Hey.
Just wondered:

1) Since this is a binary blob which, by its nature, is made for surveillance, it's IMO more a rather serious security issue than just a DFSG-policy problem. No one really knows what exactly Google ships there. So maybe people should be told about this more actively in a DSA or NEWS.Debian entry?

2) To my great surprise (and shock - due to the compromise) I found the binaries downloaded last July, even though I never used chromium on any site that uses EME or things like that. Which makes this behaviour even more suspicious.

3) AFAIU, now the Debian package no longer downloads it automatically (with widevine-cdm-cu.patch), but many people will still have it silently in place (and presumably executed). Which is again kinda a point for (1).

4) This problem of browsers downloading their own closed-source and possibly compromised stuff has already surfaced in the past. Wouldn't it be safer to completely remove the code doing this at all? Right now we have widevine-cdm-cu.patch which is fine for just this, and as soon as Google would add something new it would probably get downloaded & executed again until someone notices by chance.

In general, I think it's pretty bad if software circumvents secure APT to download further software:

- there is no central security support (just imagine an attacker simply blocks any time chromium tries to upgrade the binary blobs) and people will not even notice if upgrades from within the software fail.
- it's not taken into account by tools like check_apt either
- unless someone knows that Chromium puts software in .config it will stay there forever and not be removed or so when the chromium package would be removed
- an evil Google could just selectively distribute hacked versions of their binaries - something which is more or less impossible when all software comes via secure APT
- doing package upgrades really in a secure way (i.e. preventing blocking attacks, downgrade attacks, or just not using outdated/insecure algorithms) is actually not that easy and I've seen many downloader packages doing it wrong - with secure APT there's one central place where all this is handled (securely)

Cheers,
Chris.
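One practical way for an admin to act on the point about software silently sitting in .config is to look for native binaries under a user's config directory that no installed package claims. The script below is an added example written for this thread, not code from the original message, from Chromium or from the Debian packaging. It assumes a POSIX sh with `find`, `dd` and `od`, defaults the scan root to ~/.config (the only location the message names), and treats dpkg as optional: where `dpkg -S` is unavailable, every ELF file found is reported as untracked.

```shell
#!/bin/sh
# Added example (not from the original post, Chromium or Debian packaging).
# Lists files under a config directory that carry an ELF header and that no
# installed Debian package owns according to dpkg -S. Such files are exactly
# the kind of blob that secure APT never saw and that check_apt cannot report.
# Assumptions: scan root defaults to ~/.config; dpkg may be missing.

# is_elf FILE: exit 0 if the first four bytes are the ELF magic 7f 45 4c 46.
is_elf() {
    magic="$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')"
    [ "$magic" = "7f454c46" ]
}

# tracked_by_dpkg FILE: exit 0 if some installed package owns FILE.
# Without dpkg on the system nothing can vouch for the file, so it is untracked.
tracked_by_dpkg() {
    command -v dpkg >/dev/null 2>&1 || return 1
    dpkg -S "$1" >/dev/null 2>&1
}

# untracked_elf_files [DIR]: print every ELF file under DIR (default ~/.config)
# that no package claims, one path per line.
untracked_elf_files() {
    dir="${1:-$HOME/.config}"
    find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
        is_elf "$f" || continue
        tracked_by_dpkg "$f" && continue
        printf '%s\n' "$f"
    done
}

# count_untracked_elf [DIR]: number of such files, usable as a monitoring
# metric (a non-zero count means software arrived outside of APT).
count_untracked_elf() {
    untracked_elf_files "$1" | wc -l | tr -d ' '
}

# Stand-alone use: SCAN_DIR=/home/alice/.config sh check-config-blobs.sh
if [ -n "${SCAN_DIR:-}" ]; then
    untracked_elf_files "$SCAN_DIR"
fi
```

Run it with `SCAN_DIR` set to the directory to inspect; an empty result means every native binary under that tree is accounted for by dpkg. Reporting rather than deleting is deliberate: the list is meant to feed a NEWS.Debian-style notice or a local audit, so the admin decides what to do with each hit.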