From: "Jorge P. de Morais Neto" via Bug reports for GNU Guix <bug-guix@gnu.org>
To: 49029@debbugs.gnu.org, Leo Famulari <leo@famulari.name>
Subject: bug#49029: ungoogled-chromium failed to disable malware extension The Great Suspender
Date: Tue, 15 Jun 2021 13:59:44 -0300 [thread overview]
Message-ID: <87czsndpxb.fsf@disroot.org> (raw)
In-Reply-To: <YMiv99V9CoQ3cThr@jasmine.lan> (Leo Famulari's message of "Tue, 15 Jun 2021 09:49:43 -0400")
Hi. I didn't receive your email (I did this reply from Emacs debbugs
package). Please include my email address in further messages to
mitigate the risk that I miss them. I continue below:
On 06/15/21 09:49 , Leo Famulari wrote:
> Chromium is a program that is meant to be "evergreen". Version
> numbers are not highlighted to the user and the software is supposed
> to update itself, quickly and often. It's like a "rolling release"
> just for that program.
> A variant of the package that blocks communication to Google and
> requires one of us to update it is, if you trust the Chromium team,
> categorically less up-to-date than a "normal Chromium" downloaded
> directly from chromium.org, and thus also less "secure", as you've seen.
> I don't know exactly how the "disable malware extensions" mechanism
> works, but it's likely that the "ungoogling" disables the possibility
> that it can happen quickly, outside of full program updates.
>
> It's a tradeoff we (have to?) make to offer a variant of Chromium that
> is judged acceptable by us under the Free System Distribution
> Guidelines, which Guix follows:
I can accept a reasonable trade-off, but I still believe this should be
actively communicated to users. It is not obvious. If had known that
before, I would certainly have been more careful with extensions.
Indeed, now that I know, I have not only deleted my old
(ungoogled-)Chromium profile, but also, on the new profile, I installed
only HTTPS Everywhere and Privacy Badger extensions. I have also
changed an important password that I remember having used on the
malware-infected Chromium.
> By the way, the Debian testing branch is the last to receive security
> updates, and in general has no guarantee of fast security updates. If
> you want to use a Debian with more up-to-date software than the stable
> branch and also are concerned about your security, you might consider
> using Debian sid.
Thank you for the advice. I already knew that though, and I think the
security risk of Debian testing is mitigated by my care. I have
installed and configured debsecan. It emails be about Debian
vulnerabilities, and then, in aptitude, I manually pull important
security updates from Debian unstable (sid).
That is a bit time-consuming, but I fear that going full unstable would
be too unreliable (more breakages) and would remove the option of
settling in stable without reinstalling. I mean, since my sources.list
refers to bullseye, then, when it becomes stable, I will have Debian
stable and will have a choice whether (and when) to upgrade to the new
testing (bookworm).
Regards!
--
- https://stallmansupport.org "In Support of Richard Stallman"
- If an email of mine arrives at your spam box, please notify me.
- Please adopt free/libre formats like PDF, ODF, Org, LaTeX, Opus, WebM and 7z.
- Free/libre software for Replicant, LineageOS and Android: https://f-droid.org
- https://www.gnu.org/philosophy/free-sw.html "What is free software?"
next prev parent reply other threads:[~2021-06-15 17:02 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-14 21:29 bug#49029: ungoogled-chromium failed to disable malware extension The Great Suspender Jorge P. de Morais Neto via Bug reports for GNU Guix
2021-06-15 13:49 ` Leo Famulari
2021-06-15 14:40 ` Leo Prikler
2021-06-15 16:59 ` Jorge P. de Morais Neto via Bug reports for GNU Guix [this message]
2021-06-16 16:31 ` Leo Famulari
2021-06-16 16:33 ` Leo Famulari
2021-06-16 21:09 ` Marius Bakke
2021-06-16 22:17 ` Jorge P. de Morais Neto via Bug reports for GNU Guix
2022-01-04 4:55 ` Maxim Cournoyer
2022-01-06 11:34 ` Jorge P. de Morais Neto via Bug reports for GNU Guix
2022-01-06 13:46 ` Maxim Cournoyer
2022-01-07 0:09 ` Jorge P. de Morais Neto via Bug reports for GNU Guix
2022-01-07 18:09 ` Maxim Cournoyer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87czsndpxb.fsf@disroot.org \
--to=bug-guix@gnu.org \
--cc=49029@debbugs.gnu.org \
--cc=jorge+list@disroot.org \
--cc=leo@famulari.name \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.