Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Chrome Developers On Browser Security

Posted by ScuttleMonkey on from the never-ending-war-of-escalation dept.

CowboyRobot writes "Developers of Google's Chrome browser have spoken up in an article describing their approach to keeping the browser secure, focusing on minimizing the frequency, duration, and severity of exposure. One tool Chrome uses is a recently open-sourced update distribution application called 'Omaha.' 'Omaha automatically checks for software updates every five hours. When a new update is available, a fraction of clients are told about it, based on a probability set by the team. This probability lets the team verify the quality of the release before informing all clients.'"

11 of 61 comments (clear)

  1. Beta testers by twidarkling · · Score: 3, Insightful

    So basically, they're getting a random sample of their user base to beta test updates in the wild for them. I hope there's some kind of warning about this while using it.

    --
    Canada: The US's more awesome sibling.
    1. Re:Beta testers by jayme0227 · · Score: 5, Interesting

      It's certainly better than having the entire user base beta test the patch for them which is where we're at now in most cases.

      --
      But then I realized the cable was blue, so I only gave it one star. I hate blue.
    2. Re:Beta testers by RoFLKOPTr · · Score: 5, Informative

      No, they're getting a random sample of their user base to test a ready-for-release patch so that in case there are a couple cases not within their testing scenarios where the patch is unstable or a security hole is present, they will be able to address that (if it's serious enough) before releasing it to the whole world. This is so much better than the current way of doing things, because patches are still tested in the shop to the same degree as they would be without Omaha, except this way there's even more to be sure that the patch works correctly.

    3. Re:Beta testers by hairyfeet · · Score: 3, Interesting

      But let us be fair here: How many fricking machines are running Windows? How many hundreds of thousands or even millions of different hardware and software configurations? Just in my home I have a 733Mhz, a 1.7Ghz laptop, my boys 2.6Ghz and 3.06Ghz, and finally the 3.6GHz I'm about to give the oldest, all running XP32, while I am running XP x64 on my new AMD dual. They all have hugely different hardware and software installed, yet somehow it just seems to work.

      According to Wikipedia you are looking at a 400 million + install base for JUST XP, and then when you figure in that they are currently supporting Win2K Pro, WinXP 32/64, WinServer 2K3 32/64, and WinVista the idea that they could put out patches that wouldn't break something is just plain crazy. The fact that the "oops" patches only happen once or twice a year is frankly a miracle when you consider how many different possible combinations of software/hardware there can be on a Windows machine.

      How many times have you see on the forums after the latest Ubuntu release "the update for foo completely hosed my (insert hardware here)"? I'm sure the Linux guys doing hardware driver support can tell you what a massive PITA it is trying to make sure an update doesn't totally hose something else, and still there are always problems. So considering the fact that unlike certain companies named after fruit I can put a machine together with so many different mish mashes of hardware together and actually have the thing work and run stable I think we can cut the guys at MSFT a little break when it comes to the occasional "oops" patch.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. Now for a better scheduler by Anonymous Coward · · Score: 4, Interesting

    Now if they could stop running googleupdate crap ALL THE TIME (maybe use the OSs built in scheduling system to run every so often) and give me more control over when/how things get updated it will be much better.

    1. Re:Now for a better scheduler by Anonymous Coward · · Score: 4, Interesting

      It _is_ killable - ironically, part of what you have to do is delete the job from the scheduler which restarts the damn thing every so often.

      It could do with a more user friendly ticky box to turn it off, but it's not completely evil.

      One thing I've never understood is why MS didn't expose the Windows Update facilities to other vendors (with user approval, of course.) A one-stop shop for updates a la Ubuntu's Update Manager would be a hell of a lot less messy, and it would actually work for people who do the Right Thing and don't run with Admin / Power User privileges.

  3. Re:Russian Roulette Anyone? by InsertWittyNameHere · · Score: 5, Funny

    The "Don't Be Evil" policy currently only applies to a fraction of Google's userbase. Once they verify the quality of this policy they will release it to all users.

    Don't Be Evil [BETA]

  4. Glass ($halfEmpty != $halfFull) by mcrbids · · Score: 3, Insightful

    Any time you release a new version of software, there's an increased likelihood that there will be unforeseen bugs not specifically tested for. You can test tell you're blue in the face, but no matter how you look at it, real-life is the real test.

    And it's not just bugs. Even when things are working exactly to plan, you don't necessarily want to roll it out everywhere all at once.A good example is our password-change policy - we now require periodic changes in passwords. When we did this, requiring everybody to change their password, we did it "gracefully" over a month's time so that the help desk wouldn't be overwhelmed by idiots who don't understand the idea of changing their password.

    It's pretty sad that something so simple would cause people to freak out, but it does, and that's just humanity. Get over it, already. People are people, and it's easier to spread the work out over a period of time rather than just beat yourself up all at once.

    Gradual roll-out is a *good thing* unless it's a terrible security issue that must be addressed immediately.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  5. Re:Russian Roulette Anyone? by geobeck · · Score: 3, Funny

    I thought Google's motto was 'Be Not Evil'?

    Actually it's "Do no evil." So you can be as evil as you want, as long as you don't act on it. Even Dick Cheney could work for Google if he stopped... um, well... breathing.

    --
    Find environmentally and socially responsible products on http://buy-right.net
  6. Re:Russian Roulette Anyone? by Bill+Dog · · Score: 3, Funny

    Google - evil you can trust!

    --
    Attention zealots and haters: 00100 00100
  7. Another reason to turf Flash ASAP by tonywong · · Score: 3, Informative

    And get into HTML5 for video etc:

    "Google Chrome must support plug-ins such as Flash Player and Silverlight so users can visit popular Web sites such as YouTube. These plug-ins are not designed to run in a sandbox, however, and they expect direct access to the underlying operating system. This allows them to implement features such as full-screen video chat with access to the entire screen, the userâ(TM)s webcam, and microphone. Google Chrome does not currently run these plug-ins in a sandbox, instead relying on their respective vendors to maintain their own security."