From: Leo Prikler
To: Leo Famulari, "Jorge P. de Morais Neto"
Cc: 49029@debbugs.gnu.org
Subject: bug#49029: ungoogled-chromium failed to disable malware extension The Great Suspender
Date: Tue, 15 Jun 2021 16:40:31 +0200
References: <87k0mwdtk0.fsf@disroot.org>
List-Id: Bug reports for GNU Guix

On Tuesday, 15.06.2021, at 09:49 -0400, Leo Famulari wrote:
> On Mon, Jun 14, 2021 at 06:29:03PM -0300, Jorge P. de Morais Neto via
> Bug reports for GNU Guix wrote:
> > Hi. I use Guix atop Debian testing (currently bullseye).
> >
> > I normally browse the web on GNU IceCat and sometimes Firefox and
> > Emacs EWW. I only use (ungoogled-)chromium for the rare websites that
> > don't work on the other browsers. Long ago I installed in Chromium the
> > extension The Great Suspender, and only today (months after G$$gle
> > Chrome, according to news articles) did my Chromium disable it for
> > having malware. And the only Chromium that did that for me was
> > Debian's.
> >
> > So, I hypothesize that the ungoogling process has disabled Chromium's
> > ability to automatically disable malware extensions. If true, that is a
> > serious defect of ungoogled-chromium and Guix should make sure that
> > users at least know about it. There could be a warning in the Guix
> > package description *and* on the browser's start page.
>
> Chromium is a program that is meant to be "evergreen". Version numbers
> are not highlighted to the user and the software is supposed to update
> itself, quickly and often. It's like a "rolling release" just for that
> program.
>
> A variant of the package that blocks communication to Google and
> requires one of us to update it is, if you trust the Chromium team,
> categorically less up-to-date than a "normal Chromium" downloaded
> directly from chromium.org, and thus also less "secure", as you've
> seen.
>
> I don't know exactly how the "disable malware extensions" mechanism
> works, but it's likely that the "ungoogling" disables the possibility
> that it can happen quickly, outside of full program updates.
>
> It's a tradeoff we (have to?) make to offer a variant of Chromium that
> is judged acceptable by us under the Free System Distribution
> Guidelines, which Guix follows:
>
> https://www.gnu.org/distros/free-system-distribution-guidelines.en.html
>
> Personally I use the "regular" variants of browsers, that talk directly
> to the "motherships" of Google and Mozilla, for that reason.
>
> By the way, the Debian testing branch is the last to receive security
> updates, and in general has no guarantee of fast security updates. If
> you want to use a Debian with more up-to-date software than the stable
> branch and also are concerned about your security, you might consider
> using Debian sid.

On a somewhat related note, this also highlights the trust people put
into storefronts like Google or Mozilla. An update that would first be
pushed to GitHub and then to distros like Debian or Guix would have had
more people looking at it critically. Not to say that Guix can't ever
ship malware, but that we try our darndest not to ;)

Now that I think of it, I should probably push my cosmetic changes to
evil-malware-service-type.