From mboxrd@z Thu Jan 1 00:00:00 1970 From: Giovanni Biscuolo Subject: bug#34565: ungoogled-chromium contains Widevine DRM Date: Wed, 20 Feb 2019 10:22:19 +0100 Message-ID: <87imxe95mc.fsf@roquette.mug.biscuolo.net> References: <1550547897.31222.1.camel@jxself.org> Mime-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" Return-path: Received: from eggs.gnu.org ([209.51.188.92]:60066) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gwO5r-0001j9-6V for bug-guix@gnu.org; Wed, 20 Feb 2019 04:23:11 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1gwO5n-00088K-1j for bug-guix@gnu.org; Wed, 20 Feb 2019 04:23:07 -0500 Received: from debbugs.gnu.org ([209.51.188.43]:56417) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1gwO5m-00087s-Qp for bug-guix@gnu.org; Wed, 20 Feb 2019 04:23:02 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1gwO5m-0008E4-DI for bug-guix@gnu.org; Wed, 20 Feb 2019 04:23:02 -0500 Sender: "Debbugs-submit" Resent-Message-ID: In-Reply-To: <20190220054219.GA9386@jasmine.lan> (message from Leo Famulari on Wed, 20 Feb 2019 00:42:19 -0500) List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org Sender: "bug-Guix" To: Leo Famulari Cc: 34565@debbugs.gnu.org --=-=-= Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Hello, maybe Marius Bakke have something interesting to say about his judgements on this "DRM matter" indeed, this is a pretty ignorant (aka me) comment: Leo Famulari writes: [...] > I think the next steps for this subject are to first, in general, figure > out where Widevine comes from, and then, more specifically, decide what > to do about the files you mentioned.=20 > > As I mentioned already, other distros seem to get Widevine by extracting > its binary from Chrome, even when using it for Chromium. It seems > reasonable to assume that if Widevine were included in Chromium they > would not be downloading a whole 'nother browser for that one > component. ungoogle-chromium FAQs [1] confirms that in order to install Widevine users have to download a shared object (libwidevinecdm.so) and install it system wide in /usr/lib/chromium or in $HOME/.local/lib/ I tried to install ungoogled-chromium from Guix but failed (another story...) so I cannot see myself, but AFAIU there is no way for a user to enable Widevine from the user interface *nor* manually I don't know if the libwidevinecdm.so user loading must be forbidden **programmatically** [2] to be FSDG compliant: what is the case with the linux-libre kernel? are users forbidden to "insmod proprietery_module" they _independently_ downloded or developed? anyway, as Julien Lepiller already verified (Guix package definition is there for anyone to check, and checking is very easy), Widevine stuff only gets built when the ENABLE_WIDEVINE build option is set... and it's not this case, so it's unlikely that users will be able to install Widevine even following the above mentioned procedure last but not least: AFAIU ungoogled-chromium Guix package documentation nor Guix Manual contains information on how to obtain proprierary extensions to any software; am I wrong? > As for the specific files listed by Julien, they may be harmless, or > not, we should figure out what they do and if they need to be removed. AFAIU that code allows dynamically linking Widevine (sorry cannot still check myself), but it is _disabled_ at build time is this enough to be FSDG compliant? given all the above, it seems to me that ungoogled-chromium binaries provided by Guix substitute servers _and_ sources provided by Guix build farms (are provided by them, right?) does not ship with DRM enabled to sum it up: AFAIU for users to be able to use Widevine they must create a custom package definition _outside_ official Guix channels *and* download the shared object "libwidevinecdm.so" from Chromium, installing it "manually" system wide or locally HTH! Ciao Giovanni [1] https://ungoogled-software.github.io/ungoogled-chromium-wiki/faq#how-do-i-i= nstall-widevine-cdm [2] I mean by stripping away any bit of source code that allows users to dynamically link potentially proprietary shared objects in the software =2D-=20 Giovanni Biscuolo Xelera IT Infrastructures --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEERcxjuFJYydVfNLI5030Op87MORIFAlxtHEwACgkQ030Op87M ORJl5w/+JddYSZeBKTdqiGMOuJo6h1oWsJB5UgW5+h8EBsrbZSRRRO9RtF2UDLus HAQwJX3JDowo4lMb5DUERHUHPnbACvKQFWBwDeuWK+jRdo+/naodu4UPX7/gHerq pwyYjn30Zxn6GXtdnKkISGOPXrGqpi5dJChcIpSDwaQkTn8G7guPM3KC/+mMjDeE OnDTzhoqXfM/YyKQIXcOU823HH9Jvb0vJiEfzBmg1Gty7KzM6jJew6yxFPtzaseN SiD0hZj4U+9ZAcGhEFE0zn7BXTsadUUsX09pk687vevi2Kk69fskLviZJ6Id56yc ebuRZ7C2Ao/2g+nr8nU2cNWKi6DDOYEKF8YXbZfheT28s0ojkLTGH87M7q6sZNVg IE5Cmp4pxTXKE8LvcPhED/QODzw4Ez+nVEozT3/+JBoUuhkl4NZbgNN+Wuz7rEcz C4XZpc075JhdnnudzY4P9mbt9lJnHWwSrX/xIpRlTRguRrnSV671LkHUa7HWmVQA tNO8tLWXHlKRRxIAVOPCsyvoP8PRlpxugrIaoORVC1f4YqX7XT91aQshTWiygtrp 6NBCLmpG6AvTj6yUOoMiJFB3iFNfPLVuyMC3AwdR/hHok2xpG0ae2QQY9My131I2 49z9IiGNxYM6F+TDbkgxSH5Uak0NvQuSF+Emc4GmQcWWmohNC/Q= =3yTE -----END PGP SIGNATURE----- --=-=-=--