As read from my Mozilla Firefox…

  • deweydecibel@lemmy.world
    link
    fedilink
    English
    arrow-up
    207
    ·
    edit-2
    5 months ago

    headlines have focused on the detrimental effect this will have on ad blockers, which will need to adopt a complex workaround to work as now. There is a risk that users reading those headlines might seek to delay updating their browser, to prevent any ad blocker issues; you really shouldn’t go down this road—the security update is critical.

    It’s almost like tying together feature updates with security updates was a deliberate choice by tech companies so that they could tell users shit exactly like this.

    How can there be any real market choices when software literally tells users “for your own safety, you must abandon the things you want, and take the things we give you”. How can consumers influence the direction of the product if they never have the option to decline that direction?

    • tedu@azorius.net
      link
      fedilink
      arrow-up
      23
      ·
      5 months ago

      We’re all trying to figure out where these headlines came from. The stable channel with all the fixes does not (at this time) bundle the warning. How is that users have become confused and believe the dev channel is the only way to get security fixes?

      • madsen@lemmy.world
        link
        fedilink
        English
        arrow-up
        13
        ·
        5 months ago

        The headline is supposedly CISA urging users to either update or delete Chrome — it’s not Chrome/Google itself. However, I’m having trouble finding the actual CISA alert. It’s not linked in the article as far as I can tell.

    • Avid Amoeba@lemmy.ca
      link
      fedilink
      English
      arrow-up
      14
      ·
      edit-2
      5 months ago

      When it comes to open source software, market choices aren’t nearly as necessary because new ones can be created at will and very low cost by forking. But in the abstract thech companies are definitely not interested in choices. Choices don’t maximize profits.

        • Avid Amoeba@lemmy.ca
          link
          fedilink
          English
          arrow-up
          10
          ·
          edit-2
          5 months ago

          It depends on how fat the fork is. While I haven’t worked on Blink, as a developer who works on other people’s very large codebases, including one from Google, I disagree. There are free tools for build automation. That’ll take care of being up-to-date with upstream in terms of security. Patching things can be done using conflict-minimizing strategies. I used to work at an Android OEM and I’ve seen it done with great success. Thinking of Blink specifically, there have been lots of forks during its WebKit days. If I remember correctly there are also thin forks of Firefox maintained by some open source developers. This is all to support thay I don’t think it’s that big of a deal. Especially if most of it is rebranding and restoring some deprecated or deleted functionality. Could be wrong. I think we’ll see, because I have a feeling the cost of maintaining a Chromium fork could be cheaper than patching apps to work well on Firefox. Some corpos might even pitch in. Not to mention that it isn’t at all obvious for how long Firefox will be developed by Mozilla. If they drop the ball at some point we’ll be faced with implementing new features in Firefox vs patching features of Chromium. ⚖️

          • mryessir@lemmy.sdf.org
            link
            fedilink
            English
            arrow-up
            3
            ·
            5 months ago

            It does not depend in how fat the fork is. You provide some reasons on your own.

            Your assumption appears to be that open source software can be maintained with minimal costs by the community and sofware-aid assures an ongoing bug prevention of some sort.

            In the end you still need at least a few full-time devs on it. It would be fair to pay them accordingly if they are maintaining behemoths of software.

            Funfact: Infrastructure costs are x-times higher then IT Personel in my organization. A big chunk of it is energy and space; But its less then licensing costs…

            • Avid Amoeba@lemmy.ca
              link
              fedilink
              English
              arrow-up
              2
              ·
              edit-2
              5 months ago

              The Debian community already maintains a Chromium fork. How much does that cost?

              The human time needed should grow with the number of patches that need to be applied to the upstream code base, because some will fail now and then. This is what I refer to as “fatness” of the fork. The more patches, the fatter. It should be possible to build, packege and publish a fork with zero patches without human intervention, after the initial automation work. Testing is done by the users as it always has been in Debian and its derivatives. You’re referring to a few full-time developers and I simply don’t see the need. Maybe I’m missing something obvious. 😅

              • mryessir@lemmy.sdf.org
                link
                fedilink
                English
                arrow-up
                2
                ·
                edit-2
                5 months ago

                The Debian community not already maintains a Chromium fork. How much does that cost?

                I honestly can’t and wouldn’t judge: Time, Resources, implicit know-how etc. are unknown to me.

                The human time needed should grow with the number of patches that need to be applied to the upstream code base, …

                jupp

                … because some will fail now and then.

                Forks are done due to different reasons. Therefore it depends why to fork. It could be possible that one feature diverges so much that applying patches isn’t enough. Especially patches in a debian sense, neither .diff/.patch-patches.

                This is what I refer to as “fatness” of the fork. The more patches, the fatter. It should be possible to build, packege and publish a fork with zero patches without human intervention, after the initial automation work.

                For a brief period, until something rattles on the build system. Debian patches are often applied to remove binary blobs due to licensing - Imagine upstream chooses to include M$ Recall into the render engine. You would need to apply extraordinary amounts of work. Maybe even maintaining a complete separate implementation. This would also imply changes on the build systems, which needs to get aligned continiously between both upstreams, now.

                Maybe I’m missing something obvious. 😅

                With each version you have to very carefully review every commit if you want to maintain compatability with upstream, in order to merge patches into your fork.

                When there are 50 devs working on upstream and you need to review every commit to assure requirement X, this alone is a hard path. If you need to also apply workarounds compatible with future versions of upstream, you need PROFESSIONALS. Luckily these are found in the FOSS community; But they are underpaid and worse: underappreciated.

                // plus I could imagine that things like chrome may even not be coming with the full test suite. The test suite of a browser are surely so huge I can’t even comprehend the effort put into it. And then bug tickets… Upstream says: Not in my version. Now the fork has to address these themselves! :)

                • laurelraven
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  ·
                  5 months ago

                  Add into that, I’m betting googie will actively try to make downstream forks difficult to maintain without accepting the components they want to force on everyone like manifest v3

    • Alpha71@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      5 months ago

      How can consumers influence the direction of the product if they never have the option to decline that direction?

      They always have an option, they just don’t have the balls to actually do it.

  • tedu@azorius.net
    link
    fedilink
    arrow-up
    94
    ·
    5 months ago

    I’m going to go way out on a limb here and guess nothing will happen if I do neither.

    • AlphaAutist@lemmy.world
      link
      fedilink
      English
      arrow-up
      102
      ·
      5 months ago

      The article says that’s what the government is telling employees since there were several critical vulnerabilities found in chrome. It is very convenient that these vulnerabilities were patched in the same update that manifest v2 is removed though

      • Audalin@lemmy.world
        link
        fedilink
        English
        arrow-up
        45
        ·
        5 months ago

        CVEs are constantly found in complex software, that’s why security updates are important. If not these, it’d have been other ones a couple of weeks or months later. And government users can’t exactly opt out of security updates, even if they come with feature regressions.

        You also shouldn’t keep using software with known vulnerabilities. You can find a maintained fork of Chromium with continued Manifest V2 support or choose another browser like Firefox.

        • deweydecibel@lemmy.world
          link
          fedilink
          English
          arrow-up
          38
          ·
          edit-2
          5 months ago

          You also shouldn’t keep using software with known vulnerabilities. You can find a maintained fork of Chromium with continued Manifest V2 support or choose another browser like Firefox.

          It’s disgusting how this exact idea is used to push users away from things they want, and no matter what they claim, you can’t convince me this isn’t part of how they design certain updates. When the customer has no choice but to update, the company has no reason to make the update appealing. They can actively make it all worse and worse and worse, while continuing to scare users into accepting it.

          I’m tired of companies hiding behind “security” to mask anti-consumer shit, and I’m tired of the security community helping them shovel that shit while acting like the consumer is a fool for not wanting to eat it.

          • 0xD@infosec.pub
            link
            fedilink
            English
            arrow-up
            4
            ·
            5 months ago

            Yeah, go read a book or something.You have no idea what you are talking about.

            • unexpectedteapot@lemmy.ml
              link
              fedilink
              English
              arrow-up
              37
              ·
              5 months ago

              Backporting security and bug fixes is a responsible and reasonable measure taken by any software that actually respects its users ESPECIALLY when a new breaking update is released. You failed at bullying a stranger with valid concerns. Try to bring reason with you next time before you decide to be rude and condescending.

        • reddig33@lemmy.world
          link
          fedilink
          English
          arrow-up
          7
          ·
          5 months ago

          Maybe that software doesn’t need to be so fucking “complex”. It’s a web browser. Stop cramming everything but the kitchen sink into it. Half of the crap in web browsers like WebGL and WASM should be plugins anyway.

        • AbidanYre@lemmy.world
          link
          fedilink
          English
          arrow-up
          5
          ·
          5 months ago

          You can find a maintained fork of Chromium with continued Manifest V2 support or choose another browser like Firefox

          You can find them, but you’re not getting them installed on your government issued work computer.

      • Neato@ttrpg.network
        link
        fedilink
        English
        arrow-up
        5
        ·
        5 months ago

        Government isn’t telling employees shit. Federal users have no control over browser updates or most settings. At best this is a directive to push updates to it department head.

      • tedu@azorius.net
        link
        fedilink
        arrow-up
        2
        ·
        5 months ago

        I don’t know why you’d jump to the dev channel, though. Just apply the stable channel update.

    • umbrella@lemmy.ml
      link
      fedilink
      English
      arrow-up
      10
      ·
      5 months ago

      its not a false security risk, it really is unsecure to withhold updates.

      the bullshit comes from what they are doing.

    • callmepk@lemmy.world
      link
      fedilink
      English
      arrow-up
      10
      ·
      5 months ago

      I have to use for work, because all our customer only uses chrome or chrome-based browser :(

    • devilish666@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      ·
      5 months ago

      Well it’s me bc my job :

      1. YouTube Revanced for entertainment
      2. MicroG for account for apps that need google dependency for work
      3. Gmail for personal email although nowadays i rarely used it because my client rather used Telegram or WhatsApp
      4. GDrive for backup
      • eodur@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        5 months ago

        I highly recommend looking at something like Proton for 3 and 4. Or backblaze for 4 if it’s truly for backup.

        • devilish666@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          5 months ago

          Thx for recommendations bro
          I already used proton but that’s only for truly personal stuff, a lot of things on my country only support Microsoft mail or google sadly that’s why I’m still using gmail for works, same thing like WhatsApp

          Now i only need recommendations for YouTube apps that can sync playlist from my YouTube (like SpMp music player), bc i hate using YtRevanced patch every time YouTube roll out new apps

  • thejml@lemm.ee
    link
    fedilink
    English
    arrow-up
    31
    ·
    5 months ago

    I choose to just continue not having it in the first place. I uninstalled it from my work PC a year ago and never put it on either personal install. Definitely haven’t missed it.

  • NutWrench@lemmy.world
    link
    fedilink
    English
    arrow-up
    26
    ·
    5 months ago

    So . . . exactly what stealth crap is hidden in the Chrome “update?”

    " . . . but it’s also the day Google started to pull the plug on many Manifest V2 extensions as its rollout of Manifest V3 takes shape."

    Ahhhh, there we go. Manifest 3 will break almost all Chrome adblockers.

  • Luna@lemdro.id
    link
    fedilink
    English
    arrow-up
    24
    ·
    5 months ago

    Meanwhile my school still uses Chrome v109 since that was the last version that supported Windows 8