[Pkg-chromium-maint] Bug#786909: chromium: unconditionally downloads binary blob

Christoph Anton Mitterer calestyo at scientia.net
Tue Jun 16 03:16:44 UTC 2015


Hi.


Shouldn't we see a DSA following this incident?

Since no one really knows which binaries have been downloaded there and
what they actually do, and since it cannot be excluded that it was
actually executed, such systems basically have to be considered
compromised.

Quite a deal of people choose open source just to prevent that - getting
untrustworthy / unverifiable code run on their systems - failed.


And to be quite honest, I seriously consider the good faith of such an
upstream which does these kinds of things and wonder whether it can be
considered trustworthy enough to be part of Debian or whether it should
be banned from it.
More or less silently bundling proprietary code with open source
software (especially but not only when enabled by default) can already
be considered quite bad behaviour.

But basically secretly downloading it leads to the question of possible
malicious intent (and everyone knows that Google&Co. do voluntarily
and/or forcibly cooperate with NSA and friends).
And I guess no one can prove that this blob didn't contain any rootkit,
and even if - the rootkit'ed version may have been just distributed to
certain people.
The downloading makes it more or less impossible for the admin/user and
especially for our maintainers to notice what's happening here
(otherwise they'd need to audit every line of code for any such
occasions).


And even if the blob wasn't evil: while I haven't looked at the code, I
wouldn't even be surprised if the downloading itself is done
insecurely.


Worse, chromium isn't the only such rootkit-downloader,... this happens
- to my taste - far too often in recent times,.. e.g. FF which secretly
downloaded the OpenH264 blob.


Now that specific incident may be solved (at least for now),... but no
appropriate notification of users is made, so theoretically&practically
arbitrary users may have had their systems compromised now, and they
won't even notice.

:/


Chris.