this post was submitted on 15 May 2024
12 points (100.0% liked)

GrapheneOS [Unofficial]

1713 readers
1 users here now

Welcome to the GrapheneOS (Unofficial) community

This feed is currently only used for announcements and news.

Official support available on our forum and matrix chat rooms

GrapheneOS is a privacy and security focused mobile OS with Android app compatibility.

Links

More Site links

Social Media

This is a community based around the GrapheneOS projects including the hardened Android Open Source Project fork, Auditor, AttestationServer, the hardened malloc implementation and other projects.

founded 3 years ago
MODERATORS
 

Our Vanadium browser (https://grapheneos.org/features#vanadium) is based on the stable releases of Chromium. We port to the new releases when they're still in Beta/Dev/Canary but we wait until it's Stable to upgrade, particularly since Stable is the only branch with proper security support.

Within release channels, Chromium uses staged rollouts where initially only a random subset of users get the new release. Recently, the initial Stable channel release started being done 1 week early and only rolled out to a tiny number of users:

https://developer.chrome.com/blog/early-stable

Current release status for Android is at https://chromiumdash.appspot.com/releases?platform=Android. There are 2 variants of a regular Stable release and 2 of an early one, since they enjoy A/B testing changes so much.

We've been following the early Stable, but this month they failed to support it properly...

After the pair of early Stable releases based on v125 for Android, there were 2 pairs of releases based on v124 with 2 rounds of security patches for issues being exploited in the wild. They failed to update the early Stable release as they have before, so we had to deal with it.

Strangely, it appears that the early Stable channel release was only rolled out for Android and the Safari-based iOS app. The 0.2% of Android users receiving the early Stable release aren't getting patches for those 2 vulnerabilities being exploited in the wild. That's not great.

These are the 2 patches missing for Android users who get updated to 125.0.6422.34 or 125.0.6422.35:

https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_9.htmlhttps://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_13.html

Both are marked as having an exploit in the wild. They should really simply make 1 tag and stop making things overly complex.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 0 points 6 months ago (1 children)

That's why I don't use Vanadium: I don't want to depend on google shit.

(I use Fennec)

[–] [email protected] 1 points 6 months ago (1 children)

Vanadium is still more secure than fennec

Why? Well, vanadium has these security improvements:

  • Type-based Control Flow Integrity (CFI)
  • Hardware memory tagging (MTE) enabled for the main allocator
  • Strict site isolation and sandboxed iframes
  • JavaScript JIT disabled by default with per-site toggle via drop-down permission menu

Also many more security improvements

[–] [email protected] 0 points 6 months ago

Yes, I know that Vanadium is actually better at security but I really just don't want to depend on Chrome.

I use fennec with some addons, e.g. to disable js from some sources. For me that's enough.

Thanks anyway for your comment and link.