Google has the chance to make desktop Linux secure.
By starting with a blank sheet of paper, and lessons learned while developing its browser, Google wants to build a lightweight OS for netbooks that avoids the weekly "security update" hassles of its big-time rival.
This means the processes Google is addressing with Chrome -- system hardening, process isolation, secure auto-update, verified boot, intuitive account management, defenses in depth, and devices secure by default -- have to be more than buzzwords.
But there is something even more important Chrome OS has to do in terms of security. That is it has to develop an ecosystem of applications around itself that are themselves secure.
This is something it has yet to do with the underlying browser (and Google is clear that the browser is the technology under its operating system). Most Chrome add-ons are Google-written. Compare it to what Firefox offers -- there is no comparison.
Google has to find a way to reach out to the creators of add-ons and plug-ins, as well as applications, and not only get them supporting the OS but supporting it in the same secure way Google supports it.
This will not be easy.
An alternative is to focus on the Linux application space rather than the browser space, even though, as Google says, all Chrome OS applications will run from the browser.
In this case Google must convince Linux application developers to emulate its secure process, promising massive distribution for apps that may not now be ready for prime time.
So it's not just about what Google's programmers do in terms of security that will drive Chrome OS. Google needs application developers to accept its security development framework as well. That means doing the kind of marketing to developers (developers, developers, developers, developers) Microsoft has been doing for decades.
And it's not just about doing the Ballmer dance. It's about getting those developers to do the safety dance.