[bug#28004] Chromium

guix-patches

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug#28004] Chromium

From:	Ludovic Courtès
Subject:	[bug#28004] Chromium
Date:	Fri, 13 Oct 2017 08:51:13 +0200
User-agent:	Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)

Heya,

Leo Famulari <address@hidden> skribis:

> On Wed, Oct 11, 2017 at 09:52:46PM +0200, Ludovic Courtès wrote:
>> ng0 <address@hidden> skribis:
>> > could this patch be merged into master now?
>> 
>> Probably (I think at the time Marius submitted it the ‘ld’ wrapper
>> enhancements were not in ‘master’ yet.)
>> 
>> For the security aspect though, given that it’s a fairly critical
>> component, I’d like to have Leo’s opinion.  Thoughts?
>
> Any questions in particular?

Not really, I was wondering about the Marius’ warning as to the
difficulty of keeping it up-to-date.

> For me, the primary question is maintenance.
>
> As Marius pointed out when sending the patch, major version upgrades may
> be difficult, and timely delivery of security updates cannot be
> guaranteed. But these caveats apply to every package. [0] They aren't a
> reason to exclude Chromium from Guix.

Right.  A browser is particularly sensitive though.

> Now, if we add the Chromium package and then let if fall behind for
> weeks or months, that will be a problem, and we will need to remove it.
> It's relatively easy to remove packages of end-user applications, since
> it's rare that other packages depend on them.
>
> As always, I'm willing to help with security updates as much as my
> volunteer schedule allows.
>
> The other issue will be bugs caused by the use of non-bundled libraries.
> Presumably, important bugs are fixed in the bundled libraries before
> they are released by the upstream library (if ever). But again, this is
> an issue with all of our packages. We will address these issues when we
> find them.

Yeah.

> There was a new release last month, 61.0.3163. I'd like to try updating
> to it this weekend if I have the disk (does anyone know how much is
> required) and computing power. Then we can push :)

Sounds like a plan!

> [0] Users who really need to rely on the security of Chromium or Chrome
> should use the "official" installation from the Chromium or Google
> teams, and turn on auto-updates. Every update can be expected to fix
> critical bugs.

I get your point, but OTOH getting binaries from Google is not something
I feel like recommending.  :-)

I think we should make sure that our package does not call home in any
way.  That’s what I expect from a security- and privacy-conscious
distro.

WDYT?

Thanks for your feedback!

Ludo’.

[Prev in Thread]

Current Thread

[Next in Thread]

[bug#28004] Chromium, ng0, 2017/10/10
- [bug#28004] Chromium, Ludovic Courtès, 2017/10/11
  - [bug#28004] Chromium, Leo Famulari, 2017/10/12
    - [bug#28004] Chromium, ng0, 2017/10/12
    - [bug#28004] Chromium, Ludovic Courtès <=
    - [bug#28004] Chromium, Marius Bakke, 2017/10/18
    - [bug#28004] Chromium, ng0, 2017/10/19
    - [bug#28004] Chromium, Marius Bakke, 2017/10/24

Prev by Date: [bug#28594] nototools (required for building Noto from source)
Next by Date: [bug#28594] nototools (required for building Noto from source)
Previous by thread: [bug#28004] Chromium
Next by thread: [bug#28004] Chromium
Index(es):
- Date
- Thread