[arch-dev-public] Chromium losing Sync support on March 15

Evangelos Foutras evangelos at foutrelis.com
Tue Jan 26 19:20:04 UTC 2021

On Fri, 22 Jan 2021 at 10:05, Evangelos Foutras <evangelos at foutrelis.com> wrote:
> On Wed, 20 Jan 2021 at 19:28, Giancarlo Razzolini via arch-dev-public
> <arch-dev-public at lists.archlinux.org> wrote:
> > After reading this thread [0], I think that, if we keep using their keys, or even
> > start using the chrome keys, this might put Arch into muddy legal waters and I don't
> > think that's a good idea.
> It seems others feel the same way, understandably so. I'd expect
> Chrome's keys to be replaced, with added protection so they remain
> secret, before legal action would be considered.
> In any case, I posted a request for clarification on whether using
> Chrome's keys is illegal or not. [1] Perhaps they will be able to
> definitively tell us that it's not allowed (under EU Law).
> [1] https://groups.google.com/a/chromium.org/g/chromium-packagers/c/sPe22z7Ynrg

As somewhat expected, the above didn't result in any further clarification.

The only acceptable way forward for me is to switch to Chrome's keys.
We (kind of) have permission for this based on the 2013 ToS exception
allowing inclusion of Google API keys in our packages (see attached
email copy). This was not just permitted unofficially; "the 2013
special terms, additional quota, and exact wording of the email passed
the internal approval process, including legal, engineering, and
VP-level management". [1]

Building Chromium without API keys results in a browser that is
unsuitable for production use. Removing the OAuth 2.0 credentials (or
when the Chrome team limits them) mainly breaks Chrome data sync
(e.g.: passwords, bookmarks, open tabs). Additionally removing the
main API key disables functionality like Safe Browsing and
Geolocation. I don't consider a browser with downgraded functionality
and security suitable for end users. [2]

If people are still concerned about angering Google, even though
there's probably nothing illegal about bundling Chrome's keys (when
also considering the aforementioned permission from 2013) then let's
just remove the package from our repos instead of officially providing
a potentially unsafe and feature-incomplete browser.

[1] https://groups.google.com/a/chromium.org/g/chromium-packagers/c/SG6jnsP4pWM/m/Mt0U_lWPDAAJ
[2] https://groups.google.com/a/chromium.org/g/chromium-packagers/c/SG6jnsP4pWM/m/OOxl9wKLAAAJ
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Google API keys for Chromium.pdf
Type: application/pdf
Size: 47569 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-dev-public/attachments/20210126/5bd64448/attachment-0001.pdf>

More information about the arch-dev-public mailing list