[Pkg-chromium-maint] Bug#786909: chromium: unconditionally downloads binary blob

Steven Chamberlain steven at pyro.eu.org
Thu Jun 18 22:42:51 UTC 2015


Upstream have said:
> This is not "opt-in default". If you do not explicitly opt in (using
> the "Enable Ok Google" setting in chrome://settings), then this module
> will not run.

That suggests to me that security of users was not put at risk, unless
they enabled that optional feature.  It was likely 'only' a privacy
concern and Debian policy violation.

May I ask boldly, is NaCl a legitimate feature of a Debian package in
'main'?  I'm reminded of the FSF's John Sullivan speaking at DebConf14
about the DFSG iceweasel browser offering to install non-free software.
AIUI NaCl's only purpose is to execute compiled, most likely non-free
code?  (Whereas minified non-free JavaScript is objectionable to some,
this seems an order of magnitude worse).

I'm not implying chromium belongs in contrib or non-free - there is
already the non-free Chrome as an option there - but rather, would the
DFSG chromium browser be 'more' free if it disabled NaCl?

I also propose more QA within Debian to find applications phoning home,
which could have been detected in this case within something like the
autopkgtest framework and simply opening a page on a local webserver.

Sorry, if you feel this is off-topic for the bug log, please take it to
an appropriate list but preferably keep me in Cc: if you do.

Christoph Anton Mitterer wrote:
> And there's still no single sign of properly visible announcements to
> user what might have happened here. :(

The bug made it to Hacker News, so that has been accomplished now
to some extent.  Thanks Chris for speaking up about this.

Steven Chamberlain
steven at pyro.eu.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 493 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-chromium-maint/attachments/20150618/f6fb8aee/attachment.sig>

More information about the Pkg-chromium-maint mailing list