[Dev] [GNU-linux-libre] QTWebengine is nonfree

Luke g4jc at openmailbox.org
Sun Jan 8 05:50:44 GMT 2017

On 01/08/2017 05:01 AM, fauno wrote:
> André Silva <emulatorman at riseup.net> writes:
>> Hi guys, since Chromium is blacklisted as nonfree software [0] we have a
>> serious issue. KDE is migrating their apps to QTWebEngine which contains
>> Chromium as the embed engine inside it. [1]
>> Blacklisting it could be a solution, however since it's an engine, a lot
>> of packages won't work without it and it will require a large task to
>> remove the entire QT/KDE framework.
>> What do you think is the best solution to this problem?
>> I feel that Chromium is nonfree and presents privacy risks due to
>> outstanding issues.
>> [0]:https://www.libreplanet.org/wiki/List_of_software_that_does_not_respect_the_Free_System_Distribution_Guidelines#chromium-browser
>> [1]:https://labs.parabola.nu/issues/1167
> wasn't chromium considered non libre because of some source files'
> licenses being proprietary?  that license review was made years ago,
> maybe the situation changed?
Unfortunately, the situation hasn't improved much - I mentioned it
recently on gnu-linux-libre mailing list along with current efforts to
liberate it.

The original "Pass the Ubuntu license check script" Chromium bug report
from 2009 is still open and has a blocker.

Even if we manage to get the code fully free, it presents serious
privacy concerns that need to be patched out.
Chromium doesn't ship with an "about:config" like Mozilla does, so it
makes the job more tedious for us. inox-patchsets are working on it
little by little, but there is considerable work to do. The
inox-patchset official GitHub even mentions: "It is possible that some
data is still transmitted [to Google] (but down to a minimum) this is
because Chromium is a quite large and complex codebase which changes
each day."

Google Chrome (Unbranded = Chromium) has also had an unusual past:

- Google Chrome Leaking Credit Card Data?
"So it turns out that it’s Chrome’s sync feature that was saving my
information, but why?
It turns out that auto-fill data is synced with your Google account (if
you’re signed in and have the feature enabled, of course), and all of the
computers you’re signed into – and by default, without the benefit of
encryption. This file may contain any number of things, from mine I was
able to extract the following:

    Full name
    Wife’s full name
    Date of birth
    Wife’s date of birth
    Social Security Number
    Multiple credit card numbers
    Multiple CVVs
    Bank account & routing number

Not to mention quite a few websites I’ve been to, various addresses,
employer’s name and other various useful tidbits. All would be quite
useful for identity theft or highly targeted spear

- Google Dismisses Chrome Browser Microphone Snooping Exploit
"Google has shot down a researcher's claims that an exploit he posted
online showing how an attacker could snoop on phone calls or other
conversations on a user's machine constitutes a security flaw,
maintaining that Chrome's speech-recognition feature complies with the
W3C's specification."

- Google's Chromium on Debian Is Listening In on Your Conversations
"Apparently, the latest version of Chromium (version 43) on Debian,
silently installs a binary file without the user's consent or without
being pre-checked or pre-approved. This binary is, in fact, an extension
responsible for the browser's voice search feature and adds the famous
"OK Google" functionality found in the company's mobile apps to its
Chromium project.

- https://en.wikipedia.org/wiki/Google_and_privacy_issues#Google_Chrome


Returning to the original topic, QT and KDE were previously using
QTWebkit. Webkit does remain fully free software, and Webkit2 is under
active development.
Unfortunately, QT is now moving strongly to Webengine, which states on
its project website: "QtWebEngine integrates chromium's fast moving web
capabilities into Qt. Our goal is to bring the latest and best
implementation of the web platform into the universe of Qt. It is not
just a port of the core HTML/CSS rendering engine, *it is the entire
Chromium platform.*"
