Bug#1042111: chromium: Web Environment Integrity

2023-10-23 Thread networkException

Thanks for working on this!

I noticed that this patch is not listed in the copyright file, it would 
be great if someone could include the header from the ungoogled-chromium 
repository.





2023-07-31 Thread Andres Salomon
On Wed, 26 Jul 2023 16:12:13 -0400 Andres Salomon wrote:
> As Matt mentioned, this is something that we need to decide if we want
> disabled at build time (deleting base_feature_status from
> third_party/blink/renderer/platform/runtime_enabled_features.json5 ,
> which would turn it back into a blink field-trial option that's
> disabled by default), disabled at runtime (I'm not sure whether a
> command-line argument or something set in initial_preferences).

I think what we'll do is disable this with a patch to 
runtime_enabled_features.json5 for now. If we ever need to revisit that 
decision later, we can further discuss it then.






2023-07-27 Thread Timothy Pearson
In my opinion, as a maintainer and user of Chromium (as distinct from Chrome), 
we absolutely need to ship this with the code removed / disabled.  This is a 
deliberate attempt to lock out the open Web, to force the use of a 
Google-approved (and Google-locked) software, firmware, and hardware stack, and 
to enable persistent, lifelong tracking per user of every action ever taken on 
the Web.

If a bank or similar requires it, then a separate (locked) commercial device 
should be used to interact with that specific commercial entity.  It is not our 
responsibility as open source developers to work for free, or at the expense of 
companies supporting open ecosystems, in order to make it easy to access the 
services provided by hostile for-profit entities.  Furthermore, it is the 
responsibility of the company requiring the locked commercial device to ensure 
it is fit for purpose, etc. at their own expense, and they need to bear the 
full financial and legal liability of that requirement.

In some ways this is no different than the old Bluray fight.  Illegal (in the 
US) access methods aside, people got used to using a separate player or other 
device and continued to enjoy their freedom to modify and use their Debian 
computers, privately, as they always had.  This did not measurably harm Debian, 
and in fact probably helped as people began to understand that the Debian 
ecosystem was trustworthy in the true sense, i.e. not watching every move or 
preventing access to key OS components.

If this code is not removed, I would probably need to stop helping with the 
maintenance efforts.  Conversely I am happy to step up and assist with the 
removal process.




2023-07-26 Thread Andres Salomon
As Matt mentioned, this is something that we need to decide if we want 
disabled at build time (deleting base_feature_status from 
third_party/blink/renderer/platform/runtime_enabled_features.json5 , 
which would turn it back into a blink field-trial option that's 
disabled by default), disabled at runtime (I'm not sure whether a 
command-line argument or something set in initial_preferences).


On one hand, someone might require this if, say, their bank decided to 
start using it and only worked with it enabled. On the other hand, 
leaking information like the list of browser plugins is pretty shitty.


That commit is for v117, so we have 2 months to figure it out.







2023-07-26 Thread Matt Taggart

Package: chromium
Version: 115.0.5790.102-2

Engineers working for Google have proposed a standard named

   Web Environment Integrity

details available at
https://github.com/RupertBenWiser/Web-Environment-Integrity/blob/main/explainer.md

There have been hundreds of articles, social media posts, etc discussing 
this, here is a page that gives a good summary of the events so far:


https://interpeer.io/blog/2023/07/google-vs-the-open-web/

Initially it was a standards proposal, but now it looks like it's 
already implemented


https://github.com/chromium/chromium/commit/6f47a22906b2899412e79a2727355efa9cc8f5bd

Debian needs to figure out if this is something we want in chromium (at 
all, disabled at build time, disabled at runtime, etc).


Thanks,

--
Matt Taggart
m...@lackof.org