Re: [GNU-linux-libre] DSFG in perpetuity

[Isaac David]

I was about to say that, although worrisome, spyware capabilities
have no impact in determining whether a piece of software belongs
in a FSDG distro or not. Good thing I double-checked with the
guidelines, because they actually do.

Luke wrote :

[A]s of the date of the e-mail there
was still some freedom issues and plenty of links to Google.com which
could still be stripped out.

List of good patches:
https://github.com/Eloston/ungoogled-chromium/tree/master/resources/patches

Compare to QTWebengine's (outdated) Chromium:
https://github.com/qt/qtwebengine-chromium


This doesn't tell us much unfortunately.


- Debian freedom patches not applied, e.g. files missing licenses:
https://github.com/Eloston/ungoogled-chromium/blob/077e441e6654e4658de37c9d665e58f61b262961/resources/packaging/debian/buster/source/lintian-overrides
https://github.com/qt/qtwebengine-chromium/blob/b45f07bfbe74c333f1017810c2409e1aa6077a1b/chromium/tools/trace/trace_data.js


What does that mean exactly? If I were to guess, lintian incorrectly
confused trace_data.js for a blob, and ungoogled-chromium is reversing
that overstep.


- There may still be connections made to Google API.
https://github.com/qt/qtwebengine-chromium/search?p=2&q=%22www.googleapis.com%22&type=&utf8=%E2%9C%93

I'm just
not convinced they completely resolved it in their fork. So far
ungoogled-chromium is the only project I've compiled and ran with
Wireshark that did not have random connections to Google.com while the
browser is idling.


By *the only project* do you mean you also tested with Qt
Webengine-based programs? Conclusions about Chromium need
not apply to Qt Webengine.

--
Isaac David
GPG: 38D33EF29A7691134357648733466E12EC7BA943
Ring: c8ba5620e080bef9470efb314c257304ff9480f5
Tox: 
0C730E0156E96E6193A1445D413557FF5F277BA969A4EA20AC9352889D3B390E77651E816F0C

Re: [GNU-linux-libre] DSFG in perpetuity

[Luke Shumaker]

On Tue, 03 Apr 2018 16:40:09 -0400,
Isaac David wrote:
> > - Debian freedom patches not applied, e.g. files missing licenses:
> > https://github.com/Eloston/ungoogled-chromium/blob/077e441e6654e4658de37c9d665e58f61b262961/resources/packaging/debian/buster/source/lintian-overrides
> > https://github.com/qt/qtwebengine-chromium/blob/b45f07bfbe74c333f1017810c2409e1aa6077a1b/chromium/tools/trace/trace_data.js
> 
> What does that mean exactly? If I were to guess, lintian incorrectly
> confused trace_data.js for a blob, and ungoogled-chromium is reversing
> that overstep.

IDK about the trace_data bits, but the jsmin license bits look like
real freedom issue:

# temporarily allowing (need to fix path in Files-Excluded)
license-problem-json-evil 
third_party/trace-viewer/tracing/third_party/tvcm/third_party/rjsmin/bench/jsmin.c
license-problem-json-evil 
third_party/trace-viewer/tracing/third_party/tvcm/third_party/rjsmin/bench/jsmin.py

That said, it seems that that code was purged from upstream Chromium
in 2009 / v1.3.14 (based on the ChangeLog)?

So... why is it coming up?

-- 
Happy hacking, 
~ Luke Shumaker

Re: [GNU-linux-libre] DSFG in perpetuity

[Luke]

On 04/03/2018 04:40 PM, Isaac David wrote:
> I was about to say that, although worrisome, spyware capabilities
> have no impact in determining whether a piece of software belongs
> in a FSDG distro or not. Good thing I double-checked with the
> guidelines, because they actually do.
Yes, per: "The distro must contain no DRM, no back doors, and no spyware."
https://www.gnu.org/distros/free-system-distribution-guidelines.html
>
> Luke wrote :
>> [A]s of the date of the e-mail there
>> was still some freedom issues and plenty of links to Google.com which
>> could still be stripped out.
>>
>> List of good patches:
>> https://github.com/Eloston/ungoogled-chromium/tree/master/resources/patches
>>
>>
>> Compare to QTWebengine's (outdated) Chromium:
>> https://github.com/qt/qtwebengine-chromium
>
> This doesn't tell us much unfortunately.

The patches mention various places where Google API and pre-compiled
binaries are being removed, obviously QT is 4 years behind the latest
patches which makes it more difficult to do a 1:1 comparison.
I would say many of the issues are resolved due to their scrubbing.

>
>> - Debian freedom patches not applied, e.g. files missing licenses:
>> https://github.com/Eloston/ungoogled-chromium/blob/077e441e6654e4658de37c9d665e58f61b262961/resources/packaging/debian/buster/source/lintian-overrides
>>
>> https://github.com/qt/qtwebengine-chromium/blob/b45f07bfbe74c333f1017810c2409e1aa6077a1b/chromium/tools/trace/trace_data.js
>>
>
> What does that mean exactly? If I were to guess, lintian incorrectly
> confused trace_data.js for a blob, and ungoogled-chromium is reversing
> that overstep.

Yes, it was presumed to be a blob by Debian (and it is currently missing
license header)

>
>> - There may still be connections made to Google API.
>> https://github.com/qt/qtwebengine-chromium/search?p=2&q=%22www.googleapis.com%22&type=&utf8=%E2%9C%93
>>
>>
>> I'm just
>> not convinced they completely resolved it in their fork. So far
>> ungoogled-chromium is the only project I've compiled and ran with
>> Wireshark that did not have random connections to Google.com while the
>> browser is idling.
>
> By *the only project* do you mean you also tested with Qt
> Webengine-based programs? Conclusions about Chromium need
> not apply to Qt Webengine.
>
Of the projects I've tested: Ungoogled-chromium - no google connections
found presently, Inox - Leaks google account data on settings page
(fixed in recent commit)
I have not used QTWebengine in over a year and never ran a leak test. -
If someone has the time to do this and verify there are no freedom
issues, they can be removed from the conclusion as you mentioned.

Re: [GNU-linux-libre] DSFG in perpetuity

[Luke]

On 04/03/2018 05:32 PM, Luke Shumaker wrote:
> On Tue, 03 Apr 2018 16:40:09 -0400,
> Isaac David wrote:
>>> - Debian freedom patches not applied, e.g. files missing licenses:
>>> https://github.com/Eloston/ungoogled-chromium/blob/077e441e6654e4658de37c9d665e58f61b262961/resources/packaging/debian/buster/source/lintian-overrides
>>> https://github.com/qt/qtwebengine-chromium/blob/b45f07bfbe74c333f1017810c2409e1aa6077a1b/chromium/tools/trace/trace_data.js
>> What does that mean exactly? If I were to guess, lintian incorrectly
>> confused trace_data.js for a blob, and ungoogled-chromium is reversing
>> that overstep.
> IDK about the trace_data bits, but the jsmin license bits look like
> real freedom issue:
>
>   # temporarily allowing (need to fix path in Files-Excluded)
>   license-problem-json-evil 
> third_party/trace-viewer/tracing/third_party/tvcm/third_party/rjsmin/bench/jsmin.c
>   license-problem-json-evil 
> third_party/trace-viewer/tracing/third_party/tvcm/third_party/rjsmin/bench/jsmin.py
>
> That said, it seems that that code was purged from upstream Chromium
> in 2009 / v1.3.14 (based on the ChangeLog)?
>
> So... why is it coming up?
>
That file appears to have been removed on the most recent upstream sync,
as you said, so no longer an issue.
https://github.com/qt/qtwebengine-chromium/search?utf8=%E2%9C%93&q=tvcm&type=