
Chromium provides the WebView, so it's an important part of the base OS with substantial integration. It's also the chosen default browser. The same build is used to provide both (Monochrome), but there are differences in how they work including different renderer sandboxes.
Once toolchain hardening is added back for the OS, it will need to be ported over to Chromium again. Separate toolchain versions for AOSP and Chromium is an annoyance but projects of this scale tend to hit lots of compiler bugs and it's best to stick with what's tested upstream.
I've noticed that traditional Linux distributions (Debian, Fedora, Arch Linux) build Chromium with security features like CFI crippled or even completely disabled due to using GCC and/or using component builds which are a development feature, especially with system libraries.
Nearly every non-Google Chromium build is also being deployed with messed up field trial configuration. I think it's best to disable field trials, but they all seem to ship with either seed-based field trials or the testing configuration aimed at maximizing testing code coverage.
I don't think it makes sense to ship intentionally maximized experimental attack surface / bugs and many annoyances never shipped for most Chrome users. Having a random set of experimental features isn't much better. For Chrome, Google controls it from a service for A/B testing.
Replying to
Damn stinger. I'm a little bit addicted to your repo and Twitter account. I can't get why nobody who has the money jumps on this and gives you good funding for your work. Seems that most of the work is about research and not development. I wish you only the best.