From: Leo Famulari
To: "Jorge P. de Morais Neto"
Cc: 49029@debbugs.gnu.org
Subject: bug#49029: ungoogled-chromium failed to disable malware extension The Great Suspender
Date: Wed, 16 Jun 2021 12:31:20 -0400
References: <87k0mwdtk0.fsf@disroot.org> <87czsndpxb.fsf@disroot.org>
In-Reply-To: <87czsndpxb.fsf@disroot.org>
List-Id: Bug reports for GNU Guix

On Tue, Jun 15, 2021 at 01:59:44PM -0300, Jorge P. de Morais Neto wrote:
> I can accept a reasonable trade-off, but I still believe this should be
> actively communicated to users. It is not obvious. If I had known that
> before, I would certainly have been more careful with extensions.
> Indeed, now that I know, I have not only deleted my old
> (ungoogled-)Chromium profile, but also, on the new profile, I installed
> only HTTPS Everywhere and Privacy Badger extensions. I have also
> changed an important password that I remember having used on the
> malware-infected Chromium.

That trade-off applies for everything we package: in general, Guix
packages will be less up to date than what upstream offers, and thus
probabilistically more buggy and, based on your threat model, they may
be "less secure". It's the same for any distro.

But, the situation is exacerbated for Chromium, which is developed very
rapidly and has the most complete and advanced security posture of
probably any program in use right now. I guess that's what hundreds of
billions of dollars in annual revenue can buy.

Chromium, and web browsers in general, also have the most dire security
exposure, because most computer users do *everything* in their browser,
and because they are used to interact with untrusted data (the
internet). Chrome / Chromium is the "juiciest" target for attackers.