> The component updater, responsible for delivering out-of-band security updates to the various components of the browser, is disabled within ungoogled-chromium. It’s responsible for updating Chrome’s CRLSets, which are necessary for meaningful certificate revocation. Most of the components are delivered via the component updater because they have a need for out-of-band security updates, and it’s not helpful nor necessary to disable them.
> Furthermore, the extensions that users rely on aren’t updated automatically, posing an additional risk to users of the browser.
Not connecting to Google services unless you explicitly request it is almost the entire point of ungoogled-chromium, so this is really misplaced criticism. Especially for the CRLs, giving Google the power to take third party websites offline is not something everyone agrees with.
The missing hardening is also not something to be summed up as "significant security regressions". Ironically it might even improve your security if it means that attacks depending on Chrome's upstream toolchain configuration won't work - no one is realistically going to specifically target a niche project like ungoogled-chromium.
Is there evidence that Brave or your preferred Chromium build reproduces the compiler and other tooling that official Chrome supposedly uses for speedbumps to hinder exploiting their memory safety vulnerabilities?
Interesting to learn. Are these issues fixable? I'm not familiar with what changes went into UGC but something like changing the compiler toolchain seems like a strange decision.