Got Endless 3.1.3 installed just now, thanks to the new ISO torrent, it downloaded really quick. I downloaded the basic version. So when I booted up I was pretty excited, I had a few graphical errors but they were minor and aside from the fact.
I’ll try to summarize the crucial problems I find. They’re all related to the browsers and Flash.
My problem with Endless OS in its current state is that the Chromium browser is much more out of date than Fedora, the operating system I recently switched off of because the Chromium security updates weren’t coming fast enough. I tried Manjaro, but the libre version wouldn’t boot up. Which was disappointing. Even Debian took a little while longer than I would have liked to push the 57 update for Chromium.
That being said, the security updates for Chromium are further behind than I have seen in 2017.
It’s not even on version 56. It’s two whole versions behind the latest Chrome installed on 3.1.3. This worries me because probably many users who are learning to use computers are running Endless and may prefer Chromium, and it currently has Flash, and is out of date. The potential for exploitation is immense. Flash + PWN2OWN busted Chromium version = RIP
These two security advisories from Debian apply to versions of Chromium that are newer and don’t have Flash.
https://www.debian.org/security/2017/dsa-3810
https://www.debian.org/security/2017/dsa-3776
Browser security moves fast, yes, but it’s also extremely crucial to keep users who are learning computers safe. Chromium version 55 is absolutely not safe.
This project isn’t alone in being behind on Chromium updates. Electron is too!
https://electron.atom.io/
They cite the version of Chromium the top security advisory is about.
Please update the users of Endless to the latest Chromium from at least Debian. I worry about the sheer amount of remote code vulnerabilities and that’s just the tip of the iceberg for Chromium 55.
If you guys want to know if the software you’re running is vulnerable, check the Debian security advisories. They may not be as up to date as directly from Chromium or Chrome or from the Arch repositories but they are heralded as being prompt. https://www.debian.org/security/
I’ll do my best to warn people about things like this, but it’s hard to sort through all the distros’ security advisories for GNU/Linux as they don’t all apply, for example some distros use older versions for security and some use newer versions of software in the hopes that it will be more secure but in the end the older version is unaffected by new vulnerabilities.
I hope what I’ve talked about here helps the developers of Endless realise that the state of Chromium has to be improved to keep users safe.
JimmyBot signing off