Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
How far behind is each major Chromium browser?(chromium-drift.pages.dev)
113 points by skaul 3 hours ago | 42 comments
butz 2 hours ago | parent | next [-]

I would like to see all "desktop" applications that use Electron listed and how big of a Chromium drift is there, especially how many applications are shipping runtimes with unfixed vulnerabilities.

waitwhatwhoa an hour ago | parent | next [-]

We did a study of this a few years ago[1] and the code for the instrumentation is available on github[2], the data is dated but you can see a cross section of popular apps and how far behind they were lagging over a 3 year period on page 11 of the pdf. Re: child comment, our main concern in this research was patched vulnerabilities persisting in electron apps and how damaging that could be. Details in the paper :)

1. https://www.usenix.org/system/files/usenixsecurity24-ali.pdf 2. https://github.com/masood/inspectron

captn3m0 2 hours ago | parent | prev | next [-]

I've been working on this over the years. WIP is here: https://github.com/captn3m0/electron-survey, and it doesn't look good.

I keep getting distracted by side-quests. The last one was building an Electron Zoo, and the current one is doing accurate SBOMs for each electron version.

nicoburns 2 hours ago | parent | prev | next [-]

I imagine that looks pretty bad. On the other hand, Electron apps often aren't running untrusted code, which makes it quite a bit harder to exploit.

nolist_policy 12 minutes ago | parent | next [-]

Yep. JavaScript VM breakout, Sandbox breakout and spectre/meltdown side channel leaks are all tracked as vulnerabilities towards Electron while ordinary apps don't even have such security features.

josefx 2 hours ago | parent | prev [-]

Didn't some get exploited early on because electron made it trivial to load third party websites without any kind of XSS protection?

panzi 2 hours ago | parent | prev [-]

Just wanted to write the same comment!

quantumleaper 2 hours ago | parent | prev | next [-]

Cool idea, but without longer-term tracking of how long each browser lags for each Chromium release, it's hard to draw any meaningful conclusions. It's also clear that in the case of major vulnerabilities, vendors would fast-track adoption of the patch.

I would definitely include the fact that "major" versions of Chromium are released every 2 weeks. For instance, Vivaldi is on version 146.0.7680.218 that released this Tuesday [1], only 5 days ago.

[1] https://chromium.googlesource.com/chromium/src/+/f97d14f8a0a...

dopa42365 2 hours ago | parent [-]

More like 4 weeks than 2.

https://chromestatus.com/roadmap

quantumleaper 22 minutes ago | parent [-]

You are right, I misremembered this announcement [1]. They are switching from a 4-week to a 2-week release schedule this September.

[1] https://developer.chrome.com/blog/chrome-two-week-release

dataflow 2 hours ago | parent | prev | next [-]

> Why does Chromium version lag matter?

> users are exposed to known, already-patched security vulnerabilities

Then why only focus on major versions? Don't minor versions/revisions have security fixes?

xeeeeeeeeeeenu an hour ago | parent | next [-]

Yes and also stable isn't the only maintained branch of Chromium, there's also extended stable (currently 146.x). LTS exists too (144.x), but I believe it's meant only for ChromeOS.

superjan an hour ago | parent | prev [-]

In a perfect world, there would be a stable version of chrome, that would get fixes, but would crucially not get the new features that introduce new vulnerabilities. Not a fun job, I know, but with today’s coding agents it wouldn’t even be an unreasonable ask.

pimlottc 2 hours ago | parent | prev | next [-]

Please don’t use green/red schemes, it’s the most common form of colorblindness and it’s especially bad with such pale shades.

sgtlaggy 19 minutes ago | parent | next [-]

On the topic of accessibility, the contrast of the text in the "up to date" bubbles is very low. I can barely see the yellow one, let alone read it without significant eye strain.

Firefox's dev tools have an Accessibility tab where you can see warnings about low contrast and simulate different forms of color blindness.

richwater 9 minutes ago | parent [-]

This website, while cool data, is just awful for me who is very red/green colorblind. Unusable.

xandrius an hour ago | parent | prev | next [-]

It has text supporting the color, so it's fine.

richwater 10 minutes ago | parent [-]

Some of the text is undereadable on the background.

shooly an hour ago | parent | prev [-]

Red/green is the most common way to show bad/good, error/success, etc.

Using any other color scheme would just confuse everyone instead of only colorblind people... how would that be any better?

magpi3 an hour ago | parent [-]

White with black text for success and black with white text for failure. People would figure it out.

shooly 44 minutes ago | parent [-]

So as I said instead of confusing a minority of people, we confuse everyone instead?

magpi3 24 minutes ago | parent [-]

There are always creative ways to present data. Dismissing the needs of a minority of people just because we don't share their visual impairment is lazy, and we can do better.

yawndex an hour ago | parent | prev | next [-]

In defense of Vivaldi, it is actually up to date, just on the Extended Stable cycle: https://chromiumdash.appspot.com/releases?platform=Mac

https://chromium.googlesource.com/chromium/src.git/+/main/do...

UberFly 2 hours ago | parent | prev | next [-]

This is somewhat useful, but I know for instance that Vivaldi is often one version behind for the sake of stability, but also will also release incremental security updates in the period before major version updates.

darkwater 25 minutes ago | parent | prev | next [-]

I use Firefox, btw

Retr0id an hour ago | parent | prev | next [-]

Is "uptodown" really the canonical download page for Comet?

A point-in-time view is interesting but it's less useful than a graph over time.

Would be fun to add the version shipped in LG smart TVs (hint: it's ancient)

mm263 3 hours ago | parent | prev | next [-]

Please add Helium

wswin 2 hours ago | parent | next [-]

and Ungoogled Chromium

dotcoma an hour ago | parent | prev | next [-]

Helium rocks!

ece an hour ago | parent | prev | next [-]

qutebrowser would be nice too.

Yehoshaphat 2 hours ago | parent | prev [-]

I second this motion.

mostlyk an hour ago | parent [-]

I third this motion.

shevy-java 20 minutes ago | parent | prev | next [-]

The problem is: we all are behind Google. Google sits in the driver seat here.

This is really, really bad ...

Edit: Ok, almost all of us. There are some non-Google browsers such as firefox, but Google dished out money to Mozilla for many years, which made real competition impossible.

jjmarr 2 hours ago | parent | prev | next [-]

Shouldn't it also show the version number of the browser the user is currently on?

koolala 2 hours ago | parent [-]

Which user?

catlikesshrimp an hour ago | parent [-]

The one visiting the website (tfa website)

koolala an hour ago | parent [-]

Why? What does tfa mean? I'm visiting it on Firefox.

edoceo an hour ago | parent [-]

TFA is: The Fantastic Article. The top thing that was posted.

koolala 2 hours ago | parent | prev | next [-]

Could add the Meta Quest browser

ece an hour ago | parent | prev | next [-]

Vivaldi does minor releases as needed for security and bugs, so saying 1 major version behind is a bit coarse.

Fokamul 2 hours ago | parent | prev [-]

This website, for me, it's named "List of all browsers I will never use".

Yet another reminder, lawmakers US/EU/Anywhere else, should force all browsers to actively block fingerprinting.

shooly an hour ago | parent [-]

What fingerprinting? What does this have to do with anything?