GtapheneOS Discusses How Chromium Releases Are Handled and How They Impact Security
Our Vanadium browser (https://grapheneos.org/features#vanadium) is based on the stable releases of Chromium. We port to the new releases when they’re still in Beta/Dev/Canary but we wait until it’s Stable to upgrade, particularly since Stable is the only branch with proper security support.
Within release channels, Chromium uses staged rollouts where initially only a random subset of users get the new release. Recently, the initial Stable channel release started being done 1 week early and only rolled out to a tiny number of users:
https://developer.chrome.com/blog/early-stable
Current release status for Android is at https://chromiumdash.appspot.com/releases?platform=Android. There are 2 variants of a regular Stable release and 2 of an early one, since they enjoy A/B testing changes so much.
We’ve been following the early Stable, but this month they failed to support it properly…
After the pair of early Stable releases based on v125 for Android, there were 2 pairs of releases based on v124 with 2 rounds of security patches for issues being exploited in the wild. They failed to update the early Stable release as they have before, so we had to deal with it.
Strangely, it appears that the early Stable channel release was only rolled out for Android and the Safari-based iOS app. The 0.2% of Android users receiving the early Stable release aren’t getting patches for those 2 vulnerabilities being exploited in the wild. That’s not great.
These are the 2 patches missing for Android users who get updated to 125.0.6422.34 or 125.0.6422.35:
https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_9.htmlhttps://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_13.html
Both are marked as having an exploit in the wild. They should really simply make 1 tag and stop making things overly complex.
Add comment