Security Update Discussion

[BugHunter1000]

Hi everyone. First I want to say thank you to the 50ish devs making this "modern, simple, and pure" approach to web browsing experiment a reality. Since firing up Wireshark and watching what other modern browsers do, they are loud annoying screaming babies compared with the quiet zen of this project. Well done!

I would like to begin a discussion on a question which is forefront in my mind, and probably everyone else's on how this project handles security. I've been testing UC over the last few weeks and one thing that comes up as a concern is how we do security updates and how worried I should be using UC between Chrome updates and when we release a new patch.

Thus I subscribed to several news feeds and found this in my reader today: https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop.html

I had to giggle internally at the number of anti-features involved in Chrome that wouldn't touch UC because we simply don't support them. And good riddance!

But a couple caught my eye, such as:

• [$20000][1153595] High CVE-2021-21107: Use after free in drag and drop. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2020-11-30
• [$20000][1155426] High CVE-2021-21108: Use after free in media. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2020-12-04
• [$7500][1151298] High CVE-2021-21112: Use after free in Blink. Reported by YoungJoo Lee(@ashuu_lee) of Raon Whitehat on 2020-11-20

There were a few others, you can read them yourself at the link above if you are the curious sort.

My question is whether any of these effect UC and how soon we will see updates for them? I am also very curious what method everyone uses to "patch" UC. I run a very minimal Linux without any package manager and so I use either the binary or self-compiled depending on my mood. I use several extensions as well, so re-downloading everything and starting fresh is becoming an enormous problem. Is there a better solution on that front?

Thank you all again and best wishes for this (already crazy) new year!

[Zoraver]

You should operate under the assumption that security vulnerabilities in Chromium affect ungoogled-chromium as well, unless you have reason to believe otherwise. The update to Chromium 87.0.4280.141 (#1311) is ready for review and will be merged after Eloston has time to review it.

I would not recommend using the contributor binaries since they can be submitted by anyone without reproducibility. Either compile ungoogled-chromium yourself or install it from a package repository that you trust. Updating ungoogled-chromium should not require you to reinstall extensions; you are hitting a bug or you are doing something else (deleting your chromium profile?) that is causing you to have to reinstall them.

[BugHunter1000]

@Zoraver Thank you for getting back to me so quickly, and for all the work your team does on this cool project. I really meant what I said positively about it.

I've got a VM running Manjaro where I'm testing this - is there a proposed best practice on Arch derivatives like this one to install and update? Assume I am an idiot and you will probably not be disappointed. You can imagine that I am wary of the AUR if I am going so far as to try out UC. I'm actually moving in the direction of stripping down all my software of needless complexity such as Chrome and SystemD, both for transparency and just a sort of "zen" that I prefer in my systems. Is there a way to do the build without resorting to AUR and if AUR is what you recommend, can you explain how you are comfortable with it? If possible I would really like to understand a non-AUR solution even if this is the recommended approach.

Thanks to all of you again!