Re: What's a safe way to have extensions in chromium in Debian?

2017-04-11 Thread Enrico Weigelt, metux IT consult
On 11.04.2017 10:22, Andrey Rahmatullin wrote:
> On Tue, Apr 11, 2017 at 04:22:40AM +0200, Enrico Weigelt, metux IT consult 
> wrote:
 

>>>> could anyone please give me some insight, what the security problems
>>>> are here exactly ?
>>> Extension auto-updating is considered "phoning home".
>>
>> Isn't there a way to just disable part ?
> Disabling extension auto-updating is wrong from several perspectives,
> including the security one.

hmm, I'd actually feel better w/ manual update (on user request) for the
unpackaged ones (the packaged ones of course go via apt).


--mtx


-- 

mit freundlichen Grüßen
--
Enrico, Sohn von Wilfried, a.d.F. Weigelt,
metux IT consulting
+49-151-27565287



Re: What's a safe way to have extensions in chromium in Debian?

2017-04-11 Thread Andrey Rahmatullin
On Tue, Apr 11, 2017 at 04:22:40AM +0200, Enrico Weigelt, metux IT consult 
wrote:
> >> 
> >>
> >> could anyone please give me some insight, what the security problems
> >> are here exactly ?
> > Extension auto-updating is considered "phoning home".
> 
> Isn't there a way to just disable part ?
Disabling extension auto-updating is wrong from several perspectives,
including the security one.

-- 
WBR, wRAR




Re: What's a safe way to have extensions in chromium in Debian?

2017-04-10 Thread Enrico Weigelt, metux IT consult
On 09.04.2017 22:58, Andrey Rahmatullin wrote:
> On Sat, Apr 08, 2017 at 08:28:38AM +0200, Enrico Weigelt, metux IT consult 
> wrote:
>> 
>>
>> could anyone please give me some insight, what the security problems
>> are here exactly ?
> Extension auto-updating is considered "phoning home".

Isn't there a way to just disable part ?


--mtx



Re: What's a safe way to have extensions in chromium in Debian?

2017-04-09 Thread Michael Biebl
Am 10.04.2017 um 03:20 schrieb Sean Whitton:
> On Sun, Apr 09, 2017 at 11:53:54PM +0200, Martin Steigerwald wrote:
>> At least ublock origin is available as Debian package for Chromium (as well 
>> as
>> Firefox) meanwhile. But in experimental only. And it appears to be the only 
>> extension for Chromium packaged in Debian currently.
> 
> There are others: https://packages.debian.org/search?keywords=chromium

You mean one other: chromium-lwn4chrome

That's rather meager


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Re: What's a safe way to have extensions in chromium in Debian?

2017-04-09 Thread Sean Whitton
On Sun, Apr 09, 2017 at 11:53:54PM +0200, Martin Steigerwald wrote:
> At least ublock origin is available as Debian package for Chromium (as well as
> Firefox) meanwhile. But in experimental only. And it appears to be the only 
> extension for Chromium packaged in Debian currently.

There are others: https://packages.debian.org/search?keywords=chromium

-- 
Sean Whitton




Re: What's a safe way to have extensions in chromium in Debian?

2017-04-09 Thread Martin Steigerwald
Am Montag, 10. April 2017, 01:58:29 CEST schrieb Andrey Rahmatullin:
> On Sat, Apr 08, 2017 at 08:28:38AM +0200, Enrico Weigelt, metux IT consult 
wrote:
> > 
> > 
> > could anyone please give me some insight, what the security problems
> > are here exactly ?
> 
> Extension auto-updating is considered "phoning home".

At least ublock origin is available as Debian package for Chromium (as well as 
Firefox) meanwhile. But in experimental only. And it appears to be the only 
extension for Chromium packaged in Debian currently.

With Firefox I mostly try to stick with extensions packaged in Debian, but I 
do add some from addons.mozilla.org like Privacy Settings, Video 
Downloadhelper and CanvasBlocker.

Thanks,
-- 
Martin



Re: What's a safe way to have extensions in chromium in Debian?

2017-04-09 Thread Andrey Rahmatullin
On Sat, Apr 08, 2017 at 08:28:38AM +0200, Enrico Weigelt, metux IT consult 
wrote:
> 
> 
> could anyone please give me some insight, what the security problems
> are here exactly ?
Extension auto-updating is considered "phoning home".

-- 
WBR, wRAR




Re: What's a safe way to have extensions in chromium in Debian?

2017-04-08 Thread Enrico Weigelt, metux IT consult


could anyone please give me some insight, what the security problems
are here exactly ?

--mtx

-- 

mit freundlichen Grüßen
--
Enrico, Sohn von Wilfried, a.d.F. Weigelt,
metux IT consulting
+49-151-27565287



Re: Graphical package installers & debconf (was: What's a safe way to have extensions in chromium in Debian?)

2017-03-23 Thread Matthias Klumpp
2017-03-23 22:04 GMT+01:00 Sean Whitton:
> Hello Jeremy,
>
> On Thu, Mar 23, 2017 at 07:14:35AM -0400, Jeremy Bicha wrote:
>> It is also useless for someone who will install Chromium from the
>> Software app (gnome-software) included in 'gnome-core' since the
>> Software app does not display debconf prompts.
>
> Do you know if this is a missing feature or a deliberate choice?

This is likely a missing feature, since PackageKit does support
Debconf prompts and GNOME PackageKit does as well. Debconf stuff is
kind of hacked into it though (but given the architecture of Debconf
and PackageKit, there is no better way to do this).
So, I guess someone would need to implement proper Debconf support in
GNOME Software.

Cheers,
Matthias

-- 
Debian Developer | Freedesktop-Developer
I welcome VSRE emails. See http://vsre.info/



Graphical package installers & debconf (was: What's a safe way to have extensions in chromium in Debian?)

2017-03-23 Thread Sean Whitton
Hello Jeremy,

On Thu, Mar 23, 2017 at 07:14:35AM -0400, Jeremy Bicha wrote:
> It is also useless for someone who will install Chromium from the
> Software app (gnome-software) included in 'gnome-core' since the
> Software app does not display debconf prompts.

Do you know if this is a missing feature or a deliberate choice?

-- 
Sean Whitton




Re: What's a safe way to have extensions in chromium in Debian?

2017-03-23 Thread Sebastian Reichel
Hi,

On Thu, Mar 23, 2017 at 12:03:00PM +0100, Martin Bagge / brother wrote:
> On 2017-03-23 07:50, Sebastian Reichel wrote:
> > I wonder if we could just add a boolean debconf question for this.
> > It could setup /etc/chromium.d/remote-extensions based on the answer
> > and provide some (dis)advantages info for selecting either option.
> 
> Probably hard to do that without violating the importancy level of a
> debconf message.
> 
> "Copyright messages do not count as vitally important (they belong in
> /usr/share/doc/package/copyright); neither do instructions on how to use
> a program (these should be in on-line documentation, where all the users
> can see them)."
>  - 3.9.1 in policy

My proposal is not an instruction how to use the program, but an
option changing the usability VS security aspect of the program.
The information is just there, so that the user knows what his choice
implies.

I wasn't aware, that the graphical software installation solutions
do not ask debconf questions, though.

-- Sebastian




Re: What's a safe way to have extensions in chromium in Debian?

2017-03-23 Thread Jeremy Bicha
On Thu, Mar 23, 2017 at 7:03 AM, Martin Bagge / brother
 wrote:
> Probably hard to do that without violating the importancy level of a
> debconf message.

It is also useless for someone who will install Chromium from the
Software app (gnome-software) included in 'gnome-core' since the
Software app does not display debconf prompts.

Jeremy Bicha



Re: What's a safe way to have extensions in chromium in Debian?

2017-03-23 Thread Martin Bagge / brother
On 2017-03-23 07:50, Sebastian Reichel wrote:
> I wonder if we could just add a boolean debconf question for this.
> It could setup /etc/chromium.d/remote-extensions based on the answer
> and provide some (dis)advantages info for selecting either option.

Probably hard to do that without violating the importancy level of a
debconf message.

"Copyright messages do not count as vitally important (they belong in
/usr/share/doc/package/copyright); neither do instructions on how to use
a program (these should be in on-line documentation, where all the users
can see them)."
 - 3.9.1 in policy


-- 
brother
http://sis.bthstudent.se



Re: What's a safe way to have extensions in chromium in Debian?

2017-03-23 Thread Enrico Zini
On Thu, Mar 23, 2017 at 10:20:00AM +0500, Andrey Rahmatullin wrote:
> On Wed, Mar 22, 2017 at 09:51:12PM +0100, Jeroen Dekkers wrote:
> > If we already know this is going to be a major issue, why aren't we
> > doing the sensible thing and enable extensions by default
> The story of extensions in Debian Chromium is a strange and sad one.
> See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856183
> I cannot list all previous bugs included in that story, I think you can
> find them in the changelog.

Thanks, I've added a link to that bug page to
https://wiki.debian.org/Chromium so that it now contains some
information also on why they are disabled.


Enrico

-- 
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini 




Re: What's a safe way to have extensions in chromium in Debian?

2017-03-23 Thread Sebastian Reichel
Hi,

On Wed, Mar 22, 2017 at 12:03:02PM +0100, Enrico Zini wrote:
> now we have extensions disabled in Chromium by default. If I did my
> homework correctly, that prevents Chromium from phoning home by
> default, and prevents a previous scenario where extensions could be
> installed but not upgraded, becoming security issues over time.
> 
> Now, suppose I need an extension, what is the proper way to have it in
> Debian, so that it gets upgraded when needed? With that proper way, what
> amount of phoning home is going to happen?
> 
> Since this looks like it's going to be a major issue with stretch, can I
> have some authoritative wiki page / FAQ entry that tells me how I can
> deal with it cleanly, and that I can easily send to confused people?

I wonder if we could just add a boolean debconf question for this.
It could setup /etc/chromium.d/remote-extensions based on the answer
and provide some (dis)advantages info for selecting either option.

-- Sebastian




Re: What's a safe way to have extensions in chromium in Debian?

2017-03-22 Thread Sean Whitton
On Wed, Mar 22, 2017 at 10:48:28PM -0400, James McCoy wrote:
> #858526 has an attempt to produce a binary package for Chromium.  I've
> never touched browser extensions before, so extra eyes would be nice,
> but it seems to work.

Certainly well enough to be uploaded to experimental -- it's in NEW.
Thank you very much for the patch!

-- 
Sean Whitton




Re: What's a safe way to have extensions in chromium in Debian?

2017-03-22 Thread Andrey Rahmatullin
On Wed, Mar 22, 2017 at 09:51:12PM +0100, Jeroen Dekkers wrote:
> If we already know this is going to be a major issue, why aren't we
> doing the sensible thing and enable extensions by default
The story of extensions in Debian Chromium is a strange and sad one.
See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856183
I cannot list all previous bugs included in that story, I think you can
find them in the changelog.

-- 
WBR, wRAR




Re: What's a safe way to have extensions in chromium in Debian?

2017-03-22 Thread James McCoy
On Wed, Mar 22, 2017 at 01:58:20PM -0700, Sean Whitton wrote:
> On Wed, Mar 22, 2017 at 08:16:14PM +0200, Jonathan Carter (highvoltage) wrote:
> > I'm taking a look at https://github.com/gorhill/uBlock since it's gpl-3
> > and has proper releases (I would expect that a lot of chromium
> > extensions are a licensing nightmare).
> 
> Note that this source package is already in Debian (ublock-origin) so we
> would want to add a binary package installing the Chromium extension, if
> there's a sensible way of doing that.

#858526 has an attempt to produce a binary package for Chromium.  I've
never touched browser extensions before, so extra eyes would be nice,
but it seems to work.

Cheers,
-- 
James
GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7  2D23 DFE6 91AE 331B A3DB



Re: What's a safe way to have extensions in chromium in Debian?

2017-03-22 Thread Jeroen Dekkers
At Wed, 22 Mar 2017 12:03:02 +0100,
Enrico Zini wrote:
> now we have extensions disabled in Chromium by default. If I did my
> homework correctly, that prevents Chromium from phoning home by
> default, and prevents a previous scenario where extensions could be
> installed but not upgraded, becoming security issues over time.
> 
> Now, suppose I need an extension, what is the proper way to have it in
> Debian, so that it gets upgraded when needed? With that proper way, what
> amount of phoning home is going to happen?
> 
> Since this looks like it's going to be a major issue with stretch, can I
> have some authoritative wiki page / FAQ entry that tells me how I can
> deal with it cleanly, and that I can easily send to confused people?

If we already know this is going to be a major issue, why aren't we
doing the sensible thing and enable extensions by default instead of
disabling it and then having to explain again and again how to enable
it because the majority of our users will at least want to use an
adblocker?

And browsing the web without any extensions is probably a way bigger
privacy invasion than the phoning home the extension system does, so
disabling it by default seems to be just privacy theater to me.
(I.e. it's an inconvenient measure that gives a feeling that Debian
does something for privacy but in practice doesn't really do much to
achieve that, similar to security theater)


Kind regards,

Jeroen Dekkers



Re: What's a safe way to have extensions in chromium in Debian?

2017-03-22 Thread Sean Whitton
On Wed, Mar 22, 2017 at 08:16:14PM +0200, Jonathan Carter (highvoltage) wrote:
> I'm taking a look at https://github.com/gorhill/uBlock since it's gpl-3
> and has proper releases (I would expect that a lot of chromium
> extensions are a licensing nightmare).

Note that this source package is already in Debian (ublock-origin) so we
would want to add a binary package installing the Chromium extension, if
there's a sensible way of doing that.

-- 
Sean Whitton




Re: What's a safe way to have extensions in chromium in Debian?

2017-03-22 Thread Enrico Zini
On Wed, Mar 22, 2017 at 11:41:16PM +0500, Andrey Rahmatullin wrote:

> On Wed, Mar 22, 2017 at 08:16:14PM +0200, Jonathan Carter (highvoltage) wrote:
> > so what's going to be the best way to make these
> > available to Debian stable users?
> https://wiki.debian.org/Chromium#Extensions

Thanks, that tells me the proper way to re-enable extensions, and I
think it's valuable given that on the internet people describe all sorts
of dirty ways to reenable them.

On top of that, I'd like to have some more context for what's going on,
what I lose, what I gain. Like:

What is the amount of phoning home that I get if I enable that?

If I enable extensions that way, do they get updated as new versions
come out, or do I open a security nightmare of extensions making my
browser more and more vulnerable as they age?

(I noticed that I can manually trigger an update in
"chrome://extensions/", enable Developer Mode, click on "Update
extensions now")


Enrico

-- 
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini 




Re: What's a safe way to have extensions in chromium in Debian?

2017-03-22 Thread Andrey Rahmatullin
On Wed, Mar 22, 2017 at 08:16:14PM +0200, Jonathan Carter (highvoltage) wrote:
> so what's going to be the best way to make these
> available to Debian stable users?
https://wiki.debian.org/Chromium#Extensions

-- 
WBR, wRAR




Re: What's a safe way to have extensions in chromium in Debian?

2017-03-22 Thread Jonathan Carter (highvoltage)

Hey Enrico

On 22/03/2017 13:03, Enrico Zini wrote:
> Now, suppose I need an extension, what is the proper way to have it in
> Debian, so that it gets upgraded when needed? With that proper way, what
> amount of phoning home is going to happen?

Seems like it's at least possible to install system-wide plugins:

https://developer.chrome.com/extensions/external_extensions#preferences

Those instructions cover chrome but seems easily adaptable to chromium.

The problem with any ad blocker is that it needs up to date block lists
and related data which is usually stored upstream and opens up a door
for phoning back home.

I'm taking a look at https://github.com/gorhill/uBlock since it's gpl-3
and has proper releases (I would expect that a lot of chromium
extensions are a licensing nightmare).

You mention that this is going to be a huge deal for stretch users, and
I agree with you, but we're deep into freeze so these won't be able to
go into stretch, so what's going to be the best way to make these
available to Debian stable users?

- -Jonathan
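
Added example, not part of the thread: a small audit of the external-extension preferences files described at the link in the message above, reporting for each file whether it points at a remote update URL (update traffic, automatic updates) or at a pinned local CRX (no traffic, changed only when the file is replaced). The key names follow that Chrome documentation; the directory to scan is passed in as a parameter, and the sample IDs, URL and files are constructed.

```python
import json
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Extension IDs are 32 characters drawn from the letters a-p.
EXT_ID = re.compile(r"^[a-p]{32}$")


def classify(pref_path):
    """Classify one <extension-id>.json external-extension preferences file."""
    pref_path = Path(pref_path)
    entry = {"id": pref_path.stem, "source": "invalid", "detail": ""}
    if not EXT_ID.match(pref_path.stem):
        entry["detail"] = "file name is not an extension ID"
        return entry
    try:
        pref = json.loads(pref_path.read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:
        entry["detail"] = f"unreadable: {exc.__class__.__name__}"
        return entry
    if not isinstance(pref, dict):
        entry["detail"] = "top level is not a JSON object"
    elif "external_update_url" in pref:
        # Browser installs and later updates from this URL: network traffic.
        host = urlparse(str(pref["external_update_url"])).hostname
        entry.update(source="remote", detail=host or "no host in URL")
    elif "external_crx" in pref and "external_version" in pref:
        # Pinned to a file on disk: no update traffic, but the extension only
        # changes when whoever ships the file (e.g. a package) replaces it.
        state = "present" if Path(str(pref["external_crx"])).is_file() else "missing"
        entry.update(source="local", detail=f"{pref['external_version']} ({state})")
    else:
        entry["detail"] = "needs external_update_url or external_crx+external_version"
    return entry


def audit(directory):
    """Return classifications for every *.json file in directory, sorted by ID."""
    return sorted((classify(p) for p in Path(directory).glob("*.json")),
                  key=lambda e: e["id"])


def demo():
    """Run the audit over constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        crx = tmp / "sample.crx"
        crx.write_bytes(b"constructed placeholder, not a real CRX")
        samples = {
            "a" * 32: {"external_update_url": "https://updates.example.invalid/crx"},
            "b" * 32: {"external_crx": str(crx), "external_version": "1.0"},
            "c" * 32: {"external_version": "1.0"},  # incomplete on purpose
        }
        for ext_id, pref in samples.items():
            (tmp / f"{ext_id}.json").write_text(json.dumps(pref), encoding="utf-8")
        (tmp / "notes.json").write_text("{}", encoding="utf-8")  # not an ID
        return audit(tmp)
```
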



Re: What's a safe way to have extensions in chromium in Debian?

2017-03-22 Thread Arturo Borrero Gonzalez
On 22 March 2017 at 12:03, Enrico Zini wrote:
> Hi,
>
> now we have extensions disabled in Chromium by default. If I did my
> homework correctly, that prevents Chromium from phoning home by
> default, and prevents a previous scenario where extensions could be
> installed but not upgraded, becoming security issues over time.
>
> Now, suppose I need an extension, what is the proper way to have it in
> Debian, so that it gets upgraded when needed? With that proper way, what
> amount of phoning home is going to happen?
>
> Since this looks like it's going to be a major issue with stretch, can I
> have some authoritative wiki page / FAQ entry that tells me how I can
> deal with it cleanly, and that I can easily send to confused people?
>

There are some really important extensions, like adblock and privacy
badger by the EFF [0].

The lack of them is really annoying.

[0] https://www.eff.org/privacybadger



What's a safe way to have extensions in chromium in Debian?

2017-03-22 Thread Enrico Zini
Hi,

now we have extensions disabled in Chromium by default. If I did my
homework correctly, that prevents Chromium from phoning home by
default, and prevents a previous scenario where extensions could be
installed but not upgraded, becoming security issues over time.

Now, suppose I need an extension, what is the proper way to have it in
Debian, so that it gets upgraded when needed? With that proper way, what
amount of phoning home is going to happen?

Since this looks like it's going to be a major issue with stretch, can I
have some authoritative wiki page / FAQ entry that tells me how I can
deal with it cleanly, and that I can easily send to confused people?


Enrico

-- 
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini 

