What’s The Deal With Chromium On Linux? Google At Odds With Package Maintainers

Linux users are more likely than most to be familiar with Chromium, Google’s the free and open source web project that serves as the basis for their wildly popular Chrome. Since the project’s inception over a decade ago, users have been able to compile the BSD licensed code into a browser that’s almost the same as the closed-source Chrome. As such, most distributions offer their own package for the browser and some even include it in the base install. Unfortunately, that may be changing soon.

A post made earlier this month to the official Chromium Blog explained that an audit had determined “third-party Chromium based browsers” were using APIs that were intended only for Google’s internal use. In response, any browser attempting to access features such as Chrome Sync with an unofficial API key would be prevented from doing so after March 15th.

To the average Chromium user, this doesn’t sound like much of a problem. In fact, you might even assume it doesn’t apply to you. The language used in the post makes it sound like Google is referring to browsers which are spun off of the Chromium codebase, and at least in part, they are. But the search giant is also using this opportunity to codify their belief that the only official Chromium builds are the ones that they provide themselves. With that simple change, anyone using a distribution-specific build of Chromium just became persona non grata.

Unhappy with the idea of giving users a semi-functional browser, the Chromium maintainers for several distributions such as Arch Linux and Fedora have said they’re considering pulling the package from their respective repositories altogether. With a Google representative confirming the change is coming regardless of community feedback, it seems likely more distributions will follow suit.

Broken Promises

For most users, this is little more than a minor annoyance. Sure it was nice to have Chromium available in your distribution’s package repository, but popping over to the official website and downloading the latest stable is hardly the end of the world. Those running older machines may be in for a rude awaking however, as Google no longer makes 32-bit builds available. They also don’t provide a native BSD build at the time of this writing. For those users, it may be time to give Firefox a shot.

Soon to be a memory of simpler times?

The people that are actually hurt the most by this decision are the ones who’ve spent years packaging Google’s open source browser. They’ve put in considerable time and effort to compile, distribute, and support a custom built Chromium, only to have Google pull the rug out from under them without so much as a call for comments. You might think that’s just one of the risks you take on when supporting a BSD-licensed project, which by definition offers no implied warranty, but in this case things are a little less cut and dry.

As developer Eric Hameleers explains in a lengthy blog post, he was supplied with a dedicated API key for his Slackware Chromium builds by the Google Chrome Team in 2013. He was granted “official permission to include Google API keys in your packages”, and was told that the usage quota for that particular key would be increased “in an effort to adequately support your users”, as normally the key he was assigned would only be for personal development use. Evangelos Foutras, the maintainer for the Arch Linux Chromium package, has indicated he received a similar email at around the same time.

There’s no question that Google understood how these individuals intended to use their API keys. They were even given special dispensation to circumvent API limits, a decision which must have gone through several layers of approvals. The framework for giving distribution-specific Chromium packages the same level of functionality as official builds was agreed upon and put into operation years ago, that much is certain. What’s less clear is what happened internally at Google that prompted them to terminate these existing agreements with little more than a vague blog post to serve as notification.

Keys to the Kingdom

We may never get the full story in this situation, and since a Google representative has made it clear that the decision is final, there’s not much sense fretting over it. Ultimately, Google is going to run their business as they see fit. If they think allowing unofficial builds of Chromium to tap into their cloud services such as Sync isn’t worth it, it’s their prerogative to block them. Those who believe firmly in the concept of free and open source software would tell you that this is a perfect example of why you should have been using Firefox or another truly libre browser in the first place.

On the other hand, hackers as a whole aren’t overly fond of being told what to do. Finding unconventional solutions to arbitrary limitations is the name of the game, so what options exist for those who can’t or won’t use the official Chromium builds from Google? Foutras has put forward an interesting suggestion that, at least on the surface, doesn’t seem to run afoul of Google’s Terms of Service. Though that certainly doesn’t mean they’ll be happy about it.

Put simply, there doesn’t appear to be any technical reason that a third-party build of Chromium couldn’t simply use the official API keys that ship with Chrome. These keys have been publicly known since at least 2012, and in all that time, have never been changed. While actually distributing a build of Chromium using these keys may be enough of a gray area that mainline distributions would steer clear, a separate script that executes on the end-user’s machine and slips the keys into the relevant environment variables may be a loophole Google wasn’t expecting.

151 thoughts on “What’s The Deal With Chromium On Linux? Google At Odds With Package Maintainers

    1. I hope that’s how it works.. But I expect it to become “Google breaks everything it didn’t package itself” i.e. – give us your data, NOW!
      Which with how many google sourced plugins and drm things are used almost ubiquitously across certain parts of the internet…

      1. I’ve never used chrome (knowing it was a google product), and my life continued just fine without it.

        In the Australian news recently is google threatening to pull access to their platform if they have to pay for news content (as they should) – behaviour amounting to what is commonly termed “blackmail”.

        It has been many years since they dropped the statement from their corporate goals – don’t be evil. I could see back then exactly why they did. Some others did too: “Mr Robot” predicted it very nicely without actually saying the words… E-corp = Google

  1. This is in line with other Google efforts to benefit from open source while not allowing for competing products. They want the developers but also want all the control. We have seen this happen in other open source projects that have been sponsored by Google such as Istio.

    1. When CyanogenMod leadership formed Cyanogen Inc, their excuse for why it was OK to do many of the things they did in the process of doing so was basically “Well Google does it too with AOSP”

      AOSP is a great model of how NOT to run an open source project if you want anyone external to bother contributing. Apparently way back in the past some Android developers at Google lamented how few people contributed upstream, but when you do development behind closed doors for months and no one outside of your organization knows anything about your design direction, it’s basically RNG whether or not any submission is a complete and total waste of time.

    1. “What’s up with US anti-monopoly laws?”

      What’s up is that the antitrust laws aren’t even remotely written correctly to cover modern situations. Considering that the most recent revision to the actual laws is the Celler–Kefauver Act from 1950, Congress really should do something. However, that is about as likely as a publicly traded company caring about ANYTHING other than their bottom line.

    2. Most monopolies in the US are government sanctioned. Hence the reason the US is falling behind the rest of the world in infrastructure. Just look at Comcast, Spectrum (Charter/Time Warner), Ma Bell, AT&T, and just about every power corporation in existence.

      1. Then again due to the vast distances needed to cover by said infrastructure, the only comparable markets are India and Russia. Maybe China, but that market is a really weird communism/raw capitalism catdog.

        It’s quite the difference if you need to build and maintain a 10km line or 100km. Or multiples of that…

        1. Want fast cheap internet? Look to how Romania solved the problem: Piracy-fueled shared internet through LAN, assembled block by block and ignoring pesky rules.

      2. Corporations own your politicians. Duh.

        They arent donating billions of dollars to political parties with absolutely no expectation of anything in return. Corporations would never act without a profit motive.

        I’m always amazed when I meet people who have been asleep for 2 decades.

          1. It’s a good start. But in the end, I think it’s absurd to think that the richest person in the room wont be calling the shots. The budget for lobbyists is about a hundred times bigger than the budget of anybody responsible for holding them accountable.

          2. The problem is called regulatory capture: when businesses buy the government to harm the competition and secure profits.

            The solution: stop regulating every little thing. The more power the state grabs at the excuse of saving the economy from the bad actors, the more that power will be abused by the very same.

    3. THe initial Google, made by 2 guys in o a garrage is dead. “do not evil” WAS the previous motto. The CURRENT motto is “do the right thing”. but they don’t tell you lthe last pat of the sentence: “for our vantage”. So the sentence, complete, is “do the right thing for our (of Google) vantage”. Don’t try to fight the golem, knew down in front of him and serve him: buy Alphabet stock options.

  2. Google can go pound sand.

    Oh, how I wish I could stop utilizing ANYTHING from Google. Many years ago (back when “don’t be evil” was still a thing) I had a lot of respect for them, but now I hate them with the boiling heat of a thousand suns, and I add a few more suns’ worth every time I am forced to deal with one of those idiotic “captcha” pieces of crap. I would love to find a way around those, but my programming skills are minimal at best (can it be done in TI-BASIC from the 80s? No? I’m out.), so I lack the ability to do anything about it.

    1. The only problem I have with the anti-Google sentiment is that the alternatives are worse.

      Just look at smartphones. If your not on Google your on Apple.

      With Apple you can’t even run your own code on your own device without using one of their overpriced computers and paying $100/year to join their club. (Yes they have a free tier but it’s emulator only). And forget about distributing anything outside of their store.

      As a maker, if you want to control something you built with your phone.. well Apple devices have no bluetooth serial protocol so it’s going to be 10 times more expensive and 100 times more complicated.

      I still prefer Google as a lesser evil.

      1. MicroG is a thing, same as third party Android releases without Google.
        Buuut then there’s the problems with manufacturers locking down for flashing different version, or even rooting for De-Googling Android.
        All because they both also want to snarfle user data and preserve the faux impression of a safe, walled garden.

      2. There are options without Google or Apple still using a ‘smart’ phone.

        Though for me – use a dumb phone as a modem/phone and real tablet/laptop with LibreBoot bios, OpenBSD (as I usually mention Linux, I figured I’d spread the love around) and a browser that doesn’t suck up all your data for the Google overlords. Be a better experience all round.

          1. Personally I use a variety of browsers – though I default to Firefox I’d say.
            Picking a browser can be one heck of a rabbit hole to fall down, there are mindboggling numbers of options, though many won’t fit every possible need.

            Heck you could even browse, or interact with the internet in other ways on the terminal alone if you really wanted to. I mean who doesn’t grep wget generated lists for all the download links they are interested in, when the site doesn’t offer anything but manual one at a time downloads…

      3. One could just install Plasma Mobile, or postmarketOS or even the mobile OS that is currently supported by the Linux Foundation ie. Tizen. And as for the Google Chrome Browser, why not try Iridium or Firefox or Brave or my personal favourite :) “Ungoogled Chromium”. The only thing that the Corporations of American like Google, Microsoft, or Apple have succeeded in doing in 20/30 years is make the average Joe computer illiterate.

    2. I’m extremely grateful for the Google captchas, I see enough spam on the internet as things are, I have no desire to wade through even more of it. When image recognition gets good enough and easy enough to use to bypass those captchas we’re going to have a hell of a time. :-(

      1. My issues with googles captcha is that I do not like being used as an unpaid employee who generates or validates training data sets for AI systems.

        They shuffle up their collection of images and send each of them randomly to thousands of humans and use the ones that with a 99% confidence interval of agreement by human eyes and brains as valid training data. It may also help detect colorblind people and add extra information to their google metadata profile.

        1. “I do not like being used as an unpaid employee who generates or validates training data sets for AI systems”

          But you are doing that every day as you drive your car down the street. Also you are training ai every time you go into a store, what do you buy, what do you look at, etc. You are doing it right now with your choice of idiom in your comments.

          Guess what? Big brother is looking over your shoulder and you can’t do anything about it.

        2. “My issues with googles captcha is that I do not like being used as an unpaid employee who generates or validates training data sets for AI systems.”

          I agree, 100%. This is one of my biggest issues with Captcha, and there simply needs to be a way around it.

    3. “Don’t be evil” is still in their code of conduct. The articles about how they removed it were clickbait trash as Google/Alphabet only removed it from the preface but kept it as the closing sentence.

      “And remember… don’t be evil, and if you see something that you think isn’t right – speak up! “

      1. If you speak up, your mouth will be writing a check for a one way trip down to the HR office with your devices and your badge. There’s very little incentive to speaking up there, unless you fancy making yourself a martyr noone outside the Bay gives a damn about. Some people have but it doesn’t really make a difference and won’t change their behavior unless and until there’s action from the Government (fat chance there) or the people working there organize and vote on a general strike or work-to rule, which won’t happen either.

    4. The idea of building a smartphone out of a Raspberry Pi and a small handful of modules has some appeal to it. It’s on the list of things I’d like to do someday but right now that’s a little bit beyond my maker skill level.

      1. If you want a small package or smartphone like experience it is probably never going to be really possible, those things are too much custom design to fit the form factor and user experience.

        But functional and not stupidly large can be done, looks pretty trivial even (at least if you define not stupidly large as being in the ballpark of the 90’s ‘mobile’ phones, which probably would give a nicer user feel being a ‘little’ bigger than the stupid lets try to get 1 micron thick phone trend, already well beyond a comfortable ergonomic thickness in this pursuit of stupidly thin.. Just got to fit a belt hook/pouch for it…

        1. I hope parent poster was sarcastic. Anyway, Edge would be a official chromium build, so they either have official sync API-keys, or more likely, microsoft runs their own sync servers to keep track of you.

      1. “The issue is who will pay for storage, bandwidth and maintenance for a service used by at least dozens of thousands of users…”

        Crazy idea, but maybe those users could pay, who use the service?
        I mean, it should be technical users anyway, so it also should not be too hard to explain to them, that google does ot continue sync for chromium – so we need to roll out our own.
        And since it is not really lots of data (I assume), costs should be reasonable.

  3. I used to use Chrome. Currently I use Firefox. Either way I use the same browser on my work desktop, home desktop and phone. I love how they all sync up so browser history, form auto-fill settings, etc.. go with me. I assume this is the kind of thing we are talking about here.

    For my own reasons I have a LAMP server, always on, port forwarded from my cable modem. I’d love it if I could run something on that which serves as the common point between browsers instead of some big privacy consuming corporation.

    I imagine installing some webservice app on the LAMP box, securing it with an SSL sertificate and a strong password. Then installing an extension in my browser on each device, inputting the url and login info for the webservice then everything is synced, no Google or Mozilla involved.

    Has anyone made anything like this? I have too many other projects to start this one right now. I’d also rather not spend a whole bunch of time learning browser APIs that will probably get obsoleted every couple fo years anyway.

      1. No need for this really though.. All Mozilla have is the metadata of your browsers, they can’t see your actual bookmarks.

        And it’s a bit difficult to get Firefox to talk to a private syncserver.

        1. > it’s a bit difficult

          Make me remembering a quote from Dwane “The Rock” Johnson

          > If someone says it can’t be done, is the person telling more about own limits than about your limits.

    1. I woulda thunk you’d simply make a directory available on teh server, and make that the default place to save bookmarks and passwords.

      Or you can use Bit torrent sync for everything you need to sync between devices, no server required.

      1. I like that idea, but remotely pulling a directory full of bookmarks all the time from one location seems like a recipe for instability – program tries to interact, server is a touch slow because you are in the arse end of nowhere on a wireless link, does it time out gracefully? Among other such issues, heck – some programs I’ve tried recently seem to go on the fritz just accessing a slow USB harddrive.

        Now syncing to that same server is great – everything should end up with the same details, but all programs have local access to the most up to date version, so your system should be as stable as it can be, no weird edge case a programmer missed, that hadn’t come up before.

        1. Yes the BTsync would have a local copy and try to synch it in background when new version saved. So it would be there still if you were off teh interweb, then synch when you got back on teh interweb

        2. “I like that idea, but remotely pulling a directory full of bookmarks all the time from one location seems like a recipe for instability – program tries to interact, server is a touch slow because you are in the arse end of nowhere on a wireless link, does it time out gracefully? Among other such issues, heck – some programs I’ve tried recently seem to go on the fritz just accessing a slow USB harddrive.”

          Are you suggesting that inconveniencing exceptions like this are sufficient reason to not do the thing? Sure latency or service brown-outs should be a scenario dealt with. But, if you are wanting to sync browsing history, or any of it really, and it can’t on startup, then try again next startup, or on some interval. It really doesn’t get much harder than implementing a clustering paradigm when saving and polling any data selected to be sync’d. Fault tolerance is ultimately the goal and sync’ing is the fringe benefit.
          The whole reason this kind of service is a thing, is because the Tech-Giants have the infrastructure to support it. Every person with an email account could achieve the same thing for the most part (secured access of course) with a plug-in allowing scripting like GreaseMonkey or TamperMonkey.

          While I could continue on in technical fashion to describe a viable first-gen private syncing scheme using secure-email as the medium, the muse should be there enough to get the point across.

          The concept of graceful handling of error or lack of services for a given session of course would be handled for a completed product, why worry it wouldn’t? The purpose of the exercise, is for independent little folk like us, to compete with the current execution by Big-Tech – they can take there ball and go home, well play with something we conjure up. Infrastructure is the only real variable to contend with for this problem, that and being able to make a plug-in\\extension or run user-scripts.

          Now, your sync experience will likely be handled in json, or some such structure, and not include the saving of images and such, but your only limits are of how large an email message you can send, and this is only using this solution. This solution negates the need of the users requirement to run a server to store the sync data, that they directly provide, i.e. a sftp server or something.

          The narrative is that Hackers are the bad-guys, the nuance that Hackers are a broader community of individuals that contain Crackers, and Red, Black, and White Hats, etc. is lost upon the Mundane populace. But all that we have was crafted by Hackers, all of it – so hack and solve the problem that’s what hacking is at its core. Anything is possible in code – no problems, only solutions!

          End of line.

          1. That’s a mighty big line…

            You are quite correct ‘for a completed product’, which isn’t really what RW seemed to be talking about just pointing to a remote filesystem or syncing the files used by your stock browser.

            Not saying we shouldn’t try, or that its not possible at all, just that there is a rather sizeable pitfall you can fall into if as RW suggested you put all your bookmarks etc on your server and point your local filesystem to that internet share its going to be rather latent (and that’s ignoring any security worries having all that data web accessible). And those pitfalls don’t all magically go away just because its locally synced either, as syncing can fuck up running services moving stuff underneath them unexpectedly (and propagating errors you haven’t noticed yet)…

  4. To me this doesn’t sound all that weird to be fair.

    That Google has specific cloud services that they have made for their own use isn’t particularly odd.

    From a security standpoint, I would suspect that Google might see that this third party access to their cloud service for things like bookmark, password/login-credentials and history syncing being a bit of a potential security issue. Something that can put them into legal trouble if left in the current state.

    Can Goolge trust that these third parties does a good enough job to ensure security?

    The answer is “most likely not.”

    The situation needs to be look at from the perspective of shareholders, judges/legal-system, and the board in charge. They aren’t programmers, but even a programmer should see the obvious issues here.

    That Google decides to not have these parts of their API as publicly usable by third parties is honestly expected.

    Why the door weren’t properly closed to begin with, is a different question.
    If people at Google handed out API keys to third parties and why is also a different question.

      1. I never state that “security is the issue!”

        But rather that the situation can be seen as a potential security issue if viewed form a certain standpoint.
        Since after all, the synch service does provide Passwords/login-credentials.

        If the information is out in the blue or not is frankly not important.

        But rather the fact that the synch service is supposed to be exclusive to Google’s own products, and the clear case that it isn’t can be seen as a security issue if you ask less knowledgeable people.

        My suspicion is simply that it can be grounds for Google’s stance, and their desire to not remotely care about user feedback is interesting. They might simply have a track record to keep as far as shareholders are concerned.

          1. I’ll be short here and say that actual technicalities isn’t what I am talking about.

            I am talking about how a feather can be turned into a whole bird if looked at from the right angle.
            Simple, how something totally unimportant can be blown way out of proportion.

            Just look back at Supermicro, they had one of their resistor networks identified as being a possible spy chip by 1 news outlet for some odd reason… Their stock prices fell noticeably as a result. And they even lost some contracts due to the surrounding debate around the issue.

            Yes, it were just a boring old resistor network that some news reporter decided to write up some bullshit story about it being a spy chip. (It might have been a capacitor network though, but still, a jelly bean part.)

            What is actually the case in reality isn’t always important as far as relations with news media, shareholders, and other organizations are concerned.

            If Google’s service that is supposed to be used by only Google’s own products is also accessed by other non Google programs, then that can be seen as a security issue.

            It doesn’t matter if it actually is a security risk or not.

    1. I really can’t wrap my mind around this take. I agree they are free to cut off whoever they want since they own the servers and wrote the code (even if it is FOSS), but the security angle is nothing but a strawman to justify pushing users to proprietary Chrome where they can make more $$$ using the tracking features they add on top of Chromium.

      1. My take is simple.

        If you state to a random person that Google’s account syncing service intended to only be used by Google’s software and provide said software with search history, bookmarks and login credentials between devices synched with each other is accessible by non Google products, then it isn’t too far fetched for some individuals to worry about security implications. Regardless if such security risks actually exist or not.

        Most shareholders would prefer to see some actual security framework in place if third parties are going to have access to the service, since if Google got hacked, then that doesn’t really give good headlines to say the least. (And if you are a shareholder, you want stock prices to rise, not plummet, unless one wants to buy more.)

        In short, it might simply be less work for Google to cut out third parties from this service than to make the shareholders happy, or even inform shareholders that the service is secure enough. (Since honestly, if a third party could just snoop in and take data, then there is something rotten at the core to begin with, even without third party support.)

        Though, it is a legit question in regards to security in how these third parties handle the data that they do have access to. This is also part of the same can of worms.

        Why Google does something now, almost a decade later is a good question in itself. Maybe it has just been forgotten on the warehouse shelf and no one has simply asked much about it until now.

        Google is a very large company after all, things can be forgotten within its walls. Also how a lot of security issues prop up btw, simply realizing that one opened a door a few years ago for some temporary reason or another, might be time to close it before something uninvited crawls in… (A good reason for why one should add a “this project should probably have terminated by now, please check the following….” to one’s calendar when working on various longer term projects. (If the project is still running, then push that reminder forth in time, and update the list of things to check…))

        IT security is like running a somewhat moody nuclear power plant.
        And people concerned about security is similar in nature in both fields.
        And if something goes wrong, the fallout can be similar as well.

        And I’ll just repeat.
        I am not saying that Google’s synch service is unsecure.
        I am just saying that people that Google cares about (Shareholders) can potentially view as having a risk of being unsecure.

        1. I get what you’re saying, but if they cared about risk to Shareholders, they wouldn’t do things that a final our way or the highway when dealing with a community that can solve the issue for which open source usually benefits from – fixing of issues. They’ve not tried to work with anyone, they just did a Eric Cartman.
          And given the ever aggressive moves they’ve made in other areas of society, it isn’t my impression that they care so much about what Shareholders have to say, they’re along for the ride and will not dictate what the company does. And there are no legal, moral, or ethical consequences that they seemingly can’t ride out themselves if any, facts in evidence. This is simply a power play by those in charge, which may or may not be the same ones who were in charge when the felt “do no evil” was a good slogan.

          But I ain’t one to gossip… .

      2. I agree with everything but the part about them writing the code.

        How much of Chrome did Google really write?

        It’s based on their fork of Webkit.

        The KDE developers don’t get enough credit. They wrote KHTML which was pretty much the best thing out there for html and css. They never really did very well handling Javascript though so Apple replaced that part and named the result Webkit. I guess Google didn’t like the world knowing their code came from Apple and KDE so they renamed it again to Blink.

        The rest of the browser is mostly just a UI shell.

        Chrome, Edge, Opera, Safari… what difference does it make? The engine is the same. It’s just a theme and a bookmark manager and a choice of which company gets your data first. (ultimately to sell to all the others anyway)

    2. That makes absolutely no sense.
      The keys to access the service, that Chrome uses are known. When Google will change them, they can’t secure them against reverse engineering. So there is no possibility to force that no external software but Chrome can acces the cloud services.
      What changes, when other keys can access too, like it’s currently done?
      Additional, when the cloud service is secure, how can external software change this?

      Again, this makes absolutely no sense.

  5. Google is new Microsoft. It’s a chance to make services like sync more p2p+encryption then centralised, it could also push distributors to set something like duckduckgo as a default search engine. Our privacy could only benefit from this. Other good effect can be in better separation of standard APIs and proprietary spyware in future releases

      1. My guess would that they are missing googles installer which will eventually install a process to allow google to remotely update the browser even when not running. But I’m only guessing.

  6. I’m guessing this is directly related to MS using chromium as the basis for their new browser, but it’s just a guess. Time to make good on my 15-year-old intention to learn lynx.

      1. Also links … took me a few years to realise that links and lynx were different projects, between the rare occasions I needed a text mode browser, thought I was forgetting the spelling, and wondered why they’d do one thing, then change it, then go back to the way they were doing it LOL

    1. The official Linux Chromium packages are designed to be relatively distro agnostic. That was one of the reasons individual distros were building their own. You should certainly be able to use their generic build on your machine, but the integration/performance is debatable.

  7. I’m not sure that this will affect too many users. Many Linux and BSD users already switched to Firefox, and use Chromium only when necessary, such as for Skype, while non-Linux users (Windows, Android,…) use official builds anyway.
    This will just push remaining Chrome users to Firefox.

    1. Skypeforlinux is a thing.

      Hulu and Netflix work in Firefox if you have DRM turned on. Of course I don’t know what all privacy issues turning on that blob might bring with it.

      Pandora worked the last I checked though I would rather use Pianobar anyway.

      The only things I need Chrome for anymore are Duolingo (if I want to do the voice exercises) and the various ___2meeting clients that some of my coworkers in other departments use. Our own department uses MS Teams which like Skype has a perfectly good Linux client.

      I understand Mozilla is working on the missing voice recognition features which should make the voice exercises work in some future version.

      For day to day use I dropped chrome a long time ago because it was unreliable for me. Also I preferred the javascript and web developing debugging utilities available in Firefox over those in Chrome anyway.

  8. The non support for 32 bit is a real pain if you often surf from a raspberry pi. It complains about being unable to upgrade…the other options aren’t so hot either.
    It’d be nice if the pi 64 bit opsys would be up to speed, but if I understand correctly, there are eye-pee issues around the graphics acceleration for it, making it lower performing for video in browsers than the 32 bit version.

    1. You can get video accel in 64 bit on a Pi, though perhaps not yet with the Raspbian beta 64 bit stuff (I loose track of that, but video acceleration can work).

      The real issue you will have on the web video playback with a 64 bit install is that widevine does not exist (or at least didn’t not long ago when I lasted looked) for 64bit arm at all – so you can’t use any of the streaming services as they all seem to require it.

  9. Ahh FFS… This is the final straw with Google for me. This is the article I’ll be sending to their recruiters every time they contact me from now on.

    Why hasn’t anyone made a third party services option to emulate the google sync services, but in a way that lets people own their data?

    1. And to tack on one more bit- The reason that the official Google Chrome linux build is not a feasible option, is that it lacks hardware accelerated video playback. There aren’t any technical reasons for this, as you can enable it yourself in your own build.

      That said, I’ve never been able to successfully get my own build to use the set of developer keys that I (legitimately) pulled from Google services. This is the reason my system76 laptop sounds like it’s going to take off when I watch a youtube video…. Another service we need an alternative for…

      Google, if you want to do the community right while still sticking to the word of your one overzealous attorney that made this decision, then I’d suggest enabling hardware support on the official Chrome build WITH DRM support, so that users don’t have to open Firefox to use Tidal.

    2. Self-host a nextcloud instance and pay for your own email. I would have said host your own email, but if you come from a dynamic IP you’re going to get spam-listed these days.

      1. In Linux with Exim (as MTA, for mutt as MUA, eg) you can configure it to relay to the public host machine (I use Exim again) and no one can figure where the first machine is, so only have to care about the public host IP being clean. Spam is not new, and I investigated this for other reasons (DefCon’s Wall of Sheep showing pwd).

        The trick is AutoSSH for tunnels (I use two, send and receive, meaning all is/was encrypted no matter what protocol or configuration) and “self = send” in the smarthost section of Exim in first computer. Read all this ages ago, so it was documented somewhere. Probably new kids will set up a VPN joining all their gadgets and the public host.

        Now get of my non-existant lawn. I feel old… so much forgotten in a couple of decades. I will not blame current teen/young adult lazyness, but the corporate bitch the web has become in that time.

      2. > I would have said host your own email, but if you come from a dynamic IP you’re going to get spam-listed these days.

        Get a cheap VPS (something suitable for the purpose will start around $5-$10 per month). At least one static IPv4 address should be included; if not, keep looking. Put the Linux distro of your choice (Gentoo!) on it. Put the mail server (Postfix) and IMAP server (Dovecot) of your choice on it. Optionally set up a webmail server (last one I used was Roundcube, IIRC). Get a hostname for maybe $10-$15 per year at most. Set up Let’s Encrypt to get free SSL certificates.

        You could also get a static IP from your ISP. I hosted my email on a server at home with a business-grade cable-modem service for the first few years, but moving mail to a VPS and changing the cable-modem service from business to residental got me faster speeds all around at a lower monthly cost.

  10. Google is evil. Except infrequently their actual search engine (still the best to find leaked datasheets and stuff i have to admit) i don’t use any Google stuff (yes, no smartphone here!) so i don’t care.
    And for their captchas: I am forced to allow they javascript to pass them, this will send them at least some data ($IP is going to $address), i hate it. I understand we need captchas, but please not from a global data collection company.

  11. For me, a browser lacking the Google cloud connections, is a feature, no problem there. I am currently using Firefox, but some time ago I evaluated the possibility of using Chromium variants without the Google stuff, like Ungoogled Chromium. But usually this was not straightforward. This changes could make my wish come true, having an Ungoogled Chromium on the repo without further headaches.

    By the way, on the phone I have been using for years LineageOs for microG: a version of LineageOs with a free implementation of the Google APIs built in, and with F-Droid as app store. This way you can continue using most apps. Not without some problems, but most apps work and you can cut the ties to Google.

    1. Lacking the cloud connection would be amazing. It has absolutely nothing at all to fo with anything mentioned in this article. You are clearly a little confused, or commenting on the wrong article maybe.

  12. This comment is poorly reasoned. Lacking a hardware root-of-trust on the end user’s device that is entirely under Google’s control, Google has no technical means to restrict use of their APIs to authorized software only. As suggested in the article, any “secret” API keys shipped with the software can be trivially extracted and shared. Likewise, a user is free (either intentionally or via subversion) to share their own Google credentials with non-authorized software running on their machine. As a result of these facts, strict enforcement of API security begins only at the edge of Google’s cloud, and nothing about restricting the capabilities of API keys adds meaningfully to the user’s or Google’s security.

    Rather than enhancing security, what Google is doing is deterring competition, via both technical and legal means. The existence of alternate Chromium-based browsers complicates, and thus decreases the profits of, Google’s primary income source, which is user metadata harvesting and monetization. Techniques involving the embedding of Google-exclusive API keys in Chrome serve to confound the use of non-Google software by forcing external developers to extract these keys in order to get their software to work. This renders the process of making, distributing and installing non-Google software more complex, and likely more off-putting to the end user. The end result is an increase in the use of Google software, to the exclusion of others, with a corresponding increase in profits.

    Additionally, Google uses its terms of service and software license contracts as legal deterrents to those who would re-use their exclusive API keys. The reproduction of Google’s API keys within other software distributions is undoubtedly prohibited by Google’s software license, making it legally untenable to ship software including these keys. However once these keys are installed on a user’s machine, they become available for use by other application without copying. Despite this, their use by non-Google software will likely be prohibited by causes in Google’s end-user ToS agreement. Should any non-Google distribution include code that accesses the installed keys, look for Google to sue (or threaten) select high-profile corporate users of that software for breach of ToS. The risk of possible legal action, however unlikely in practice, will drive many users to only use Google software.

    Bottom line, this action is not about increasing security for end-users, or even for Google’s own infrastructure. Rather, this is about eliminating losses to their business incurred by competition. The comparison to Microsoft’s behavior in its anti-competitive heyday is apt. While Microsoft got slapped for a few big-ticket actions, most of its anti-competitive behavior went unchallenged.

    1. Bottom line, this action is not about increasing security for end-users, or even for Google’s own infrastructure. Rather, this is about “eliminating losses”.

      Another term for that is “profit”. It actually guides every action made by every single corporation on this planet. I think most people already understand that quite well, all you really did was spend paragraphs repeating the lies google spewed.

      1. I repeated no Google lies. I simply made plain their true anti-competitive motivations, which are often misinterpreted (with help from their own disinformation) as an effort to “improve user security”.

        Make no mistake, I consider their behavior to be despicable.

    2. Thank you for a very erudite exposition of your thoughts.

      I recall when M$ was claiming IE could not be unbundled from Windows as it was integral to the OS, in a bald faced effort to deny Netscape market share.

      This does not seem very different, trying to fence off a chunk of what should be an open ecosystem.

      1. Dont fight back, fight forward. Dont fight, workaround.

        Understand that part of the “problem” is that it is someones business.
        So make it possible there are other business possilble.
        And ignore those who ignore you.

  13. Wait, Google doesn’t trust 3rd parties? Let me have another look at any terms and service agreement and see how many times 3rd party is mentioned. Be back in a year once I follow all the links, look up all the words I don’t know, take a crash course in Lawyer Speak.

  14. The Google Chrome source code is a descendant of the K Desktop Environment Konqueror web browser application, as is Apple Safari and Microsoft Edge, and many others.

    Konqueror, started in 1994, did in fact conquer the entire world. Its home page lives at https://apps.kde.org/en/konqueror

    That much said, various individuals at Google from time to time make uninformed decisions that render those individuals nonworthians, but that does not necessarily make upper management involved —I guess they are not even aware of this particular situation— or Alphabet and Google as a whole evil. This decision should be rolled back.

    1. “I guess they are not even aware of this particular situation.”

      Gee thanks for making wild uninformed guesses google marketer. Maybe you volunteer to be part of their marketing team, maybe they pay you. I’m not sure which is more disgusting.

      1. Not more than a few months ago, a team at Google began a campaign —not approved by top management— against an official of the European Union. When Sundar Pichai got wind of it from nobody at Google, he immediately shut it down and apologized publically to the European Union for what had happened.

        Google has well over a 100000 employees. Obviously Sundar Pichai does not personally make all decisions, or even have a practical possibility of knowing of each decision that is being made each day. A big part of running such a big organization is correcting the course when things go wrong. He did that in the EU case, and I think you should give Google some credit for making it right.

        FYI, I am not and have never been an employee of Google, nor any company providing services or products to any Alphabet Inc company, as far as I know.

        1. Do you actually expect anybody to believe that you would tell us if you were? Do you really ex0ect people to be that gullible?

          Nobody said that any specific person was responsible. But you’re just making up a story about how it probably wasn’t Google as a whole. Without any reason or logic at all. Just… it’s not impossible, so you feel like you should try to convince people it is true.

          Manipulative as fuck

    1. People are already doing that. And in case any proof shows up, there will be a press release from the advertisement sellers. It will say “best quarter ever”. Consider that press release true, because those with a marketing budget are no adapting slowly.

  15. “What’s less clear is what happened internally at Google that prompted them to terminate these existing agreements with little more than a vague blog post to serve as notification.”

    There is exactly one thing that guides every single decision corporations like Google make: profit. Only somebody with their head in the sand could call that “less clear.”. It is %110 clear.

    1. If you refer to the Andoird/Java case, that was certainly different. That was about providing an alternative implementation using the same (code) API design, not about letting others consume the (web) APIs your host.

    1. Yes, but clean it before using = disable “telemetry” and stuff. I’m afraid Chrome is _really_ nasty, but Firefox might not be _that_ “clean”/whatever in terms of privacy and stuff as i and others would like. Iirc Mozilla is (was?) using Google stuff for analytics and “malware blocking” and stuff. And i am still angry at Mozilla for making digital signature (with THEIR key of course) of addons mandatory. (Altough yes, it is FOSS, so i could hack the code, but as with a lot of projects it is way too much stuff to download/install/compile/understand.)

  16. I repeated no Google lies. I simply made plain their true anti-competitive motivations, which are often misinterpreted (with help from their own disinformation) as an effort to “improve user security”.

    Make no mistake, I consider their behavior to be despicable.

  17. Dear author,
    what the heck did you meant with this?

    “You might think that’s just one of the risks you take on when supporting a BSD-licensed project, which by definition offers no implied warranty, but in this case things are a little less cut and dry.”

    This is just BS, how would anything change if it were licensed under GPL or other propertiary license?
    This is BS.

    1. AFAIK, no software offers any warranty for “fitness, merchantability” etc., especially for personal use. Even the business versions, that include premium tech support, have no warranty.

  18. I don’t get why this is a big deal, just drop the chrome sync and implement click-to-call without their API. Stop sending stuff to scroogle from chromium and it works fine as a browser.

  19. Another possibility: use your own API keys. The YouTube plugin for Kodi follows this approach. Developers tried using a shared key at first, but it didn’t scale; users running the plugin later in the day were more likely to bump up against API limits. They then described how you could get your own key and set up the plugin to use it. At first, you had to log in and edit config files, but now there’s an interface that lets you punch the keys in from within Kodi.

  20. I switched to Firefox when Ubuntu made chromium a snap exclusive package. Firefox is great and it’s developed by a foundation that is dedicated to open source and respects user privacy. Chrome and chromium are developed by one of the largest, most manipulative companies in existence that makes money by selling your data to advertisers.

  21. Maybe check out the Purism Librem 5? They’ve taken on a monumental task, but seem to make good progress toward a smartphone that’s actually good and open in true FOSS spirit. They seem to be working closely with upstream in Gnome and other projects to avoid digging themselves a hole of unmaintainability.

  22. I don’t see a reason to pull chromium from repositories, as I don’t think it will be “semi-functional”. It still can open websites, play videos, etc. I don’t care about sync functions or geolocation and inhanced spell check, since I don’t use these features. Moreover, pulling chromium from repositories gives benefit to Google, as most of the users will just switch to Chrome.

  23. In some cases it’s even better that google blocked there sync service for unofficial browsers. This opens the dor for development of google independent synchronization service with e2e encryption, ability to run your own server. or integration with mozilla sync service. this can be added to many chromium forks, and it will be good for end users if they don’t using official chrome.

    1. Jumped through all the hoops and made a developer key and exported it in my .zshrc (it may be .profile or .bashrc for you). I had to improvise a bit since the instructions are missing a few details. I think for create OAuth Client ID I used Desktop app instead of Browser app since that was not available.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.