Why is Vivaldi (apparently) so far behind in Chromium updates?

wmv80

Chromium 93 is almost two weeks old at this point, and as of this writing there is still not a corresponding update for Vivaldi?

There's no way I would ever use Google Chrome, but Brave released an update quickly.

With Vivaldi, does the need to make sure the new features are working smoothly take precedence over the patching of "high-priority" security flaws (in the case of Chromium 93, no fewer than 27 of them?)

If that's the case, I'm afraid I can't in good conscience recommend Vivaldi (which, let's be perfectly clear, is a great browser whose functionality and philosophy I have appreciated since the days of the original Opera) to anyone whose security I care about.

With all due respect, eleven days (and counting) is a long time to wait for high-priority security flaws to be patched.

luetage

@wmv80 94 will be 10 more security fixes and 95 30 more and 96 5 more (random numbers), all of which haven’t been fixed yet. That any browser you use will ever be secure is a fantasy (even the most up to date one). The question is how serious are the flaws, how can they be exploited, are you in danger with typical use, what precautions do you take in general? And yeah, naturally Vivaldi needs a bit longer. But I bet if there was a serious serious security issue, stable would receive an intermediate security update.

npro

@wmv80 All these browsers use just Chromium's native UI, while Vivaldi has its own on top of it, and many interconnected features, so apples can not be compared to oranges to begin with.

Secondly new vulnerabilities not always affect previous versions, in case they do Vivaldi can backport the patches for those extra 10-15 days difference between major versions. They have done it in the past.

Then there's also a convenience reason I believe, if you look at Chromium's schedule https://chromiumdash.appspot.com/schedule

Chromium always releases a Stable Refresh with all new patches 2 weeks after its initial release, meaning if Vivaldi releases it exactly at that time it doesn't need to offer an update over an update over an update for the patches of that period for a product that is supposed to be "Stable".

So, there's nothing wrong the way Vivaldi does it.

P.S. and besides... even in the unrealistic worst-case scenario of Vivaldi not being able to backport the patches, 10-15 days is laughable, we've been living with open and existing Intel/AMD vulnerabilities for over 20 years and who knows how many unknown ones on behalf of Micro$oft no one ever heard of and nothing ever happened, right?

Pesala

@wmv80 For my own use I prefer to use the latest Snapshot as my default browser. That is usually patched first. Current version is Chrome/93.0.4577.69

I happily recommend the Snapshot branch to any computer-savvy user who knows how to cope with a few bugs. Very rarely, something will break and cause a severe issue, but an update then follows within days.

Stable build 4.2 will come out soon. The developers are focusing on getting the Snapshots release as Stable. I expect to see Release Candidates next week, and 4.2 Stable when it is ready.

npro

@pesala said in Why is Vivaldi (apparently) so far behind in Chromium updates?:

For my own use I prefer to use the latest Snapshot as my default browser. That is usually patched first.

Not adviseable for his concerns, as it often falls behind in versions between the last RC promoted to Stable and the first version of the new development cycle, while Stable gets continuously patched.

Skeptical/new users should stick to the official explanation imo: https://vivaldi.com/blog/snapshot-vs-stable/

TbGbe

@guigirl said in Why is Vivaldi (apparently) so far behind in Chromium updates?:

Vivaldi 4.2.2406.25 / Chrome 93.0.4577.69

As mentioned by @Pesala that is the Snapshot version!

However, https://vivaldi.com/blog/desktop/bonus-friday-snapshot-vivaldi-browser-snapshot-2406-25/

Since we are now close to the 4.2 stable release now, we are also providing pre-release links to equivalent builds for the stable stream. These are for those of you who wish to upgrade early (having first tested in snapshot configuration). Autoupdate to these (or newer) stable builds will not be enabled until further testing is completed and the final is released.

TbGbe

@guigirl Yes, you (and I) know that you referred to the Snapshot; but I was concerned that OP may not.

I didn't mean to imply "inappropriate"; only that it should have been included that you were referring to the Snapshot version number .

By claiming that there is still not a corresponding update for Vivaldi I believe OP was clearly referring to the Stable branch.

TbGbe

@guigirl Me?? Never!

wmv80

As the OP, please allow me to clarify:

@TbGbe is 100% right. I was indeed referring (exclusively) to the Stable branch.

Just yesterday, Google announced patches for several more bugs including two zero-days currently being exploited in the wild.

My installation of Brave is already updated to 93.0.4577.82. My installation of Vivaldi? Still unchanged. Crickets.

My reference to "anyone whose security I care about" refers to less technical friends and family members who would not be inclined, equipped, or advised to install Snapshot builds.

These are people who might enjoy some of Vivaldi's features and functionality, but who should always have the latest security patches applied.

The fact that they can already get the latest security patches from Brave but still not from Vivaldi is a sad fact indeed. There is nothing even mildly inaccurate about that.

For the record, it is also a fact that I hope changes sooner rather than later, so that Vivaldi can be a good choice for novices and Vivaldi virtuosos alike.

Eggcorn

@guigirl The snapshot is meant primarily for testers, not end users. The OP is an end user.

TbGbe

@wmv80 Chrominum 93.0.4577.83 is now available for Stable
https://forum.vivaldi.net/topic/66302/vivaldi-translates-selected-text-into-a-selection-of-languages-more-privately

npro

@wmv80 you haven't read anything from anyone in this thread, right?

Just sad.

DoctorG

@wmv80 Vivaldi 4.2.2406.44 / Chrome 93.0.4577.83 since 08:09 UTC.

steveshank

I think we have choices. We can use Google's Chrome Browser and be tracked and have our behavior sold, or we can find a third alternative like Firefox, or we can choose a browser based on the released chromium version. The Browsers based on what Google produces will always come out after Google and always be behind. The more they add to the base engine, the longer that lag will be.

This lag will always produce a security problem. We have to decide whether the added benefits of privacy, customizability and a better browsing experience is worth the the lag and security issues.

There is also a tradeoff. Built-in adblocking etc. make the browser more secure. So, we can just weigh the options, but those browsers that are built on top of the Chrome engine, will not beat Google out of the gate.

steveshank

Does this other browser offer lots of customization and a significantly better browsing experience so there really isn't a trade-off? I just assume the more you do to improve the base and the better you test it, the longer it is going to take, in general, so you get more features, but wait a little longer.

If Vivaldi were really slow, never patched back etc. then the trade-off wouldn't be worth it, but probably most of us are willing to make the tradeoff.

Eggcorn

@wmv80 Just because Vivaldi's using an old Chromium, doesn't mean that they haven't applied the security updates from the current Chromium.

My understanding is: The Vivaldi team will sometimes apply the security updates from the current Chromium (for obvious reasons), while still using an old Chromium till they know that the current Chromium will work properly with Vivaldi.

DoctorG

@eggcorn Yes, security patches are applied, that does not mean that Vivaldi has to use a newer Chromium core to be secure.

Streptococcus

@wmv80
I got version 4.2.2406.44 a few days ago, and it is Chrome/93.0.4577.83. Slimjet, on the other hand, is one version of Chrome behind (92).

fixitmanAZ

I would rather have a stable (as in not "THE LATEST") version of a browser rather than a basically untested one just released say in the last 6 weeks! So, the latest I will possibly update a browser to is two versions behind "current" Chromium. And possibly 8 versions behind so most of the bugs introduced are worked out.
Same with any browser really. 6 weeks isn't even enough time to work out bugs or realize your latest changes introduced regressions.