[Dev] [GNU-linux-libre] [libreplanet-discuss] QTWebengine is nonfree

Tue Jan 17 23:23:43 GMT 2017

On 01/17/2017 02:57 PM, Richard Stallman wrote:
> [[[ To any NSA and FBI agents reading my email: please consider    ]]]
> [[[ whether defending the US Constitution against all enemies,     ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>
>   > I've reached out to ungoogled-chromium as well since the project spends
>   > a considerable amount of time patching, to ask what they considered to
>   > be "large portions of code".
>
> Any response?
>
I was able to get a response, the developer wrote:
---

"Eloston:@g4jc After looking into this issue in greater depth, what I
said in #117 may be incorrect. Here is Debian's |copyright| file for
Chromium 55
<https://anonscm.debian.org/cgit/pkg-chromium/pkg-chromium.git/tree/debian/copyright?h=debian/55.0.2883.75-3&id=601bf3b000b4df4a79463f8500a95b5722f42cfc>,
and here is the Lintian report for the latest Chromium (currently 55)
<https://lintian.debian.org/maintainer/pkg-chromium-maint@lists.alioth.debian.org.html#chromium-browser>.
I'm not seeing anything there that's violating the free software
definition, but I could be mistaken."
----

The situation has definitely improved since the last Debian Lintian
report. In the first report there were several thousand files missing
license information.
That is now down to <100 files.

Using ungoogled-chromium's combined patches to strip pre-built binaries
and apply privacy fixes would be a minimum requirement in my opinion.

Even if we (Parabola) can patch it, it would be much better if KDE and
QT did this upstream.
As it has the potential to affect millions of GNU/Linux users - well
outside of just Parabola.

However, my sentiments also echo what Isacc wrote on this thread, and
are especially important for Parabola's nonprism (privacy) repo:
---
"Orthogonal yet absolutely important, because QtWebEngine is
said to contain *all* of Chromium, not just the Blink engine. Even
if the freedom problems were fixed soon (they could be), we would
still need to worry about Qt (and therefore KDE) possibly subjecting
their users to the well-documented Google tracking. Chromium
would become one of those rare cases of free software that is also
spyware."
---

We have no reliable way of controlling fingerprinting API's in an
embedded Chromium.

As previously mentioned liberating this requires:
- No non-free source code
- No pre-built binaries or libraries (e.g. compile and use system ones
instead), no use of "use_prebuilt" in makefile.
- Access to chrome://flags[1]
- Ability to solve well-known privacy issues[2]

For those on the mailing list who still believe Google is not tracking
users, and is a "Do no evil" corporation at heart - I deplore you to
"google it".
(or preferably duckduckgo/searx/yacy it since that is much safer).

The many connections to Google that are outbound from Chromium, even if
good by intention, create very invasive meta data and fingerprinting
opportunities.
These opportunities can be exploited against users, many of which may
have no idea that Chromium is running on their computer if it is embedded.
We may never be able to block them all due to Chromium's design, but
limiting it's reach is essential.

To demonstrate the seriousness of this issue on Parabola:
- Try installing KDE's GnuPG frontend "kgpg" --> depends on -->
akonadi-contacts --> currently requires --> qt5-webengine (Chromium)

Luke
Parabola GNU/Linux-libre Packager
https://parabola.nu

1.
http://stackoverflow.com/questions/17060363/google-chrome-how-can-i-programmatically-enable-chrome-flags-some-of-the-mod
2.
https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChromeBugs
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20170117/8a1dd720/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20170117/8a1dd720/attachment.sig>