[Dev] Fwd: Re: Article: Chromium's subtle freedom flaws

Nicolás A. Ortega deathsbreed at themusicinnoise.net
Fri Mar 17 17:37:45 GMT 2017

I have been following this issue for a long time now, however I haven't
been able to respond to any threads due to technical reasons.

As I've been following along with these issues I've found very little
evidence that Chromium is in-and-of-itself non-free (not including
third-party plugins such as Widevine, which also support DRM), much less
other software that use Chromium infrastructure (correct me if that was
the incorrect term) such as QtWebEngine. What's more, the evidence that
is provided tends to be either of no indication that Chromium is
non-free (such as the Debian lintian reports that I constantly see
floating around [0]) typically refers to JavaScript files that are Free
Software, however they are simply minified. Although this may be a
reason not to package it, it most definitely is not a reason to call
Chromium non-free. If the arguments were saying that Chromium has
non-free third parties such as Widevine then that is perfectly valid (so
does Firefox[1], however we do not have the Firefox issue, in Parabola
at least, since we use IceWeasel/IceCat instead), but third-party
plugins such as Widevine can be easily removed (the Debian community has
done this[2]). In the Red Hat community these reports were brought up to
their maintainer and the maintainer concluded that all of the issues
brought up in the prior mentioned lintian reports are in reality free JS
but simply minified (which, as I mentioned before, is an issue for
packaging but not for freedom necessarily)[3]

The second largest complaint of Chromium has been that it leaks
information[4][5]. First I would like to make very clear that even if a
program lacks security or privacy features that **does not** make it
non-free. Therefore, even if there are privacy issues Chromium should
not be labelled as non-free, but rather insecure and at the very most
spyware (we are well aware that even Free Software can spy on you[6]).
However, moving on, I have looked through these issues that were brought
up and it seems that they have been slowly fixed with the exception of
three of them which were labelled as either `wontfix'[7][8] or still
remain open[9]. Upon these grounds Chromium can be judged.

If it turns out that there truly are non-free files in Chromium then let
it be so, I won't complain, but there needs to be solid evidence. I
understand it being removed from the Parabola repositories as a
temporary measure until the issue is resolved (as Parabola should not
risk there being non-free software in the repository), however to
publicly claim that it is non-free without any substantial evidence is
something that has been annoying me. I would ask that when these claims
are made that they are given with hard evidence as to the matter, and
(quite importantly) that when it is announced to the community via news
post[10] that it give **all** evidence (or at least the most pertinent
evidence) as to why a software is non-free, and if the reasons are
something other then it should be stated as such (eg. privacy concerns,
temporary removal until freedom issues resolved, etc.).

Again, if Chromium indeed has non-free files then I am fine with it
being removed, however I would like links with the evidence **and** it
should be reported to upstream as an issue (a link to the upstream bug
would also be something nice to add to the news post). I'm pretty sure
that opening a bug report will be much less work than all of this
repackaging of KDE and Qt packages to work without QtWebEngine (which,
as mentioned by Elyzabeth, is probably not even non-free even if
Chromium were).

[0] https://lintian.debian.org/maintainer/pkg-chromium-maint@lists.alioth.debian.org.html#chromium-browser
[1] https://support.mozilla.org/t5/Video-audio-and-interactive/Watch-DRM-content-on-Firefox/ta-p/37423
[2] https://packages.debian.org/stretch/chromium-widevine
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1418917
[4] https://lists.gnu.org/archive/html/libreplanet-discuss/2017-01/msg00056.html
[5] https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChromeBugs
[6] https://www.gnu.org/philosophy/ubuntu-spyware.html
[7] https://bugs.chromium.org/p/chromium/issues/detail?id=163116
[8] https://bugs.chromium.org/p/chromium/issues/detail?id=80722
[9] https://bugs.chromium.org/p/chromium/issues/detail?id=55058
[10] https://www.parabola.nu/news/chromium-blacklisted-to-respect-your-freedom/

> I earnestly hope this upcoming FSF article provides explicit and irrefutable 
> proof of QtWebEngine being non-free. Proof of hard-coded connections and 
> privacy leaks that I can verify for myself. A list of the non-free plugins and 
> DRM shipped as a part of Qt because none are listed in the documentation. Any 
> evidence of such obviously malicious behaviour that I can report to Qt and 
> work towards fixing.

Nicolás A. Ortega (Deathsbreed)
Public PGP Key:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20170317/53680ba9/attachment.sig>

More information about the Dev mailing list