[arch-dev-public] Chromium losing Sync support on March 15
It looks like Sync will only work with official Chrome starting two months from now. [1] It is understandable to some extend, perhaps to guard against malicious applications using unofficial (non-Chrome) API keys and tricking users to log into their account. This argument doesn't hold much ground in the context of trusted builds like our chromium package, but I doubt Google would bother to work with us (i.e.: each individual Linux distro) on this to find a workable solution going forward. This is intended as a heads-up; I am not sure what we're going to do yet. [1] https://blog.chromium.org/2021/01/limiting-private-api-availability-in.html
Jochen Eisinger (Director of Engineering, Chrome) has confirmed that the killing of our API keys is a done deal. He also does not seem interested in the slightest bit to explore possible remedies for Chromium packages. If Chrome's keys are still public in March, I would want to try and use them in our Chromium package for however long they remain unchanged and non-secret. If a team member thinks this is a terrible idea, please let me know. If (or when) the above workaround fails, I am going to stop maintaining Chromium and be in favor of dropping the package from our repos, though I have a feeling someone will want to adopt it despite the reduction in functionality. [1] https://groups.google.com/a/chromium.org/g/embedder-dev/c/NXm7GIKTNTE/m/Qxce...
Em janeiro 19, 2021 17:08 Evangelos Foutras via arch-dev-public escreveu:
If Chrome's keys are still public in March, I would want to try and use them in our Chromium package for however long they remain unchanged and non-secret. If a team member thinks this is a terrible idea, please let me know.
I'm fine with this approach, and I hope it works for a long time.
If (or when) the above workaround fails, I am going to stop maintaining Chromium and be in favor of dropping the package from our repos, though I have a feeling someone will want to adopt it despite the reduction in functionality.
I would probably adopt it, since I rely heavily on chromium and, never used the sync functionality (nor care about it). I bet others would too. Regards, Giancarlo Razzolini
Em janeiro 20, 2021 13:38 Giancarlo Razzolini via arch-dev-public escreveu:
I'm fine with this approach, and I hope it works for a long time.
After reading this thread [0], I think that, if we keep using their keys, or even start using the chrome keys, this might put Arch into muddy legal waters and I don't think that's a good idea. So, if after March 15th you feel like orphaning chromium, I would adopt it and keep it on the repos without the sync feature. Also, if there's any other key we should stop using, now it's a good time to know. Regards, Giancarlo Razzolini [0] https://groups.google.com/a/chromium.org/g/embedder-dev/c/NXm7GIKTNTE
On 20/01/2021 18:28, Giancarlo Razzolini via arch-dev-public wrote:
Em janeiro 20, 2021 13:38 Giancarlo Razzolini via arch-dev-public escreveu:
I'm fine with this approach, and I hope it works for a long time.
After reading this thread [0], I think that, if we keep using their keys, or even start using the chrome keys, this might put Arch into muddy legal waters and I don't think that's a good idea.
I feel the same, I personally don't want us to bear the burden of a possible backlash from a big corporation for us potentially misusing their API keys. Note that the Fedora maintainer noted that they will not include these API keys although they are readily available. [1] [1] https://twitter.com/spotfoss/status/1351665708837572609 Greetings, Jelle van der Waa
On 20/01/2021 21.16, Jelle van der Waa via arch-dev-public wrote:
Note that the Fedora maintainer noted that they will not include these API keys although they are readily available. [1]
There's a legal entity behind Fedora (something about a hat too) that could be sued. It is more blurry when it's about a bunch of strangers publishing packages. BP
Hi On Wed, Jan 20, 2021 at 12:17 PM Jelle van der Waa via arch-dev-public <arch-dev-public@lists.archlinux.org> wrote:
On 20/01/2021 18:28, Giancarlo Razzolini via arch-dev-public wrote:
Em janeiro 20, 2021 13:38 Giancarlo Razzolini via arch-dev-public escreveu:
I'm fine with this approach, and I hope it works for a long time.
After reading this thread [0], I think that, if we keep using their keys, or even start using the chrome keys, this might put Arch into muddy legal waters and I don't think that's a good idea.
I feel the same, I personally don't want us to bear the burden of a possible backlash from a big corporation for us potentially misusing their API keys.
Note that the Fedora maintainer noted that they will not include these API keys although they are readily available. [1]
Would it be possible to make this "Google cloud sync" functionality optional/pluggable? i.e. the opensource Chromium package is going to be available in the official repo. And anyone who wants to enable the GoogleSync has to install a package from AUR. Similar to how Chromium+DRM integration is done using chromium-widevine AUR package.
Em janeiro 20, 2021 17:28 Anatol Pomozov via arch-dev-public escreveu:
Would it be possible to make this "Google cloud sync" functionality optional/pluggable? i.e. the opensource Chromium package is going to be available in the official repo. And anyone who wants to enable the GoogleSync has to install a package from AUR. Similar to how Chromium+DRM integration is done using chromium-widevine AUR package.
The API keys are public and can easily be obtained on the internet. They have been public for a long time now, if I understood correctly. Also, they can be provided by environment variables, instead of being baked into the package by us. So, uses wanting sync functionality could use chrome keys at their own risk by just providing a few env vars. Regards, Giancarlo Razzolini
On Wed, 20 Jan 2021 at 19:28, Giancarlo Razzolini via arch-dev-public <arch-dev-public@lists.archlinux.org> wrote:
After reading this thread [0], I think that, if we keep using their keys, or even start using the chrome keys, this might put Arch into muddy legal waters and I don't think that's a good idea.
It seems others feel the same way, understandably so. I'd expect Chrome's keys to be replaced, with added protection so they remain secret, before legal action would be considered. In any case, I posted a request for clarification on whether using Chrome's keys is illegal or not. [1] Perhaps they will be able to definitively tell us that it's not allowed (under EU Law). [1] https://groups.google.com/a/chromium.org/g/chromium-packagers/c/sPe22z7Ynrg
On Fri, 22 Jan 2021 at 10:05, Evangelos Foutras <evangelos@foutrelis.com> wrote:
On Wed, 20 Jan 2021 at 19:28, Giancarlo Razzolini via arch-dev-public <arch-dev-public@lists.archlinux.org> wrote:
After reading this thread [0], I think that, if we keep using their keys, or even start using the chrome keys, this might put Arch into muddy legal waters and I don't think that's a good idea.
It seems others feel the same way, understandably so. I'd expect Chrome's keys to be replaced, with added protection so they remain secret, before legal action would be considered.
In any case, I posted a request for clarification on whether using Chrome's keys is illegal or not. [1] Perhaps they will be able to definitively tell us that it's not allowed (under EU Law).
[1] https://groups.google.com/a/chromium.org/g/chromium-packagers/c/sPe22z7Ynrg
As somewhat expected, the above didn't result in any further clarification. The only acceptable way forward for me is to switch to Chrome's keys. We (kind of) have permission for this based on the 2013 ToS exception allowing inclusion of Google API keys in our packages (see attached email copy). This was not just permitted unofficially; "the 2013 special terms, additional quota, and exact wording of the email passed the internal approval process, including legal, engineering, and VP-level management". [1] Building Chromium without API keys results in a browser that is unsuitable for production use. Removing the OAuth 2.0 credentials (or when the Chrome team limits them) mainly breaks Chrome data sync (e.g.: passwords, bookmarks, open tabs). Additionally removing the main API key disables functionality like Safe Browsing and Geolocation. I don't consider a browser with downgraded functionality and security suitable for end users. [2] If people are still concerned about angering Google, even though there's probably nothing illegal about bundling Chrome's keys (when also considering the aforementioned permission from 2013) then let's just remove the package from our repos instead of officially providing a potentially unsafe and feature-incomplete browser. [1] https://groups.google.com/a/chromium.org/g/chromium-packagers/c/SG6jnsP4pWM/... [2] https://groups.google.com/a/chromium.org/g/chromium-packagers/c/SG6jnsP4pWM/...
Em janeiro 26, 2021 16:20 Evangelos Foutras via arch-dev-public escreveu:
As somewhat expected, the above didn't result in any further clarification.
The only acceptable way forward for me is to switch to Chrome's keys. We (kind of) have permission for this based on the 2013 ToS exception allowing inclusion of Google API keys in our packages (see attached email copy). This was not just permitted unofficially; "the 2013 special terms, additional quota, and exact wording of the email passed the internal approval process, including legal, engineering, and VP-level management". [1]
Building Chromium without API keys results in a browser that is unsuitable for production use. Removing the OAuth 2.0 credentials (or when the Chrome team limits them) mainly breaks Chrome data sync (e.g.: passwords, bookmarks, open tabs). Additionally removing the main API key disables functionality like Safe Browsing and Geolocation. I don't consider a browser with downgraded functionality and security suitable for end users. [2]
If people are still concerned about angering Google, even though there's probably nothing illegal about bundling Chrome's keys (when also considering the aforementioned permission from 2013) then let's just remove the package from our repos instead of officially providing a potentially unsafe and feature-incomplete browser.
[1] https://groups.google.com/a/chromium.org/g/chromium-packagers/c/SG6jnsP4pWM/... [2] https://groups.google.com/a/chromium.org/g/chromium-packagers/c/SG6jnsP4pWM/...
Hi, Due to the recent developments on the chromium-packagers list, I think we should drop chromium from the repositories. If we use chrome keys we'll be on a legal limbo. If we drop the oauth keys, chromium is crippled. If we drop all keys, safe browsing doesn't work. The prospects are bleak, to say the least. Also, after the recent messages, I wouldn't be surprised if google comes after us, if we choose to bake chrome keys into our chromium package. Regards, Giancarlo Razzolini
That email won't be enough if it only takes google one more email to just say "we're rescinding that previous permission". It sounds to me like Google doesn't want Chromium to have the full functionality anymore; and it kind of sounds like they want Chromium to die and Chrome to be the one-and-only. What we want to do in response to this is IMO not just a legal question but also a moral one. I see from the email threads that several other distros have the same issue. My recommendation: Drop Chromium from the repositories. Give zero official support for Chrome or Chromium. Announce it very loudly on archlinux.org, as soon as possible. Encourage other distributions to follow suit with the exact same action. If we make a bit of noise, Google may end up backtracking, but if they don't at least users will know what happened. On Tue, Jan 26, 2021 at 8:22 PM Evangelos Foutras via arch-dev-public <arch-dev-public@lists.archlinux.org> wrote:
On Fri, 22 Jan 2021 at 10:05, Evangelos Foutras <evangelos@foutrelis.com> wrote:
On Wed, 20 Jan 2021 at 19:28, Giancarlo Razzolini via arch-dev-public <arch-dev-public@lists.archlinux.org> wrote:
After reading this thread [0], I think that, if we keep using their keys, or even start using the chrome keys, this might put Arch into muddy legal waters and I don't think that's a good idea.
It seems others feel the same way, understandably so. I'd expect Chrome's keys to be replaced, with added protection so they remain secret, before legal action would be considered.
In any case, I posted a request for clarification on whether using Chrome's keys is illegal or not. [1] Perhaps they will be able to definitively tell us that it's not allowed (under EU Law).
[1] https://groups.google.com/a/chromium.org/g/chromium-packagers/c/sPe22z7Ynrg
As somewhat expected, the above didn't result in any further clarification.
The only acceptable way forward for me is to switch to Chrome's keys. We (kind of) have permission for this based on the 2013 ToS exception allowing inclusion of Google API keys in our packages (see attached email copy). This was not just permitted unofficially; "the 2013 special terms, additional quota, and exact wording of the email passed the internal approval process, including legal, engineering, and VP-level management". [1]
Building Chromium without API keys results in a browser that is unsuitable for production use. Removing the OAuth 2.0 credentials (or when the Chrome team limits them) mainly breaks Chrome data sync (e.g.: passwords, bookmarks, open tabs). Additionally removing the main API key disables functionality like Safe Browsing and Geolocation. I don't consider a browser with downgraded functionality and security suitable for end users. [2]
If people are still concerned about angering Google, even though there's probably nothing illegal about bundling Chrome's keys (when also considering the aforementioned permission from 2013) then let's just remove the package from our repos instead of officially providing a potentially unsafe and feature-incomplete browser.
[1] https://groups.google.com/a/chromium.org/g/chromium-packagers/c/SG6jnsP4pWM/... [2] https://groups.google.com/a/chromium.org/g/chromium-packagers/c/SG6jnsP4pWM/...
Excerpts from Jerome Leclanche via arch-dev-public's message of January 26, 2021 21:04:
It sounds to me like Google doesn't want Chromium to have the full functionality anymore; and it kind of sounds like they want Chromium to die and Chrome to be the one-and-only. What we want to do in response to this is IMO not just a legal question but also a moral one. I see from the email threads that several other distros have the same issue.
My recommendation: Drop Chromium from the repositories. Give zero official support for Chrome or Chromium. Announce it very loudly on archlinux.org, as soon as possible. Encourage other distributions to follow suit with the exact same action.
If we make a bit of noise, Google may end up backtracking, but if they don't at least users will know what happened.
+1 -- Sincerely, Johannes Löthberg :: SA0DEM
On Tue, Jan 26, 2021 at 09:20:04PM +0200, Evangelos Foutras via arch-dev-public wrote:
If people are still concerned about angering Google, even though there's probably nothing illegal about bundling Chrome's keys (when also considering the aforementioned permission from 2013) then let's just remove the package from our repos instead of officially providing a potentially unsafe and feature-incomplete browser.
Frankly, I'd love to "stick it to the Man" and bundle the chrome keys. It would place Google in an interesting position. With that said... looking at the mailing list this feels like doing Google a favour. Clearly they do not care about their users, and do not want us to distribute the packages. Why help them keep users for a few more weeks and put in a liable situation? It's dissapointing frankly. -- Morten Linderud PGP: 9C02FF419FECBE16
On Tue, 26 Jan 2021 at 22:53, Morten Linderud via arch-dev-public <arch-dev-public@lists.archlinux.org> wrote:
Frankly, I'd love to "stick it to the Man" and bundle the chrome keys. It would place Google in an interesting position.
Same. :)
With that said... looking at the mailing list this feels like doing Google a favour. Clearly they do not care about their users, and do not want us to distribute the packages. Why help them keep users for a few more weeks and put in a liable situation?
Indeed, that's another big issue with that approach, that we're only postponing the inevitable. After the fuss raised on the mailing lists, they are likely to use new keys for Chrome and obfuscate them in the chrome binary.
On 1/26/21 9:53 PM, Morten Linderud via arch-dev-public wrote:
It's dissapointing frankly.
Disappointing doesn't really catch it tho. If it would be just about the sync functionality: so be it. But crippling the API usage on a level that rips out especially things like the safe browsing functionality as well places chromium knowingly and forcefully into a position that doesn't make it viable to be distributed to users. I'm incredibly mad that his is literally a situation where the open source world is soaked up and in return a big clear "screw you guys, we don't care" sign is raised. Well played, exploiting a monopoly position like this and literally cheating on the open source community all around them. PS: firefox is affected by safe browsing keys as well.
On Tue, 26 Jan 2021 22:18:21 +0100 Levente Polyak via arch-dev-public <arch-dev-public@lists.archlinux.org> wrote:
I'm incredibly mad that his is literally a situation where the open source world is soaked up and in return a big clear "screw you guys, we don't care" sign is raised. Well played, exploiting a monopoly position like this and literally cheating on the open source community all around them.
Straight out of the 1990s Microsoft playbook.
On 2021-01-26 22:18:21 (+0100), Levente Polyak via arch-dev-public wrote:
On 1/26/21 9:53 PM, Morten Linderud via arch-dev-public wrote:
It's dissapointing frankly.
Disappointing doesn't really catch it tho. If it would be just about the sync functionality: so be it. But crippling the API usage on a level that rips out especially things like the safe browsing functionality as well places chromium knowingly and forcefully into a position that doesn't make it viable to be distributed to users.
I'm incredibly mad that his is literally a situation where the open source world is soaked up and in return a big clear "screw you guys, we don't care" sign is raised. Well played, exploiting a monopoly position like this and literally cheating on the open source community all around them.
PS: firefox is affected by safe browsing keys as well.
I agree, that this situation and Google's position on this is utterly disappointing. However, I am one of the people that actually needs chromium for work daily and that needs to rely on it for several websites that are not supported by firefox (which I use mainly). I suggest we all take a deep breath and evaluate the situation. Is safe-browsing and geolocation in chromium and firefox really affected by this? If so, that would of course be bad (from the reactions so far, users seem mostly fine without the Google sync functionality). However, we need to test this carefully with e.g. packages in [testing] instead of prematurely deleting everything. If e.g. safe-browsing is indeed affected, now would be the time to contact mozilla about this to a) change this for firefox by default and b) evaluate whether it is possible to e.g. use their services in chromium. If safe-browsing is not affected, under what circumstances are we allowed to use and distribute a browser with it? The Google Chrome team can and needs to answer these questions. These are all things we need to figure out. Let's please not panic. Best, David -- https://sleepmap.de
Em janeiro 27, 2021 5:58 David Runge via arch-dev-public escreveu:
However, I am one of the people that actually needs chromium for work daily and that needs to rely on it for several websites that are not supported by firefox (which I use mainly).
Me too.
I suggest we all take a deep breath and evaluate the situation. Is safe-browsing and geolocation in chromium and firefox really affected by this?
If google drops the api key, yes. They said we can continue using them, but we don't know for how long, and they also mentioned reviewing quotas, which would render them unusable.
If so, that would of course be bad (from the reactions so far, users seem mostly fine without the Google sync functionality). However, we need to test this carefully with e.g. packages in [testing] instead of prematurely deleting everything.
Again, it's not just sync functionality. Login won't work anymore, and with it, a bunch of other stuff. I have sent the full list on arch-general.
If safe-browsing is not affected, under what circumstances are we allowed to use and distribute a browser with it? The Google Chrome team can and needs to answer these questions.
We are allowed to continue using the api key, until they fell like we aren't anymore. Which is why we should probably ditch chromium altogether.
These are all things we need to figure out. Let's please not panic.
Nobody is panicking out yet, but March 15th is approaching. Regards, Giancarlo Razzolini
On 27/01/2021 12:45, Giancarlo Razzolini via arch-dev-public wrote:
Em janeiro 27, 2021 5:58 David Runge via arch-dev-public escreveu:
However, I am one of the people that actually needs chromium for work daily and that needs to rely on it for several websites that are not supported by firefox (which I use mainly).
Me too.
I suggest we all take a deep breath and evaluate the situation. Is safe-browsing and geolocation in chromium and firefox really affected by this?
If google drops the api key, yes. They said we can continue using them, but we don't know for how long, and they also mentioned reviewing quotas, which would render them unusable.
If so, that would of course be bad (from the reactions so far, users seem mostly fine without the Google sync functionality). However, we need to test this carefully with e.g. packages in [testing] instead of prematurely deleting everything.
Again, it's not just sync functionality. Login won't work anymore, and with it, a bunch of other stuff. I have sent the full list on arch-general.
... which indeed sounds like the perfect place to continue this argument. Alad
If safe-browsing is not affected, under what circumstances are we allowed to use and distribute a browser with it? The Google Chrome team can and needs to answer these questions.
We are allowed to continue using the api key, until they fell like we aren't anymore. Which is why we should probably ditch chromium altogether.
These are all things we need to figure out. Let's please not panic.
Nobody is panicking out yet, but March 15th is approaching.
Regards, Giancarlo Razzolini
On 2021-01-27 08:45:53 (-0300), Giancarlo Razzolini wrote:
If google drops the api key, yes. They said we can continue using them, but we don't know for how long, and they also mentioned reviewing quotas, which would render them unusable.
We don't have any specifics, so we will have to wait until we know more.
If so, that would of course be bad (from the reactions so far, users seem mostly fine without the Google sync functionality). However, we need to test this carefully with e.g. packages in [testing] instead of prematurely deleting everything.
Again, it's not just sync functionality. Login won't work anymore, and with it, a bunch of other stuff. I have sent the full list on arch-general.
The login functionality is only relevant for in-browser login, right? As long as users can still use chromium to safely browse the internet, I'm not too concerned about that.
If safe-browsing is not affected, under what circumstances are we allowed to use and distribute a browser with it? The Google Chrome team can and needs to answer these questions.
We are allowed to continue using the api key, until they fell like we aren't anymore. Which is why we should probably ditch chromium altogether.
How is this situation different from all these years up until now though? If safe-browsing indeed stops working, without any viable replacement option, then we can still consider dropping chromium. Best, David -- https://sleepmap.de
On 1/26/21 9:20 PM, Evangelos Foutras via arch-dev-public wrote:
If people are still concerned about angering Google, even though there's probably nothing illegal about bundling Chrome's keys (when also considering the aforementioned permission from 2013) then let's just remove the package from our repos instead of officially providing a potentially unsafe and feature-incomplete browser.
[1] https://groups.google.com/a/chromium.org/g/chromium-packagers/c/SG6jnsP4pWM/... [2] https://groups.google.com/a/chromium.org/g/chromium-packagers/c/SG6jnsP4pWM/...
I've been following the conversation with much interest and I can see we all feel very similarly about this. I went through the links you mention and the email you attached. What strikes me is that at some point, one of the people on the Google groups thread just says that the person who gave the initial permission to use Google's API keys had no legal right to give it. I can say for certain that exact action is legally ridiculous in it of itself. If what they say is correct, then it means Google knew about this for years and did nothing, and their inaction means lack of IP enforcement preventing them from launching legal action against anyone today. On the other hand, if their claim is incorrect and Arch Linux was legally granted such permission, then Google has to officially withdraw that permission and as far as I can tell they have not done that appropriately. Basically, in any case, what they are forcing us to do is in my opinion disgusting and frankly can be considered coercion. However, I do not think that anyone would give any flying **cks if Google threw millions at a lawsuit against us just to set an example. The whole situation is infuriating and if it was any other company, not as big as Google, we would not be having this conversation, we would just tell them to go away and be done with it. But as we probably cannot do so, I agree that we should indeed "stick it to the man" as much as we possibly can for as long as we can. I am not sure how this would be taken, but I propose we not only remove it from the repos, but we clean the AUR of Chromium and Chrome too and we enforce no one uploads any more such variants. This, I believe, is the only way the message will be loud and clear to our users because people will have to really share Chrome PKGBUILDs on 3rd party platforms as if it were illegal. In the end, this is what Google wants, right!? We cannot distribute Chrome's binary nor can we build a functioning Chromium. They essentially want their software no where near our _dirty_ platform. I think we should abide. What is more, I believe if we do have access to a willing legal team, we should write and submit an official complaint to the EU ombudsman -- Google are in fact crippling an open source alternative to their browser, limiting choice, disrupting the market place, coercing the "little man", etc. -- all things for which they were recently found guilty of and fined by the EU [1]. An official complaint shouldn't cost us anything and will be sending a message directly where it needed -- publicly, to our users, to our supporters, to the market and to Google. -- Regards, Konstantin [1] - https://en.wikipedia.org/wiki/European_Union_vs._Google
On Wed, Jan 27, 2021 at 01:23:58AM +0200, Konstantin Gizdov via arch-dev-public wrote:
I am not sure how this would be taken, but I propose we not only remove it from the repos, but we clean the AUR of Chromium and Chrome too and we enforce no one uploads any more such variants. This, I believe, is the only way the message will be loud and clear to our users because people will have to really share Chrome PKGBUILDs on 3rd party platforms as if it were illegal. In the end, this is what Google wants, right!? We cannot distribute Chrome's binary nor can we build a functioning Chromium. They essentially want their software no where near our _dirty_ platform. I think we should abide.
I disagree on utilzing the AUR for an extended turf-war. Drop it from the repositories and people can maintain it in the AUR. It's user contributed stuff anyway and you are going to battle fork regardless for moderation purposes. Is chrome banned? Ungoogled-chromium fine? Banned? What about other derivative crap you suddenly need to actively ban and think about? Assuming someone is even there to even hit the button on the deletion request.
What is more, I believe if we do have access to a willing legal team, we should write and submit an official complaint to the EU ombudsman -- Google are in fact crippling an open source alternative to their browser, limiting choice, disrupting the market place, coercing the "little man", etc. -- all things for which they were recently found guilty of and fined by the EU [1].
I don't think we should spend money on this. -- Morten Linderud PGP: 9C02FF419FECBE16
On 1/27/21 1:31 AM, Morten Linderud via arch-dev-public wrote:
I don't think we should spend money on this.
EU ombudsman is a free service. Also, legal help can be found pro-bono for things like this. -- Regards, Konstantin
On 1/27/21 1:31 AM, Morten Linderud via arch-dev-public wrote:
I disagree on utilzing the AUR for an extended turf-war. Drop it from the repositories and people can maintain it in the AUR. It's user contributed stuff anyway and you are going to battle fork regardless for moderation purposes.
Is chrome banned? Ungoogled-chromium fine? Banned? What about other derivative crap you suddenly need to actively ban and think about?
Assuming someone is even there to even hit the button on the deletion request.
Correct me if I'm wrong. An AUR package will have to have the keys verbatim in the PKGBUILD. We would be essentially hosting this information on the AUR, which would be in violation of Google's new terms, right? So how are we going to allow such packages and not get a Cease and Desist? On that point, we could grep by the value of the keys and delete automatically. -- Regards, Konstantin
On Wed, Jan 27, 2021 at 03:19:09AM +0200, Konstantin Gizdov via arch-dev-public wrote:
On 1/27/21 1:31 AM, Morten Linderud via arch-dev-public wrote:
I disagree on utilzing the AUR for an extended turf-war. Drop it from the repositories and people can maintain it in the AUR. It's user contributed stuff anyway and you are going to battle fork regardless for moderation purposes.
Is chrome banned? Ungoogled-chromium fine? Banned? What about other derivative crap you suddenly need to actively ban and think about?
Assuming someone is even there to even hit the button on the deletion request.
Correct me if I'm wrong. An AUR package will have to have the keys verbatim in the PKGBUILD. We would be essentially hosting this information on the AUR, which would be in violation of Google's new terms, right? So how are we going to allow such packages and not get a Cease and Desist?
On that point, we could grep by the value of the keys and delete automatically.
It doesn't matter. They wouldn't get anywhere with a cease and desist on some semi-public strings in some PKGBUILD. It's user submitted content and we are not breaking anything by giving people recipes for ToS/EULA breaking products of said recipe. This is how we can keep proprietary software in the AUR after all. Nothing changes. -- Morten Linderud PGP: 9C02FF419FECBE16
On 1/26/21 6:23 PM, Konstantin Gizdov via arch-dev-public wrote:
I am not sure how this would be taken, but I propose we not only remove it from the repos, but we clean the AUR of Chromium and Chrome too and we enforce no one uploads any more such variants. This, I believe, is the only way the message will be loud and clear to our users because people will have to really share Chrome PKGBUILDs on 3rd party platforms as if it were illegal. In the end, this is what Google wants, right!? We cannot distribute Chrome's binary nor can we build a functioning Chromium. They essentially want their software no where near our _dirty_ platform. I think we should abide. This is histrionics. I don't see why we should ban the proprietary google-chrome package, which is already somewhat inconvenient to use because of the AUR, over politics. Where is your respect for the rights of our users?
We're not in the business of telling people they're not allowed to use the AUR for the express purpose which the AUR was created for. That's a REALLY hot take. -- Eli Schwartz Bug Wrangler and Trusted User
In data mercoledì 27 gennaio 2021 00:35:50 CET, Eli Schwartz via arch-dev- public ha scritto:
On 1/26/21 6:23 PM, Konstantin Gizdov via arch-dev-public wrote:
I am not sure how this would be taken, but I propose we not only remove it from the repos, but we clean the AUR of Chromium and Chrome too and we enforce no one uploads any more such variants. This, I believe, is the only way the message will be loud and clear to our users because people will have to really share Chrome PKGBUILDs on 3rd party platforms as if it were illegal. In the end, this is what Google wants, right!? We cannot distribute Chrome's binary nor can we build a functioning Chromium. They essentially want their software no where near our _dirty_ platform. I think we should abide.
This is histrionics. I don't see why we should ban the proprietary google-chrome package, which is already somewhat inconvenient to use because of the AUR, over politics. Where is your respect for the rights of our users?
We're not in the business of telling people they're not allowed to use the AUR for the express purpose which the AUR was created for. That's a REALLY hot take.
I agree with you 100% Eli. I find this whole thing of "sticking it" to Google just ridiculous. Like you really think they would even care? I mean, I also find the whole situation irritating and their arguments actually insulting to our intelligence but there's no winning this. On the other hand I seem to be the only one here that actually need chromium for my daily work and dropping it to AUR is already a big enough inconvenience to let me consider switching distro on my work laptop, but banning it from the AUR!? Do you even care about our users? I personally think that as long as there is a willing maintainer we should just package chromium without the google api keys just like fedora is doing? Or are we also dropping the multitude of other browsers with no google sync/ safe browsing integrations? -- Massimiliano Torromeo
On 1/27/21 1:49 AM, Massimiliano Torromeo via arch-dev-public wrote:
I agree with you 100% Eli.
I find this whole thing of "sticking it" to Google just ridiculous. Like you really think they would even care? No and that's the problem. And even if they don't, we should just give in?
I mean, I also find the whole situation irritating and their arguments actually insulting to our intelligence but there's no winning this. That may be, but I don't agree this is an argument to go belly up.
On the other hand I seem to be the only one here that actually need chromium for my daily work and dropping it to AUR is already a big enough inconvenience to let me consider switching distro on my work laptop, but banning it from the AUR!? Do you even care about our users? No, you are not the only one. I am using Chromium exclusively actually. Every day and even some work things I do only work in Chromium. I completely know where you are coming from. I do care about the users, because I am one of them. I am willing to do this myself. I will find another way, but unless I do find another way, I will forever be stuck in trying to find more and more ways to suck up to Google and their stupid policies, and give in to their coercion. Which I am not willing to do anymore. That is my reasoning.
I personally think that as long as there is a willing maintainer we should just package chromium without the google api keys just like fedora is doing? Or are we also dropping the multitude of other browsers with no google sync/ safe browsing integrations?
I do not think we should ship chromium at all, although Safe Browsing was never a thing I enjoyed or found a benefit in. It can also be misused badly [1]. -- Regards, Konstantin [1] - https://gomox.medium.com/google-safe-browsing-can-kill-your-startup-7d73c474...
In data mercoledì 27 gennaio 2021 01:12:39 CET, Konstantin Gizdov via arch- dev-public ha scritto:
I mean, I also find the whole situation irritating and their arguments actually insulting to our intelligence but there's no winning this.
That may be, but I don't agree this is an argument to go belly up.
The thing is, I don't even think we would be going "belly up" on anything. At the end of the day, as irritating as it might be, google's apis were never open source or a part of chromium (except obviously the integration part) and even without access to these apis, the browser itself is very much Free Software under an OSI approved license. Something that, for example, Vivaldi, which has users that swear by it, cannot really say (only partially). Google might even decide that they don't want to invest resources on the sync infrastructure anymore and kill it altogether and it would be their right to do so, and not even all that surprising given the amount of dead google projects over the years. The only thing that I find distasteful is that this all feels like an attack on chromium, linux distrubutions and their maintainers, since they don't seem to have any valid reason to withold access to their apis other than to draw more users to their proprietary variant of the browser. Even so that doesn't make chromium any less Free Software or undeserving to be in the repos. If anything that would still keep some users away from Chrome since I suspect most users would resort to installing something like "chrome- bin". Also, who knows, maybe this will make someone start working on a free alternative to google sync... -- Massimiliano Torromeo
On 1/27/21 2:43 AM, Massimiliano Torromeo wrote:
Google might even decide that they don't want to invest resources on the sync infrastructure anymore and kill it altogether and it would be their right to do so, and not even all that surprising given the amount of dead google projects over the years. Sure, but that would be fine and no one will bat an eye about it. What is not fine is the thing you describe below.
The only thing that I find distasteful is that this all feels like an attack on chromium, linux distrubutions and their maintainers, since they don't seem to have any valid reason to withold access to their apis other than to draw more users to their proprietary variant of the browser. This is them trying to control the market by crippling the Chromium browser.
Even so that doesn't make chromium any less Free Software or undeserving to be in the repos. If anything that would still keep some users away from Chrome since I suspect most users would resort to installing something like "chrome- bin". Except, honestly, I don't see this happening realistically. An AUR PKGBUILD will need the keys, which cannot be downloaded from an online resource, so they would have to be included verbatim on the AUR. Which would be in violation of Google's terms. We will get a Cease and Desist sooner or later.
Also, who knows, maybe this will make someone start working on a free alternative to google sync...
Yes, hopefully! -- Regards, Konstantin
On 1/27/21 1:35 AM, Eli Schwartz via arch-dev-public wrote:
This is histrionics. No. Please don't start with the judgmental statements. This is my honest opinion and it's high time you gave me the respect to have my own opinion. You don't have to agree, but that doesn't automatically make what I said a call for attention.
I don't see why we should ban the proprietary google-chrome package, which is already somewhat inconvenient to use because of the AUR, over politics. Where is your respect for the rights of our users? My respect is where it should be - Google is playing a game with their rights and we should not be tolerating it. That is my honest opinion not aimed at attracting attention. Our quarrels with Google are far away from the end user. Most users will not read the ADP conversation and will just learn that chromium was dropped, not much else. I think if we want to send a message, this is the most effective way to do it. And it seems to already be working.
We're not in the business of telling people they're not allowed to use the AUR for the express purpose which the AUR was created for. That's a REALLY hot take.
I agree with you completely on this point. But I also see two issues specific only to this particular situation. 1. What happens when Google sends us a Cease and Desist for having their API keys in a PKGBUILD hosted on the AUR? 2. Aren't we explicitly enabling/helping/giving instructions to someone to build a package in a way that is explicitly forbidden by the new rules in the EULA of Chromium and Google Chrome? We will be hosting a PKGBUILD that does exactly what is forbidden by Google. -- Regards, Konstantin
On 1/27/21 1:23 AM, Konstantin Gizdov wrote:
I am not sure how this would be taken, but I propose we not only remove it from the repos, but we clean the AUR of Chromium and Chrome too and we enforce no one uploads any more such variants. This, I believe, is the only way the message will be loud and clear to our users because people will have to really share Chrome PKGBUILDs on 3rd party platforms as if it were illegal. In the end, this is what Google wants, right!? We cannot distribute Chrome's binary nor can we build a functioning Chromium. They essentially want their software no where near our _dirty_ platform. I think we should abide.
With regards to the above statement from myself here on the discussion of what to do with Chromium given the circumstances, I would like to apologise both for the way I reacted and the way I worded that reaction. I did not indent to be hostile towards anyone, much less our users, however, I do now realise this is essentially what I projected. For this I am truly sorry. I was very angry and felt betrayed, but that is no reason to act out in this way. To those, I have hurt or in any way offended, I am sorry and I hope you can understand. -- Regards, Konstantin P.S. Please don't take this email as a way to add or take away from the ongoing relevant discussion about Chromium's fate. I only kept the list and thread, for continuity.
There's more than Chromium: Dropping Google API key support from Arch packages will also affect libreoffice packages. Removing the keys from Libreoffice packages will make it loose access to Google drive. -Andy
participants (16)
-
alad
-
Anatol Pomozov
-
Andreas Radke
-
Bartłomiej Piotrowski
-
David Runge
-
Doug Newgard
-
Eli Schwartz
-
Evangelos Foutras
-
Giancarlo Razzolini
-
Jelle van der Waa
-
Jerome Leclanche
-
Johannes Löthberg
-
Konstantin Gizdov
-
Levente Polyak
-
Massimiliano Torromeo
-
Morten Linderud