Chrome Security

Google Cuts Chrome 'Patch Gap' in Half, From 33 Days To 15 (zdnet.com)

Google security engineers said last week they have successfully cut down the "patch gap" in Google Chrome from 33 days to only 15 days. From a report: The term "patch gap" refers to the time it takes from when a security bug is fixed in an open source library to when the same fix lands in software that uses that particular library. In today's software landscape where many apps rely on open source components, the "patch gap" is considered a major security risk. The reason is because when a security bug is fixed in an open source library, details about that bug become public, primarily due to the public nature and openness of most open source projects. Hackers can then use details about these security flaws to craft exploits and launch attacks against software that relies on the vulnerable component, before the software maker has a chance to release a patch. If the software maker is on a fixed release schedule, with updates coming out every few weeks or months, the patch gap can provide hackers with an attack window that most software projects can't deal with.
  • Versions will be obsolete as the latest code changes are streamed real time in a “stadia for browsers” fashion. You think the 4-6 week update trains are fast now, just wait until every commit gets pushed instantly.
    • Already happening with Facebook, AWS, etc.
    • Granted, updates in 2020 are much safer than they were in 2000, where every update was a gamble if your system would come back. Which is why enterprises still have delayed update procedures in progress where they wait a while after the patch before applying it to the test network, then putting it into production.

      However I can see with real time updates, a case where a lot of systems break all at once due to a bad patch. Even with all this testing a bad patch comes into play. Just recently Office 365 had

  • How's their pay gap [nytimes.com]? (And, no, they apparently do not generally pay men less [wired.com])

    Google said it shared the male pay gap in this instance because the results were counterintuitive. But the analysis arrives as Google faces an investigation by the US Department of Labor and a lawsuit by current and former female employees, both of which allege that Google discriminates systematically against women in pay and promotion.

  • by twocows ( 1216842 ) on Tuesday February 04, 2020 @02:14PM (#59689902)
    Firefox's patching schedule was copied from Chrome back when Chrome first started gaining popularity. I hated it then and I hate it now, which is why I use ESR.

    Now that Chrome's cutting their patching schedule in half, I have to wonder if Mozilla's going to do the same. I sure hope not.
  • Doesn't it worry you that Chrome is so bad, it now has to be patched every 15 days?
