Re: [GNU-linux-libre] [libreplanet-discuss] QTWebengine is nonfree

[Luke]

On 01/17/2017 02:57 PM, Richard Stallman wrote:

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > I've reached out to ungoogled-chromium as well since the project spends
  > a considerable amount of time patching, to ask what they considered to
  > be "large portions of code".

Any response?

I was able to get a response, the developer wrote:
---

"Eloston: @g4jc After looking into this issue in greater depth, what I said in #117 may be incorrect. Here is Debian's copyright file for Chromium 55, and here is the Lintian report for the latest Chromium (currently 55). I'm not seeing anything there that's violating the free software definition, but I could be mistaken."
----

The situation has definitely improved since the last Debian Lintian report. In the first report there were several thousand files missing license information.
That is now down to <100 files.

Using ungoogled-chromium's combined patches to strip pre-built binaries and apply privacy fixes would be a minimum requirement in my opinion.

Even if we (Parabola) can patch it, it would be much better if KDE and QT did this upstream.
As it has the potential to affect millions of GNU/Linux users - well outside of just Parabola.

However, my sentiments also echo what Isacc wrote on this thread, and are especially important for Parabola's nonprism (privacy) repo:
---
"Orthogonal yet absolutely important, because QtWebEngine is

said to contain *all* of Chromium, not just the Blink engine. Even

if the freedom problems were fixed soon (they could be), we would

still need to worry about Qt (and therefore KDE) possibly subjecting

their users to the well-documented Google tracking. Chromium

would become one of those rare cases of free software that is also

spyware."
---

We have no reliable way of controlling fingerprinting API's in an embedded Chromium.

As previously mentioned liberating this requires:
- No non-free source code
- No pre-built binaries or libraries (e.g. compile and use system ones instead), no use of "use_prebuilt" in makefile.
- Access to chrome://flags[1]
- Ability to solve well-known privacy issues[2]

For those on the mailing list who still believe Google is not tracking users, and is a "Do no evil" corporation at heart - I deplore you to "google it".
(or preferably duckduckgo/searx/yacy it since that is much safer).

The many connections to Google that are outbound from Chromium, even if good by intention, create very invasive meta data and fingerprinting opportunities.
These opportunities can be exploited against users, many of which may have no idea that Chromium is running on their computer if it is embedded.
We may never be able to block them all due to Chromium's design, but limiting it's reach is essential.

To demonstrate the seriousness of this issue on Parabola:
- Try installing KDE's GnuPG frontend "kgpg" --> depends on --> akonadi-contacts --> currently requires --> qt5-webengine (Chromium)


Luke
Parabola GNU/Linux-libre Packager
https://parabola.nu

1. http://stackoverflow.com/questions/17060363/google-chrome-how-can-i-programmatically-enable-chrome-flags-some-of-the-mod
2. https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChromeBugs

signature.asc
Description: OpenPGP digital signature