[Dev] QTWebengine is nonfree

Luke g4jc at openmailbox.org
Sun Jan 8 20:20:03 GMT 2017

On 01/08/2017 07:05 PM, Richard Stallman wrote:
> [[[ To any NSA and FBI agents reading my email: please consider    ]]]
> [[[ whether defending the US Constitution against all enemies,     ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
> This sounds like a big problem, but it might not be hard to fix.
> Could someone give me additional information?
>   > Hi guys, since Chromium is blacklisted as nonfree software [0] we have a
>   > serious issue. KDE is migrating their apps to QTWebEngine which contains
>   > Chromium as the embed engine inside it. [1]
> What does "embed engine" mean?
> What jobs does it need to do?
> Is it possible to use Iridium instead of Chromium?
> Can you tell me the names and addreses of a few people in KDE that
> it would be useful to discuss this with?
/> What does "embed engine" mean?/
To "embed the engine" in this context = running another program inside
your own. The code to do it for QT is as simple as:

import QtQuick 2.1
import QtWebEngine 1.0

WebEngineView {
    url: "htttp://www.ics.com"

It allows developers to quickly create GUI programs that contain the
entire Chromium platform (more than just a web-engine, since Chrome is
also developing ChromeOS), without actually having to do any of the work
usually required for a backend web engine. This makes for pretty
programs with different layouts, all using the same web engine. To quote
one of the QT development websites...

"As the build includes Google Chromium, which has over 9,000 source
files, it will take some time to complete. My build took about
forty-five minutes to compile the software on a standard quad-core CPU

In summary, QtWebEngine is planned to replace QtWebKit as the
web-rendering engine for Qt. It will likely be included as part of the
Qt 5.4 release. While QtWebKit will continue to be available for binary
compatibility, new development will focus on QtWebEngine. I encourage
you to take a look at it and consider using it in your Qt applications."

It's essentially the same as Internet Explorer was doing in times past
for Visual C++. Users can drag and drop widgets to create
"pseudo-browsers", all powered by the same embedded engine. That is why
there were (and are) so many non-free browsers. There are in reality
only a few free web-engines, and many re-branded "browsers" that mere
put shiny new graphics on old engines.

/> What jobs does it need to do?/
What a web-engine/layout engine needs to do is quite complex. It is
difficult to describe in one e-mail, but the best article I could find
is from a Mozilla developer. I am including the highlight of the article

"Let’s talk terminology. A browser engine is the portion of a web
browser that works “under the hood” to fetch a web page from the
internet, and translate its contents into forms you can read, watch,
hear, etc. Blink, Gecko, WebKit, and Trident are browser engines. In
contrast, the the browser’s own UI—tabs, toolbar, menu and such—is
called the chrome. Firefox and SeaMonkey are two browsers with different
chrome but the same Gecko engine.

A browser engine includes many sub-components: an HTTP client, an HTML
parser, a CSS parser, a JavaScript engine (itself composed of parsers,
interpreters, and compilers), and much more. Those components involved
in parsing web formats like HTML and CSS and translating them into what
you see on-screen are sometimes called the layout engine or rendering

The above complexity is also why no one wants to do it, they just depend
on others to do that work for them and then "embed an engine" into their
pseudo-browsers and other programs for rapid development.
//> Is it possible to use Iridium instead of Chromium?
Unfortunately, Iridium has merely used a few inox-patchsets and GUI
branding to the Chromium engine. In addition to not blocking non-free
addons, it does not solve the non-free license issues, per outstanding
bug ticket:  https://github.com/iridium-browser/iridium-browser/issues/93

Another project, ungoogled-chromium goes much further, and yet still
admits defeat. Here is the state of Ungoogled-Chromium:

In addition to features from Debian
<https://tracker.debian.org/pkg/chromium-browser>, Inox patchset
<https://github.com/gcarq/inox-patchset>, and Iridium Browser

  * Replace many web domains in the source code with non-existent
    alternatives ending in |qjz9zk| (known as domain substitution)
  * Strip binaries from the source code (known as source cleaning)
      o This includes all pre-built executables, shared libraries, and
        other forms of machine code. They are substituted with system or
        user-provided equivalents, or built from source.
      o However a few data files (e.g. |*_page_model.bin| that define
        page models for the DOM Distiller) are left in as they do not
        contain machine code and are needed for building.
  * Disable functionality specific to Google domains (e.g. Google Host
    Detector, Google URL Tracker, Google Cloud Messaging, Google
    Hotwording, etc.)
  * Add Omnibox search provider "No Search" to allow disabling of searching
  * Disable automatic formatting of URLs in Omnibox (e.g. stripping
    |http://|, hiding certain parameters)
  * Disable JavaScript dialog boxes from showing when a page closes
    (onbeforeunload events)
      o Bypasses the annoying dialog boxes that spawn when a page is
        being closed
  * Added menu item under "More tools" to clear the HTTP authentication
    cache on-demand
  * Force all pop-ups into tabs
  * Disable Safe Browsing
      o See the FAQ
  * Disable WebRTC
      o This will be configurable in the future.
  * Disable intranet redirect detector
      o Prevents unnecessary invalid DNS requests to the DNS server.
      o This breaks captive portal detection, but captive portals still
  * Add more URL schemes allowed for saving
      o Note that this generally works only for the MHTML option, since
        an MHTML page is generated from the rendered page and not the
        original cached page like the HTML option.
  * (Iridium Browser feature change) Prevent URLs with the |trk:| scheme
    from connecting to the Internet
      o Also prevents any URLs with the top-level domain |qjz9zk| (as
        used in domain substitution) from attempting a connection.
  * (Iridium and Inox feature change) Prevent pinging of IPv6 address
    when detecting the availability of IPv6
  * Support for building Debian and Ubuntu packages
      o Creates a separate package |chrome-sandbox| for the SUID sandbox
          + Not necessary to install if the kernel option
            |unprivileged_userns_clone| is enabled
  * Windows support with these changes:
      o Build |wow_helper.exe| from source instead of using the
        pre-built version
      o Build |swapimport.exe| from source instead of downloading it
        from Google (requires customized syzygy source code
      o Build |yasm.exe| from source instead of using the pre-built version
      o Use user-provided building utilities instead of the ones bundled
        with Chromium (currently |gperf| and |bison|)
      o Do not set the Zone Identifier on downloaded files (which is a
        hassle to unset)

DISCLAIMER: Although it is the top priority to eliminate bugs and
privacy-invading code, there will be those that slip by due to the
fast-paced growth and evolution of the Chromium project.

Per Ungoogled-Chromium bug ticket #117: /
"/I don't know if any fork of Chromium complies with the free software
guidelines. If you are using Debian or Ubuntu, I adapt all of Debian's
changes to ungoogled-chromium. I've also stripped almost all of the
binary blobs through source cleaner (all of the machine code is gone;
some data in binary form for page distillation and international
components for unicode)."

/"/Closing as wontfix since this is impractical to accomplish without
rewriting larger portions of source code to use free software. There
simply isn't enough manpower."
/> Can you tell me the names and addreses of a few people in KDE that,it
would be useful to discuss this with?/
Unfortunately, I don't know of anyone in KDE or QT, but they should
definitely be made aware of this issue if they are not already. It
present serious freedom concerns. Perhaps some one else can help with
this information and reaching out to them/?//

Parabola GNU/Linux-libre Packager

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20170108/7293ee49/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20170108/7293ee49/attachment.sig>

More information about the Dev mailing list