[trashburger]

Have you looked at how it's implemented? The image decoder is completely separate from the main browser and is in a sandboxed process (with restricted syscall and filesystem access). If the image decoder is exploited, there's nothing the attacker can do.

[ptx]

Where can I find more details on how this sandboxing works?

Edit: Seems like it's using OpenBSD's pledge API? https://www.youtube.com/watch?v=bpRw6KQnY0k&t=8107s

[jorvi]

Look at how many of the past big exploit chains on iPhones, Chromium etc involved media decoding at some point in that chain.

It’s like crypto, you have to be very deliberate with your choices, and it’s generally ill-advised to roll your own.

[Misdicorl]

That advice has context. Do not roll your own if the feature is not your core product offering. So don't roll crypto if you're not selling crypto. If it is your core offering (and media decoding is absolutely a core offering of a web browser), you should choose carefully whether to get it off the shelf or roll your own.

Otherwise how would new/better stuff ever get built?!

[jorvi]

If Apple and Google can’t even find all the vulnerabilities in their libs, how on earth would a scrappy team of a few devs, especially since media decode isn’t the sole thing they’re focused on?

> Otherwise how would new/better stuff ever get built?!

The problem here is that people are salivating to use this as their daily driver. When WireGuard was still in development, everyone got told in very strong terms to not use it in any setting that required actual security.

Browsing the web at large is sort-of hostile by default.

Ladybird is a great project, and I hope it keeps developing, but any user that thinks their media decode libraries will be bulletproof libs free of vulnerabilities are nuts.

[tremon]

If Apple and Google can’t even find all the vulnerabilities in their libs, how on earth would a scrappy team of a few devs

Perhaps a few devs have nowhere near the required escape velocity to create vulnerabilities before they can be fixed, nor the pressure of PMs to ship substandard code?

[Misdicorl]

> but any user that thinks their media decode libraries will be bulletproof libs free of vulnerabilities are nuts.

Sure. And its a high bar to challenge the same or better vulnerability profile that the established players have. But a "small scrappy team" which is capable of doing everything this team has done certainly garners a lot of confidence that the bar is possible.

[Neikius]

Apple and google are big corpos and those are legendary for their inability to make anything properly. It has been a while since they were small and could move fast... So no, I would not take them as a standard.