:: Re: [Dng] Plan for Devuan to use Mo…
Top Page
Delete this message
Reply to this message
Author: Jude Nelson
Date:  
To: Adam Borowski
CC: dng@lists.dyne.org
Subject: Re: [Dng] Plan for Devuan to use Mozilla products as is
> Besides issues related to Chromium's poor support for privacy features,
> it also has no real security support.


No comment on the privacy features, but I beg to differ on the security.
The fact that the Linux build of Chromium runs each tab and plugin in its
own seccomp'ed process and runs them all separately from a "kernel" process
puts the browser worlds ahead of Firefox in terms of security. Excluding
project Electrolysis (which I look forward to), the fact that Firefox runs
every tab in the same process means that one bad tab can compromise the
whole browser without too much effort. By contrast, Chromium's
kernel/process-per-tab factoring has led to secure browser designs [1]
where this class of exploit and others are provably impossible.

-Jude

[1] http://goto.ucsd.edu/quark/


On Wed, Mar 4, 2015 at 8:33 PM, Adam Borowski <kilobyte@???> wrote:

> On Wed, Mar 04, 2015 at 05:14:26PM -0600, T.J. Duchene wrote:
> > >>>Is Devuan going to use the exact same guideline? If not,is there any
> > >>>plan for Devuan to use Mozilla products as is in the future,
> > >>>especially Firefox and Thunderbird?
> >
> > If I might offer an alternative suggestion? I'd rather see Devuan
> > default to Chromium with NAPI support than use Firefox, period.
>
> Besides issues related to Chromium's poor support for privacy features,
> it also has no real security support. There's nothing but "install the
> newest and greatest, right now". Unlike Firefox' long-term-support
> releases, any version of Chromium becomes unsupported the moment a new one
> appears. Even worse, there's no heed that such new version builds on
> toolchains which are not likewise "newest and greatest" (such as gcc-4.7).
>
> Please read:
> https://lists.debian.org/debian-security-announce/2015/msg00031.html
> -- there is no security support for Chromium on any Debian release: support
> on wheezy had to be dropped, while there's no jessie yet, and wheezy has
> still 1.5 years of primary security support, not to even mention LTS.
>
> --
> // If you believe in so-called "intellectual property", please immediately
> // cease using counterfeit alphabets. Instead, contact the nearest temple
> // of Amon, whose priests will provide you with scribal services for all
> // your writing needs, for Reasonable and Non-Discriminatory prices.
> _______________________________________________
> Dng mailing list
> Dng@???
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
>