That email won't be enough if it only takes google one more email to just say "we're rescinding that previous permission". It sounds to me like Google doesn't want Chromium to have the full functionality anymore; and it kind of sounds like they want Chromium to die and Chrome to be the one-and-only. What we want to do in response to this is IMO not just a legal question but also a moral one. I see from the email threads that several other distros have the same issue. My recommendation: Drop Chromium from the repositories. Give zero official support for Chrome or Chromium. Announce it very loudly on archlinux.org, as soon as possible. Encourage other distributions to follow suit with the exact same action. If we make a bit of noise, Google may end up backtracking, but if they don't at least users will know what happened. On Tue, Jan 26, 2021 at 8:22 PM Evangelos Foutras via arch-dev-public <arch-dev-public@lists.archlinux.org> wrote:
On Fri, 22 Jan 2021 at 10:05, Evangelos Foutras <evangelos@foutrelis.com> wrote:
On Wed, 20 Jan 2021 at 19:28, Giancarlo Razzolini via arch-dev-public <arch-dev-public@lists.archlinux.org> wrote:
After reading this thread [0], I think that, if we keep using their keys, or even start using the chrome keys, this might put Arch into muddy legal waters and I don't think that's a good idea.
It seems others feel the same way, understandably so. I'd expect Chrome's keys to be replaced, with added protection so they remain secret, before legal action would be considered.
In any case, I posted a request for clarification on whether using Chrome's keys is illegal or not. [1] Perhaps they will be able to definitively tell us that it's not allowed (under EU Law).
[1] https://groups.google.com/a/chromium.org/g/chromium-packagers/c/sPe22z7Ynrg
As somewhat expected, the above didn't result in any further clarification.
The only acceptable way forward for me is to switch to Chrome's keys. We (kind of) have permission for this based on the 2013 ToS exception allowing inclusion of Google API keys in our packages (see attached email copy). This was not just permitted unofficially; "the 2013 special terms, additional quota, and exact wording of the email passed the internal approval process, including legal, engineering, and VP-level management". [1]
Building Chromium without API keys results in a browser that is unsuitable for production use. Removing the OAuth 2.0 credentials (or when the Chrome team limits them) mainly breaks Chrome data sync (e.g.: passwords, bookmarks, open tabs). Additionally removing the main API key disables functionality like Safe Browsing and Geolocation. I don't consider a browser with downgraded functionality and security suitable for end users. [2]
If people are still concerned about angering Google, even though there's probably nothing illegal about bundling Chrome's keys (when also considering the aforementioned permission from 2013) then let's just remove the package from our repos instead of officially providing a potentially unsafe and feature-incomplete browser.
[1] https://groups.google.com/a/chromium.org/g/chromium-packagers/c/SG6jnsP4pWM/... [2] https://groups.google.com/a/chromium.org/g/chromium-packagers/c/SG6jnsP4pWM/...