• Re: ungoogled-chromium?

    From Mathias Behrle@21:1/5 to All on Tue Dec 7 22:00:01 2021
    * Tomas Pospisek: " ungoogled-chromium? [was: Re: Bug#995212: chromium: Update
    to version 94.0.4606.61 (security-fixes)]" (Tue, 7 Dec 2021 19:43:10 +0100):

    > (I have been running an ungoogled-chromium for a while (ca. a year
    > ago?), however at that time their chrome wasn't extremely stable so I
    > gave up again. Does anybody have experience using it recently?)

    (Using chromium only as fallback browser if necessary):

    Since the removal of chromium from Debian was announced I gave UngoogledChromium
    on flatpak a try and it runs very stable so far.

    --

    Mathias Behrle
    PGP/GnuPG key available from any keyserver, ID: 0xD6D09BE48405BBF6
    AC29 7E5C 46B9 D0B6 1C71 7681 D6D0 9BE4 8405 BBF6

  • From Vincent Bernat@21:1/5 to All on Tue Dec 7 22:50:01 2021
    ❦ 7 December 2021 21:46 +01, Mathias Behrle:

    > (I have been running an ungoogled-chromium for a while (ca. a year
    > ago?), however at that time their chrome wasn't extremely stable so I
    > gave up again. Does anybody have experience using it recently?)
    >
    > (Using chromium only as fallback browser if necessary):
    >
    > Since the removal of chromium from Debian was announced I gave UngoogledChromium
    > on flatpak a try and it runs very stable so far.

    Same here. And they are now following security updates closely (in the
    past, they could lag two or three weeks behind). Flatpak compiles it
    from source (while UngoogledChromium lets contributors compile it and
    publish the binary because GitHub CI does not allow such a resource-heavy
    build).
    --
    After all, all he did was string together a lot of old, well-known quotations.
    -- H. L. Mencken, on Shakespeare

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Bastian Blank@21:1/5 to Vincent Bernat on Tue Dec 7 23:30:01 2021
    On Tue, Dec 07, 2021 at 10:45:27PM +0100, Vincent Bernat wrote:
    > Same here. And they are now following security updates closely (in the
    > past, they could lag two or three weeks behind). Flatpak compiles it
    > from source (while UngoogledChromium lets contributors compile it and
    > publish the binary because GitHub CI does not allow such a resource-heavy build).

    You mean the builds of the Flatpak stuff are not properly controlled? But instead done uncontrolled by contributors?

    Bastian

    --
    There are some things worth dying for.
    -- Kirk, "Errand of Mercy", stardate 3201.7

  • From Simon McVittie@21:1/5 to Bastian Blank on Wed Dec 8 00:40:01 2021
    On Tue, 07 Dec 2021 at 23:08:41 +0100, Bastian Blank wrote:
    > On Tue, Dec 07, 2021 at 10:45:27PM +0100, Vincent Bernat wrote:
    > > Flatpak compiles it
    > > from source (while UngoogledChromium lets contributors compile it and publish the binary because GitHub CI does not allow such a resource-heavy build).
    >
    > You mean the builds of the Flatpak stuff are not properly controlled? But instead done uncontrolled by contributors?

    I think there is some confusion here.

    Flatpak is a piece of software (like apt/dpkg), not an organization or
    provider of compiled software (like Debian). Anyone can host a Flatpak
    repository, and you can deliver almost anything in Flatpak format (safe
    or not, Free or not, compiled from source or not), just like you can
    put almost anything in a .deb package.

    Flathub is a major build and distribution service for Flatpak apps,
    in the same way that Debian and Launchpad are major providers of .deb
    packages. Perhaps a closer parallel is that if Flatpak is like the
    Android app framework, then Flathub is like the Google Play store:
    you can use Flatpak without using Flathub at all, but most Flatpak
    users are using Flathub for at least some of their apps. If you think
    you have installed an app "from Flatpak" without any further details,
    it is probably from Flathub.

    Flathub generally requires builds to be done on Flathub's
    infrastructure, from source code if possible, in the same way Debian
    generally requires builds to be done on buildds, from source if possible.
    (Like Debian, it makes an exception for binary-only non-free software
    where no public source code is available.)

    At least one package on Flathub is built on third-party infrastructure
    and directly contributed as binaries even though it is open-source.
    The only example I'm aware of is Firefox, which is built by
    Mozilla's CI and provided to Flathub as binaries.

    I believe what Vincent meant is that the generic non-Flatpak binaries
    provided by the "Ungoogled Chromium" project are compiled on unknown
    machines and require trusting their submitters, whereas the Flatpak
    binaries provided by Flathub are compiled from the same source
    code provided by the "Ungoogled Chromium" project, but compiled on
    Flathub infrastructure. Here's an example of a build log from Flathub
    building Ungoogled Chromium, which does look like it came from source
    code (at least superficially, I haven't examined it in detail): https://flathub.org/builds/#/builders/12/builds/8123

    It is possible that the "Ungoogled Chromium" Flatpak build on Flathub
    takes some parts as prebuilt binaries while compiling other parts from
    first principles. Someone would have to inspect the build in detail to
    find out, the same way it isn't trivial to tell from looking at a Debian
    package whether it is fully built-from-source or not.

    However, when a Flatpak app is compiled using flatpak-builder (which is
    what Flathub uses), the build is done in a sandbox that does not allow
    network access; so we can be sure that if the "Ungoogled Chromium" build
    contains prebuilt binaries, those prebuilt binaries must have been part
    of one of the "source" components listed in the JSON or YAML manifest
    that drives the build. This is similar to building a Debian package
    with `pbuilder build --network no` [1], and then being able to inspect
    the orig.tar.* and debian.tar.* to look for any prebuilt binaries that
    might have been used.

    smcv

    [1] but not sbuild (#802850): our policy forbids network access during
    build but our official infrastructure currently does not technically
    prevent it

  • From Stephan Verbücheln@21:1/5 to Simon McVittie on Wed Dec 8 04:20:01 2021
    On Tue, 2021-12-07 at 23:35 +0000, Simon McVittie wrote:
    > Flathub generally requires builds to be done on Flathub's
    > infrastructure, from source code if possible, in the same way Debian
    > generally requires builds to be done on buildds, from source if
    > possible.

    Are you sure about that? Is there a policy?


    > At least one package on Flathub is built on third-party infrastructure
    > and directly contributed as binaries even though it is open-source.
    > The only example I'm aware of is Firefox, which is built by
    > Mozilla's CI and provided to Flathub as binaries.

    The Flatpak package for the Signal desktop app is literally built by
    downloading and unpacking the binary deb from the vendor.
    https://github.com/flathub/org.signal.Signal/blob/master/org.signal.Signal.json

    Signal itself is open source, but the build process is a complex NPM
    rabbit hole.

    Regards

  • From Vincent Bernat@21:1/5 to All on Wed Dec 8 08:30:01 2021
    ❦ 7 December 2021 23:35 GMT, Simon McVittie:

    > I believe what Vincent meant is that the generic non-Flatpak binaries
    > provided by the "Ungoogled Chromium" project are compiled on unknown
    > machines and require trusting their submitters, whereas the Flatpak
    > binaries provided by Flathub are compiled from the same source
    > code provided by the "Ungoogled Chromium" project, but compiled on
    > Flathub infrastructure.

    Yes.
    --
    Don't stop with your first draft.
    - The Elements of Programming Style (Kernighan & Plauger)

  • From Tomas Pospisek@21:1/5 to Vincent Bernat on Wed Dec 8 09:40:02 2021
    On 08.12.21 08:27, Vincent Bernat wrote:
    > ❦ 7 December 2021 23:35 GMT, Simon McVittie:
    >
    > > I believe what Vincent meant is that the generic non-Flatpak binaries
    > > provided by the "Ungoogled Chromium" project are compiled on unknown
    > > machines and require trusting their submitters, whereas the Flatpak
    > > binaries provided by Flathub are compiled from the same source
    > > code provided by the "Ungoogled Chromium" project, but compiled on
    > > Flathub infrastructure.
    >
    > Yes.

    The Debian packages get built by the open build service [1] though as
    far as I can see?
    *t

    [1] https://github.com/ungoogled-software/ungoogled-chromium-debian

  • From Simon McVittie@21:1/5 to All on Wed Dec 8 10:40:01 2021
    On Wed, 08 Dec 2021 at 03:10:31 +0000, Stephan Verbücheln wrote:
    > On Tue, 2021-12-07 at 23:35 +0000, Simon McVittie wrote:
    > > Flathub generally requires builds to be done on Flathub's
    > > infrastructure, from source code if possible, in the same way Debian
    > > generally requires builds to be done on buildds, from source if
    > > possible.
    >
    > Are you sure about that? Is there a policy?

    I thought there was a socially-enforced policy, but I can't find it
    written down, and perhaps it doesn't exist. Certainly the preference is
    that apps are built from source where possible, as Ungoogled Chromium
    seems to be, but that's never going to be mechanically enforceable
    without some sort of gatekeeper reviewing every update, which scales
    poorly - imagine what would happen if every Debian package upload went
    through NEW...

    There is a weaker technically-enforced policy, similar to what we have
    in Debian when non-free packages are built on buildds: the package needs
    to be "built" on Flathub infrastructure from a flatpak-builder manifest,
    but depending on the package, that might be from real source code, or it
    might be just unpacking prebuilt binaries from the archives that are listed
    as the "source code". I had thought that prebuilt binaries were only used
    for non-free packages where source code is not available at all (like
    Steam Link), but it seems it is also done for some packages where source
    code is available but hard to build.

    The way in which Firefox is different is that it has an exception to that
    weaker technically-enforced policy: there's no flatpak-builder manifest
    for Firefox in Flathub's Github project, and builds done by Mozilla get
    imported into the ostree repository directly.

    smcv

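The "inspect the build in detail" step that Simon's two messages describe (deciding which "source" entries of a flatpak-builder manifest are real source and which are prebuilt binaries, as with the Signal .deb) is shown here as an added example; it is not part of this thread and not Flathub or flatpak-builder tooling. It assumes the standard flatpak-builder JSON manifest keys (`modules`, `sources`, `type`, `sha256`, `build-commands`); the sample manifest is constructed, and the file-suffix and unpack-command heuristics are the author's assumptions, not a Flathub policy.

```python
import json
import re

# Constructed manifest in flatpak-builder's JSON format (not a real Flathub
# manifest): a module built from a pinned git checkout, one that only unpacks
# a vendor .deb, and one whose payload is fetched on the user's machine.
SAMPLE_MANIFEST = json.dumps({"app-id": "org.example.Demo", "modules": [
    {"name": "libfoo", "buildsystem": "meson", "sources": [
        {"type": "git", "url": "https://example.invalid/libfoo.git",
         "commit": "0" * 40}]},
    {"name": "vendor-app", "buildsystem": "simple",
     "build-commands": ["ar x vendor-app.deb", "tar xf data.tar.xz -C /app"],
     "sources": [{"type": "file", "url": "https://example.invalid/app.deb",
                  "sha256": "ab" * 32, "dest-filename": "vendor-app.deb"}]},
    {"name": "blob", "buildsystem": "simple", "sources": [
        {"type": "extra-data", "url": "https://example.invalid/blob.bin",
         "sha256": "cd" * 32, "size": 1}]}]})

BINARY_SUFFIXES = (".deb", ".rpm", ".appimage", ".whl", ".jar", ".exe", ".bin")
UNPACK_RE = re.compile(r"\b(ar -?x|dpkg-deb|rpm2cpio|bsdtar|unzip)\b")

def iter_modules(modules):
    """Yield every module dict, descending into nested 'modules' lists
    (string entries, paths to separate manifest files, are skipped)."""
    for mod in modules:
        if isinstance(mod, dict):
            yield mod
            yield from iter_modules(mod.get("modules", []))

def classify_source(src):
    """One source entry -> 'source', 'prebuilt', 'extra-data' or 'unpinned'."""
    kind = src.get("type")
    if kind == "extra-data":      # downloaded at install time, never built
        return "extra-data"
    if kind == "git":
        return "source" if src.get("commit") else "unpinned"
    if kind not in ("archive", "file"):
        return "source"           # dir, patch, script, shell, inline ...
    name = (src.get("dest-filename") or src.get("url") or "").lower()
    if name.endswith(BINARY_SUFFIXES):
        return "prebuilt"
    return "source" if src.get("sha256") or src.get("sha512") else "unpinned"

def audit_manifest(text):
    """Return {module: [findings]} for modules that deserve a closer look."""
    findings = {}
    for mod in iter_modules(json.loads(text).get("modules", [])):
        notes = [c for c in map(classify_source, mod.get("sources", [])) if c != "source"]
        if any(UNPACK_RE.search(cmd) for cmd in mod.get("build-commands", [])):
            notes.append("build-commands unpack a package")
        if notes:
            findings[mod["name"]] = notes
    return findings
```

A clean "built from source" result here only means nothing obvious was found; an archive of prebuilt binaries under a .tar.gz name passes the suffix check, so the flagged modules are a starting point for manual review, not a verdict.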