
Comment by mdaniel

2 days ago

I feel as though you overlooked the "every" word in my question. I appreciate that you built it once; that's a solid accomplishment. If I'm going to be riding your custom build, with your custom C++ changes that introduce their own RCE risk, I want to at least know I'm only vulnerable to your RCE and not your RCE plus the "just disclosed" RCE for Chromium itself that was actually patched 3 weeks ago but that you didn't bother to track because you don't track Chromium release tags.

Yes, I'm acutely aware of exactly how much compute pulling off such a stunt requires; what I'm wondering is whether you are aware of exactly how much RCE risk you're running by squatting on someone else's C++ codebase that ships what feels like a vuln-a-week from one of the best-funded security research teams in the world.

I think you raise a good point, but also... how else would you propose to "fork Chrome"? This seems like the most reasonable approach?

  • Well, I wasn't passing judgement upon their forking of Chrome; that's a business decision about whether it gets them where they want to go. What I'm saying is that IF you're going to try that stunt, it's just like adopting one of those exotic animals: you need to understand what ongoing upkeep cost you're incurring, not just "oh, hey, I found a jaguar on the side of the road! Here, kitty, kitty!"

    It's also not a rando library that changes 3 times a year and who fucking cares if it has vulns: this is one of the biggest attack surfaces known to mankind, given what it does for the user.

    Merely as a "for comparison," rebuilding Firefox takes about an hour on a developer-class workstation, which IMHO sure would make tracking upstream a lot less expensive.