With enable_widevine=true Chromium downloads Widevine without asking the user


Michael Weiss

Mar 18, 2021, 2:02:49 PM
to chromium-packagers

Hi list,

AFAIK many(/most?) of you build/package Chromium with
enable_widevine=true so that Widevine (Google's proprietary DRM
technology for EME) is supported [0] but not included (Widevine itself
won't even be built as the source-code obviously isn't part of the
Chromium tarball). The Chromium package is then distributed as
BSD-3-Clause software. So far so good.

The problem is that when users launch Chromium the proprietary Widevine
binaries (the "Widevine Content Decryption Module") will be
downloaded automatically in the background and used on demand without
any notification for the user. IMO this is a problem because the user
never agreed to download and use these proprietary binaries.

I would've expected that the download requires user permission/consent
(as it should be the case with Firefox) but so far I've been told by
upstream that Chromium's current behaviour works as intended:
https://bugs.chromium.org/p/chromium/issues/detail?id=1187154

What are your thoughts on this?
(Possible solutions/workarounds are a patch from Debian and maybe
enable_widevine_cdm_component=false.)

I'm only aware of this since a user reported it to me [1] (there's also
a report for Debian [2]) and not a big fan of the way this currently
works (I'm not a fan of Digital Restrictions Management and the
Encrypted Media Extensions in general and IMO it would be best if this
requires user permission/consent even for Google Chrome users).

[0]: So that users who need it can use it without having to recompile
Chromium.
[1]: https://github.com/NixOS/nixpkgs/issues/115275
[2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23960454

Lei Zhang

Mar 18, 2021, 2:29:46 PM
to Michael Weiss, chromium-packagers

In general, when a downstream distribution wants something that the
upstream project would prefer not to do, patching their own copy is a
common way for the distribution to achieve their goals. Upstream is
happy to not have the extra burden. Downstream gets to do what makes
sense for them.