Quoth Andrew Cady:
> On Sat, May 03, 2014 at 12:35:39PM -0400, Nick wrote:
> > if you're worried about an evil google, hey, they control the
> > browser, so you've already lost.
>
> I use Chromium and update it through my distro, so no, Google
> does not control the browser (/usr/bin/chromium).

Me too, but I was thinking that if they were evil they could slip in a subtle vulnerability that would be really hard to find; it's a large codebase that (to my knowledge) is only well-understood by Google employees. I don't think it's likely, but considering how fast-moving the codebase is, something subtle like a fencepost error that they could just quietly use / give away "if it's really needed" is imaginable. Theoretically fixable by (e.g.) Debian, in practice, most of the time it wouldn't be. This is an inherent problem of large, fast-moving, complex software developed primarily by one close-knit and corporate-bound team.

> But they do,
> still, control the extensions installed through user accounts
> (~/.config/chromium/Default/Extensions/). Google's control is
> hard-coded into the source.

What do you mean, they control the extensions through user accounts? That they auto-update? Or that Google are the primary source of extensions? What is hardcoded into the source?

I would like more diversity than 99.9% of extensions distributed through Google's infrastructure, but (like the 'app stores') it does provide a useful service; basic malware checking, that keeps most people safe from bad actors most of the time. At the expense of a single point of failure that can be compelled to fail by state action.
