Our Vanadium browser (https://grapheneos.org/features#vanadium) is based on the stable releases of Chromium. We port to the new releases when they’re still in Beta/Dev/Canary but we wait until it’s Stable to upgrade, particularly since Stable is the only branch with proper security support.

Within release channels, Chromium uses staged rollouts where initially only a random subset of users get the new release. Recently, the initial Stable channel release started being done 1 week early and only rolled out to a tiny number of users:

https://developer.chrome.com/blog/early-stable

Current release status for Android is at https://chromiumdash.appspot.com/releases?platform=Android. There are 2 variants of a regular Stable release and 2 of an early one, since they enjoy A/B testing changes so much.

We’ve been following the early Stable, but this month they failed to support it properly…

After the pair of early Stable releases based on v125 for Android, there were 2 pairs of releases based on v124 with 2 rounds of security patches for issues being exploited in the wild. They failed to update the early Stable release as they have before, so we had to deal with it.

Strangely, it appears that the early Stable channel release was only rolled out for Android and the Safari-based iOS app. The 0.2% of Android users receiving the early Stable release aren’t getting patches for those 2 vulnerabilities being exploited in the wild. That’s not great.

These are the 2 patches missing for Android users who get updated to 125.0.6422.34 or 125.0.6422.35:

https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_9.htmlhttps://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_13.html

Both are marked as having an exploit in the wild. They should really simply make 1 tag and stop making things overly complex.

  • MrSoup@lemmy.zip
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    1
    ·
    6 months ago

    That’s why I don’t use Vanadium: I don’t want to depend on google shit.

    (I use Fennec)

    • KindnessInfinity@lemmy.mlOPM
      link
      fedilink
      English
      arrow-up
      1
      ·
      6 months ago

      Vanadium is still more secure than fennec

      Why? Well, vanadium has these security improvements:

      • Type-based Control Flow Integrity (CFI)
      • Hardware memory tagging (MTE) enabled for the main allocator
      • Strict site isolation and sandboxed iframes
      • JavaScript JIT disabled by default with per-site toggle via drop-down permission menu

      Also many more security improvements

      • MrSoup@lemmy.zip
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        6 months ago

        Yes, I know that Vanadium is actually better at security but I really just don’t want to depend on Chrome.

        I use fennec with some addons, e.g. to disable js from some sources. For me that’s enough.

        Thanks anyway for your comment and link.