Re: Firefox 52's end of life, packaging Chromium

[Mark H Weaver <mhw@netris.org>]

Mark H Weaver <mhw@netris.org> writes:

> Ricardo Wurmus <rekado@elephly.net> writes:
>
>> The TODO list for convenience:
>>
>> * There is still some data transmitted when starting the browser for the
>>   first time.  It seems related to the "domain_reliability" component.
>> * Remove remaining "Web Store" links.  Currently I've only found it in
>>   settings, under "accessibility" and "fonts".
>> * Opening settings transmits a bunch of data, the next version will
>>   include the 'disable-translation-lang-fetch' patch from Inox.
>> * PDFium is built, but does not seem to work (the 'install' phase
>>   probably needs tweaking).  Might just disable it instead.
>>
>> It would be *very* nice if the first and third items could be solved
>> before merging, but I don’t consider them blockers.
>
> The GNU FSDG says "The distro must contain no DRM, no back doors, and no
> spyware."  Since GNU Guix has committed to follow the FSDG, that means
> that we must not include programs that include spyware.  We have
> committed ourselves to "removing such programs if any are discovered."
>
> Guix _is_ committed to the GNU FSDG, right?
>
> Do you agree that #1 and #3 look like spyware?  If so, wouldn't that
> make them blockers?

I admit that it's unclear whether or not those data transmissions could
reasonably be called 'spyware', but at the very least their existence
provides cover for spyware added later, by conditioning users to accept
data transmission to Google when it hasn't been requested (by either the
user or the website being visited).

Someone may have analyzed the data transmitted at some time in the past
and concluded that it was most likely benign and with minimal impact to
one's privacy, but even if we accept that analysis, it cannot be assumed
to hold true for current or future versions of Chromium.

If we accept the existence of such traffic, we effectively eliminate our
ability to detect the inclusion of new spyware added to Chromium in the
future.

In addition, I'm under the impression that efforts to remove spyware
from Chromium are considered a work-in-progress, i.e. unfinished, but I
admit that I haven't looked recently.  Perhaps that impression is stale.

The reason I am so sensitive to this issue is that Debian included
nonfree software in their kernels for many years, despite it being a
widely known violation of the Debian Free Software Guidelines.
Apparently it was deemed sufficient to make a "best effort" to comply
with their own promises.  I hope that Guix would never take a similar
position.

If I have overreacted, and the situation is better than I fear, then I
apologize for the trouble.

I've asked Marius whether any spyware remains.

     Thanks,
       Mark