Just ran endless for the first time, some pretty crucial security updates are missing, so I unfortunately can't use it for the time being. :(

Got Endless 3.1.3 installed just now, thanks to the new ISO torrent; it downloaded really quickly. I downloaded the basic version. So when I booted up I was pretty excited. I had a few graphical errors, but they were minor and aside from the fact.

I’ll try to summarize the crucial problems I find. They’re all related to the browsers and Flash.
My problem with Endless OS in its current state is that the Chromium browser is much more out of date than on Fedora, the operating system I recently switched away from because the Chromium security updates weren’t coming fast enough. I tried Manjaro, but the libre version wouldn’t boot up, which was disappointing. Even Debian took a little longer than I would have liked to push the 57 update for Chromium.
That being said, the security updates for Chromium are further behind than I have seen in 2017.
It’s not even on version 56. It’s two whole versions behind the latest Chrome installed on 3.1.3. This worries me because probably many users who are learning to use computers are running Endless and may prefer Chromium, and it currently has Flash and is out of date. The potential for exploitation is immense. Flash + PWN2OWN-busted Chromium version = RIP

These two security advisories from Debian apply to versions of Chromium that are newer and don’t have Flash.
https://www.debian.org/security/2017/dsa-3810
https://www.debian.org/security/2017/dsa-3776

Browser security moves fast, yes, but it’s also extremely crucial to keep users who are learning computers safe. Chromium version 55 is absolutely not safe.
This project isn’t alone in being behind on Chromium updates. Electron is too!
https://electron.atom.io/
They cite the version of Chromium the top security advisory is about.
Please update the users of Endless to the latest Chromium from at least Debian. I worry about the sheer amount of remote code execution vulnerabilities, and that’s just the tip of the iceberg for Chromium 55.

If you guys want to know if the software you’re running is vulnerable, check the Debian security advisories. They may not be as up to date as directly from Chromium or Chrome or from the Arch repositories but they are heralded as being prompt. https://www.debian.org/security/

I’ll do my best to warn people about things like this, but it’s hard to sort through all the distros’ security advisories for GNU/Linux, as they don’t all apply. For example, some distros use older versions for security and some use newer versions of software in the hope that it will be more secure, but in the end the older version is unaffected by new vulnerabilities.

I hope what I’ve talked about here helps the developers of Endless realise that the state of Chromium has to be improved to keep users safe.

JimmyBot signing off :smile:

1 Like
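The post above says to check the distro's advisories rather than the upstream version alone, and the follow-up notes that advisories only apply when the distro's version is actually below the fixed one (backports carry fixes under older upstream numbers). The check that settles it is a comparison in dpkg's own version ordering, where `1.0~rc1` sorts before `1.0` and `57.0.2987.98-1~deb8u1` sorts before `57.0.2987.98-1`. The following is an added example written for this thread, not code from Endless OS or Debian: it reimplements the dpkg version comparison in Python, parses `dpkg-query -W -f='${Package} ${Version}\n'` output, and lists the advisories whose fixed version the installed package has not reached. The advisory records, their IDs and fixed versions, and the dpkg-query output are constructed for the demonstration and are not the real DSA data; read the real fixed versions from the advisory text.

```python
"""Compare installed Debian-style package versions against advisory fixed
versions using dpkg's version ordering.

Added example for this thread, not Endless OS or Debian code. The
advisory records and the dpkg-query output below are constructed; real
fixed versions must be taken from the advisory itself."""

import subprocess


def _order(c: str) -> int:
    """Character weight used by dpkg: '~' sorts before anything, even the
    end of the string; digits are handled separately; letters sort before
    other symbols."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """dpkg's comparison of an upstream or revision part: alternate between
    non-digit runs (compared by _order) and numeric runs (compared as
    integers, leading zeros ignored). Negative means a < b."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0  # end of string weighs 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():  # a has more digits: larger number
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 as `dpkg --compare-versions` would order v1 vs v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


def parse_dpkg_query(text: str) -> dict:
    """Parse lines produced by: dpkg-query -W -f='${Package} ${Version}\\n'"""
    installed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    return installed


def unfixed_advisories(installed: dict, advisories: list) -> list:
    """IDs of advisories whose package is installed below the fixed version.
    Packages that are absent, or already at or above the fixed version
    (a backport such as '...-1~deb8u1' counts when the advisory names it),
    are not reported."""
    return [adv["id"] for adv in advisories
            if adv["package"] in installed
            and compare_versions(installed[adv["package"]], adv["fixed"]) < 0]


def check_live_system(advisories: list) -> list:
    """Query the local dpkg database (only works on a dpkg-based system)."""
    out = subprocess.run(["dpkg-query", "-W", "-f=${Package} ${Version}\\n"],
                         capture_output=True, text=True, check=True).stdout
    return unfixed_advisories(parse_dpkg_query(out), advisories)


# Constructed sample data: placeholder advisory IDs and fixed versions,
# not the real DSA contents.
SAMPLE_ADVISORIES = [
    {"id": "ADVISORY-A", "package": "chromium", "fixed": "57.0.2987.98-1"},
    {"id": "ADVISORY-B", "package": "chromium", "fixed": "56.0.2924.76-1"},
    {"id": "ADVISORY-C", "package": "curl", "fixed": "7.52.1-5"},
]

SAMPLE_DPKG_QUERY = """\
chromium 55.0.2883.75-1
curl 7.52.1-5
"""

if __name__ == "__main__":
    print(unfixed_advisories(parse_dpkg_query(SAMPLE_DPKG_QUERY), SAMPLE_ADVISORIES))
```

On the constructed sample the Chromium 55 build is reported against both Chromium advisories, while curl is at its fixed version and is skipped. On a live Debian-derived system `check_live_system()` runs the same check against the real dpkg database; the caveat from the thread still holds, since a distro that ships a different package name or version scheme needs its own advisory feed rather than Debian's fixed versions.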

This is also a good resource since some vulnerabilities may apply to Endless OS https://www.ubuntu.com/usn/

1 Like

@jimmybot Thank you for expressing your concern. We had been following Ubuntu releases of Chromium, which typically lag behind Debian, and we also concluded that we need to stay more up-to-date and decided to switch to following Debian directly. Unfortunately, that was a bit more complicated than we had hoped (especially since we have to support both AMD64 and ARM), and we ended up without Chromium 56 ready for our 3.1.3 release. Rest assured that we will be upgrading to Chromium 57 for 3.1.4, and we expect to stay closer to the latest stable releases in the future. Note, though, that there will always be a small lag due to our OS releases, which happen about once per month, as we need time to integrate and test before we make an OS release.

If you are concerned about getting the latest security releases as soon as possible, you may want to use Google Chrome instead of Chromium. We monitor daily for updates to the stable release of Google Chrome and update our flatpak downloader, typically within a day of the stable release. Since Google Chrome is delivered via flatpak, you would need to check for updates in the app center. We don’t currently automatically update flatpaks like we do the OS.

For what it’s worth, if you download and install the operating system, the default behavior would be to download and set Google Chrome as your default browser rather than Chromium, since Google ships licensed codecs with Chrome that we cannot distribute for free with Chromium. In that case, Chromium is still installed as part of the OS as a fallback, but typical users who download and install Endless (or purchase a non-Endless computer with Endless OS, such as from ASUS or Acer) would be guided towards using Chrome instead of Chromium. However, we disable the automatic download of Chrome when running Endless in a live test mode, because the package would have to be downloaded and unpacked into memory.

Thanks again!

Roddy

2 Likes