So I don't like the GP's attitude at all, and I am stunned at how dismissive and unkind they've been on multiple posts about Nyxt.
But I think I'm beginning to realize more concretely what they mean about potential security issues with Nyxt and the way it reuses engines from other browsers.
I think it's something like this: some functions in engines written for other browsers may assume that they will only be called from other parts of the browsers they're designed for, or similar browsers. They may assume some inputs are safe, or that they'll only be invoked in the context of a sandbox or whatever. That assumption may hold in their original uses, but Nyxt could expose them to novel uses where those assumptions are untrue, and that could have security implications.
I think maybe this is the reason that GP assumes Google might go out of their way to break compatibility or discourage the use of their engine with Nyxt.
I guess what I'm left wondering is: is it obvious that this would be a negative for Google or Apple or whomever? Why would we expect the security fixes needed for calling some functions in unexpected contexts to get in the way of the engine developers?
How could you see that relationship playing out, if Nyxt exposes vulnerabilities in these engines that aren't reachable from the browsers they're designed for?