Like I said before, syzkaller has also been applied to FreeBSD, and clang implements KASAN and UBSan, which are used quite extensively.
That's not news to me and I haven't been saying that zero comparable work is being done for FreeBSD... as I said above, my point is that a whole lot less of it is being done. Are you saying that comparable computing hours have been put into fuzzing, with as many fuzzers?
Chromium vs. Firefox is another example. Chromium has far more resources put into fuzzing, and finds more bugs. That doesn't mean Chromium has lower code quality or more of these bugs than Firefox. The number of bugs being found has a lot to do with time and effort put into it.
There is one big exception, in that by far most consumers of Chromium are using Chrome on Android or their desktop or laptop, which contains a lot of code not found in Chromium.
It doesn't contain a lot of code not found in Chromium. Can you list some things that aren't open sourced as part of Chromium for Android or *nix operating systems? It's nearly just a branding swap. It doesn't have an impact on fuzzing the web sandbox, and they do that anyway.
Of course I can't list things which aren't public, but there are at the very least three sources of additional code that I know about: the Flash player, Widevine CDM, and NaCl. Additionally, there are also big differences in multimedia codec support, as well as sandboxing differences.
That's not true. NaCl is open source and included in Chromium. The Flash player and Widevine are separate plugins and work in Chromium. There are not sandboxing differences. What differences in codec support are you actually talking about? Chromium certainly supports H.264, etc.
Do you understand that Chrome developers are Chromium developers, and the Chromium development blog is the Chrome development blog? Chrome developers have .org emails. Chromium refers to the project, and Chrome to the branded product built from the sources.
I'm not talking down to you. I'm trying to understand why you're making these false claims about Chromium. I don't see how this is related to the conversation anyway, just like the FreeBSD kernel vs. Linux kernel conversation. You don't seem to disagree and just want to argue.
I used those as examples of cases where projects have drastically different resources put into bug discovery and triage. That's all.
Here are the NaCl sources by the way:
chromium.googlesource.com/chromium/src.g
Crash reporting, updates and other things like that are in Chromium too.
It supports both the Widevine and Pepper Flash plugins. I've used both. Distributions usually don't include crash reporting because they don't want to deal with that, and their package manager handles updates. Some distros don't enable various codecs, others enable them all.

