https://old.reddit.com/r/GrapheneOS/com ... d/ekzo6c0/
Fair criticism, would you say?

The Linux kernel is a security disaster, but so are the kernels in macOS / iOS and Windows, although they are moving towards changing. For example, iOS moved a lot of the network stack to userspace, among other things.
The userspace Linux desktop software stack is far worse relative to the others. Security and privacy are such low priorities. It's really a complete joke and it's hard to even choose where to start in terms of explaining how bad it is. There's almost a complete disregard for sandboxing / privilege separation / permission models, exploit mitigations, memory safe languages (lots of cultural obsession with using memory unsafe C everywhere), etc. and there isn't even much effort put into finding and fixing the bugs. Look at something like Debian where software versions are totally frozen and only a tiny subset of security fixes receiving CVEs are backported, the deployment of even the legacy exploit mitigations from 2 decades ago is terrible and work on systems integration level security features like verified boot, full system MAC policies, etc. is near non-existent. That's what passes as secure though when it's the opposite. When people tell you that Debian is secure, it's like someone trying to claim that Windows XP with partial security updates (via their extended support) would be secure. It's just not based in any kind of reality with any actual reasoning / thought behind it.
Is it true that only a fraction of CVEs actually get fixed in Debian Stable? I always assumed that they all get fixed.
---
Edit:
I cross-posted this in LQ forums also, where someone pointed me to Debian's security tracker for Chromium, which as of this writing looks pretty bad (looks like ~100 vulnerabilities in Stable): https://security-tracker.debian.org/tra ... e/chromium
Using Firefox instead of Chromium is not a good solution either, as Firefox is not well-regarded by security researchers: https://madaidans-insecurities.github.i ... cher-views
I'm marking this as 'SOLVED' in light of this. While I'll continue to use Debian (no better alternative AFAICT), one should probably stay away from the browsers that come with it.
---
Edit2:
Saving the screenshot for context, in case the vulns situation changes. The vulns date back to 3 months ago, while Debian 11 was released 2 months ago. So they released it with open CVEs in Chromium, and left them there!
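The tracker page linked above is the right place to check the claim, but reading ~100 rows by hand is error-prone. Here is an added example (my own code, not from this thread, from Debian or from the security tracker project) that takes the tracker's JSON export, counts a package's CVEs per release by status, lists the ones still open in a given release, and flags the ones already resolved in another release (i.e. a fix exists in Debian but was not backported). The field layout I parse is my reading of the export at https://security-tracker.debian.org/tracker/data/json and is an assumption; the embedded sample is constructed, with placeholder CVE IDs and version strings, so the script runs offline.

```python
"""Summarise a source package's CVE status per Debian release.

Added example; the shape of the tracker's JSON export assumed here is:
  {source_package: {cve_id: {"description": ..., "scope": ...,
      "releases": {codename: {"status": "open"|"resolved"|"undetermined",
                              "urgency": ..., "fixed_version": ...,
                              "repositories": {codename: version}}}}}}
"""
import json
from collections import defaultdict

# Constructed sample in that shape. CVE IDs and versions are placeholders,
# not real vulnerabilities or real Debian package versions.
SAMPLE_JSON = r"""
{
  "chromium": {
    "CVE-0000-0001": {"description": "placeholder 1", "scope": "remote",
      "releases": {
        "bullseye": {"status": "open", "urgency": "not yet assigned",
                     "repositories": {"bullseye": "1.0.0-1"}},
        "sid": {"status": "resolved", "urgency": "not yet assigned",
                "fixed_version": "2.0.0-1",
                "repositories": {"sid": "2.0.0-1"}}}},
    "CVE-0000-0002": {"description": "placeholder 2", "scope": "remote",
      "releases": {
        "bullseye": {"status": "resolved", "urgency": "high",
                     "fixed_version": "1.0.0-1",
                     "repositories": {"bullseye": "1.0.0-1"}},
        "sid": {"status": "resolved", "urgency": "high",
                "fixed_version": "1.0.0-1",
                "repositories": {"sid": "2.0.0-1"}}}},
    "CVE-0000-0003": {"description": "placeholder 3, rated unimportant",
      "scope": "local",
      "releases": {
        "bullseye": {"status": "open", "urgency": "unimportant",
                     "repositories": {"bullseye": "1.0.0-1"}},
        "sid": {"status": "open", "urgency": "unimportant",
                "repositories": {"sid": "2.0.0-1"}}}},
    "CVE-0000-0004": {"description": "placeholder 4", "scope": "remote",
      "releases": {
        "bullseye": {"status": "open", "urgency": "not yet assigned",
                     "repositories": {"bullseye": "1.0.0-1"}},
        "sid": {"status": "open", "urgency": "not yet assigned",
                "repositories": {"sid": "2.0.0-1"}}}}
  }
}
"""


def load_tracker(text):
    """Parse the JSON export (or the sample above) into a dict."""
    return json.loads(text)


def release_summary(tracker, package):
    """Return {codename: {status: count}} for every CVE filed against package."""
    counts = defaultdict(lambda: defaultdict(int))
    for entry in tracker.get(package, {}).values():
        for codename, rel in entry.get("releases", {}).items():
            counts[codename][rel.get("status", "unknown")] += 1
    return {c: dict(s) for c, s in counts.items()}


def open_cves(tracker, package, codename, ignore_unimportant=True):
    """Sorted CVE IDs still 'open' in codename.

    The tracker keeps issues it rates 'unimportant' (no security impact for
    Debian's build/config) as open forever; skip them by default so the count
    reflects issues that actually need a backport.
    """
    result = []
    for cve, entry in tracker.get(package, {}).items():
        rel = entry.get("releases", {}).get(codename)
        if rel is None or rel.get("status") != "open":
            continue
        if ignore_unimportant and rel.get("urgency") == "unimportant":
            continue
        result.append(cve)
    return sorted(result)


def fixed_elsewhere(tracker, package, codename):
    """{cve: [releases where it is resolved]} for CVEs still open in codename.

    These are the backport gaps: a fixed version exists in the archive
    (typically sid/testing) but the stable package was not patched.
    """
    gaps = {}
    for cve in open_cves(tracker, package, codename):
        releases = tracker[package][cve].get("releases", {})
        fixed_in = sorted(c for c, rel in releases.items()
                          if c != codename and rel.get("status") == "resolved")
        if fixed_in:
            gaps[cve] = fixed_in
    return gaps


if __name__ == "__main__":
    t = load_tracker(SAMPLE_JSON)
    print("per release:", release_summary(t, "chromium"))
    print("open in bullseye:", open_cves(t, "chromium", "bullseye"))
    print("fixed elsewhere:", fixed_elsewhere(t, "chromium", "bullseye"))
```

To run it against the live data, download the export once (it is several tens of MB) and pass the file contents to `load_tracker` instead of `SAMPLE_JSON`; the `ignore_unimportant` switch matters, because a raw count of "open" rows on the tracker page includes issues Debian has explicitly decided not to fix, which inflates the number the thread quotes.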