| > Ideally you never introduce it. Alternatively, you never let it get to the point where getting it down is essentially a no-op. I can't understand this logic at all. You seem to be denying that you can ever reduce software attack surface in existing software, which is obviously false. It's undeniable that seccomp-bpf dramatically reduced attack surface in the Linux kernel, for example. > A research project in a Mozilla lab that is not fully embraced yet. Parts of it may, slowly, end up in Firefox. How does this improve matters or introduce solid foundations? I would think the important thing that determines whether we're developing the software is whether we're developing the software, not whether there are immediate product plans. By that logic, AT&T never developed Unix. > Even so, let us assume that Firefox uses Servo. We're still in security hell due to SM. No. I've already explained why this is incorrect. Switching to V8 would make negligible if any difference in terms of security. > In practice, Microsoft did tremendous work with Edge. EdgeHTML is a fork of Trident! Its development was not "starting again on solid foundations"! > Chrome is not perfect, but is as close to perfect as you can get while still using rotten tools (C++). Chrome is a fork of WebKit, which is a fork of KHTML! Its development was not "starting again on solid foundations"! |