Chrome, Debian Linux, and the secret binary blob download riddle
Quote:
Browser snuck proprietary voice-snoop code into distro
The Debian Project thinks it's fixed an issue where Google's Chromium web browser snuck proprietary code into the fiercely Free Software oriented Debian Linux distro. That hasn't stopped Debian users from wondering how the issue got past project maintainers in the first place.
Debian user Yoshihito Yoshino first raised the red flag on the project's bug report mailing list in May, after noticing suspicious network activity from Chromium 43, the most recent stable release of the open source version of the Chrome browser.
"After upgrading chromium to 43, I noticed that when it is running and immediately after the machine is on-line it silently starts downloading 'Chrome Hotword Shared Module' extension, which contains a binary without source code," Yoshino wrote. "There seems no opt-out config."
Under the Debian Social Contract, distributing software without accompanying source code is a serious no-no. The fact that an important software package from an eminent contributor has distributed code sans source, without anyone noticing, has left some Debian users asking whether the project needs stricter controls.
Even worse for some users was the nature of the proprietary code that Chromium downloaded. It was reportedly a library that supported Google's "OK Google" voice recognition feature, which some security researchers have pointed out is a potential open door for invasion of privacy.
Chromium is sourced from a company which, while it has been supportive of free software projects, has also been ambivalent in its own philosophy about software. I wouldn't necessarily put this problem down to malice on Google's part, but still it is another reason to trust Firefox more than Chromium.
Well the 'bug' was found, reported, and fixed.
As a "process" issue, I don't see a problem, any more than with any other security bug.
There has never been any promise or guarantee that any particular package has been audited or is free of malicious or unintended behaviour, only that the source the package has been built from is available for review and the package maintainer's changes and actions are documented.
No doubt this will bring about greater scrutiny of future contributions from that vendor, possibly a change of classification to contrib, but at the end of the day it's really still 'user beware' for what you choose to install - Google outgrew its famous motto a long time ago.
commit 0366a5184a70b3eefb5fcef2c2e13721669f00d8
Author: mgiuca
Date: Wed Jun 24 05:41:33 2015
Disable "Ok Google" hotwording in open source builds by default.
The compile-time flag "enable_hotwording" is now tied to
branding=Chrome (false by default unless making a Google Chrome build).
Note: Chromium will no longer download/install the Hotword Shared
Module, and will automatically remove the Hotword Shared Module on
startup if it was previously installed. To keep this functionality, add
"enable_hotwording=1" to GYP_DEFINES.
BUG=500922
and
Quote:
In light of this issue, we have decided to remove the hotwording component entirely from Chromium. As it is not open source, it does not belong in the open source browser.
Chromium builds from r335874 (version 45) onwards will have hotwording disabled by default and will not download the module. There is no way to enable this feature at runtime. Google Chrome users will be unaffected (although, as always, will have to opt in using settings before the hotword module will activate).
If you want a version of Chromium with hotwording, you have to build it from source, with the GYP define "enable_hotwording=1" (or equivalently, the GN arg "enable_hotwording = true"). This will produce a custom build of Chromium that downloads the proprietary hotword component.
I have also added a field in the chrome://voicesearch page (in 45 onwards) to show you whether the hotword module is installable. If that says "No", then it is not possible to opt in to hotwording (either because the language is unsupported, or because it is a Chromium build).
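One way to check an installed browser profile for the condition Yoshino reported, an extension that ships a native binary, is to walk the unpacked extensions and look for ELF files. This is an added example, not code from the thread or from Chromium; it assumes the usual `<Extensions>/<id>/<version>/manifest.json` layout, and the ids, file names and contents in `build_sample_tree` are constructed sample data.

```python
import json
import os
import tempfile

ELF_MAGIC = b"\x7fELF"  # first four bytes of ELF executables and shared objects

def find_native_binaries(ext_root):
    """Map extension name -> ELF files found under <ext_root>/<id>/<version>/."""
    findings = {}
    for ext_id in sorted(os.listdir(ext_root)):
        id_dir = os.path.join(ext_root, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version in sorted(os.listdir(id_dir)):
            ver_dir = os.path.join(id_dir, version)
            try:
                with open(os.path.join(ver_dir, "manifest.json"), encoding="utf-8-sig") as fh:
                    name = json.load(fh).get("name", ext_id)
            except (OSError, ValueError, AttributeError):
                continue  # not an unpacked extension directory
            hits = []
            for dirpath, _dirs, files in os.walk(ver_dir):
                for fname in files:
                    path = os.path.join(dirpath, fname)
                    try:
                        with open(path, "rb") as fh:
                            if fh.read(4) == ELF_MAGIC:
                                hits.append(os.path.relpath(path, ver_dir))
                    except OSError:
                        pass  # unreadable file: skip it
            if hits:
                findings.setdefault(name, []).extend(sorted(hits))
    return findings

def build_sample_tree():
    """Constructed sample data: two fake extensions in a temporary directory."""
    root = tempfile.mkdtemp()
    samples = [
        ("aaaa", "Chrome Hotword Shared Module", "bin/blob.bin", b"\x7fELF\x02\x01\x01"),
        ("bbbb", "Plain script extension", "background.js", b"console.log('hi');"),
    ]
    for ext_id, name, rel, data in samples:
        base = os.path.join(root, ext_id, "1.0_0")
        os.makedirs(os.path.dirname(os.path.join(base, rel)), exist_ok=True)
        with open(os.path.join(base, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": name, "version": "1.0"}, fh)
        with open(os.path.join(base, rel), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    # Point this at a profile's Extensions directory to audit a real install.
    print(find_native_binaries(build_sample_tree()))
```

On a real profile the manifest `name` can be a localized `__MSG_...__` placeholder rather than the display name, so treat the reported name as a hint and identify the extension by its directory.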