2011/8/5 Matthew Finkel <matthew.finkel@×××××.com>:
> On Fri, Aug 5, 2011 at 12:05 AM, Thanasis <thanasis@××××××××××.org> wrote:
>>
>> I noticed that chromium's code has a lot of vulnerabilities.
>> https://bugs.gentoo.org/buglist.cgi?quicksearch=www-client%2Fchromium
>> I suppose this is why we see so often version upgrades of it (and it's
>> not a small app to build).
>> Why is its code so, should I say prone to bugs, compared to
>> other browsers?
>>
>
> Firefox isn't perfect
> either https://bugs.gentoo.org/buglist.cgi?quicksearch=www-client%2Ffirefox&list_id=337885
> I think you hit the nail on the head by saying that "it's not a small app to
> build". The more code that's written increases the chances that security
> holes will be introduced into the application.

I don't think so. It's not the raw number of source code lines which
makes it more prone to bugs. I think that a closer and more realistic
number would be the number of lines divided by the number of full-time
developers, and don't forget to put in the middle of that formula how
skilled they are. Taking that into account, chromium has a good base
since few teams on the planet will have the quantity and quality of
manpower that Google has to devote to this project.

> And as an internet browser, they're also susceptible to many more vectors of
> attack than most other packages. For chromium specifically, I haven't looked
> at the CVEs but I suspect many are for webkit and not just Chromium.
> Just my 2c.

The webkit branch in chromium is not the same as the one you can find in
any other webkit-based project. They just have a common origin, but
they are maintained separately and it is my understanding that they
have diverged enough to be considered as separate things.

--
Jesús Guerrero Botella