Talk:Safari (web browser)

Latest comment: 11 months ago by AirshipJungleman29 in topic GA Reassessment
Former good articleSafari (web browser) was one of the Engineering and technology good articles, but it has been removed from the list. There are suggestions below for improving the article to meet the good article criteria. Once these issues have been addressed, the article can be renominated. Editors may also seek a reassessment of the decision if they believe there was a mistake.
Article milestones
DateProcessResult
November 12, 2021Good article nomineeListed
December 6, 2023Good article reassessmentDelisted
Current status: Delisted good article


Inclusion of details about releases only available under NDA

edit

The article currently contains details about pre-release "seed" builds of Safari. It links to connect.apple.com as a source for information about this build. The page containing this information states:

Warning: Pre–release software is Apple confidential information. Your unauthorized distribution of pre–release software or disclosure of information relating to pre–release software (including the posting of screen shots) may subject you to both civil and criminal liability and result in immediate termination of your ADC Membership.

Providing information about each pre-release build is also of highly questionable valuable. — Preceding unsigned comment added by 38.119.251.140 (talk) 5 March 2008 06:12 UTC (UTC)

A Commons file used on this page or its Wikidata item has been nominated for deletion

edit

The following Wikimedia Commons file used on this page or its Wikidata item has been nominated for deletion:

Participate in the deletion discussion at the nomination page. —Community Tech bot (talk) 11:10, 1 November 2022 (UTC)Reply

Good article

edit

This article is quite flawed, and IMO worse than Google Chrome, which is C-class. Hopefully editors can help fix this, otherwise I doubt it'll last very long (though I've complained before about the ever-stricter interpretation of GA and FA criteria, so I don't have the heart to nominate it for GA review). The writing quality and sourcing just aren't on par. Seemingly random articles were added as citations, that have nothing to do with the material they're supposed to verify. DFlhb (talk) 05:46, 23 December 2022 (UTC)Reply

@DFlhb Hi, thanks for your contributions to the article! I was the GA reviewer before. I agree it wasn't perfectly reviewed (first time I did a GA review), letting another editor do a a 2nd review would be fine. Or maybe just delist as it is now.
Though, I disagree about your removal of the security exploits being indiscriminate information. It was based on good sources by Ars Technica, which is not routine coverage. It would be fine to not add the entire paragraph back as it was, but at small section discussing the Pwn2Own stuff would be good in my view, since the researchers like Charlie Miller are notable. The Google Chrome article you list also has a section dedicated to vulnerabilities, next to its security architecture (this article should also have such a section imo). PhotographyEdits (talk) 12:27, 23 December 2022 (UTC)Reply
Here's why I think security exploits are routine, and it misleads readers to emphasise them:
Throughout Safari's existence, there have been 91 (WebKit) + 1,122 (Safari itself) = 1,213 security exploits that are as severe, or more severe, than the one Charlie Miller found (CVSS score >4). Chrome had 2,361. Windows 10 had 2,314. Android had 3,721. macOS had 641. iOS had 2,446.
Individual exploits are routine. But even then, these numbers can't tell us which OS or browser is more, or less, secure. If a platform (or app) has more users, intelligence agencies and hackers pay higher prices for exploits, so researchers focus on finding exploits in those platforms. Zerodium pays $1m for Windows exploits, 500k for Chrome exploits, $100k for Safari exploits, and $50k for macOS or Linux exploits. So smaller platforms don't get the same scrutiny. Zerodium (and many others) buy these exploits, and re-sell them to governments and rival corporations, which use the exploits and keep them secret, so none of them are included in the numbers above (until found by a white hat hacker and disclosed publicly rather than sold).
There are likely hundreds of major exploits in every app you use, they're just hard to discover, and those professionals whose job it is to discover them can make more money selling them to hackers than disclosing them to Apple/Google to fix. I doubt it could be more routine (and I'd remove it from the Chrome article too). DFlhb (talk) 13:33, 23 December 2022 (UTC)Reply
@DFlhb Fair, good arguments! I agree then, but it would still make sense to at least put the total number of disclosed vulnerabilities in the article, I think that CVE details is a good enough source for a single number. This should then also be listed in the other browser articles, so readers could compare them. PhotographyEdits (talk) 13:46, 23 December 2022 (UTC)Reply
Folks, bear in mind that reliable sources inform what is WP:DUE for inclusion. If Ars Technica made a mountain out of a molehill, that would be unfortunate, but I'm not sure whether that means we can ignore the coverage? Robby.is.on (talk) 13:53, 23 December 2022 (UTC)Reply
@Robby.is.on Yes, that's basically what I was arguing for, but I also think we can put that same information in a broader context by putting the total amount of vulnerabilities in it. How about we first list the total amount and then highlight that a single was found during a competition by a well known researcher? PhotographyEdits (talk) 14:01, 23 December 2022 (UTC)Reply
Sure, per WP:VNOT, and WP:NOTNEWS. It also fails the WP:10YT: that exploit was breaking news, and then no one continued to talk about it. It was fleeting.
And @PhotographyEdits, the problem with listing the total amount is that again, it would misinform readers. The only thing they could conclude from that number, is that it's correlated with how secure or insecure something is, but the number can't tell you that at all; it has no informational value. Besides, it would be a primary source. No reliable secondary source covers the total number, because they know it's irrelevant. If we can find browser developers (even competitors) who claim Safari is less secure, or who have evaluated its security measures, that would be due, because it wouldn't be routine coverage. DFlhb (talk) 14:09, 23 December 2022 (UTC)Reply
@DFlhb That's not true, check this book from 2016 here. PhotographyEdits (talk) 14:13, 23 December 2022 (UTC)Reply
@DFlhb I found quite a nice source here, which even has a graph in it. I would argue that it is acceptable per Wikipedia policy to use this books as a source in combination with a primary source to update that number to 2022. PhotographyEdits (talk) 14:56, 23 December 2022 (UTC)Reply
Nice! That's a good source, because it's high-level (instead of focusing on one vulnerability) and contains expert analysis. We should cover it. I'll try to find more security experts that analyse the subject in depth, and that don't just talk about one incident. DFlhb (talk) 15:06, 23 December 2022 (UTC)Reply
I just found this. He's a security researcher, so it's usable as a source despite being primary (as long as we attribute it), but unfortunately most of the article is about Firefox. But there's a paragraph about Safari, with two links we could use.
I also found this, about Safari. WebKit has a Just-in-time compiler, so it seems that it has write xor execute permissions for memory, which makes it more secure. But that's WP:OR, since the article doesn't say it outright; it's about macOS. I'll try to find a better source. DFlhb (talk) 15:34, 23 December 2022 (UTC)Reply
A primary source from a researcher can only be used if they are a subject matter expert and their research in the relevant field has been published by WP:RS. Those articles look nice, would be great if we can use them. PhotographyEdits (talk) 15:39, 23 December 2022 (UTC)Reply
Also: if we cannot use it as a reliable source, it could be included in a "further reading" section. They don't have the same strict requirements. PhotographyEdits (talk) 15:41, 23 December 2022 (UTC)Reply
Good work, you two! :-) Robby.is.on (talk) 15:20, 23 December 2022 (UTC)Reply
😀 Thanks! DFlhb (talk) 15:35, 23 December 2022 (UTC)Reply

GA Reassessment

edit

The following discussion is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.


Article (edit | visual edit | history) · Article talk (edit | history) · WatchWatch article reassessment pageMost recent review
Result: Delisted. ~~ AirshipJungleman29 (talk) 19:13, 6 December 2023 (UTC)Reply

Currently the article, as it stands is just a somewhat promotional summary of the features and individual release of Safari.

There isn't any discussions of privacy violations, security exploits (or even for that matter Apple's work on trying to eliminate third-party cookies, the IndexedDB data leak, issues with ITP etc). There is legitimate criticism (and some positive commentary) from multiple fronts on how Apple develops Safari and the fact that it lags behind many other browsers by a large margin. However, non of this appears to be discussed in the article in depth. This imo fails GA #3a and GA #4.

Besides this, there are a few almost contentless sections ("ios versions","Continuity" etc) failing GA #3a, multiple citation needed templates, and a almost completely unreferenced "Payments from Google" section failing GA #2, and some malformed citations. Overall, I do not think this represents the best work we have, and thus would like to move to review the article's GA status (or atleast ask for the article to be improved). Sohom (talk) 01:34, 29 November 2023 (UTC)Reply

For context on what I am talking about in paragraph 2:
- Discussion of ITP: [1][2][3][4][5]
- IndexedDB issues: [6][7][8]
- More discussion on the benefits of ITP: [9][10] [11] (and a bunch other which I can help idenitfy)
- Commentary on Safari's security issues and releases commentary: [12] (Safari here is refered to as Apple) [13] (coverage of security fixes in WebContent at the start, the rest of it is dense code, but still there is some interesting stuff in there) [14] (Safari's lack of features criticism) [15] (Blog post, but by a respected and well known figure) [16] (Blog post, but from a well respected figure in web standards tech) [17] (Petition to the UK Gov?) (there are more but there needs to be a effort to pick the wheat from the chaff, not completey ignore it) Sohom (talk) 02:22, 29 November 2023 (UTC)Reply
Previously discussed on the talk page; I didn't think this met GA standards, and still don't. Your list of missing points is solid; to me the biggest missing point is Safari lagging behind in terms of web compatibility, and repeated bugs that have made it much harder for web developers to support Safari than other browsers (like several other IndexedDB issues and a localStorage bug). I'll try to work on this today. DFlhb (talk) 07:10, 29 November 2023 (UTC)Reply
I would further agree. There is an overwhelming amount of short sections, a dearth of cited scholarly sources concerning this influential web browser, and a lack of information on how this browser was generally received by the public or commentators. I would agree this article is in even worse shape than Google Chrome by failing GA #3a, and due to this article's similar scale, would suggest a Delist as this may be too big of a fix for GAR alone and would need a complete re-write. The Night Watch (talk) 14:17, 30 November 2023 (UTC)Reply
You're right; the required changes would be too extensive not to go through a full GAN again - DFlhb (talk) 00:54, 2 December 2023 (UTC)Reply
Original GA reviewer here: the Safari article was the GA review I did, but I didn't do it thorough enough in retrospect. Support delist for now. PhotographyEdits (talk) 18:09, 4 December 2023 (UTC)Reply
The discussion above is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.