* bug#49029: ungoogled-chromium failed to disable malware extension The Great Suspender

From: Jorge P. de Morais Neto via Bug reports for GNU Guix @ 2021-06-14 21:29 UTC
To: 49029

Hi. I use Guix atop Debian¹ testing (currently bullseye).

I normally browse the web on GNU IceCat and sometimes Firefox and Emacs EWW. I only use (ungoogled-)chromium for the rare websites that don't work on the other browsers. Long ago I installed in Chromium the extension The Great Suspender, and only today (months after G$$gle Chrome, according to news articles) did my Chromium disable it for having malware. And the only Chromium that did that for me was Debian's.

So, I hypothesize that the ungoogling process has disabled Chromium's ability to automatically disable malware extensions. If true, that is a serious defect of ungoogled-chromium and Guix should make sure that users at least know about it. There could be a warning in the Guix package description *and* on the browser's start page.

Thank you for your work on GNU!

Regards

¹ When I find the time I intend to migrate to PureOS for superior libre software ethics.

--
- https://stallmansupport.org "In Support of Richard Stallman"
- If an email of mine arrives at your spam box, please notify me.
- Please adopt free/libre formats like PDF, ODF, Org, LaTeX, Opus, WebM and 7z.
- Free/libre software for Replicant, LineageOS and Android: https://f-droid.org
- [[https://www.gnu.org/philosophy/free-sw.html][What is free software?]]
From: Leo Famulari @ 2021-06-15 13:49 UTC
To: 49029

On Mon, Jun 14, 2021 at 06:29:03PM -0300, Jorge P. de Morais Neto via Bug reports for GNU Guix wrote:
> Hi. I use Guix atop Debian¹ testing (currently bullseye).
>
> I normally browse the web on GNU IceCat and sometimes Firefox and
> Emacs EWW. I only use (ungoogled-)chromium for the rare websites that
> don't work on the other browsers. Long ago I installed in Chromium the
> extension The Great Suspender, and only today (months after G$$gle
> Chrome, according to news articles) did my Chromium disable it for
> having malware. And the only Chromium that did that for me was
> Debian's.
>
> So, I hypothesize that the ungoogling process has disabled Chromium's
> ability to automatically disable malware extensions. If true, that is a
> serious defect of ungoogled-chromium and Guix should make sure that
> users at least know about it. There could be a warning in the Guix
> package description *and* on the browser's start page.

Chromium is a program that is meant to be "evergreen". Version numbers are not highlighted to the user and the software is supposed to update itself, quickly and often. It's like a "rolling release" just for that program.

A variant of the package that blocks communication to Google and requires one of us to update it is, if you trust the Chromium team, categorically less up-to-date than a "normal Chromium" downloaded directly from chromium.org, and thus also less "secure", as you've seen.

I don't know exactly how the "disable malware extensions" mechanism works, but it's likely that the "ungoogling" disables the possibility that it can happen quickly, outside of full program updates.

It's a tradeoff we (have to?) make to offer a variant of Chromium that is judged acceptable by us under the Free System Distribution Guidelines, which Guix follows:

https://www.gnu.org/distros/free-system-distribution-guidelines.en.html

Personally I use the "regular" variants of browsers, that talk directly to the "motherships" of Google and Mozilla, for that reason.

By the way, the Debian testing branch is the last to receive security updates, and in general has no guarantee of fast security updates. If you want to use a Debian with more up-to-date software than the stable branch and also are concerned about your security, you might consider using Debian sid.
From: Leo Prikler @ 2021-06-15 14:40 UTC
To: Leo Famulari, Jorge P. de Morais Neto; +Cc: 49029

On Tuesday, 15.06.2021, 09:49 -0400, Leo Famulari wrote:
> On Mon, Jun 14, 2021 at 06:29:03PM -0300, Jorge P. de Morais Neto via
> Bug reports for GNU Guix wrote:
> > Hi. I use Guix atop Debian testing (currently bullseye).
> >
> > I normally browse the web on GNU IceCat and sometimes Firefox and
> > Emacs EWW. I only use (ungoogled-)chromium for the rare websites that
> > don't work on the other browsers. Long ago I installed in Chromium the
> > extension The Great Suspender, and only today (months after G$$gle
> > Chrome, according to news articles) did my Chromium disable it for
> > having malware. And the only Chromium that did that for me was
> > Debian's.
> >
> > So, I hypothesize that the ungoogling process has disabled Chromium's
> > ability to automatically disable malware extensions. If true, that is a
> > serious defect of ungoogled-chromium and Guix should make sure that
> > users at least know about it. There could be a warning in the Guix
> > package description *and* on the browser's start page.
>
> Chromium is a program that is meant to be "evergreen". Version numbers
> are not highlighted to the user and the software is supposed to update
> itself, quickly and often. It's like a "rolling release" just for that
> program.
>
> A variant of the package that blocks communication to Google and
> requires one of us to update it is, if you trust the Chromium team,
> categorically less up-to-date than a "normal Chromium" downloaded
> directly from chromium.org, and thus also less "secure", as you've
> seen.
>
> I don't know exactly how the "disable malware extensions" mechanism
> works, but it's likely that the "ungoogling" disables the possibility
> that it can happen quickly, outside of full program updates.
>
> It's a tradeoff we (have to?) make to offer a variant of Chromium that
> is judged acceptable by us under the Free System Distribution
> Guidelines, which Guix follows:
>
> https://www.gnu.org/distros/free-system-distribution-guidelines.en.html
>
> Personally I use the "regular" variants of browsers, that talk directly
> to the "motherships" of Google and Mozilla, for that reason.
>
> By the way, the Debian testing branch is the last to receive security
> updates, and in general has no guarantee of fast security updates. If
> you want to use a Debian with more up-to-date software than the stable
> branch and also are concerned about your security, you might consider
> using Debian sid.

On a somewhat related note, this also highlights the trust people put into storefronts like Google or Mozilla. An update that would first be pushed to GitHub and then to distros like Debian or Guix would have had more people looking at it critically. Not to say that Guix can't ever ship malware, but that we try our darndest not to ;)

Now that I think of it, I should probably push my cosmetic changes to evil-malware-service-type.
From: Jorge P. de Morais Neto via Bug reports for GNU Guix @ 2021-06-15 16:59 UTC
To: 49029, Leo Famulari

Hi. I didn't receive your email (I did this reply from the Emacs debbugs package). Please include my email address in further messages to mitigate the risk that I miss them. I continue below:

On 06/15/21 09:49 , Leo Famulari wrote:
> Chromium is a program that is meant to be "evergreen". Version
> numbers are not highlighted to the user and the software is supposed
> to update itself, quickly and often. It's like a "rolling release"
> just for that program.
> A variant of the package that blocks communication to Google and
> requires one of us to update it is, if you trust the Chromium team,
> categorically less up-to-date than a "normal Chromium" downloaded
> directly from chromium.org, and thus also less "secure", as you've seen.
> I don't know exactly how the "disable malware extensions" mechanism
> works, but it's likely that the "ungoogling" disables the possibility
> that it can happen quickly, outside of full program updates.
>
> It's a tradeoff we (have to?) make to offer a variant of Chromium that
> is judged acceptable by us under the Free System Distribution
> Guidelines, which Guix follows:

I can accept a reasonable trade-off, but I still believe this should be actively communicated to users. It is not obvious. If I had known that before, I would certainly have been more careful with extensions. Indeed, now that I know, I have not only deleted my old (ungoogled-)Chromium profile, but also, on the new profile, I installed only the HTTPS Everywhere and Privacy Badger extensions. I have also changed an important password that I remember having used on the malware-infected Chromium.

> By the way, the Debian testing branch is the last to receive security
> updates, and in general has no guarantee of fast security updates. If
> you want to use a Debian with more up-to-date software than the stable
> branch and also are concerned about your security, you might consider
> using Debian sid.

Thank you for the advice. I already knew that though, and I think the security risk of Debian testing is mitigated by my care. I have installed and configured debsecan. It emails me about Debian vulnerabilities, and then, in aptitude, I manually pull important security updates from Debian unstable (sid). That is a bit time-consuming, but I fear that going full unstable would be too unreliable (more breakages) and would remove the option of settling in stable without reinstalling. I mean, since my sources.list refers to bullseye, then, when it becomes stable, I will have Debian stable and will have a choice whether (and when) to upgrade to the new testing (bookworm).

Regards!

--
- https://stallmansupport.org "In Support of Richard Stallman"
- If an email of mine arrives at your spam box, please notify me.
- Please adopt free/libre formats like PDF, ODF, Org, LaTeX, Opus, WebM and 7z.
- Free/libre software for Replicant, LineageOS and Android: https://f-droid.org
- https://www.gnu.org/philosophy/free-sw.html "What is free software?"
From: Leo Famulari @ 2021-06-16 16:31 UTC
To: Jorge P. de Morais Neto; +Cc: 49029

On Tue, Jun 15, 2021 at 01:59:44PM -0300, Jorge P. de Morais Neto wrote:
> I can accept a reasonable trade-off, but I still believe this should be
> actively communicated to users. It is not obvious. If had known that
> before, I would certainly have been more careful with extensions.
> Indeed, now that I know, I have not only deleted my old
> (ungoogled-)Chromium profile, but also, on the new profile, I installed
> only HTTPS Everywhere and Privacy Badger extensions. I have also
> changed an important password that I remember having used on the
> malware-infected Chromium.

That trade-off applies for everything we package: in general, Guix packages will be less up to date than what upstream offers, and thus probabilistically more buggy and, based on your threat model, they may be "less secure". It's the same for any distro.

But, the situation is exacerbated for Chromium, which is developed very rapidly and has the most complete and advanced security posture of probably any program in use right now. I guess that's what hundreds of billions of dollars in annual revenue can buy.

Chromium, and web browsers in general, also have the most dire security exposure, because most computer users do *everything* in their browser, and because they are used to interact with untrusted data (the internet). Chrome / Chromium is the "juiciest" target for attackers.
From: Leo Famulari @ 2021-06-16 16:33 UTC
To: 49029

On Mon, Jun 14, 2021 at 06:29:03PM -0300, Jorge P. de Morais Neto via Bug reports for GNU Guix wrote:
> I normally browse the web on GNU IceCat and sometimes Firefox and
> Emacs EWW. I only use (ungoogled-)chromium for the rare websites that
> don't work on the other browsers. Long ago I installed in Chromium the
> extension The Great Suspender, and only today (months after G$$gle
> Chrome, according to news articles) did my Chromium disable it for
> having malware. And the only Chromium that did that for me was
> Debian's.

Does anybody know what we need to do to fix this bug? Do we need to update the ungoogled-chromium package?
From: Marius Bakke @ 2021-06-16 21:09 UTC
To: Leo Famulari, Jorge P. de Morais Neto; +Cc: 49029

Leo Famulari <leo@famulari.name> writes:
> On Mon, Jun 14, 2021 at 06:29:03PM -0300, Jorge P. de Morais Neto via Bug reports for GNU Guix wrote:
>> I normally browse the web on GNU IceCat and sometimes Firefox and
>> Emacs EWW. I only use (ungoogled-)chromium for the rare websites that
>> don't work on the other browsers. Long ago I installed in Chromium the
>> extension The Great Suspender, and only today (months after G$$gle
>> Chrome, according to news articles) did my Chromium disable it for
>> having malware. And the only Chromium that did that for me was
>> Debian's.
>
> Does anybody know what we need to do to fix this bug? Do we need to
> update the ungoogled-chromium package?

It's not easily possible to install extensions with ungoogled-chromium, apart from the two that are available directly through Guix. If the user goes out of their way to install extensions, such as using a browser from a different distro, there is little we can do.

Mixing browser profiles between the vanilla and ungoogled Chromium is not a supported use case. Warranty void.

I'd accept a patch that warns or refuses to use a "tainted" browser profile, or changes the default browser profile directory so it does not conflict with vanilla. But I'm inclined to close this as "not-a-bug" for now.

WDYT, Jorge?
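One way to implement the "tainted profile" check Marius proposes above, as an added example that is neither Guix nor ungoogled-chromium code. It relies on an assumption about the vanilla Chromium profile layout: the profile directory (for instance ~/.config/chromium/Default) keeps a JSON file named "Secure Preferences" (older profiles: "Preferences") whose extensions.settings object is keyed by the 32-character [a-p] extension id and records a from_webstore boolean and the extension's manifest for each one. Since ungoogled-chromium cannot install from the Chrome Web Store, any entry flagged from_webstore must have been written by another Chromium sharing the profile, which is exactly the situation this thread describes. The extension ids and names in the sample are constructed, not real ones, and the field names should be verified against the Chromium build in use.

```python
"""Flag a Chromium profile that holds Chrome Web Store extensions.

Added example (not Guix or ungoogled-chromium code).  Assumes the
vanilla Chromium profile layout described in the lead-in: a JSON file
"Secure Preferences" (or "Preferences") with extensions.settings keyed
by extension id, each entry carrying "from_webstore" and "manifest".
"""
import json
import re
import sys
import tempfile
from pathlib import Path

# Chromium extension ids are 32 characters drawn from a..p.
EXTENSION_ID_RE = re.compile(r"^[a-p]{32}$")
# Newer Chromium keeps extension settings in "Secure Preferences";
# "Preferences" is read as well for older profiles (assumed layout).
PREF_FILES = ("Secure Preferences", "Preferences")


def load_extension_settings(profile_dir):
    """Return the merged extensions.settings mapping of a profile directory.

    Missing files are skipped so the check also works on a fresh profile."""
    settings = {}
    for name in PREF_FILES:
        path = Path(profile_dir) / name
        if not path.is_file():
            continue
        with path.open(encoding="utf-8") as fh:
            prefs = json.load(fh)
        settings.update(prefs.get("extensions", {}).get("settings", {}))
    return settings


def webstore_extensions(settings):
    """List (id, name, state) for every extension flagged from_webstore.

    ungoogled-chromium cannot install from the Web Store, so such entries
    must have been written by another Chromium sharing the profile."""
    found = []
    for ext_id, entry in settings.items():
        if not EXTENSION_ID_RE.match(ext_id) or not isinstance(entry, dict):
            continue  # not an extension record; ignore defensively
        if entry.get("from_webstore") is True:
            name = entry.get("manifest", {}).get("name", "<unknown>")
            found.append((ext_id, name, entry.get("state")))
    return sorted(found)


def profile_is_tainted(profile_dir):
    """True when the profile holds at least one Web Store extension."""
    return bool(webstore_extensions(load_extension_settings(profile_dir)))


# Constructed sample data: both ids and names are made up for this example.
SAMPLE_SETTINGS = {
    "abcdefghijklmnopabcdefghijklmnop": {
        "from_webstore": True,
        "state": 1,
        "manifest": {"name": "Constructed Tab Suspender", "version": "7.1"},
    },
    "ponmlkjihgfedcbaponmlkjihgfedcba": {
        "from_webstore": False,
        "state": 1,
        "manifest": {"name": "Locally Packaged Extension", "version": "1.0"},
    },
}


def demo():
    """Write the sample into a temporary profile and run the check on it."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp) / "Default"
        profile.mkdir()
        (profile / "Secure Preferences").write_text(
            json.dumps({"extensions": {"settings": SAMPLE_SETTINGS}}),
            encoding="utf-8",
        )
        return webstore_extensions(load_extension_settings(profile))


if __name__ == "__main__":
    # Usage: python3 check_profile.py [PROFILE_DIR]; without an argument the
    # constructed sample profile is scanned instead.
    profile_dir = sys.argv[1] if len(sys.argv) > 1 else None
    hits = (
        webstore_extensions(load_extension_settings(profile_dir))
        if profile_dir
        else demo()
    )
    for ext_id, name, state in hits:
        print(f"WEBSTORE  {ext_id}  {name!r}  state={state}")
    if hits:
        print("profile looks tainted: Web Store extensions present")
        sys.exit(1)
    print("no Web Store extensions found")
```

A wrapper for the ungoogled-chromium binary could run this before launching and refuse to start, or print a warning, when it exits non-zero; the other option Marius mentions, a separate default profile directory, avoids the problem entirely rather than detecting it after the fact.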
From: Jorge P. de Morais Neto via Bug reports for GNU Guix @ 2021-06-16 22:17 UTC
To: Marius Bakke, Leo Famulari; +Cc: 49029

Hi Marius.

On [2021-06-16 Wed 23:09:19+0200], Marius Bakke wrote:
> It's not easily possible to install extensions with ungoogled-chromium,
> apart from the two that are available directly through Guix. If the
> user goes out of their way to install extensions, such as using a
> browser from a different distro, there is little we can do.
>
> Mixing browser profiles between the vanilla and ungoogled Chromium is
> not a supported use case. Warranty void.

In my case, the Debian Chromium's profile was already there when I installed Guix's ungoogled-chromium. I didn't even notice that Guix's ungoogled-chromium cannot install extensions from the Chrome Store.

> I'd accept a patch that warns or refuses to use a "tainted" browser
> profile, or changes the default browser profile directory so it does not
> conflict with vanilla.

Unfortunately I cannot write such a patch; I would have to dedicate a large amount of time learning about Chromium's insides (which are reportedly byzantine) and I don't even know if I'll actually keep using Guix's ungoogled-chromium. But couldn't you report this to ungoogled-chromium upstream?

> But I'm inclined to close this as "not-a-bug" for now. WDYT, Jorge?

In my humble opinion, users should be informed, especially users of the Guix package manager on another GNU distribution. Maybe at least a warning in the package description that mixing Guix's ungoogled-chromium and the host distribution's Chromium on the same profile is unsupported?

Regards

--
- https://stallmansupport.org "In Support of Richard Stallman"
- I am Brazilian. I hope my English is correct and I welcome feedback.
- https://www.defectivebydesign.org
- https://www.gnu.org
From: Maxim Cournoyer @ 2022-01-04 4:55 UTC
To: Jorge P. de Morais Neto; +Cc: 49029

Hello Jorge,

Jorge P. de Morais Neto <jorge+list@disroot.org> writes:
> Hi Marius.
>
> On [2021-06-16 Wed 23:09:19+0200], Marius Bakke wrote:
>
>> It's not easily possible to install extensions with ungoogled-chromium,
>> apart from the two that are available directly through Guix. If the
>> user goes out of their way to install extensions, such as using a
>> browser from a different distro, there is little we can do.
>>
>> Mixing browser profiles between the vanilla and ungoogled Chromium is
>> not a supported use case. Warranty void.
>
> In my case, the Debian Chromium's profile was already there when I
> installed Guix's ungoogled-chromium. I didn't even notice that Guix's
> ungoogled-chromium cannot install extensions from the Chrome Store.
>
>> I'd accept a patch that warns or refuses to use a "tainted" browser
>> profile, or changes the default browser profile directory so it does not
>> conflict with vanilla.
>
> Unfortunately I cannot write such a patch; I would have to dedicate a
> large amount of time learning about Chromium's insides (which are
> reportedly byzantine) and I don't even know if I'll actually keep using
> Guix's ungoogled-chromium. But couldn't you report this to
> ungoogled-chromium upstream?

With close to 1500 bugs open, we need *your* help :-). If you think this issue is worthy of bringing upstream, please see to it!

Otherwise, I'm afraid I'll close this issue as not-a-bug as Marius suggested, as it appears to me reasonable that the Guix-installed ungoogled-chromium wouldn't know to police (especially outside of regular updates) software installed from sources external to Guix.

Thank you,

Maxim
From: Jorge P. de Morais Neto via Bug reports for GNU Guix @ 2022-01-06 11:34 UTC
To: Maxim Cournoyer; +Cc: 49029, Leo Famulari, Marius Bakke

Hello!

On [2022-01-03 Mon 23:55:59-0500], Maxim Cournoyer wrote:
> With close to 1500 bugs open, we need *your* help :-). If you think
> this issue is worthy of bringing upstream, please see to it!

Do you know of a way of bringing this issue upstream without a GitHub account? I could not find one.

Kind regards

--
- Many people hate injustice but few check the facts; this causes more injustice. Ask me about <https://stallmansupport.org>
- I am Brazilian. I hope my English is correct and I welcome feedback.
- Free Software Supporter: https://www.fsf.org/free-software-supporter
- If an email of mine arrives at your spam box, please notify me.
From: Maxim Cournoyer @ 2022-01-06 13:46 UTC
To: Jorge P. de Morais Neto; +Cc: 49029

Hi,

Jorge P. de Morais Neto <jorge+list@disroot.org> writes:
> Hello!
>
> On [2022-01-03 Mon 23:55:59-0500], Maxim Cournoyer wrote:
>
>> With close to 1500 bugs open, we need *your* help :-). If you think
>> this issue is worthy of bringing upstream, please see to it!
>
> Do you know of a way of bringing this issue upstream without a GitHub
> account? I could not find one.

You could find one of the project maintainers' email addresses in the git history of the project and send them a private email with your suggestion.

Thanks,

Maxim
From: Jorge P. de Morais Neto via Bug reports for GNU Guix @ 2022-01-07 0:09 UTC
To: Maxim Cournoyer; +Cc: 49029, Leo Famulari, Marius Bakke

Hi,

On [2022-01-06 Thu 08:46:43-0500], Maxim Cournoyer wrote:
> You could find one of the project maintainers email address in the git
> history of the project and send them a private email with your
> suggestion.

I have just emailed Eloston. I will inform here if he replies.

Kind regards

--
- Please adopt free/libre formats like PDF, Org, LaTeX, ODF, Opus, WebM and 7z.
- Libre apps for AOSP (Replicant, LineageOS, etc.) and Android: F-Droid
- https://www.gnu.org/philosophy/free-sw.html "What is free software?"
From: Maxim Cournoyer @ 2022-01-07 18:09 UTC
To: Jorge P. de Morais Neto; +Cc: 49029-done

Hi Jorge,

Jorge P. de Morais Neto <jorge+list@disroot.org> writes:
> Hi,
>
> On [2022-01-06 Thu 08:46:43-0500], Maxim Cournoyer wrote:
>
>> You could find one of the project maintainers email address in the git
>> history of the project and send them a private email with your
>> suggestion.
>
> I have just emailed Eloston. I will inform here if he replies.

Thank you for doing so. I'll close this on the Guix side, as the discussion has now moved to upstream, but feel free to reply with their response (if any) here, for the record!

Thank you,

Maxim