[Pkg-chromium-maint] Bug#786909: chromium: unconditionally downloads binary blob
Michael Gilbert
mgilbert at debian.org
Tue Jun 16 04:49:31 UTC 2015
On Mon, Jun 15, 2015 at 11:16 PM, Christoph Anton Mitterer wrote:
> Shouldn't we see a DSA following this incident?
>
> Since no one really knows which binaries have been downloaded there and
> what they actually do, and since it cannot be excluded that it was
> actually executed, such systems are basically to be considered
> compromised.
>
> Quite a deal of people choose open source just to prevent that - get
> untrustworthy / unverifiable code run on their systems - failed.
>
>
> And to be quite honest, I seriously consider the good faith of such an
> upstream which does these kinds of things and wonder whether it can be
> considered trustworthy enough to be part of Debian or whether it should
> be banned from it.
> More or less silently bundling proprietary code with open source
> software (especially but not only when enabled per default) can already
> be considered quite bad behaviour.
>
> But basically secretly downloading it leads to the question of possible
> malicious intent (and everyone knows that Google&Co. do voluntarily
> and/or forcibly cooperate with NSA and friends).
> And I guess no one can prove that this blob didn't contain any rootkit,
> and even if - the rootkit'ed version may have been just distributed to
> certain people.
> The downloading makes it more or less impossible for the admin/user and
> especially for our maintainers to notice what's happening here
> (otherwise they'd need to audit every line of code for any such
> occasions).
>
>
> And even if the blob wasn't evil: while I haven't looked at the code, I
> wouldn't even be surprised if the downloading itself is done
> insecurely.
>
>
> Worse, chromium isn't the only such rootkit-downloader,... this happens
> - to my taste - far too often in recent times,.. e.g. FF which secretly
> downloaded the OpenH264 blob.
Barring the obtusely incorrect rootkit miscategorization, oss-sec is a
far better venue for discussion since Debian is not the only
distribution that includes chromium 43.
Best wishes,
Mike