- Both FlatHub and the Snap Store had a gap of more than 2 weeks between Google reporting a security vulnerability being exploited in the wild and these software stores pushing an upgrade.
- Debian chromium package is still vulnerable.
Exploited in the wild is a crucial difference here. That’s the line between theoretic considerations and security in the real world.
03 April 2021
- firefox-esr on Debian Security Tracker
- One unimportant issue.
- No security vulnerabilities reported being exploited in the wild.
- chromium on Debian Security Tracker
- 6 CVEs.
- At least 1 vulnerability reported being exploited in the wild.
Due to my above two posts and this post (Firefox and Chromium | Madaidan's Insecurities), may I suggest replacing Chromium with Chrome? @madaidan
It sounds right in theory but all the security mitigations in Chromium didn’t help to avoid this vulnerability being exploited in the wild. We should prioritize security in the real world over theoretic considerations. Despite all security innovations in Chrome / Chromium, those didn’t actually help users in the real world if Chromium maintenance (new releases with security fixes) lags behind Chrome. Maintenance is unfortunately something that cannot be excluded from the security comparison.
Now for more than 2 weeks Kicksecure would have had the choice to either install by default:
- Firefox: No security vulnerabilities reported being exploited in the wild.
- Chromium: At least 1 vulnerability reported being exploited in the wild.
More theoretic considerations…
Additionally, users on the Linux platform [1] had the choice:
- to use non-freedom software Chrome + being vulnerable to Google Chrome Repository Insecurity
Kicksecure Freedom Software doesn’t have the chance to install Chrome by default because it would then become non-freedom software. Even when mixing Freedom Software with non-freedom software, I wouldn’t know if Chrome could be legally re-distributed. I haven’t found a license agreement for Chrome yet.
The question of the Kicksecure default browser, Debian’s Firefox ESR (or any other Firefox from alternative sources) versus any Chromium, has unfortunately now become less clear to me.
[1] Leaving out Windows from considerations since this is about what to do in Kicksecure, Freedom Software, Linux based.
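The comparison made in the posts above (open CVEs per package from the Debian Security Tracker, with the "exploited in the wild" ones singled out) can be automated. The script below is an added example, not code from the forum or from Kicksecure; it assumes the tracker's JSON export shape (package -> CVE id -> per-release status) and a KEV-style feed of exploited CVE ids, and uses constructed sample data that mirrors the counts quoted above rather than real tracker entries.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of the Debian Security Tracker JSON export
# (package -> CVE id -> per-release status). Values are illustrative only and
# mirror the counts quoted above: one unimportant firefox-esr issue and six
# open chromium CVEs, one of which is also listed as exploited in the wild.
TRACKER_SAMPLE = {
    "firefox-esr": {
        "CVE-0000-0001": {"scope": "local", "releases": {
            "bullseye": {"status": "open", "urgency": "unimportant"}}},
    },
    "chromium": {
        f"CVE-0000-{n:04d}": {"scope": "remote", "releases": {
            "bullseye": {"status": "open", "urgency": "not yet assigned"}}}
        for n in range(2, 8)
    },
}
# Constructed feed of CVE ids reported as exploited in the wild, in the shape
# of a CISA KEV-style export ({"vulnerabilities": [{"cveID": ...}, ...]}).
KEV_SAMPLE = {"vulnerabilities": [{"cveID": "CVE-0000-0002"}]}


def open_cves(tracker: dict, package: str, release: str) -> Dict[str, str]:
    """Return {cve_id: urgency} for CVEs still 'open' for package in release."""
    result = {}
    for cve_id, entry in tracker.get(package, {}).items():
        rel = entry.get("releases", {}).get(release)
        if rel and rel.get("status") == "open":
            result[cve_id] = rel.get("urgency", "unknown")
    return result


def compare(tracker: dict, kev: dict, packages: List[str], release: str) -> dict:
    """Per package: open CVE count, how many are only 'unimportant', and which
    open CVEs are also reported as exploited in the wild."""
    kev_ids = {v["cveID"] for v in kev.get("vulnerabilities", [])}
    summary = {}
    for pkg in packages:
        cves = open_cves(tracker, pkg, release)
        summary[pkg] = {
            "open": len(cves),
            "unimportant": sum(1 for u in cves.values() if u == "unimportant"),
            "exploited": sorted(c for c in cves if c in kev_ids),
        }
    return summary


def prefer(summary: dict) -> str:
    """Rank candidates: no open in-the-wild exploited CVE first, then fewest open."""
    return min(summary, key=lambda p: (len(summary[p]["exploited"]), summary[p]["open"]))


if __name__ == "__main__":
    s = compare(TRACKER_SAMPLE, KEV_SAMPLE, ["firefox-esr", "chromium"], "bullseye")
    print(json.dumps(s, indent=2))
    print("safer default:", prefer(s))
```

Replace the constructed dicts with the live tracker export and a real exploited-vulnerabilities feed to reproduce the check for a current release.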