Hi list,
AFAIK many(/most?) of you build/package Chromium with
enable_widevine=true so that Widevine (Google's proprietary DRM
technology for EME) is supported [0] but not included (Widevine itself
won't even be built as the source-code obviously isn't part of the
Chromium tarball). The Chromium package is then distributed as
BSD-3-Clause software. So far so good.
The problem is that when users launch Chromium the proprietary Widevine
binaries (the "Widevine Content Decryption Module") will be
downloaded automatically in the background and used on demand without
any notification for the user. IMO this is a problem because the user
never agreed to download and use these proprietary binaries.
I would've expected that the download requires user permission/consent
(as it should be the case with Firefox) but so far I've been told by
upstream that Chromium's current behaviour works as intended:
https://bugs.chromium.org/p/chromium/issues/detail?id=1187154
What are your thoughts on this?
(Possible solutions/workarounds are a patch from Debian and maybe
enable_widevine_cdm_component=false.)
I'm only aware of this since a user reported it to me [1] (there's also
a report for Debian [2]) and not a big fan of the way this currently
works (I'm not a fan of Digital Restrictions Management and the
Encrypted Media Extensions in general and IMO it would be best if this
requires user permission/consent even for Google Chrome users).
[0]: So that users who need it can use it without having to recompile
Chromium.
[1]:
https://github.com/NixOS/nixpkgs/issues/115275
[2]:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23960454