Em janeiro 20, 2021 13:38 Giancarlo Razzolini via arch-dev-public escreveu:

I'm fine with this approach, and I hope it works for a long time.

After reading this thread [0], I think that, if we keep using their keys, or even start using the chrome keys, this might put Arch into muddy legal waters and I don't think that's a good idea. So, if after March 15th you feel like orphaning chromium, I would adopt it and keep it on the repos without the sync feature. Also, if there's any other key we should stop using, now it's a good time to know. Regards, Giancarlo Razzolini [0] https://groups.google.com/a/chromium.org/g/embedder-dev/c/NXm7GIKTNTE

On 20/01/2021 21.16, Jelle van der Waa via arch-dev-public wrote:

Note that the Fedora maintainer noted that they will not include these API keys although they are readily available. [1]

There's a legal entity behind Fedora (something about a hat too) that could be sued. It is more blurry when it's about a bunch of strangers publishing packages. BP

Em janeiro 20, 2021 17:28 Anatol Pomozov via arch-dev-public escreveu:

Would it be possible to make this "Google cloud sync" functionality optional/pluggable? i.e. the opensource Chromium package is going to be available in the official repo. And anyone who wants to enable the GoogleSync has to install a package from AUR. Similar to how Chromium+DRM integration is done using chromium-widevine AUR package.

The API keys are public and can easily be obtained on the internet. They have been public for a long time now, if I understood correctly. Also, they can be provided by environment variables, instead of being baked into the package by us. So, uses wanting sync functionality could use chrome keys at their own risk by just providing a few env vars. Regards, Giancarlo Razzolini

On Fri, 22 Jan 2021 at 10:05, Evangelos Foutras wrote:

On Wed, 20 Jan 2021 at 19:28, Giancarlo Razzolini via arch-dev-public wrote:

...

After reading this thread [0], I think that, if we keep using their keys, or even start using the chrome keys, this might put Arch into muddy legal waters and I don't think that's a good idea.

It seems others feel the same way, understandably so. I'd expect Chrome's keys to be replaced, with added protection so they remain secret, before legal action would be considered.

In any case, I posted a request for clarification on whether using Chrome's keys is illegal or not. [1] Perhaps they will be able to definitively tell us that it's not allowed (under EU Law).

[1] https://groups.google.com/a/chromium.org/g/chromium-packagers/c/sPe22z7Ynrg

As somewhat expected, the above didn't result in any further clarification. The only acceptable way forward for me is to switch to Chrome's keys. We (kind of) have permission for this based on the 2013 ToS exception allowing inclusion of Google API keys in our packages (see attached email copy). This was not just permitted unofficially; "the 2013 special terms, additional quota, and exact wording of the email passed the internal approval process, including legal, engineering, and VP-level management". [1] Building Chromium without API keys results in a browser that is unsuitable for production use. Removing the OAuth 2.0 credentials (or when the Chrome team limits them) mainly breaks Chrome data sync (e.g.: passwords, bookmarks, open tabs). Additionally removing the main API key disables functionality like Safe Browsing and Geolocation. I don't consider a browser with downgraded functionality and security suitable for end users. [2] If people are still concerned about angering Google, even though there's probably nothing illegal about bundling Chrome's keys (when also considering the aforementioned permission from 2013) then let's just remove the package from our repos instead of officially providing a potentially unsafe and feature-incomplete browser. [1] https://groups.google.com/a/chromium.org/g/chromium-packagers/c/SG6jnsP4pWM/... [2] https://groups.google.com/a/chromium.org/g/chromium-packagers/c/SG6jnsP4pWM/...

That email won't be enough if it only takes google one more email to just say "we're rescinding that previous permission". It sounds to me like Google doesn't want Chromium to have the full functionality anymore; and it kind of sounds like they want Chromium to die and Chrome to be the one-and-only. What we want to do in response to this is IMO not just a legal question but also a moral one. I see from the email threads that several other distros have the same issue. My recommendation: Drop Chromium from the repositories. Give zero official support for Chrome or Chromium. Announce it very loudly on archlinux.org, as soon as possible. Encourage other distributions to follow suit with the exact same action. If we make a bit of noise, Google may end up backtracking, but if they don't at least users will know what happened. On Tue, Jan 26, 2021 at 8:22 PM Evangelos Foutras via arch-dev-public wrote:

On Fri, 22 Jan 2021 at 10:05, Evangelos Foutras wrote:

...

On Wed, 20 Jan 2021 at 19:28, Giancarlo Razzolini via arch-dev-public wrote:

...

After reading this thread [0], I think that, if we keep using their keys, or even start using the chrome keys, this might put Arch into muddy legal waters and I don't think that's a good idea.

It seems others feel the same way, understandably so. I'd expect Chrome's keys to be replaced, with added protection so they remain secret, before legal action would be considered.

In any case, I posted a request for clarification on whether using Chrome's keys is illegal or not. [1] Perhaps they will be able to definitively tell us that it's not allowed (under EU Law).

[1] https://groups.google.com/a/chromium.org/g/chromium-packagers/c/sPe22z7Ynrg

As somewhat expected, the above didn't result in any further clarification.

The only acceptable way forward for me is to switch to Chrome's keys. We (kind of) have permission for this based on the 2013 ToS exception allowing inclusion of Google API keys in our packages (see attached email copy). This was not just permitted unofficially; "the 2013 special terms, additional quota, and exact wording of the email passed the internal approval process, including legal, engineering, and VP-level management". [1]

Building Chromium without API keys results in a browser that is unsuitable for production use. Removing the OAuth 2.0 credentials (or when the Chrome team limits them) mainly breaks Chrome data sync (e.g.: passwords, bookmarks, open tabs). Additionally removing the main API key disables functionality like Safe Browsing and Geolocation. I don't consider a browser with downgraded functionality and security suitable for end users. [2]

If people are still concerned about angering Google, even though there's probably nothing illegal about bundling Chrome's keys (when also considering the aforementioned permission from 2013) then let's just remove the package from our repos instead of officially providing a potentially unsafe and feature-incomplete browser.

[1] https://groups.google.com/a/chromium.org/g/chromium-packagers/c/SG6jnsP4pWM/... [2] https://groups.google.com/a/chromium.org/g/chromium-packagers/c/SG6jnsP4pWM/...

On Tue, Jan 26, 2021 at 09:20:04PM +0200, Evangelos Foutras via arch-dev-public wrote:

If people are still concerned about angering Google, even though there's probably nothing illegal about bundling Chrome's keys (when also considering the aforementioned permission from 2013) then let's just remove the package from our repos instead of officially providing a potentially unsafe and feature-incomplete browser.

Frankly, I'd love to "stick it to the Man" and bundle the chrome keys. It would place Google in an interesting position. With that said... looking at the mailing list this feels like doing Google a favour. Clearly they do not care about their users, and do not want us to distribute the packages. Why help them keep users for a few more weeks and put in a liable situation? It's dissapointing frankly. -- Morten Linderud PGP: 9C02FF419FECBE16

On 1/26/21 9:53 PM, Morten Linderud via arch-dev-public wrote:

It's dissapointing frankly.

Disappointing doesn't really catch it tho. If it would be just about the sync functionality: so be it. But crippling the API usage on a level that rips out especially things like the safe browsing functionality as well places chromium knowingly and forcefully into a position that doesn't make it viable to be distributed to users. I'm incredibly mad that his is literally a situation where the open source world is soaked up and in return a big clear "screw you guys, we don't care" sign is raised. Well played, exploiting a monopoly position like this and literally cheating on the open source community all around them. PS: firefox is affected by safe browsing keys as well.

On 2021-01-26 22:18:21 (+0100), Levente Polyak via arch-dev-public wrote:

On 1/26/21 9:53 PM, Morten Linderud via arch-dev-public wrote:

...

It's dissapointing frankly.

Disappointing doesn't really catch it tho. If it would be just about the sync functionality: so be it. But crippling the API usage on a level that rips out especially things like the safe browsing functionality as well places chromium knowingly and forcefully into a position that doesn't make it viable to be distributed to users.

I'm incredibly mad that his is literally a situation where the open source world is soaked up and in return a big clear "screw you guys, we don't care" sign is raised. Well played, exploiting a monopoly position like this and literally cheating on the open source community all around them.

PS: firefox is affected by safe browsing keys as well.

I agree, that this situation and Google's position on this is utterly disappointing. However, I am one of the people that actually needs chromium for work daily and that needs to rely on it for several websites that are not supported by firefox (which I use mainly). I suggest we all take a deep breath and evaluate the situation. Is safe-browsing and geolocation in chromium and firefox really affected by this? If so, that would of course be bad (from the reactions so far, users seem mostly fine without the Google sync functionality). However, we need to test this carefully with e.g. packages in [testing] instead of prematurely deleting everything. If e.g. safe-browsing is indeed affected, now would be the time to contact mozilla about this to a) change this for firefox by default and b) evaluate whether it is possible to e.g. use their services in chromium. If safe-browsing is not affected, under what circumstances are we allowed to use and distribute a browser with it? The Google Chrome team can and needs to answer these questions. These are all things we need to figure out. Let's please not panic. Best, David -- https://sleepmap.de

On 27/01/2021 12:45, Giancarlo Razzolini via arch-dev-public wrote:

Em janeiro 27, 2021 5:58 David Runge via arch-dev-public escreveu:

...

However, I am one of the people that actually needs chromium for work daily and that needs to rely on it for several websites that are not supported by firefox (which I use mainly).

Me too.

...

I suggest we all take a deep breath and evaluate the situation. Is safe-browsing and geolocation in chromium and firefox really affected by this?

If google drops the api key, yes. They said we can continue using them, but we don't know for how long, and they also mentioned reviewing quotas, which would render them unusable.

...

If so, that would of course be bad (from the reactions so far, users seem mostly fine without the Google sync functionality). However, we need to test this carefully with e.g. packages in [testing] instead of prematurely deleting everything.

Again, it's not just sync functionality. Login won't work anymore, and with it, a bunch of other stuff. I have sent the full list on arch-general.

... which indeed sounds like the perfect place to continue this argument. Alad

...

If safe-browsing is not affected, under what circumstances are we allowed to use and distribute a browser with it? The Google Chrome team can and needs to answer these questions.

We are allowed to continue using the api key, until they fell like we aren't anymore. Which is why we should probably ditch chromium altogether.

...

These are all things we need to figure out. Let's please not panic.

Nobody is panicking out yet, but March 15th is approaching.

Regards, Giancarlo Razzolini

On 1/26/21 9:20 PM, Evangelos Foutras via arch-dev-public wrote:

If people are still concerned about angering Google, even though there's probably nothing illegal about bundling Chrome's keys (when also considering the aforementioned permission from 2013) then let's just remove the package from our repos instead of officially providing a potentially unsafe and feature-incomplete browser.

[1] https://groups.google.com/a/chromium.org/g/chromium-packagers/c/SG6jnsP4pWM/... [2] https://groups.google.com/a/chromium.org/g/chromium-packagers/c/SG6jnsP4pWM/...

I've been following the conversation with much interest and I can see we all feel very similarly about this. I went through the links you mention and the email you attached. What strikes me is that at some point, one of the people on the Google groups thread just says that the person who gave the initial permission to use Google's API keys had no legal right to give it. I can say for certain that exact action is legally ridiculous in it of itself. If what they say is correct, then it means Google knew about this for years and did nothing, and their inaction means lack of IP enforcement preventing them from launching legal action against anyone today. On the other hand, if their claim is incorrect and Arch Linux was legally granted such permission, then Google has to officially withdraw that permission and as far as I can tell they have not done that appropriately. Basically, in any case, what they are forcing us to do is in my opinion disgusting and frankly can be considered coercion. However, I do not think that anyone would give any flying **cks if Google threw millions at a lawsuit against us just to set an example. The whole situation is infuriating and if it was any other company, not as big as Google, we would not be having this conversation, we would just tell them to go away and be done with it. But as we probably cannot do so, I agree that we should indeed "stick it to the man" as much as we possibly can for as long as we can. I am not sure how this would be taken, but I propose we not only remove it from the repos, but we clean the AUR of Chromium and Chrome too and we enforce no one uploads any more such variants. This, I believe, is the only way the message will be loud and clear to our users because people will have to really share Chrome PKGBUILDs on 3rd party platforms as if it were illegal. In the end, this is what Google wants, right!? We cannot distribute Chrome's binary nor can we build a functioning Chromium. They essentially want their software no where near our _dirty_ platform. I think we should abide. What is more, I believe if we do have access to a willing legal team, we should write and submit an official complaint to the EU ombudsman -- Google are in fact crippling an open source alternative to their browser, limiting choice, disrupting the market place, coercing the "little man", etc. -- all things for which they were recently found guilty of and fined by the EU [1]. An official complaint shouldn't cost us anything and will be sending a message directly where it needed -- publicly, to our users, to our supporters, to the market and to Google. -- Regards, Konstantin [1] - https://en.wikipedia.org/wiki/European_Union_vs._Google

On 1/27/21 1:31 AM, Morten Linderud via arch-dev-public wrote:

I don't think we should spend money on this.

EU ombudsman is a free service. Also, legal help can be found pro-bono for things like this. -- Regards, Konstantin

On Wed, Jan 27, 2021 at 03:19:09AM +0200, Konstantin Gizdov via arch-dev-public wrote:

On 1/27/21 1:31 AM, Morten Linderud via arch-dev-public wrote:

...

I disagree on utilzing the AUR for an extended turf-war. Drop it from the repositories and people can maintain it in the AUR. It's user contributed stuff anyway and you are going to battle fork regardless for moderation purposes.

Is chrome banned? Ungoogled-chromium fine? Banned? What about other derivative crap you suddenly need to actively ban and think about?

Assuming someone is even there to even hit the button on the deletion request.

Correct me if I'm wrong. An AUR package will have to have the keys verbatim in the PKGBUILD. We would be essentially hosting this information on the AUR, which would be in violation of Google's new terms, right? So how are we going to allow such packages and not get a Cease and Desist?

On that point, we could grep by the value of the keys and delete automatically.

It doesn't matter. They wouldn't get anywhere with a cease and desist on some semi-public strings in some PKGBUILD. It's user submitted content and we are not breaking anything by giving people recipes for ToS/EULA breaking products of said recipe. This is how we can keep proprietary software in the AUR after all. Nothing changes. -- Morten Linderud PGP: 9C02FF419FECBE16

In data mercoledì 27 gennaio 2021 00:35:50 CET, Eli Schwartz via arch-dev- public ha scritto:

On 1/26/21 6:23 PM, Konstantin Gizdov via arch-dev-public wrote:

...

I am not sure how this would be taken, but I propose we not only remove it from the repos, but we clean the AUR of Chromium and Chrome too and we enforce no one uploads any more such variants. This, I believe, is the only way the message will be loud and clear to our users because people will have to really share Chrome PKGBUILDs on 3rd party platforms as if it were illegal. In the end, this is what Google wants, right!? We cannot distribute Chrome's binary nor can we build a functioning Chromium. They essentially want their software no where near our _dirty_ platform. I think we should abide.

This is histrionics. I don't see why we should ban the proprietary google-chrome package, which is already somewhat inconvenient to use because of the AUR, over politics. Where is your respect for the rights of our users?

We're not in the business of telling people they're not allowed to use the AUR for the express purpose which the AUR was created for. That's a REALLY hot take.

I agree with you 100% Eli. I find this whole thing of "sticking it" to Google just ridiculous. Like you really think they would even care? I mean, I also find the whole situation irritating and their arguments actually insulting to our intelligence but there's no winning this. On the other hand I seem to be the only one here that actually need chromium for my daily work and dropping it to AUR is already a big enough inconvenience to let me consider switching distro on my work laptop, but banning it from the AUR!? Do you even care about our users? I personally think that as long as there is a willing maintainer we should just package chromium without the google api keys just like fedora is doing? Or are we also dropping the multitude of other browsers with no google sync/ safe browsing integrations? -- Massimiliano Torromeo

In data mercoledì 27 gennaio 2021 01:12:39 CET, Konstantin Gizdov via arch- dev-public ha scritto:

...

I mean, I also find the whole situation irritating and their arguments actually insulting to our intelligence but there's no winning this.

That may be, but I don't agree this is an argument to go belly up.

The thing is, I don't even think we would be going "belly up" on anything. At the end of the day, as irritating as it might be, google's apis were never open source or a part of chromium (except obviously the integration part) and even without access to these apis, the browser itself is very much Free Software under an OSI approved license. Something that, for example, Vivaldi, which has users that swear by it, cannot really say (only partially). Google might even decide that they don't want to invest resources on the sync infrastructure anymore and kill it altogether and it would be their right to do so, and not even all that surprising given the amount of dead google projects over the years. The only thing that I find distasteful is that this all feels like an attack on chromium, linux distrubutions and their maintainers, since they don't seem to have any valid reason to withold access to their apis other than to draw more users to their proprietary variant of the browser. Even so that doesn't make chromium any less Free Software or undeserving to be in the repos. If anything that would still keep some users away from Chrome since I suspect most users would resort to installing something like "chrome- bin". Also, who knows, maybe this will make someone start working on a free alternative to google sync... -- Massimiliano Torromeo

On 1/27/21 1:35 AM, Eli Schwartz via arch-dev-public wrote:

This is histrionics. No. Please don't start with the judgmental statements. This is my honest opinion and it's high time you gave me the respect to have my own opinion. You don't have to agree, but that doesn't automatically make what I said a call for attention.

I don't see why we should ban the proprietary google-chrome package, which is already somewhat inconvenient to use because of the AUR, over politics. Where is your respect for the rights of our users? My respect is where it should be - Google is playing a game with their rights and we should not be tolerating it. That is my honest opinion not aimed at attracting attention. Our quarrels with Google are far away from the end user. Most users will not read the ADP conversation and will just learn that chromium was dropped, not much else. I think if we want to send a message, this is the most effective way to do it. And it seems to already be working.

We're not in the business of telling people they're not allowed to use the AUR for the express purpose which the AUR was created for. That's a REALLY hot take.

I agree with you completely on this point. But I also see two issues specific only to this particular situation. 1. What happens when Google sends us a Cease and Desist for having their API keys in a PKGBUILD hosted on the AUR? 2. Aren't we explicitly enabling/helping/giving instructions to someone to build a package in a way that is explicitly forbidden by the new rules in the EULA of Chromium and Google Chrome? We will be hosting a PKGBUILD that does exactly what is forbidden by Google. -- Regards, Konstantin