just have a common origin, but
> they are maintained separately and it is my understanding that they
> have diverged enough to be considered as separate things.
>
> --
> Jesús Guerrero Botella
>
>
Your points on code quality and developer quality/experience are well taken,
and I completely agree; the number of lines of source code is never really a
good criterion for comparison. I also wasn't aware the chromium-base and
webkit-base had diverged so much. On second look of the bug reports, all of
them are linked to the Google Chrome Release blog, where the vast majority
of the vulnerabilities/bugs are attributed to bounty hunters. So I believe
this also heavily contributes to the quick release cycle. To Thanasis'
point, I think the quick release cycle is two-fold. The first being that
Google has a policy of release early-release often, so I would guess that
once the new feature set is stable they push it out. Second is the fact that
most people like using stable and secure software as well as making money.
Also, quite a few of the bugs, in the Google Chrome Team's words, were
"clever", so I would assume they weren't easy to find. I didn't go digging
around to see how old these bugs were, to see when they were introduced, but
it did appear that a large portion were due to common coding error, i.e.
use-after-free, memory corruption, etc.

As an aside, a similar (condensed) list of vulnerabilities in all Mozilla
projects can be found here [0]. I think, overall, compared to
Chrome/Chromium, there are significantly less vulnerabilities reported for
Firefox. But there is also far less money going towards the discoveries, as
well.

0. http://www.mozilla.org/security/known-vulnerabilities/

- Matt

[-- Attachment #2: Type: text/html, Size: 4518 bytes --]