unofficial mirror of bug-guix@gnu.org 
From: Leo Prikler <leo.prikler@student.tugraz.at>
To: Leo Famulari <leo@famulari.name>,
	"Jorge P. de Morais Neto" <jorge+list@disroot.org>
Cc: 49029@debbugs.gnu.org
Subject: bug#49029: ungoogled-chromium failed to disable malware extension The Great Suspender
Date: Tue, 15 Jun 2021 16:40:31 +0200
Message-ID: <babc3d48cb4cd2030a1fce596d28a85eb65f603c.camel@student.tugraz.at>
In-Reply-To: <YMiv99V9CoQ3cThr@jasmine.lan>

On Tuesday, 15.06.2021 at 09:49 -0400, Leo Famulari wrote:
> On Mon, Jun 14, 2021 at 06:29:03PM -0300, Jorge P. de Morais Neto via
> Bug reports for GNU Guix wrote:
> > Hi.  I use Guix atop Debian testing (currently bullseye).
> > 
> > I normally browse the web on GNU IceCat and sometimes Firefox and
> > Emacs EWW.  I only use (ungoogled-)chromium for the rare websites
> > that don't work on the other browsers.  Long ago I installed in
> > Chromium the extension The Great Suspender, and only today (months
> > after G$$gle Chrome, according to news articles) did my Chromium
> > disable it for having malware.  And the only Chromium that did that
> > for me was Debian's.
> > 
> > So, I hypothesize that the ungoogling process has disabled
> > Chromium's ability to automatically disable malware extensions.  If
> > true, that is a serious defect of ungoogled-chromium and Guix should
> > make sure that users at least know about it.  There could be a
> > warning in the Guix package description *and* on the browser's start
> > page.
> 
> Chromium is a program that is meant to be "evergreen". Version numbers
> are not highlighted to the user and the software is supposed to update
> itself, quickly and often. It's like a "rolling release" just for that
> program.
> 
> A variant of the package that blocks communication to Google and
> requires one of us to update it is, if you trust the Chromium team,
> categorically less up-to-date than a "normal Chromium" downloaded
> directly from chromium.org, and thus also less "secure", as you've
> seen.
> 
> I don't know exactly how the "disable malware extensions" mechanism
> works, but it's likely that the "ungoogling" disables the possibility
> that it can happen quickly, outside of full program updates.
> 
> It's a tradeoff we (have to?) make to offer a variant of Chromium that
> is judged acceptable by us under the Free System Distribution
> Guidelines, which Guix follows:
> 
> https://www.gnu.org/distros/free-system-distribution-guidelines.en.html
> 
> Personally I use the "regular" variants of browsers, that talk directly
> to the "motherships" of Google and Mozilla, for that reason.
> 
> By the way, the Debian testing branch is the last to receive security
> updates, and in general has no guarantee of fast security updates. If
> you want to use a Debian with more up-to-date software than the stable
> branch and also are concerned about your security, you might consider
> using Debian sid.

On a somewhat related note, this also highlights the trust people put
into storefronts like Google or Mozilla.  An update that would first
be pushed to GitHub and then to distros like Debian or Guix would have
had more people looking at it critically.  Not to say that Guix can't
ever ship malware, but that we try our darndest not to ;)

Now that I think of it, I should probably push my cosmetic changes to
evil-malware-service-type.




