ungoogled-chromium may contain Widevine DRM

Done. Submitted by Jason Self.
Details
9 participants
  • Adonay Felipe Nogueira
  • Giovanni Biscuolo
  • Jason Self
  • Jelle Licht
  • Julien Lepiller
  • Leo Famulari
  • Marius Bakke
  • ng0
  • Ricardo Wurmus
Owner
unassigned
Severity
normal
Jason Self wrote on 19 Feb 2019 04:44
ungoogled-chromium contains Widevine DRM
(address . submit@debbugs.gnu.org)
1550547897.31222.1.camel@jxself.org
Package: guix
Unless I am mistaken, ungoogled-chromium is not removing Widevine DRM from upstream Chromium. Guix should remove that if upstream won't, as I believe this goes against "the distro must contain no DRM..." in the FSDG.
Leo Famulari wrote on 19 Feb 2019 08:06
(name . Jason Self)(address . j@jxself.org)(address . 34565@debbugs.gnu.org)
20190219070601.GA8273@jasmine.lan
On Mon, Feb 18, 2019 at 07:44:57PM -0800, Jason Self wrote:
> Unless I am mistaken, ungoogled-chromium is not removing Widevine DRM
> from upstream Chromium. Guix should remove that if upstream won't, as I
> believe this goes against "the distro must contain no DRM..." in the
> FSDG.
Why do you think this is the case? It doesn't work for me on any of the Widevine demos I can find, unlike an installation of Google Chrome.
Jason Self wrote on 19 Feb 2019 14:28
(address . 34565@debbugs.gnu.org)
1550582906.5431.7.camel@jxself.org
On Tue, 2019-02-19 at 02:06 -0500, Leo Famulari wrote:
> Why do you think this is the case?
We know Chromium comes with it. Have you looked through ungoogled-chromium to see where it's being deleted?
Julien Lepiller wrote on 19 Feb 2019 14:42
(name . Jason Self)(address . j@jxself.org)(address . 34565@debbugs.gnu.org)
ea3643bd3575de03e15d3c82c1aefe8c@lepiller.eu
On 2019-02-19 14:28, Jason Self wrote:
> On Tue, 2019-02-19 at 02:06 -0500, Leo Famulari wrote:
> Why do you think this is the case?
>
> We know Chromium comes with it. Have you looked through
> ungoogled-chromium to see where it's being deleted?
Our package definition has two widevine-related headers listed as preserved third-party stuff... I'm not sure how widevine normally gets into chromium, but if we don't have it, I guess we should not need these headers? There might actually be an issue, but I'm not sure how to check. Where is widevine in upstream (non ungoogled) chromium? Is it downloaded at runtime?
IIUC, the rest of this widevine directory is removed before building anything, so maybe there's nothing to worry about after all?
Leo Famulari wrote on 19 Feb 2019 15:43
(name . Jason Self)(address . j@jxself.org)(address . 34565@debbugs.gnu.org)
20190219144342.GA2688@jasmine.lan
On Tue, Feb 19, 2019 at 05:28:26AM -0800, Jason Self wrote:
> We know Chromium comes with it. Have you looked through
> ungoogled-chromium to see where it's being deleted?
Please show us the paths in our package's source code. We need to remove it if it is there.
I looked and cannot find it.
I looked at how some other distros do it.
They get the Widevine binaries by extracting them from a download of the Google Chrome browser, which is not the browser that has been packaged for Guix.
Julien Lepiller wrote on 19 Feb 2019 15:44
(address . 34565@debbugs.gnu.org)
aba259a44a52136939babd3f3cfee6be@lepiller.eu
On 2019-02-19 14:42, Julien Lepiller wrote:
> On 2019-02-19 14:28, Jason Self wrote:
>> On Tue, 2019-02-19 at 02:06 -0500, Leo Famulari wrote:
>> Why do you think this is the case?
>>
>> We know Chromium comes with it. Have you looked through
>> ungoogled-chromium to see where it's being deleted?
>
> Our package definition has two widevine-related headers listed as
> preserved third-party stuff... I'm not sure how widevine normally
> gets into chromium, but if we don't have it, I guess we should
> not need these headers? There might actually be an issue, but
> I'm not sure how to check. Where is widevine in upstream (non
> ungoogled) chromium? Is it downloaded at runtime?
>
> IIUC, the rest of this widevine directory is removed before
> building anything, so maybe there's nothing to worry about
> after all?
So I've downloaded the source tarball with `guix build -S chromium` and here's what I found in it:

$ find -name cdm
./media/cdm
./third_party/widevine/cdm
./chrome/android/java/src/org/chromium/chrome/browser/media/cdm
./chrome/browser/media/android/cdm
./content/renderer/media/cdm
./chromecast/media/cdm
./components/cdm

$ find -name widevine
./third_party/widevine

$ find -name '*widevine*'
./third_party/widevine
./third_party/widevine/cdm/android/widevine_cdm_version.h
./third_party/widevine/cdm/widevinecdmadapter.ver
./third_party/widevine/cdm/stub/widevine_cdm_version.h
./third_party/widevine/cdm/widevine.gni
./third_party/widevine/cdm/widevine_cdm_version.h
./third_party/widevine/cdm/widevine_cdm_common.h
./chrome/common/widevine_cdm_constants.h
./chrome/common/widevine_cdm_constants.cc
./chrome/browser/component_updater/widevine_cdm_component_installer.cc
./chrome/browser/component_updater/widevine_cdm_component_installer.h
./components/cdm/common/widevine_drm_delegate_android.cc
./components/cdm/common/widevine_drm_delegate_android.h
./components/cdm/renderer/widevine_key_system_properties.cc
./components/cdm/renderer/widevine_key_system_properties.h

This ./chrome/browser/component_updater/widevine_cdm_component_installer.cc looks particularly suspicious to me...
Now, it seems that widevine stuff only gets built when the ENABLE_WIDEVINE option is set, and it doesn't seem to be the case in guix' package. Since I don't understand how the browser gets built, I'm not sure about the default. In any case, it would be good to get rid of these files even if they aren't built.
HTH!
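
The two checks from the message above (search the unpacked tree for Widevine-named files, then see whether the build flag is set) can be scripted; this is an added example, not part of the thread or of Guix's code. The function names, the flags file with one `name=value` per line, and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an unpacked browser source tree for Widevine leftovers.
# The flags-file layout (one name=value per line) is an assumption.

# Every path whose name mentions widevine, relative to the tree root.
widevine_paths() {
    (cd "$1" && find . -name '*widevine*' | sort)
}

# Prebuilt CDM binaries: any shared object with widevine in its path, which
# covers the libwidevinecdm.so named later in the thread.
widevine_blobs() {
    (cd "$1" && find . -type f -path '*widevine*' -name '*.so' | sort)
}

# State of the enable_widevine build argument: enabled, disabled or unset.
# The last assignment in the file is the one reported.
widevine_flag_state() {
    value=$(sed -n 's/^[[:space:]]*enable_widevine[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1)
    case "$value" in
        true)  echo enabled ;;
        false) echo disabled ;;
        *)     echo unset ;;
    esac
}

# Print a one-line summary. Exit status 0: no prebuilt CDM and the flag is
# not enabled. Exit status 1: a binary is present or the flag is enabled.
# Leftover headers and sources are counted but do not fail the audit alone.
audit_tree() {
    total=$(widevine_paths "$1" | grep -c . || true)
    blobs=$(widevine_blobs "$1" | grep -c . || true)
    state=$(widevine_flag_state "$2")
    echo "widevine-named paths: $total; prebuilt CDM binaries: $blobs; enable_widevine: $state"
    [ "$blobs" -eq 0 ] && [ "$state" != enabled ]
}

# Constructed sample tree: empty files at a few of the paths from the find
# output above, plus a hypothetical flags file.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/third_party/widevine/cdm/stub" "$root/chrome/common" \
        "$root/chrome/browser/component_updater"
    : > "$root/third_party/widevine/cdm/widevine_cdm_version.h"
    : > "$root/third_party/widevine/cdm/stub/widevine_cdm_version.h"
    : > "$root/chrome/common/widevine_cdm_constants.cc"
    : > "$root/chrome/browser/component_updater/widevine_cdm_component_installer.cc"
    printf 'enable_widevine=false\n' > "$root/flags.txt"
    echo "$root"
}

sample=$(make_sample_tree)
widevine_paths "$sample"
audit_tree "$sample" "$sample/flags.txt" || echo "needs review"
rm -rf "$sample"
```

The summary separates source files that merely mention Widevine from a prebuilt binary or an enabled flag, which is the distinction the rest of the thread turns on.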
Jason Self wrote on 20 Feb 2019 01:39
(address . 34565@debbugs.gnu.org)
1550623152.12316.5.camel@jxself.org
Based on http://issues.guix.info/issue/28004#2 it is disabled at build time; but not removed. The person said they thought this was FSDG compliant but a reading of "the distro must contain no DRM" from the FSDG could be taken to mean the distro still "contains" it, since it's still within the source code of the program. "Disabled by default" shouldn't be good enough IMHO; build flags should not be used to hide freedom problems. The source code represents what the software *is*, not the build flags.
Jason Self wrote on 20 Feb 2019 02:12
(address . 34565@debbugs.gnu.org)
1550625137.14138.3.camel@jxself.org
A different but related matter is the build process itself. I understand this is not exactly related to the DRM matter but it does seem similar. I can open another bug over this if needed. I have recently submitted upstream's Chromium 73.0.3683.45 into my FOSSology instance for analysis. Actually, less than a third of the total files were classified as "BSD-like". In total it found 162 unique licenses. Of course, automated licenses analysis is never perfect and I have not fully vetted any particular results but it does help to at least indicate that which is very clearly free software and that which needs further investigation.
Even in the short time I was reviewing it I found a number of freedom problems. I don't mean that to be an exhaustive list of everything, merely an indicator of a symptom:
* unrar (license denies freedom 0)
* third_party/blink has some images under CC-BY-NC-SA-2.0
* Google Toolbar is in there, with a non-free EULA
Taking this and considering Guix's build process: The method of building seems to involve downloading Chromium, then running ungoogled-chromium over it, and then building. I'm not sure if any other packages have their freedom problems fixed in this way but this, just like build flags, should not be sufficient. Freedom problems should not be hidden/removed after the fact by asking the user to run a clean-up program after downloading the source, even if that has been automated by the package manager. What is sent to the end user to compile should itself be 100% free software and FSDG compliant from the beginning. If not it still amounts to distributing non-free software to the user when they want to, for example, do guix build -S chromium.
Jason Self wrote on 20 Feb 2019 02:19
(address . 34565@debbugs.gnu.org)
1550625587.14780.2.camel@jxself.org
> should not be hidden/removed after the fact by asking the user to run
> a clean-up program after downloading the source, even if that has
> been automated by the package manager. What is sent to the end user
> to compile should itself be 100% free software and FSDG compliant
> from the beginning. If not it still amounts to distributing non-free
> software to the user when they want to, for example, do guix build -S
> chromium.
I should probably add on that this position comes from my interaction with the FSF in 2010: When LibreWRT was founded in 2010 (before it later merged into libreCMC) we submitted a similar question to the FSF, as to if it was sufficient for the LibreWRT build scripts (which would be run by the person building the firmware image from source and would have completely automated, just like how someone might instruct Guix to build from source) to download Linux and then run the Linux-libre deblobbing scripts on it vs having the build scripts instead download tarballs that were already cleaned up. I can't seem to find the email from back then but the response was that we needed to use already cleaned-up tarballs, not ask the user to clean up the software afterward even if automated. So that was what we did. Guix should do something similar.
Leo Famulari wrote on 20 Feb 2019 06:15
(name . Jason Self)(address . j@jxself.org)(address . 34565@debbugs.gnu.org)
20190220051536.GA7782@jasmine.lan
On Tue, Feb 19, 2019 at 05:12:17PM -0800, Jason Self wrote:
> Taking this and considering Guix's build process: The method of
> building seems to involve downloading Chromium, then running
> ungoogled-chromium over it, and then building. I'm not sure if any
> other packages have their freedom problems fixed in this way but this,
> just like build flags, should not be sufficient. Freedom problems
> should not be hidden/removed after the fact by asking the user to run a
> clean-up program after downloading the source, even if that has been
> automated by the package manager. What is sent to the end user to
> compile should itself be 100% free software and FSDG compliant from the
> beginning. If not it still amounts to distributing non-free software to
> the user when they want to, for example, do guix build -S chromium.
To clarify this general point about Guix for anyone who is reading along, as a matter of policy the end user does not receive non-free source code from Guix.
The tools provided by Guix to access source code only return source code that is freely licensed. If the sources have to be modified to ensure this, the unmodified source code is not provided to the user. Guix is specifically designed to do it this way.
Leo Famulari wrote on 20 Feb 2019 06:21
(no subject)
(address . control@debbugs.gnu.org)
20190220052150.GA8951@jasmine.lan
retitle 34565 ungoogled-chromium may contain Widevine DRM
Jason Self wrote on 20 Feb 2019 06:35
Re: bug#34565: ungoogled-chromium contains Widevine DRM
(address . 34565@debbugs.gnu.org)
1550640947.21795.7.camel@jxself.org
Leo Famulari wrote:
> To clarify this general point about Guix for anyone who is reading
> along, as a matter of policy the end user does not receive non-free
> source code from Guix.
Right; the source is downloaded from commondatastorage.googleapis.com but that is a technicality. What I'm saying is that the recipe should be updated to cause it to download an already-cleaned up version directly from Guix (it could be hosted somewhere on gnu.org for example but exactly where can be up for negotiation) and that this excuse of "they're getting it elsewhere" shouldn't be usable as an excuse to sidestep the FSDG. It's still causing the user to download the software due to the recipes provided by Guix.
> The tools provided by Guix to access source code only return source
> code that is freely licensed. If the sources have to be modified to
> ensure this, the unmodified source code is not provided to the user.
It's still being downloaded into their computer and then being cleaned up after the fact. If there weren't freedom problems with it there wouldn't be a need for a clean-up program (ungoogled-chromium in this case) to be running -- as a process on the user's computer -- to do this.
And in https://www.gnu.org/distros/free-system-distribution-guidelines.html we have:
"For instance, a free system distribution must not contain browsers that implement EME, the browser functionality designed to load DRM modules."
So that should make it quite clear.
Leo Famulari wrote on 20 Feb 2019 06:42
(name . Julien Lepiller)(address . julien@lepiller.eu)(address . 34565@debbugs.gnu.org)
20190220054219.GA9386@jasmine.lan
On Tue, Feb 19, 2019 at 03:44:17PM +0100, Julien Lepiller wrote:
> So I've downloaded the source tarball with `guix build -S chromium`
> and here's what I found in it:
[...]
Thanks for taking a look, Julien!
We need to find out if Widevine DRM is actually included in the Guix ungoogled-chromium package or not.
Obviously the intent was to not include it, and it does not work in practice. Widevine videos do not play and there is no prompt to install or enable DRM, unlike in some other browsers that use DRM.
I think the next steps for this subject are to first, in general, figure out where Widevine comes from, and then, more specifically, decide what to do about the files you mentioned.
As I mentioned already, other distros seem to get Widevine by extracting its binary from Chrome, even when using it for Chromium. It seems reasonable to assume that if Widevine were included in Chromium they would not be downloading a whole 'nother browser for that one component.
As for the specific files listed by Julien, they may be harmless, or not, we should figure out what they do and if they need to be removed.
Ricardo Wurmus wrote on 20 Feb 2019 08:59
Re: bug#34565: ungoogled-chromium might contain remnants of Widevine DRM
(name . Jason Self)(address . j@jxself.org)(address . 34565@debbugs.gnu.org)
8736oivqkb.fsf@elephly.net
Jason Self <j@jxself.org> writes:
> Leo Famulari wrote:
>> To clarify this general point about Guix for anyone who is reading
>> along, as a matter of policy the end user does not receive non-free
>> source code from Guix.
>
> Right; the source is downloaded from commondatastorage.googleapis.com
> but that is a technicality. What I'm saying is that the recipe should
> be updated to cause it to download an already-cleaned up version
> directly from Guix (it could be hosted somewhere on gnu.org for example
> but exactly where can be up for negotiation) and that this excuse of
> "they're getting it elsewhere" shouldn't be usable as an excuse to
> sidestep the FSDG. It's still causing the user to download the software
> due to the recipes provided by Guix.
Please do not claim that Guix sidesteps or aims to sidestep the FSDG. This is not the case as we are committed to abiding by the FSDG.
What users get when using “guix build --source” is the processed source code from the Guix build farm. The fallback is to fetch the original sources directly and process them (which is what the build farm does as well).
--
Ricardo
Giovanni Biscuolo wrote on 20 Feb 2019 10:22
Re: bug#34565: ungoogled-chromium contains Widevine DRM
(name . Leo Famulari)(address . leo@famulari.name)(address . 34565@debbugs.gnu.org)
87imxe95mc.fsf@roquette.mug.biscuolo.net
Hello,
maybe Marius Bakke has something interesting to say about his judgements on this "DRM matter"
indeed, this is a pretty ignorant (aka me) comment:
Leo Famulari <leo@famulari.name> writes:
[...]
> I think the next steps for this subject are to first, in general, figure
> out where Widevine comes from, and then, more specifically, decide what
> to do about the files you mentioned.
>
> As I mentioned already, other distros seem to get Widevine by extracting
> its binary from Chrome, even when using it for Chromium. It seems
> reasonable to assume that if Widevine were included in Chromium they
> would not be downloading a whole 'nother browser for that one
> component.
ungoogled-chromium FAQs [1] confirms that in order to install Widevine users have to download a shared object (libwidevinecdm.so) and install it system wide in /usr/lib/chromium or in $HOME/.local/lib/
I tried to install ungoogled-chromium from Guix but failed (another story...) so I cannot see myself, but AFAIU there is no way for a user to enable Widevine from the user interface *nor* manually
I don't know if the libwidevinecdm.so user loading must be forbidden **programmatically** [2] to be FSDG compliant: what is the case with the linux-libre kernel? are users forbidden to "insmod proprietery_module" they _independently_ downloaded or developed?
anyway, as Julien Lepiller already verified (Guix package definition is there for anyone to check, and checking is very easy), Widevine stuff only gets built when the ENABLE_WIDEVINE build option is set... and it's not this case, so it's unlikely that users will be able to install Widevine even following the above mentioned procedure
last but not least: AFAIU ungoogled-chromium Guix package documentation nor Guix Manual contains information on how to obtain proprietary extensions to any software; am I wrong?
> As for the specific files listed by Julien, they may be harmless, or
> not, we should figure out what they do and if they need to be removed.
AFAIU that code allows dynamically linking Widevine (sorry cannot still check myself), but it is _disabled_ at build time
is this enough to be FSDG compliant?
given all the above, it seems to me that ungoogled-chromium binaries provided by Guix substitute servers _and_ sources provided by Guix build farms (are provided by them, right?) do not ship with DRM enabled
to sum it up: AFAIU for users to be able to use Widevine they must create a custom package definition _outside_ official Guix channels *and* download the shared object "libwidevinecdm.so" from Chromium, installing it "manually" system wide or locally
HTH!
Ciao
Giovanni

[1] https://ungoogled-software.github.io/ungoogled-chromium-wiki/faq#how-do-i-install-widevine-cdm
[2] I mean by stripping away any bit of source code that allows users to dynamically link potentially proprietary shared objects in the software
-- Giovanni Biscuolo
Xelera IT Infrastructures
Jelle Licht wrote on 20 Feb 2019 11:09
(name . Jason Self)(address . j@jxself.org)(address . 34565@debbugs.gnu.org)
87a7iqdb5b.fsf@fsfe.org
Jason Self <j@jxself.org> writes:
> Leo Famulari wrote:
>> To clarify this general point about Guix for anyone who is reading
>> along, as a matter of policy the end user does not receive non-free
>> source code from Guix.
>
> Right; the source is downloaded from commondatastorage.googleapis.com
> but that is a technicality. What I'm saying is that the recipe should
> be updated to cause it to download an already-cleaned up version
> directly from Guix (it could be hosted somewhere on gnu.org for example
> but exactly where can be up for negotiation) and that this excuse of
I would argue that this way of thinking is one of the issues Guix and the broader reproducible builds community is trying to solve (in an ethical way). Practical software freedom also includes the possibility of not being dependent on even the gnu.org infrastructure.
> "they're getting it elsewhere" shouldn't be usable as an excuse to
> sidestep the FSDG. It's still causing the user to download the software
> due to the recipes provided by Guix.
The implied tone of your message comes across as needlessly aggressive. I am not sure if the GNU Kind Communications Guidelines apply here, but I still urge you to give the broader Guix community the benefit of the doubt in that they are committed to the FSDG and everything it entails.
This is like arguing that curl could be used to download proprietary software; An unmodified Guix will never present a user with non-free software. If it does, this can be considered a bug and should be fixed ASAP. Your proposal implies that someone else still downloads the nonfree upstream sources to modify them, so I see this as even more of a case of working around the spirit of the FSDG.
>> The tools provided by Guix to access source code only return source
>> code that is freely licensed. If the sources have to be modified to
>> ensure this, the unmodified source code is not provided to the user.
>
> It's still being downloaded into their computer and then being cleaned
> up after the fact. If there weren't freedom problems with it there
> wouldn't be a need for a clean-up program (ungoogled-chromium in this
> case) to be running -- as a process on the user's computer -- to do
> this.
I do not really get the point you are trying to make, because the software has to be downloaded at some point in time. Offering a transparent solution in the form of the Guix store, where the problematic bits of software only exist in a transient state seems like it improves the situation across the board.
Whether this fits the letter of the FSDG is an interesting discussion to be had, but arguing that it goes against the core principles is simply silly :).
> And in https://www.gnu.org/distros/free-system-distribution-guidelines.html we have:
>
> "For instance, a free system distribution must not contain browsers that implement EME, the browser functionality designed to load DRM modules."
>
> So that should make it quite clear.
I feel most folks here agree on this, at least, so if ungoogled-chromium still implements a functioning EME, that is a bug.
Respectfully yours,
- Jelle
Jason Self wrote on 20 Feb 2019 14:03
(address . 34565@debbugs.gnu.org)
1550667811.25277.1.camel@jxself.org
Jason Self wrote:
> I should probably add on that this position comes from my interaction
> with the FSF in 2010: When LibreWRT was founded in 2010 (before it
> later merged into libreCMC) we submitted a similar question to the
> FSF, as to if it was sufficient for the LibreWRT build scripts (which
> would be run by the person building the firmware image from source
> and would have completely automated, just like how someone might
> instruct Guix to build from source) to download Linux and then run
> the Linux-libre deblobbing scripts on it vs having the build scripts
> instead download tarballs that were already cleaned up. I can't seem
> to find the email from back then but the response was that we needed
> to use already cleaned-up tarballs, not ask the user to clean up the
> software afterward even if automated. So that was what we did. Guix
> should do something similar.
I haven't been able to find this conversation in my email. As it seems to be directly relevant to Guix, since it seems to also be the exact same method they use, I have emailed the FSF asking if they can locate this in their ticketing system and to re-send the conversation to me. More to come.
Marius Bakke wrote on 20 Feb 2019 15:37
87wolumspw.fsf@fastmail.com
Jason Self <j@jxself.org> writes:
> A different but related matter is the build process itself. I
> understand this is not exactly related to the DRM matter but it does
> seem similar. I can open another bug over this if needed. I have
> recently submitted upstream's Chromium 73.0.3683.45 into my FOSSology
> instance for analysis. Actually, less than a third of the total files
> were classified as "BSD-like". In total it found 162 unique licenses.
> Of course, automated licenses analysis is never perfect and I have not
> fully vetted any particular results but it does help to at least
> indicate that which is very clearly free software and that which needs
> further investigation.
To avoid duplicate work, it would be useful if you ran this analysis on the tarball produced by `guix build --source ungoogled-chromium`.
> Even in the short time I was reviewing it I found a number of freedom
> problems. I don't mean that to be an exhaustive list of everything,
> merely an indicator of a symptom:
>
> * unrar (license denies freedom 0)
UnRAR is not present in the Guix source.
> * third_party/blink has some images under CC-BY-NC-SA-2.0
I cannot find these images: grepping for CC-BY-NC-SA or 'Creative Commons' did not aid. Did you record the absolute paths to these files?
> * Google Toolbar is in there, with a non-free EULA
My grep-fu is really failing me today. Where is this located?
> Taking this and considering Guix's build process: The method of
> building seems to involve downloading Chromium, then running
> ungoogled-chromium over it, and then building. I'm not sure if any
> other packages have their freedom problems fixed in this way but this,
> just like build flags, should not be sufficient. Freedom problems
> should not be hidden/removed after the fact by asking the user to run a
> clean-up program after downloading the source, even if that has been
> automated by the package manager. What is sent to the end user to
> compile should itself be 100% free software and FSDG compliant from the
> beginning. If not it still amounts to distributing non-free software to
> the user when they want to, for example, do guix build -S chromium.
As Leo says, `guix build --source` should never return nonfree software as a matter of policy. Ungoogled-Chromium is no different: running `guix build --source ungoogled-chromium` will run the pruning scripts and generate a sanitized tarball, or (more likely) transparently download an already-processed source from the build farm.
Marius Bakke wrote on 20 Feb 2019 15:48
(address . 34565@debbugs.gnu.org)
87sgwims6k.fsf@fastmail.com
Giovanni Biscuolo <g@xelera.eu> writes:
> Hello,
>
> maybe Marius Bakke have something interesting to say about his
> judgements on this "DRM matter"
[...]
> to sum it up: AFAIU for users to be able to use Widevine they must
> create a custom package definition _outside_ official Guix channels
> *and* download the shared object "libwidevinecdm.so" from Chromium,
> installing it "manually" system wide or locally
This analysis is correct. For DRM to work, the user has to build with "enable_widevine=true", and then somehow obtain 'libwidevinecdm.so' and make the browser use it.
Julien Lepiller wrote on 20 Feb 2019 17:18
(name . Jason Self)(address . j@jxself.org)(address . 34565@debbugs.gnu.org)
ece143d1e11fcb21e4c91ea33e959a3c@lepiller.eu
Le 2019-02-20 14:03, Jason Self a écrit :
Toggle quote (21 lines)> Jason Self wrote:>> I should probably add on that this position comes from my interaction>> with the FSF in 2010: When LibreWRT was founded in 2010 (before it>> later merged into libreCMC) we submitted a similar question to the>> FSF,as to if it was sufficient for the LibreWRT build scripts (which>> would be run by the person building the firmware image from source>> and would have completely automated, just like how someone might>> instruct Guix to build from source) to download Linux and then run>> the Linux-libre deblobbing scripts on it vs having the build scripts>> instead download tarballs that were already cleaned up. I can't seem>> to find the email from back then but the response was that we needed>> to use already cleaned-up tarballs, not ask the user to clean up the>> software afterward even if automated. So that was what we did. Guix>> should do something similar.> > I haven't been able to find this conversation in my email. As it seems> to be directly relevant to Guix, since it seems to also be the exact> same method they use, I have emailed the FSF asking if they can locate> this in their ticketing system and to re-send the conversation to me.> More to come.
I think the situation is different though. You can see the build script inside the "origin" record as the liberation procedure that anyone can see and verify. It's also a procedure targeted at our build farms, so that they can produce the liberated source code. Users never manipulate non-free source code, unless something is wrong on the build farm side.
Essentially, users only download the liberated sources, and build the package from that, or they download the sources from the build farm and build the package from that. The source they download is the one that `guix build -S foo` gives you, and the semantics is "give me the sources to build foo", not "build the sources of foo".
I think that this way is more transparent, since we can independently, although with tooling not provided by guix, check and re-run the liberation procedure that is documented as part of the guix package recipe. This is much better than trusting someone to have actually run the right liberation procedure as you can examine both the result and the procedure itself.
I hope this is clearer now :)
Well, I'm still interested by that discussion on libreWRT.
Adonay Felipe Nogueira wrote on 20 Feb 2019 21:15
(address . 34565@debbugs.gnu.org)(name . Jason Self)(address . j@jxself.org)
bc360447-79ad-87d7-181a-a25da8b7a87a@hyperbola.info
On 20/02/2019 13:18, Julien Lepiller wrote:
> I think the situation is different though. You can see the build script
> inside the "origin" record as the liberation procedure that anyone can
> see and verify. It's also a procedure targeted at our build farms, so
> that they can produce the liberated source code. Users never manipulate
> non-free source code, unless something is wrong on the build farm side.
I'm not taking any sides here, but to give some more information, if for example you do `guix edit ungoogled-chromium' you will be presented to the package definition of Ungoogled-Chromium, taking that as an example you can see that it has a "source (origin ...) ...)" definition, inside the inner part (the "origin") you have:
* the upstream download location and method, see (method ...), (uri ...) and (sha256 ...);
* patches that should be applied immediately after downloading and extracting the source files, per (patches ...);
* snippets and modules to be used with these, also to be applied immediately after downloading and extracting the source files, as seen in (snippet ...) and (modules ...).
When `guix build -S ungoogled-chromium' is done, first it checks the build farms for the "prepared" source that matches the given package definition, version, hash and so on; and lastly it tries to "prepare" the source according to (patches ...) and (snippet ...) declarations before even telling the user that the download is ready/done.
Having the (origin ...) visible in this way brings the advantages that the people of Guix told about here, but as far as I can tell, the user also sees the original location of the non-free source from upstream if they do `guix edit ungoogled-chromium'.

--
- Page with contact methods: https://libreplanet.org/wiki/User:Adfeno#vCard
- Free software activist (not to be confused with gratis software). Evaluator of the freedom of software and websites.
- Page with list of contributions: https://libreplanet.org/wiki/User:Adfeno#Contribs
- For use in offices and work, please send files in the international standard OpenDocument/ODF 1.2 (ISO/IEC 26300-1:2015 and related). These are .odt/.ods/.odp/odg. LibreOffice is the recommended office suite for editing such files.
- For other file formats, see: https://libreplanet.org/wiki/User:Adfeno#Arquivos
- Like my work? Hire me or donate something to me! https://libreplanet.org/wiki/User:Adfeno#Suporte
- Use standardized federated social communications, where the "social" remains independent of the provider. #DeleteWhatsApp. Use #XMPP (https://libreplanet.org/wiki/XMPP.pt), #DeleteFacebook #DeleteInstagram #DeleteTwitter #DeleteYouTube. Use #ActivityPub via #Mastodon (https://joinmastodon.org/).
- #DeleteNetflix #CancelNetflix. Avoid #DRM: https://www.defectivebydesign.org/
Ricardo Wurmus wrote on 20 Feb 2019 22:49
(name . Adonay Felipe Nogueira)(address . adfeno@hyperbola.info)
87zhqq3zb1.fsf@elephly.net
Adonay Felipe Nogueira <adfeno@hyperbola.info> writes:
> On 20/02/2019 13:18, Julien Lepiller wrote:
>> I think the situation is different though. You can see the build script
>> inside the "origin" record as the liberation procedure that anyone can
>> see and verify. It's also a procedure targeted at our build farms, so
>> that they can produce the liberated source code. Users never manipulate
>> non-free source code, unless something is wrong on the build farm side.
>
> I'm not taking any sides here, but to give some more information […]
I would appreciate it if this discussion could be moved elsewhere. This is about whether the package in Guix contains “Widevine DRM”. As far as I understand it does not (as a third-party binary needs to be obtained).
If it does after all contain objectionable files please point them out so that we can remove them ASAP.
Thanks!
--
Ricardo
Jason Self wrote on 21 Feb 2019 03:19
(address . 34565@debbugs.gnu.org)
1550715570.3891.5.camel@jxself.org
On Wed, 2019-02-20 at 22:49 +0100, Ricardo Wurmus wrote:
> If it does after all contain objectionable files please point them
> out so that we can remove them ASAP.
That was done earlier in the thread. It might also be interesting to try building with enable_widevine=true.
In the context of the FSDG's "a free system distribution must not contain browsers that implement EME, the browser functionality designed to load DRM modules", I wonder if the browser would still be considered as "implementing" the "functionality ... to load DRM modules" from the FSF's viewpoint since it's only a build flag and the support for loading the module (even if not provided by Guix since it's non-free) seems otherwise intact.
Jason Self wrote on 21 Feb 2019 03:43
(address . 34565@debbugs.gnu.org)
1550716997.3891.12.camel@jxself.org
Marius Bakke wrote:
> not present in the Guix source.
Please keep in mind I was discussing upstream Chromium in that piece. It's also not an exhaustive list.
> I cannot find these images: grepping for CC-BY-NC-SA or 'Creative
> Commons' did not aid.  Did you record the absolute paths to these
> files?
Of course - FOSSology records everything as it recursively unpacks and searches files, metadata of files, etc.
1. third_party/blink/web_tests/fast/backgrounds/size/resources/SquirrelFish.svg has within it:
<a rel="cc:attributionURL" href="http://www.flickr.com/photos/goopymart/">http://www.flickr.com/photos/goopymart/</a> / <a rel="license" href="http://creativecommons.org/licenses/by-nc-sa/2.0/">CC BY-NC-SA 2.0</a></div>
2. chrome/test/data/extensions/api_test/wallpaper_manager/test_bad.jpg contains:
xmpRights:WebStatement="http://creativecommons.org/licenses/by-nc-sa/2.0/
3. chrome/test/data/extensions/test.jpg contains within it:
http://creativecommons.org/licenses/by-nc-sa/2.0/
4. chrome/test/data/extensions/api_test/wallpaper/test.jpg
Identified by FOSSology as being identical to file 3.
5. chrome/test/data/extensions/api_test/wallpaper_manager/test.jpg contains within it:
http://creativecommons.org/licenses/by-nc-sa/2.0/
> My grep-fu is really failing me today.  Where is this located?
chrome/test/data/import/firefox/macwin.zip/Profiles/brn6z0fz.default/extensions/{3112ca9c-de6d-4884-a869-9855de68056c}/chrome/google-toolbar.jar
chrome/test/data/import/firefox/macwin.zip/Profiles/brn6z0fz.default/extensions/{3112ca9c-de6d-4884-a869-9855de68056c}/LICENSE.txt
Keep in mind this was not an exhaustive report of all of upstream Chromium 73.0.3683.45 and there is much left out. They were intended only as examples to show freedom problems within Chromium itself.
As for the rest I guess we'll need to wait on a response from the FSF since I seem to be receiving pushback myself.
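The kind of scan described in the message above (raw file bytes, embedded metadata and archive members, several spellings of the license marker), as an added illustration that is not part of any message in this thread and is not FOSSology's implementation. The function names, the depth limit and the sample tree are assumptions constructed for the example.

```python
import io
import os
import tempfile
import zipfile

# Marker spellings: the URL form quoted in the thread plus the two grep terms.
MARKERS = (b"creativecommons.org/licenses/by-nc-sa", b"cc-by-nc-sa", b"creative commons")
MAX_DEPTH = 4  # bound on archive nesting (assumed limit)

def scan_blob(data, label, hits, depth=0):
    """Record label if data holds a marker, then descend into zip/jar data."""
    lowered = data.lower()
    found = [m.decode() for m in MARKERS if m in lowered]
    if found:
        hits[label] = found
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                if not info.is_dir():
                    scan_blob(archive.read(info), f"{label}/{info.filename}", hits, depth + 1)
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        pass  # corrupt, encrypted or unsupported archive: members stay unscanned

def scan_tree(root):
    """Scan every regular file under root; keys are paths relative to root."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as handle:
                scan_blob(handle.read(), os.path.relpath(path, root), hits)
    return hits

def build_sample(root):
    """Constructed sample tree: a JPEG-like file with an XMP statement and a zip."""
    xmp = b'xmpRights:WebStatement="http://creativecommons.org/licenses/by-nc-sa/2.0/"'
    with open(os.path.join(root, "test.jpg"), "wb") as handle:
        handle.write(b"\xff\xd8\xff\xe1" + xmp + b"\xff\xd9")
    with open(os.path.join(root, "clean.txt"), "wb") as handle:
        handle.write(b"nothing to see here\n")
    with zipfile.ZipFile(os.path.join(root, "profile.zip"), "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("ext/LICENSE.txt", "Licensed under CC-BY-NC-SA 2.0\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample_root:
        build_sample(sample_root)
        print(scan_tree(sample_root))
```

Hits inside an archive are reported as `archive/member`, the same path style as the `macwin.zip/...` locations given above.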
Marius Bakke wrote on 21 Feb 2019 08:51
877edtmvfb.fsf@fastmail.com
Jason Self <j@jxself.org> writes:
> Marius Bakke wrote:
>> not present in the Guix source.
>
> Please keep in mind I was discussing upstream Chromium in that piece.
> It's also not an exhaustive list.
I don't think upstream Chromium is relevant to this discussion.
>> I cannot find these images: grepping for CC-BY-NC-SA or 'Creative
>> Commons' did not aid.  Did you record the absolute paths to these
>> files?
>
> Of course - FOSSology records everything as it recursively unpacks and
> searches files, metadata of files, etc.
I was not aware of FOSSology, and admit that I have not checked file metadata. It would be great to have this tool in Guix!
None of the reported files are present in the Guix source. I believe they are all scrubbed by the Ungoogled binary pruning script.
I really appreciate your effort here, but please only use this bug tracker for problems that affect the Guix package. Thanks!
(name . Marius Bakke)(address . mbakke@fastmail.com)
20191012111417.bqw7xynqpcqtawgx@uptimegirl
Marius Bakke transcribed 1.2K bytes:
> Giovanni Biscuolo <g@xelera.eu> writes:
>
> > Hello,
> >
> > maybe Marius Bakke have something interesting to say about his
> > judgements on this "DRM matter"
>
> [...]
>
> > to sum it up: AFAIU for users to be able to use Widevine they must
> > create a custom package definition _outside_ official Guix channels
> > *and* download the shared object "libwidevinecdm.so" from Chromium,
> > installing it "manually" system wide or locally
>
> This analysis is correct. For DRM to work, the user has to build with
> "enable_widevine=true", and then somehow obtain 'libwidevinecdm.so' and
> make the browser use it.
Can this bug be closed?
The wording is very vague ("may") and for Guix to distribute widevine.so legally, you have to get permission and sign an NDA with Google, both of which are reportedly hard for 3rd party devs even, not sure how hard it is for new operating systems. Your stand on software with NDAs should be clear (as per policy not applicable, no NDAs).
So even if traces of the code to build this might still be left, you have to master additional steps to make it work, and after having read some of widevine.so I doubt it would work out of the box with Guix System (elfpatching could get it to work with Guix, but you are still entering the field where official distribution requires legal paperwork).
Marius Bakke wrote on 12 Oct 2019 13:32
Re: bug#34565: ungoogled-chromium may contain Widevine DRM
(name . ng0)(address . ng0@n0.is)
87lftq2o7v.fsf@devup.no
ng0 <ng0@n0.is> writes:
> Marius Bakke transcribed 1.2K bytes:
>> Giovanni Biscuolo <g@xelera.eu> writes:
>>
>> > Hello,
>> >
>> > maybe Marius Bakke have something interesting to say about his
>> > judgements on this "DRM matter"
>>
>> [...]
>>
>> > to sum it up: AFAIU for users to be able to use Widevine they must
>> > create a custom package definition _outside_ official Guix channels
>> > *and* download the shared object "libwidevinecdm.so" from Chromium,
>> > installing it "manually" system wide or locally
>>
>> This analysis is correct. For DRM to work, the user has to build with
>> "enable_widevine=true", and then somehow obtain 'libwidevinecdm.so' and
>> make the browser use it.
>
> Can this bug be closed?
Yes, I am closing this now; thanks for the reminder.
The actual Widevine implementation is not part of Chromium, and the interfaces for loading it are disabled at build time.
Closed

This issue is archived.

To comment on this conversation send email to 34565@debbugs.gnu.org