From: Marius Bakke
Subject: [bug#28004] Chromium
Date: Mon, 06 Nov 2017 00:52:32 +0100
To: Ludovic Courtès, Leo Famulari
Cc: 28004@debbugs.gnu.org
Message-ID: <87o9og4727.fsf@fastmail.com>
In-Reply-To: <87o9p45bb6.fsf@fastmail.com>

Marius Bakke writes:

> Ludovic Courtès writes:
>
>> I think we should make sure that our package does not call home in any
>> way.  That’s what I expect from a security- and privacy-conscious
>> distro.
>
> Currently, it calls home at first launch, prompting for a login.  But
> I've verified that it does not send any unsolicited requests for
> subsequent startups, as long as the user does not change the
> command-line flags.

I tried picking two other Debian patches[0][1] to see if it helped with
the annoying splash screen and decided to verify whether the browser
still "calls home" from a clean profile.  The last time I checked was
many versions ago.

After dismissing the sign-in dialog, the "New Tab Page" loads a regular
Google search bar, and "pre-fills" two of the "most commonly used" slots
with Chrome URLs, (still) downloading a bunch of data in the process.

Not great, but maybe we could live with that if it was just for the
first run (it wasn't; had to change search engine to prevent the New Tab
Page from calling the mothership).

To my great surprise, while watching tcpdump from a different window, it
also called home *when I switched windows*.  Every time the Chromium
window was activated, some data was sent to Google servers.

Going into settings and toggling the "Use a prediction service to help
complete searches and URLs typed in the address bar" option (to off)
disabled that behaviour.  Not very confidence-instilling.

I'm going to try to incorporate the "Inox Patchset"[2], which is a set
of patches that attempts to remove all such misfeatures from Chromium.

They seem to have managed to stay on top of recent Chromium development,
unlike two other prominent privacy-focused "forks", so I'm optimistic.
But it might take some weeks before the next update.

Stay tuned..

[0]
[1]
[2]