On Tue, Jun 15, 2021 at 01:59:44PM -0300, Jorge P. de Morais Neto wrote:
> I can accept a reasonable trade-off, but I still believe this should be
> actively communicated to users. It is not obvious. If I had known that
> before, I would certainly have been more careful with extensions.
> Indeed, now that I know, I have not only deleted my old
> (ungoogled-)Chromium profile, but also, on the new profile, I installed
> only HTTPS Everywhere and Privacy Badger extensions. I have also
> changed an important password that I remember having used on the
> malware-infected Chromium.
That trade-off applies for everything we package: in general, Guix packages will be less up to date than what upstream offers, and thus probabilistically more buggy and, based on your threat model, they may be "less secure". It's the same for any distro. But the situation is exacerbated for Chromium, which is developed very rapidly and has the most complete and advanced security posture of probably any program in use right now. I guess that's what hundreds of billions of dollars in annual revenue can buy. Chromium, and web browsers in general, also have the most dire security exposure, because most computer users do *everything* in their browser, and because they are used to interact with untrusted data (the internet). Chrome / Chromium is the "juiciest" target for attackers.