- From: Tab Atkins Jr. <jackalmage@gmail.com>
- Date: Wed, 6 Apr 2011 10:24:16 -0700
- To: Shawn Wilsher <sdwilsh@mozilla.com>
- Cc: Joran Greef <joran@ronomon.com>, public-webapps@w3.org
On Wed, Apr 6, 2011 at 10:14 AM, Shawn Wilsher <sdwilsh@mozilla.com> wrote:
> On 4/6/2011 9:44 AM, Joran Greef wrote:
>> We only need one fixed version of SQLite to be shipped across Chrome,
>> Safari, Opera, Firefox and IE. That in itself would represent a tremendous
>> goal for IndexedDB to target and to try and achieve. When it actually does,
>> and surpasses the fixed version of SQLite, those developers requiring the
>> raw performance and reliability of SQLite could then switch over.
>
> I don't believe any browser vendor would be interested in shipping two
> different versions of SQLite (one for internal use, and one for the web). I
> can say, with certainty, that Mozilla is not.

In addition, as previously stated, the near certainty that there are, hidden somewhere in the code, some security bugs (there are *always* security bugs) means that browsers can not/will not ship a "single fixed version".

When a security bug is encountered, either the browsers update to a new version of sqlite (if it's already been fixed), thus potentially breaking sites, or they patch sqlite and then upgrade to the patched version, thus potentially breaking sites, or they fork sqlite and patch the error only in their forked version, still potentially breaking sites but also forking the project.

The only thing that is *not* a valid possibility is the browsers staying on the single fixed version, thus continuing to expose their users to the security bug.

~TJ
Received on Wednesday, 6 April 2011 17:25:04 UTC