My thoughts on Slackware, life and everything

Tag: widevine (Page 1 of 5)

Chromium security updates (and fix for 32-bit crash)

I have updated the ‘chromium‘, ‘chromium-ungoogled‘ and ‘chromium-widevine-plugin‘ packages in my repository.

For Chromium (-ungoogled) these are security updates. The new 89.0.4389.90 release addresses several critical vulnerabilities (it’s the third release in the 89 series in rapid succession actually, to fix critical bugs) but in particular it plugs a zero-day exploit that exists in the wild: CVE-2021-21193. You are urged to update your installation of Chromium (-ungoogled) ASAP.

I made chromium-ungoogled also available for Slackware 14.2, I hope that makes some people happy.

Since I had to build packages anyway, I took the opportunity to apply a patch that fixes the crashes on 32-bit systems with glibc-2.33 installed (i.e. on Slackware-current).
In that same chromium-distro-packagers group that is the home of the discussion about Google’s decision to cripple 3rd-party Chromium browsers, I had asked the Chromium team to address the crash Slackware users are experiencing. Google is no longer offering 32-bit binaries, which means issues like these are not likely to be caught in their own tests, but they are listening to the packagers who do build 32-bit binaries. Luckily. And the fix took a while to actually get implemented, but in the end it all worked out. I assume that the patch will end up in the Chromium source code after it passes the internal review process.

The Widevine plugin package for which I provided an update, is meant for chromium-ungoogled only. The ‘real’ Chromium does not need or use it, since Chromium downloads this CDM library automatically for you. The change to the package is small: it adds a compatibility symlink. That is not needed for chromium-ungoogled itself, but I was alerted to the fact that Spotify specifically looks for ‘libwidevinecdm.so’ in the toplevel Chromium library directory. The update takes care of that.

Also, this was the last package which I compiled for Chromium that contains my Google API Key as well as the OAuth client/secret credentials. I noticed that Chromium still works as before, even now after the 15 March deadline has passed, but future builds of my package will only contain my API key. That will leave the Safe Browsing functional, but it removes the Chrome Sync and other features. If you still want Chrome Sync to work with Chromium, I just want to point you to “/etc/chromium/01-apikeys.conf” in my future packages and get inspired by its content.

Have fun!
Eric

How to ‘un-google’ your Chromium browser experience

… Aka the future of Chromium based (embedded) browsers


On March 15th 2021, Google is going to block non-Google chromium-based browsers from accessing certain “private Google Chrome web services” by unilaterally revoking agreements made with 3rd parties in the past.
Meaning, every Chromium based product not officially distributed by Google will be limited to the use of only a few public Google Chrome web services.
The most important service that remains open is “safe browsing”. The safe browsing feature identifies unsafe websites across the Internet and notifies browser users about the potential harm such websites can cause.

The most prominent feature which will be blocked after March 15th is the “Chrome Sync”. This Chrome Sync capability in Chromium based browsers allows you to login to Google’s Sync cloud servers and save your passwords, browsing history and bookmarks/favorites to your personal encrypted cloud vault inside Google’s infrastructure.
Extremely convenient for people who access the Internet using multiple devices (like me: Chrome on a few Windows desktops, Chromium on several Slackware desktops and laptop and Chrome Mobile on my Android smartphone) and who want a unified user experience in Chrome/chromium across all these platforms.
In order to boost the development of Chromium-based (embedded) browser products, Google made deals with 3rd parties as far back as 2013 (from what I could find) and spiced the API keys of these 3rd parties with access to crucial Google Webservices providing features that would draw users to these products.
If you offer a product that calls upon Google’s Web Services there is a monetary cost involved once the number of your users’ connections exceeds the monthly upper limit for free usage. So on top of providing us access to these Google APIs (in the case of Open Source Distro Chromium packagers) the Chromium team also substantially increased the non-billed monthly API consumption by the users of our distros’ Chromium browsers. This helped to prevent us poor distro packagers from being billed for Cloud API usage in case our browser packages gained popularity.
And then, early 2021, some Google white-collar people decided they had enough of these freeloaders.

When Google dropped the bomb on us – on the distro packagers in particular – a fierce discussion started in two Google Groups (posts in one group are mostly duplicated into the other group): Chromium Packagers and Chromium Embedders. It’s like talking to corporate drones – every question we asked is replied to with the same bogus standard texts. Arrogance to the max!
Even more poignant is a parallel discussion in Chromium Embedders, where some large electronics manufacturers discovered that some of their commercial products are similarly affected. Consumer Electronic products that ship with browser-based embedded applications like Smart TV’s often use CEF (Chromium Embedded Framework) and Google will block access for CEF products to their “private” Chrome APIs just like it’s going to do with distro browsers – they are all based on the same Chromium source code and are all non-Google products.

If you wonder what happened to the Google motto “Don’t be Evil” – in 2018 that phrase was removed from the employee Code of Conduct. And indeed, looking at the discussions in aforementioned topics the top brass feels completely ‘senang‘ throwing us distro packagers under the bus while at the same time chastising us because apparently we do not adhere to their Code of Conduct.

Enough of all the bullshit – let’s look into the future. What can we do as Linux users, and what will I do as a distro packager.

Let me be clear: I do not want to take choices away from you. You can keep using Chromium, you can switch to Chrome, you can investigate whether Vivaldi or Brave (two chromium-based browsers with their own Google-free implementation of cloud sync) are better options for you.
I will however have to deal with the fact that I can no longer build a Chromium package that offers a synchronization of your private browser data out of the box. So what I will discuss in the remainder of this article are possibilities.

Chromium packages for Slackware are here to stay

… but I will remove my personal Google ID and corresponding secret from my chromium package. They will have been invalidated anyway on March 15 and are therefore useless. What I will leave in, is my “Slackware Chromium API Key” which keeps the “safe browsing” functionality alive if you use my browser.

I want to state here that from now on, I also explicitly forbid others / distros to re-use and re-package my binaries in order to make them part of their own Linux Distribution: thinking of Slacko Puppy, Porteus, Slint and others. If needed I will use “cease & desist” messages if people refuse to comply. I am not going to pay Google for the use of my binaries in distros that I do not control. The use of my API key is automatic if you run my Chromium binaries, and it involves a monthly cost if Google’s Cloud APIs get called too much. I already had to negotiate several times with the Chromium people to avoid getting billed when their policies changed. So get your own API key and compile your own version of the browser please.
You can request your own APIkey/ID/string in case you did not realize that! You’ll get capped access to Google API services, good for a single person but still without access to Cloud Sync. If you introduce yourself to the Chromium team as a distro packager, they may help you with increasing your browser’s un-billed API usage.

There’s a public discussion in the Google Group threads that I referred to above, about your personal use of the official Google API keys. This could offer a way out of the blockade and would allow you to keep using Chrome Sync in a Chromium browser even after the distro packagers’ API keys have been invalidated. These official Chrome API key/ID/secret strings are contained as clear-text strings in the public chromium source code for a long time already!
While I am not going to advocate that you should do this, it is up to you (the individual end user of a Chromium-based browser) to find those strings online and apply them to your browser’s startup environment.

Let me explain a bit. When I compile Chromium, my personal API key and Google client-ID are being embedded in the resulting browser binary, and that’s why everything works so nicely out of the box. In future I will not be embedding my client-ID anymore, but my API key for the browser will remain. That is how Safe Browsing will still work (it’s associated to the API key) but Chrome Sync will stop working (because that’s associated with the Client-ID).
The good news is that Chromium browsers will check the environment when they start up, and look for specific variables that contain a custom API key and client-ID. My chromium package is built in such a way that it is easy to add such customization, by creating a “.conf” file in directory “/etc/chromium/”.
In the Slackware package for Chromium, you will find an example of how to apply such an APIkey/ID/secret combo. Just look at the file “/etc/chromium/01-apikeys.conf.sample”. If you remove the “.sample” suffix this file will then define three environment variables on startup of Chromium that tell the browser to use a specific service configuration.
And you can also copy the Google Chrome key/id/secret into that file and then it’s as if you are using a Chrome browser when talking to Google’s cloud services.

An ‘un-googled’ browser experience

The above API blocking scenario is a “win/lose” scenario as far as I am concerned. For Google it is a “win”: they still get to collect the data related to your online activities which they can monetize. And you “lose” because in return Google won’t allow you to use their cloud sync service any longer. That is not acceptable. And it led to a bit of research into the possibilities of turning this fiasco into a “win” for the user.
Turns out that there is actually an existing online project: “ungoogled-chromium – a lightweight approach to removing Google web service dependency“.
High-over: the “un-googled chromium” project offers a set of patches that can be applied to the Chromium source code. These patches remove any occurrence of Google Web Service URLs from the source code which means that the resulting browser binaries are incapable of sending your private data into Google datacenters. Additionally these patches bring privacy enhancements borrowed from other Chromium derivatives like the Inox patchset, Debian’s Chromium, Iridium browser and Bromite.
Not just a “win” for the user but a “lose” for Google. They basically brought this down on themselves.

My conclusion was that a removal of Google associations from Chromium and at the same time improving its privacy controls is what I must be focusing on in future Chromium packages.

During my research I did look at existing alternative Chromium browser implementations. They all have their own merits I guess. I do not like to switch to Vivaldi since I think its development process is hazy i.e. not public. Only its complete release tarballs are downloadable. Or Brave – its sources are not available at all and it tries to enforce an awards system where you are encouraged to view ads – I mean, WTF? If I wanted to run a browser compiled by another party that tries to use me for their own gain, I could just stick with the official Chrome and be happy. But that is not my goal.

What I did instead was to enhance my chromium.SlackBuild script with a single environment variable “USE_UNGOOGLED” plus some shell scripting which is executed when that variable is set to ‘true’ (i.e. the value “1”). The result of running “USE_UNGOOGLED=1 ./chromium.SlackBuild” is a package that contains an “un-googled” Chromium browser that has no connection at all to Google services.
I make that package available separately at https://slackware.nl/people/alien/slackbuilds/chromium-ungoogled/

Be warned: using un-Googled Chromium needs some getting used to, but no worries: I will guide you through the initial hurdles in this article. Continue reading! And especially read the ungoogled-chromium FAQ.

The first time you start my chromium-ungoogled it will create a profile directory “~/.config/chromium-ungoogled” which means you can use regular Chromium and the un-googled chromium in parallel, they will not pollute or affect each other’s profiles.

You’ll notice as well that the default start page points to the Chrome Web Store but the link actually does not work. That’s unfortunate but I decided not to look into changing the default start page (for now). Patch welcome.

Which leads to the first question also answered in the above FAQ: how to install Chrome extensions if the Chrome Web Store is inaccessible?
The answer allowing direct installations from the Web Store afterwards is to download and install the chromium-web-store extension (Chrome extensions are packed in files with .crx suffix). You have to do this manually but the instructions for these manual installation steps are clear. Then, any subsequent extensions are a lot easier to install.

Another quirk you may have questions about is the fact that un-Googled Chromium seems to forget your website login credentials all the time. Actually this is done on purpose. FAQ #1 answers this: Look under chrome://settings/content/cookies and search for “Clear cookies and site data when you quit Chromium“. Disable this setting to prevent the above behavior.

Watching Netflix, Hulu or Disney+ content will not work out of the box, you’ll have to install the Widevine CDM library yourself. If you have been a Slackware user for a while, you may recall that I used to provide chromium-widevine-plugin packages, until the capability to download that plugin all by itself was added to Chromium source code by Google. Well… the un-Googled Chromium removed that capability again but I have updated my package repository with a version of the widevine-plugin that works with the un-Googled browser.

Safe browsing is not available in un-Googled Chromium, since that too is a service provided by Google. Recommended alternatives are uBlock Origin or uMatrix.

Sync your browser data to an online service which is under your own – not Google’s – control

Now that we said good-bye to Google Cloud Sync, can we still sync our passwords, bookmarks and browsing history to a remote server and access these data from multiple browsers? Yes we can!
Even better, we can sync that data to a place that is under our own control. Multiple computers using the same synchronized data will give you the same experience as your prior usage of Google Cloud Sync. This will then also not be limited to Chromium based browsers – Mozilla based browsers are able to access the same centrally stored data. Win!

The question is then: how to implement it? Is this something you can do without being an IT person or a Slackware Guru?
I will show you that the answer is “yes”, in a follow-up article dealing with keepassxc and xbrowsersync.

Have fun! Eric

Chromium 84 packages available for Slackware

It took a bit longer than usual to come up with packages for the recently released Chromium 84. Google’s “Stable Channel” blog for Chrome announced the version 84.0.4147.89 just over a week ago, but as I was traveling at the time (without computer) new packages needed to wait.

And just when I uploaded these packages to the mirror server I discovered that Google already released an update yesterday: 84.0.4147.94. That will have to wait since again I am busy at the moment. Enjoy the first 84 release though!

Chromium 84 sees a lot of bugs fixed, of which 38 are security fixes. There’s also the usual UI and engine improvements but there’s really not much visible on the User Interface side. With one exception: the ‘spam’ notification popups which some web sites bothered you with are now hidden by default under a button in the URL bar. By clicking that button you can decide to show the blocked popups (or not). This feature was implemented earlier by Mozilla in their Firefox browser where it was highly valued by its users.
Under the hood, the most notable change is that Google has removed support for the insecure TLS 1.0 and TLS 1.1 ciphers. Web servers which still use these for their HTTPS content will be blocked by default and you’ll see an error.

Slackware packages for Chromium 84.0.4147.89 are in my package repository already. They are available as 64bit versions for both Slackware 14.2 and -current and a 32bit version only for Slackware-current.
There is no new 32bit package for Slackware 14.2 unfortunately, because I have been unsuccessful in my attempts to compile the package. Let’s hope future releases allow me to compile the 32bit package for 14.2 again…

Note that because of the changed status of the Widevine library (which is now automatically downloaded and kept updated by the browser), a separate “chromium-widevine-plugin” package containing the Widevine DRM library is no longer required. Widevine is a Content Decryption Module (CDM) used by companies like Netflix and Disney+ to stream video to your computer in a Chromium browser window.

Also note (to the purists among you): even though support for Widevine CDM plugin has been built into my chromium package, that package is still built from Open Source software only. If you do not want the Widevine DRM library to be downloaded at all, you will have to recompile the chromium package after setting “USE_CDM=0” in the chromium.SlackBuild script. This can not be disabled at run-time.

Chromium packages: https://slackware.nl/people/alien/slackbuilds/chromium/ (rsync://slackware.nl/mirrors/people/alien/slackbuilds/chromium/)

Enjoy! Eric

Chromium 83 – packages for Slackware, news about Widevine plugin

The COVID-19 crisis caused Google to change its release calendar for the Chromium browser sources, and they decided to skip the 82 release altogether, in order to focus on keeping the 81.x versions as safe as possible while working on their upcoming 83 release.
And so this week, Chromium 83.0.4103.61 was introduced to the “Stable Channel” with lots of bugs fixed, of which 38 are security fixes. There’s also a lot of new and improved features which are introduced in this release but it seems that many of those are only available in Google’s official Chrome binaries.
One of the notable changes for Chromium users (as opposed to Google Chrome users for which it has always worked this way) is that the Widevine content decryption module is now an official component of the browser. Like with Mozilla Firefox, the Chromium browser will now automatically download the Widevine library into your personal profile and enable access to DRM-protected content. In the URL “chrome://components/” you’ll see Widevine listed as a component, displaying its current version and a “Check for update” button.

Slackware packages for Chromium 83.0.4103.61 are in my package repository already. They are available as 32bit and 64bit versions for both Slackware 14.2 and -current.

Note that because of the changed status of Widevine, a separate “chromium-widevine-plugin” package containing the Widevine DRM library is no longer required. However…
It seems that there is an issue with the online availability of a 32bit Widevine library of the version that Chromium tries to download. As long as that is not fixed and only if you are using the 32bit Chromium browser, keep using my “chromium-widevine-plugin” please.

You can test whether Widevine works by visiting https://bitmovin.com/demos/drm and validating that the page says “Detected using Widevine” and not “Detected NO DRM“. If you can not immediately get Widevine to work with your 32-bit browser, check that the content of the file in your Chromium profile “${HOME}/.config/chromium/WidevineCdm/latest-component-updated-widevine-cdm” points to the installed location of the chromium-widevine package, like this:

alien@darkstar:~/.config/chromium/WidevineCdm$ cat latest-component-updated-widevine-cdm 
{"Path":"/usr/lib/chromium/WidevineCdm"}

In the profile of a 64-bit browser you will see instead something like this:

alien@darkstar:~/.config/chromium/WidevineCdm$ cat latest-component-updated-widevine-cdm 
{"Path":"/home/alien/.config/chromium/WidevineCdm/4.10.1610.0"}
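The hint-file check described above, as an added example that is not part of the original post: a shell function that parses the {"Path":...} file, confirms the directory holds libwidevinecdm.so, and reports whether the browser will load the CDM from the package or from the profile. The status labels, the world-writable test and the `make_sample` helper (which builds a constructed sample tree) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit the Widevine hint file.
# File names come from the post; status labels and policy are assumptions.

# Print the "Path" value from a hint file of the form {"Path":"/some/dir"}.
cdm_hint_path() {
    sed -n 's/.*"Path"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Usage: check_cdm_hint HINT_FILE PROFILE_DIR PACKAGE_DIR
# Prints one "<status>:<detail>" line and always returns 0.
check_cdm_hint() {
    hint=$1 profile=$2 pkgdir=$3
    if [ ! -r "$hint" ]; then echo "missing-hint:$hint"; return 0; fi
    cdm_dir=$(cdm_hint_path "$hint")
    if [ -z "$cdm_dir" ]; then echo "unparsable:$hint"; return 0; fi
    if [ ! -d "$cdm_dir" ]; then echo "dangling:$cdm_dir"; return 0; fi
    lib=$(find "$cdm_dir" -type f -name libwidevinecdm.so 2>/dev/null | head -n 1)
    if [ -z "$lib" ]; then echo "no-library:$cdm_dir"; return 0; fi
    # A native library that any local user can overwrite is a finding by itself.
    if [ -n "$(find "$lib" -perm -0002 2>/dev/null)" ]; then
        echo "world-writable:$lib"; return 0
    fi
    case "$cdm_dir" in
        */../*|*/..)              echo "unexpected:$cdm_dir" ;;  # ".." in path
        "$pkgdir"|"$pkgdir"/*)    echo "packaged:$lib" ;;        # distro package
        "$profile"/WidevineCdm/*) echo "component:$lib" ;;       # browser download
        *)                        echo "unexpected:$lib" ;;
    esac
}

# Build a constructed sample tree (empty stand-in files, not real CDM data).
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/profile/WidevineCdm/4.10.1610.0" "$root/pkg/WidevineCdm"
    for d in "$root/profile/WidevineCdm/4.10.1610.0" "$root/pkg/WidevineCdm"; do
        : > "$d/libwidevinecdm.so"
        chmod 644 "$d/libwidevinecdm.so"
    done
    printf '{"Path":"%s"}\n' "$root/pkg/WidevineCdm" \
        > "$root/profile/WidevineCdm/latest-component-updated-widevine-cdm"
    echo "$root"
}

# Demo on the constructed sample: the hint points at the packaged directory.
sample=$(make_sample)
check_cdm_hint "$sample/profile/WidevineCdm/latest-component-updated-widevine-cdm" \
    "$sample/profile" "$sample/pkg/WidevineCdm"
rm -rf "$sample"
```

On a real system, pass “${HOME}/.config/chromium/WidevineCdm/latest-component-updated-widevine-cdm”, “${HOME}/.config/chromium” and “/usr/lib/chromium/WidevineCdm” as the three arguments.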

For newcomers: Widevine is a Content Decryption Module (CDM) used by companies like Netflix and Disney+ to stream video to your computer in a Chromium browser window.

Also note (to the purists among you): even though support for Widevine CDM plugin has been built into my chromium package, that package is still built from Open Source software only. If you do not want the Widevine DRM library to be downloaded at all, you will have to recompile the chromium package after setting “USE_CDM=0” in the chromium.SlackBuild script. This can not be disabled at run-time.

Chromium packages: https://slackware.nl/people/alien/slackbuilds/chromium/ (rsync://slackware.nl/mirrors/people/alien/slackbuilds/chromium/)
Widevine packages: https://slackware.nl/people/alien/slackbuilds/chromium-widevine-plugin/ (rsync://slackware.nl/mirrors/people/alien/slackbuilds/chromium-widevine-plugin/)

Disney+ finally works on Linux!

A little more than three weeks after the new Disney+ movie streaming service went officially live, the Disney company has added Linux support to their Widevine DRM protection. No more “Error 83”. No more need to install the Windows version of Chrome in Wine. Watching your favorite movies is now possible in the native Linux browsers – both Mozilla and Google based. Firefox will download the Widevine CDM (content delivery module) automatically, Chrome has the support built-in and for my Chromium package and other Chromium-based browsers you’ll have to install my chromium-widevine-plugin package.

I guess that a sufficiently large group of Linux enthusiasts have been complaining. And with success!

Enjoy! Eric
