2011/8/5 Jesús J. Guerrero Botella <jesus.guerrero.bote...@gmail.com>

> 2011/8/5 Matthew Finkel <matthew.fin...@gmail.com>:
> > On Fri, Aug 5, 2011 at 12:05 AM, Thanasis <thana...@asyr.hopto.org> wrote:
> >>
> >> I noticed that chromium's code has a lot of vulnerabilities.
> >> https://bugs.gentoo.org/buglist.cgi?quicksearch=www-client%2Fchromium
> >> I suppose this is why we see so often version upgrades of it (and it's
> >> not a small app to build).
> >> Why is its code so, should I say prone to bugs, compared to
> >> other browsers?
> >>
> >
> > Firefox isn't perfect either:
> > https://bugs.gentoo.org/buglist.cgi?quicksearch=www-client%2Ffirefox&list_id=337885
> > I think you hit the nail on the head by saying that "it's not a small app
> > to build". The more code that's written, the greater the chance that
> > security holes will be introduced into the application.
>
> I don't think so. It's not the raw number of source code lines which
> makes it more prone to bugs. I think that a closer and more realistic
> number would be the number of lines divided by the number of full-time
> developers, and don't forget to put in the middle of that formula how
> skilled they are. Taking that into account, chromium has a good base
> since few teams on the planet will have the quantity and quality of
> manpower that Google has to devote to this project.
>
> > And as an internet browser, they're also susceptible to many more vectors
> > of attack than most other packages. For chromium specifically, I haven't
> > looked at the CVEs but I suspect many are for webkit and not just Chromium.
> > Just my 2c.
>
> The webkit branch in chromium is not the same as the one you can find in
> any other webkit-based project. They just have a common origin, but
> they are maintained separately and it is my understanding that they
> have diverged enough to be considered separate things.
>
> --
> Jesús Guerrero Botella
>
>
Your points on code quality and developer quality/experience are well taken,
and I completely agree; the number of lines of source code is never really a
good criterion for comparison. I also wasn't aware the chromium-base and
webkit-base had diverged so much. On a second look at the bug reports, all of
them are linked to the Google Chrome Release blog, where the vast majority
of the vulnerabilities/bugs are attributed to bounty hunters. So I believe
this also heavily contributes to the quick release cycle. To Thanasis'
point, I think the quick release cycle is two-fold. The first being that
Google has a policy of "release early, release often", so I would guess that
once the new feature set is stable they push it out. Second is the fact that
most people like using stable and secure software as well as making money.
Also, quite a few of the bugs, in the Google Chrome Team's words, were
"clever", so I would assume they weren't easy to find. I didn't go digging
around to see how old these bugs were, to see when they were introduced, but
it did appear that a large portion were due to common coding errors, e.g.
use-after-free, memory corruption, etc.

As an aside, a similar (condensed) list of vulnerabilities in all Mozilla
projects can be found here [0]. I think, overall, compared to
Chrome/Chromium, there are significantly fewer vulnerabilities reported for
Firefox. But there is also far less money going towards the discoveries, as
well.

0. http://www.mozilla.org/security/known-vulnerabilities/

- Matt
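As an added illustration of the use-after-free class the thread mentions (a constructed example, not Chromium or WebKit code, and not posted by any participant): a DOM-like node whose script-controlled event listener removes the node while the dispatcher still holds a raw pointer to it, next to a reference-counted version that survives the same listener. All names here (`Node`, `node_ref`, `safe_dispatch`, `run_scenario`, and the single-child tree) are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not Chromium/WebKit code: a minimal DOM-like node with
 * an event listener. Ownership is by reference count; the tree holds one
 * reference to each child. */
typedef struct Node {
    int refcount;
    int id;
    struct Node *parent;
    struct Node *child;                 /* single child keeps the example short */
    void (*on_event)(struct Node *self);
} Node;

static Node *node_new(int id) {
    Node *n = calloc(1, sizeof *n);
    if (!n) abort();
    n->refcount = 1;
    n->id = id;
    return n;
}

static void node_ref(Node *n) { n->refcount++; }

static void node_unref(Node *n) {
    if (--n->refcount == 0) {
        memset(n, 0xAA, sizeof *n);     /* poison so stale reads stand out under ASan/valgrind */
        free(n);
    }
}

/* Unlinks a node from its parent and drops the tree's reference to it. */
static void node_detach(Node *n) {
    if (n->parent && n->parent->child == n) {
        n->parent->child = NULL;
        n->parent = NULL;
        node_unref(n);                  /* may free n right here */
    }
}

/* Script-controlled listener that removes its own node: the classic trigger. */
static void remove_self(Node *self) { node_detach(self); }
static void keep_self(Node *self) { (void)self; }

/* VULNERABLE: borrows the child pointer, runs the listener, keeps using it.
 * If the listener detaches the node, the refcount hits zero and `target`
 * dangles. Not called below; compiled with -fsanitize=address and invoked
 * with a self-removing listener it reports heap-use-after-free on the read. */
int vulnerable_dispatch(Node *parent) {
    Node *target = parent->child;
    if (!target) return -1;
    if (target->on_event) target->on_event(target);
    return target->id;                  /* BUG: may read freed memory */
}

/* HARDENED: take our own reference for the duration of the callback and
 * re-check the tree afterwards instead of trusting the pre-callback state. */
int safe_dispatch(Node *parent) {
    Node *target = parent->child;
    if (!target) return -1;
    node_ref(target);                   /* listener can detach, but cannot free */
    if (target->on_event) target->on_event(target);
    int id = target->id;                /* valid: we still own a reference */
    int still_attached = (parent->child == target);
    node_unref(target);                 /* frees only if the tree already let go */
    return still_attached ? id : -id;   /* negative id = removed during dispatch */
}

/* Builds parent->child, dispatches safely, tears down, returns the result.
 * Returns child_id when the child stayed attached, -child_id when the
 * listener removed it during dispatch. */
int run_scenario(int child_id, int self_removing) {
    Node *parent = node_new(1);
    Node *child = node_new(child_id);
    child->parent = parent;
    parent->child = child;              /* tree owns the initial reference */
    child->on_event = self_removing ? remove_self : keep_self;

    int result = safe_dispatch(parent);

    if (parent->child) node_detach(parent->child);
    node_unref(parent);
    return result;
}

int main(void) {
    printf("self-removing listener: %d\n", run_scenario(7, 1));  /* -7 */
    printf("ordinary listener:      %d\n", run_scenario(3, 0));  /*  3 */
    return 0;
}
```

The fix is the pattern browser engines rely on for exactly this situation: any code that calls out to script while holding a pointer into the DOM must own a reference across the call and must re-validate tree state afterwards, because the callee is free to mutate or remove what the caller was looking at.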
