From: Ricardo Wurmus <rekado@elephly.net>
To: Mark H Weaver <mhw@netris.org>
Cc: guix-devel@gnu.org, "Clément Lassieur" <clement@lassieur.org>
Subject: Re: Firefox 52's end of life, packaging Chromium
Date: Sun, 02 Sep 2018 12:21:42 +0200 [thread overview]
Message-ID: <87va7oyzbd.fsf@elephly.net> (raw)
In-Reply-To: <871sacz9si.fsf@netris.org>
Hi Mark,
> Mark H Weaver <mhw@netris.org> writes:
>
>> Ricardo Wurmus <rekado@elephly.net> writes:
>>
>>> The TODO list for convenience:
>>>
>>> * There is still some data transmitted when starting the browser for the
>>> first time. It seems related to the "domain_reliability" component.
>>> * Remove remaining "Web Store" links. Currently I've only found it in
>>> settings, under "accessibility" and "fonts".
>>> * Opening settings transmits a bunch of data, the next version will
>>> include the 'disable-translation-lang-fetch' patch from Inox.
>>> * PDFium is built, but does not seem to work (the 'install' phase
>>> probably needs tweaking). Might just disable it instead.
>>>
>>> It would be *very* nice if the first and third items could be solved
>>> before merging, but I don’t consider them blockers.
>>
>> The GNU FSDG says "The distro must contain no DRM, no back doors, and no
>> spyware." Since GNU Guix has committed to follow the FSDG, that means
>> that we must not include programs that include spyware. We have
>> committed ourselves to "removing such programs if any are discovered."
>>
>> Guix _is_ committed to the GNU FSDG, right?
Of course it is.
>> Do you agree that #1 and #3 look like spyware? If so, wouldn't that
>> make them blockers?
#3 looks like it’s fetching translation information, which seems
legitimate. #1 is unclear to me, honestly, as it seems to be a bug.
AIUI the “domain_reliability” component is not enabled by default.
For context I read a little about this “domain_reliability” thing and
found this Google document (I don’t know if this is an official
publication by the Chromium developers):
https://docs.google.com/document/d/14U0YA4dlzNYciq2ke0StEMjomdBUN6ocSt1kN03HJ0s/pub#h.20j0auqi631o
From what I understand, the “Domain Reliability Monitoring” feature in
Chromium is sending connection successes / failures for resources on a
participating domain to a collection point determined by the operators
of that domain, i.e. not necessarily to Google.
I certainly would not want this to be enabled by default (and my
understanding is that it is not), but it would be okay to let users opt
in by enabling it. (Just like the default for Epiphany is to use an
ad-blocker by default, with a setting to disable it.)
I personally don’t trust Chromium (because user privacy is against
upstream’s interests) and will not use it myself nor will I recommend
its use. But I trust that Marius and others who have been working on
this package for months and evaluated its behaviour periodically across
upgrades act in good faith and have made considerable efforts to remove
anti-features.
From what I know about these remaining TODO items, they don’t look like
spyware to me. I could be wrong, of course, and I’m happy that we have
a community of people who are very vigilant, including Marius and
yourself. Thank you for also asking about EME support in Chromium[1],
which is something I did not think of.
[1]: http://issues.guix.info/issue/28004#263
> I admit that it's unclear whether or not those data transmissions could
> reasonably be called 'spyware', but at the very least their existence
> provides cover for spyware added later, by conditioning users to accept
> data transmission to Google when it hasn't been requested (by either the
> user or the website being visited).
By “spyware added later” do you mean with future updates to the package?
Future updates will remain difficult because we’re dealing with an
upstream that is not aligned with our values. We take patches from
other communities, though, that focus on removing anti-features from
Chromium. Future updates will have to be evaluated in the future.
> In addition, I'm under the impression that efforts to remove spyware
> from Chromium are considered a work-in-progress, i.e. unfinished, but I
> admit that I haven't looked recently. Perhaps that impression is stale.
I’m afraid removing spyware from Chromium will never truly be finished
until Google stop developing the browser. Future upgrades will need to
undergo careful checks (much like upgrades to Shogun to ensure that all
non-free software is stripped off).
--
Ricardo
next prev parent reply other threads:[~2018-09-02 10:22 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-29 9:03 Firefox 52's end of life, packaging Chromium Clément Lassieur
2018-08-29 15:24 ` Pierre Neidhardt
2018-08-29 16:14 ` Christopher Lemmer Webber
2018-08-29 18:16 ` Leo Famulari
2018-08-29 21:25 ` Amirouche Boubekki
2018-08-29 22:35 ` Clément Lassieur
2018-08-29 23:26 ` Amirouche Boubekki
2018-08-30 7:43 ` Clément Lassieur
2018-08-30 1:12 ` Mike Gerwitz
2018-08-30 5:14 ` Clément Lassieur
2018-08-30 9:55 ` Ludovic Courtès
2018-08-30 10:04 ` Nils Gillmann
2018-08-30 11:01 ` Clément Lassieur
2018-08-30 12:09 ` Ludovic Courtès
2018-08-30 13:30 ` Nils Gillmann
2018-08-30 11:00 ` Clément Lassieur
2018-08-30 16:35 ` Mike Gerwitz
2018-08-30 9:07 ` Nils Gillmann
2018-08-30 9:20 ` Nils Gillmann
2018-08-30 16:38 ` Mike Gerwitz
2018-08-30 8:41 ` Ricardo Wurmus
2018-08-30 8:54 ` Clément Lassieur
2018-08-30 12:11 ` Ricardo Wurmus
2018-08-30 14:23 ` Amin Bandali
2018-09-01 14:08 ` Ludovic Courtès
2018-09-01 17:31 ` Nils Gillmann
2018-09-01 20:28 ` Amin Bandali
2018-09-02 13:54 ` Marius Bakke
2018-09-02 16:21 ` Mark H Weaver
2018-09-01 17:53 ` Joshua Branson
2018-09-01 23:18 ` Nils Gillmann
2018-09-03 20:57 ` Joshua Branson
2018-09-04 8:13 ` Nils Gillmann
2018-09-02 5:33 ` Mark H Weaver
2018-09-02 6:35 ` Mark H Weaver
2018-09-02 8:13 ` Mark H Weaver
2018-09-02 10:21 ` Ricardo Wurmus [this message]
2018-09-02 13:29 ` Marius Bakke
2018-09-02 16:48 ` Ricardo Wurmus
2018-09-04 21:44 ` Ludovic Courtès
2018-09-02 6:52 ` Leo Famulari
2018-08-30 9:57 ` Ludovic Courtès
2018-09-07 9:29 ` Clément Lassieur
2018-09-15 10:36 ` Clément Lassieur
2018-09-17 13:28 ` Chromium channel Marius Bakke
2018-09-17 14:16 ` Clément Lassieur
2018-09-17 18:08 ` Nils Gillmann
2018-09-17 17:57 ` Pjotr Prins
2018-09-22 12:44 ` Ludovic Courtès
[not found] <mailman.598.1535619290.1280.guix-devel@gnu.org>
2018-08-30 23:38 ` Firefox 52's end of life, packaging Chromium Benjamin Slade
2018-08-31 16:57 ` Hartmut Goebel
2018-09-01 14:13 ` Ludovic Courtès
2018-09-01 18:44 ` Pjotr Prins
2018-09-02 4:57 ` Mike Gerwitz
2018-09-05 20:57 ` Christopher Lemmer Webber
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87va7oyzbd.fsf@elephly.net \
--to=rekado@elephly.net \
--cc=clement@lassieur.org \
--cc=guix-devel@gnu.org \
--cc=mhw@netris.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).