Comment by akyuu
3 years ago
IMO the browser is far too important to use third-party builds containing patches that don't receive serious audit.
For example, the Chromium packages provided by the vast majority of Linux distros disable security features like CFI (check your favorite distro's x86_64 Chromium package build log and look for the "is_cfi" argument). I think Arch is the only exception.
ungoogled-chromium has similar problems https://qua3k.github.io/ungoogled/
If you are going to use a Blink-based browser, I would recommend just using the official Google release, or maybe Edge or Brave if you trust the organizations behind them. Otherwise, just switch to Firefox. It has its own problems, like being overall less hardened than Chromium, but it's far less user-hostile. And regarding security, for browsing untrusted sites, I think you should always virtualize the browser since they're all routinely exploited anyway.
> Linux distros disable security features like CFI
Why would they even do that?
I'm not sure, but I think CFI also requires building Chromium as a single binary with LTO, and this has extremely high memory requirements that their build infrastructure might not be able to handle. Also, I think some distros use GCC instead of LLVM/Clang, so CFI isn't even an option.