Re: [chromium-packagers] Re: [Action Required] Update on Google API usage in Chromium

7105 views
Skip to first unread message

Dirk Pranke

unread,
Jan 15, 2021, 5:52:00 PMJan 15
to Eric Hameleers, Chromium Embedders, chromium-packagers, evan...@foutrelis.com
The emails said that for questions you should ask on the +Chromium Embedders mailing list, but I don't see anyone asking about this there.

Is there someone on embedder-dev who can respond to this?

-- Dirk

On Fri, Jan 15, 2021 at 1:14 PM Eric Hameleers <al...@slackware.com> wrote:
Today, I received the same email for my Chromium package for Slackware Linux.
When I started building Chromium for Slackware, I reached out to Google to formally arrange a Google API key/id/secret combination for use in my Chromium binaries that allow people to login to their Google account *and* use Google sync (passwords, bookmarks, history etc).

From the email I received I understand that the ability to use Google Sync will be removed from my API keys used to build this Slackware Chromium browser binary. The value of the Chromium package for endusers will drop right to zero if that is true.
I honestly see no reason to continue compiling and packaging Chromium for Slackware if the Google developers present in this group confirm this policy change by Google.
Which would be a shame since there is no 32bit Google Chrome and I have been offering 32bit Chromium packages until today for the most recent releases of Slackware. Yes, 32bit OS-es are still being used.
Developers, please comment.

Eric Hameleers
Op vrijdag 15 januari 2021 om 19:39:29 UTC+1 schreef evan...@foutrelis.com:
Does this mean that Chromium builds shipped by Linux distros will no longer have access to Sync (e.g.: saved passwords and bookmarks)?

Or would removing "google_default_client_id" and "google_default_client_secret" allow our Chromium builds to continue to function normally?

On Fri, 15 Jan 2021 at 20:06, The Google Chrome Team <chrome-...@google.com> wrote:
Google logo
As part of Google’s efforts to improve user data security, we are removing access to those APIs starting on March 15, 2021.

Hi Chromium Developer,

We are writing to let you know that starting March 15, 2021, end users of Chromium and Chromium OS derivatives using google_default_client_id and google_default_client_secret on their build configuration will no longer be able to sign into their Google Accounts.

What do I need to know?

During a recent audit, we discovered that some 3rd-party Chromium-based browsers had keys that were allowed to access Google APIs and services that are reserved for Google use only. Chrome Sync is the most notable of these APIs.

In practice, this means that a user would be able to access their personal Chrome Sync data (such as bookmarks) not just with Chrome, but also with a non-Google, Chromium-based browser. Please note that users would only be able to access their own Chrome Sync data, and only a small fraction of users of Chromium based browsers were impacted. We have no reason to believe that user data is being abused or accessed by anyone other than the users themselves.

As part of Google’s efforts to improve user data security, we are removing access from Chromium and Chromium OS derivatives that used google_default_client_id and google_default_client_secret on their build configuration to Google-exclusive APIs starting on March 15, 2021. Guidance for vendors of Chromium derivative products is available on the Chromium wiki.

What does this mean for my users?

Users of products that are incorrectly using these APIs will notice that they won't be able to log into their Google Accounts in those products anymore.

For users who accessed Google features (like Chrome Sync) through a 3rd-party Chromium-based browser, their data will continue to be available in their Google Account, and data that they have stored locally will continue to be available locally.

As always, users can view and manage their data through Google Chrome, Chrome OS, and/or on the My Google Activity page, and they can also download their data from the Google Takeout page, and/or delete it from this page.

What do I need to do?

To avoid disruption, follow the instructions for configuring and building Chromium derivatives in the Chromium Wiki (link provided above).

Possible ways to implement this are:

  • Removing google_default_client_id and google_default_client_secret from your build configuration.
  • Passing the --allow-browser-signin=false flag at startup.

Your projects that may be affected by this change are listed below:

If you have any questions or require assistance, please contact embedd...@chromium.org.

Sincerely,

The Google Chrome Team

Was this information helpful?

YES   NO
 

© 2021 Google LLC 1600 Amphitheatre Parkway, Mountain View, CA 94043

You have received this mandatory service announcement to update you about important changes to Google services you use.

--
You received this message because you are subscribed to the Google Groups "chromium-packagers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-packag...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-packagers/8f555d67-bc0e-48c0-91f4-881fa0ea6a9an%40chromium.org.

Evangelos Foutras

unread,
Jan 16, 2021, 7:09:46 PMJan 16
to Chromium Embedders, Eric Hameleers, chromium-packagers, Dirk Pranke
Well, the main concern here is whether the Chromium builds shipped by numerous Linux distributions could continue to work with Sync, like they have for the past decade. Otherwise, as Eric said, the value of a Chromium package drops significantly and it becomes inferior to proprietary Chrome.

I would also be interested to know why this is suddenly a security issue, considering that Chrome's keys have been public since at least 2012 (and still to this day embedded in the chrome binary!). [1] [2]

The announcement makes it seem like our Chromium builds have been using API keys with unwarranted access, even though explicit permission to use them was provided back in 2013 when a member of the Chrome team contacted me about adding them to the Arch Linux chromium package:

(excerpt from the initial email follows)

Note that the public Terms of Service do not allow distribution of the API keys in any form. To make this work for you, on behalf of Google Chrome Team I am providing you with:

  • Official permission to include Google API keys in your packages and to distribute these packages.  The remainder of the Terms of Service for each API applies, but at this time you are not bound by the requirement to only access the APIs for personal and development use, and
  • Additional quota for each API in an effort to adequately support your users.

Jochen Eisinger

unread,
Jan 19, 2021, 4:03:20 AMJan 19
to Dirk Pranke, Eric Hameleers, Chromium Embedders, chromium-packagers, evan...@foutrelis.com
Hey,

I'm sorry to be the bearer of unwelcome news, but this change will indeed happen.

We won't remove the API from your key, but we'll limit the quota to the quota for development. It's true that this will make the keys unsuitable for production use.

best
-jochen

You received this message because you are subscribed to the Google Groups "Chromium Embedders" group.
To unsubscribe from this group and stop receiving emails from it, send an email to embedder-dev...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/embedder-dev/CAEoffTByYuVk%3DOSDfFWjbbLnzKM1Pd%3DfdXR5OP%2B5esHnr6LVbQ%40mail.gmail.com.

Evangelos Foutras

unread,
Jan 19, 2021, 5:04:13 AMJan 19
to Jochen Eisinger, Dirk Pranke, Eric Hameleers, Chromium Embedders, chromium-packagers
In that case, what's stopping us from switching our Chromium builds to use Chrome's keys? [1] [2]

And unless you obscure Chrome's keys, how does killing our keys improve user data security?

Jochen Eisinger

unread,
Jan 19, 2021, 11:38:44 AMJan 19
to Evangelos Foutras, Dirk Pranke, Eric Hameleers, Chromium Embedders, chromium-packagers
I'm aware that you've been in contact with a Chrome team member about this, however, the Terms of Service don't allow this usage, and they didn't have authority to change the terms.

I'm also aware of the keys not being secret, but that doesn't imply that it's ok to use them for other products.

best
-jochen

Evangelos Foutras

unread,
Jan 19, 2021, 2:40:11 PMJan 19
to Jochen Eisinger, Dirk Pranke, Eric Hameleers, Chromium Embedders, chromium-packagers
The keys being public implies that user data safety is not significantly improved by limiting the keys of Linux distributions shipping Chromium.

I honestly don't see the issue if a Chromium build were to use Chrome's keys. They have been publicly known since 2012 and have not been rotated even once during the past 8 years or so. Unless you are planning to obfuscate them in the chrome binary, this is nothing more than a security theater, in my opinion.

At any rate, good job throwing your colleague(s) behind the permission to distribute our keys under the bus, and in the process alienating a potential source of quality bug reports for Linux-related issues.

And with that, I'm out. Cheers.

Jochen Eisinger

unread,
Jan 19, 2021, 3:52:32 PMJan 19
to Robert Nagy, Tom Callaway, Evangelos Foutras, Dirk Pranke, Eric Hameleers, Chromium Embedders, chromium-packagers
To reiterate, the APIs were not designed to be used by third-party software, so short of a complete rewrite, there is no unfortunately no option.

best
-jochen

On Tue, Jan 19, 2021 at 9:23 PM Robert Nagy <rob...@openbsd.org> wrote:
Hi

Just as a note, this will also affect all BSDs shipping chromium.

On 2021. Jan 19., at 20:59, Tom Callaway <spo...@gmail.com> wrote:


This is a really unfortunate result, especially for those of us (most of us) who have been maintaining chromium for our respective Linux distributions since the beginning.

Is there really no way for us to continue to access the Sync (and the other "Google Exclusive" APIs) in our Linux distribution packaged Chromium builds?

Tom

--
You received this message because you are subscribed to the Google Groups "chromium-packagers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-packag...@chromium.org.

--
You received this message because you are subscribed to the Google Groups "chromium-packagers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-packag...@chromium.org.

--
You received this message because you are subscribed to the Google Groups "chromium-packagers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-packag...@chromium.org.

Dirk Pranke

unread,
Jan 19, 2021, 4:02:00 PMJan 19
to Eric Hameleers, chromium-packagers, robert, evan...@foutrelis.com, joc...@chromium.org, Chromium Embedders, tcallawa
jochen@ represents the Chrome team on this (including the Google members of the Chromium team, which includes myself), so we're attempting for this to not be a deafening silence. This change should also not be interpreted as the result of an internal struggle or power grab.

-- Dirk

On Tue, Jan 19, 2021 at 12:56 PM Eric Hameleers <al...@slackware.com> wrote:
Well, it is obvious that this Google employee called jochen (no idea about his legal status) is adamant at alienating a community of distro packagers who for many years have been providing a service both to distro users (I repeat, the latest Chromium for Slackware is still available as a 32bit build) and to Google themselves (offering people an alternative to the Open Source Firefox and thereby increasing the number of consumers of the Google platform services which will surely have been very profitable).

Frankly, I find his statement insulting to us distro packagers and an offense to his colleagues who have collaborated with us for a long time through this Google Group to provide stable native binaries for our distros (thanks guys, really).

I can understand that Google wants to do something about abuse of their resources by commercial 3rd parties who ship embedded Chromium in their products and thus saving on infrastructure cost, but we are providing these packages for free, as a community service to users of our Linux distros which are also free. Please explain to me why this is a good thing jochen.

This is only going to convince people to switch to Firefox. At least that browser can be built from source without effort, and its users are actively encouraged to use Mozilla Sync.  When the advantage for Chromium users to be able to access their data across all platforms (Linux, Windows desktops, Android phones) is taken away from us, there is no point in continuing to provide native distro builds. The value of 'just another browser' is zero.
Jochen, should we start telling the users of our distros what is happening and point them to the Mozilla alternative?

Also, I am surprised at the deafening silence of our friends of the Google Chromium team. Are we all left to hang out and dry here? Is this an internal political struggle or power grab?

I am considering an alternative approach to just stopping with my Slackware packages - and that is to inform my users about the public availability of Google's own API keys, plus the fact that you just have to export them in your shell environment as values for the GOOGLE_API_KEY, GOOGLE_DEFAULT_CLIENT_ID and GOOGLE_DEFAULT_CLIENT_SECRET variables before you start Chromium.

Eric

Op dinsdag 19 januari 2021 om 21:23:12 UTC+1 schreef robert:

Jochen Eisinger

unread,
Jan 20, 2021, 3:28:13 AMJan 20
to Eric Hameleers, chromium-packagers, Dirk Pranke, robert, evan...@foutrelis.com, Chromium Embedders, tcallawa


On Tue, Jan 19, 2021 at 10:23 PM Eric Hameleers <al...@slackware.com> wrote:
Hi Dirk,

Good to hear that you are all in alignment over there at Google, but please address my actual questions, remarks, frustrations and doubts and ignore the sarcasm.

Eric

Op dinsdag 19 januari 2021 om 22:02:00 UTC+1 schreef Dirk Pranke:
jochen@ represents the Chrome team on this (including the Google members of the Chromium team, which includes myself), so we're attempting for this to not be a deafening silence. This change should also not be interpreted as the result of an internal struggle or power grab.

-- Dirk

On Tue, Jan 19, 2021 at 12:56 PM Eric Hameleers <al...@slackware.com> wrote:
Well, it is obvious that this Google employee called jochen (no idea about his legal status) is adamant at alienating a community of distro packagers who for many years have been providing a service both to distro users (I repeat, the latest Chromium for Slackware is still available as a 32bit build) and to Google themselves (offering people an alternative to the Open Source Firefox and thereby increasing the number of consumers of the Google platform services which will surely have been very profitable).

Guess I should have introduced myself, sorry about that. I'm a Director of Engineering at Google, working on Chrome since 2009. I'm also aware of and grateful for the work done by packagers, it's not my intent to alienate you. At the same time, I'm aware that this is unwelcome news, and I don't expect you to take it lightly.


Frankly, I find his statement insulting to us distro packagers and an offense to his colleagues who have collaborated with us for a long time through this Google Group to provide stable native binaries for our distros (thanks guys, really).

I can understand that Google wants to do something about abuse of their resources by commercial 3rd parties who ship embedded Chromium in their products and thus saving on infrastructure cost, but we are providing these packages for free, as a community service to users of our Linux distros which are also free. Please explain to me why this is a good thing jochen.

This is not a security nor an infrastructure cost decision, but we're taking this action to ensure that the user of our internal APIs is in compliance with our policies.
 

This is only going to convince people to switch to Firefox. At least that browser can be built from source without effort, and its users are actively encouraged to use Mozilla Sync.  When the advantage for Chromium users to be able to access their data across all platforms (Linux, Windows desktops, Android phones) is taken away from us, there is no point in continuing to provide native distro builds. The value of 'just another browser' is zero.
Jochen, should we start telling the users of our distros what is happening and point them to the Mozilla alternative?

I think it would be good to let your users know once you've decided how you'll react, so they in turn have time to make their decisions.


 

Also, I am surprised at the deafening silence of our friends of the Google Chromium team. Are we all left to hang out and dry here? Is this an internal political struggle or power grab?

I am considering an alternative approach to just stopping with my Slackware packages - and that is to inform my users about the public availability of Google's own API keys, plus the fact that you just have to export them in your shell environment as values for the GOOGLE_API_KEY, GOOGLE_DEFAULT_CLIENT_ID and GOOGLE_DEFAULT_CLIENT_SECRET variables before you start Chromium.

That would still be prohibited by our policies, and may be broken in the future without notice.

best
-jochen

Jonathon F

unread,
Jan 20, 2021, 12:44:10 PMJan 20
to Chromium Embedders, Chromium Embedders, chromium-packagers
My question here is, since when has Chromium been third-party software?

Linux distributions are not embedding Chromium in third-party software  - it's being built as-is directly from the source tree. There are even specific (official?) instructions for building on Arch Linux: https://chromium.googlesource.com/chromium/src/+/master/docs/linux/build_instructions.md#Arch-Linux

I can understand an API restriction where Chromium's engine is being embedded in another browser-based project (e.g. Steam, mobile apps, ...) but I really can't see how building Chromium from source is the same as embedding it in third-party software.

J

Dirk Pranke

unread,
Jan 20, 2021, 3:27:01 PMJan 20
to Jonathon F, Chromium Embedders, chromium-packagers
If you're asking in the sense of "why are we talking about this on embedder-dev@ and not chromium-packagers@", it's only to avoid cross-posting.

If you're asking in the sense of "why is Chromium considered third party software", it's in the sense that anything that is built and distributed by someone other than Google is third party (to Google), I believe.

-- Dirk

You received this message because you are subscribed to the Google Groups "Chromium Embedders" group.
To unsubscribe from this group and stop receiving emails from it, send an email to embedder-dev...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/embedder-dev/658b0ade-e1b8-4dc6-9bdb-d7582d416f63n%40chromium.org.

John Abd-El-Malek

unread,
Jan 20, 2021, 3:41:55 PMJan 20
to Dirk Pranke, Jonathon F, Chromium Embedders, chromium-packagers
Folks: I'd like to remind everyone that Chromium has a Code of Conduct. While I understand people might not be happy with this announcement, please assume the best intent of everyone involved and there's no need to be disrespectful.

Dirk Pranke

unread,
Jan 21, 2021, 4:39:49 PMJan 21
to Jonathan Nieder, Jochen Eisinger, Robert Nagy, Tom Callaway, Evangelos Foutras, Eric Hameleers, Chromium Embedders, chromium-packagers
On Thu, Jan 21, 2021 at 12:17 PM Jonathan Nieder <jrni...@gmail.com> wrote:
Hi,

> To reiterate, the APIs were not designed to be used by third-party software, so short of a complete rewrite, there is no unfortunately no option.

This looks to me like a change in approach: in the past, the Chromium project was supportive of Linux distributions building a copy of Chromium from source for people to use.

Is that no longer a goal?
Puzzled,
Jonathan

There has been no change to the browser source code per se, and you can still build a perfectly functional browser, except that now it can't use Google/Chrome Sync. 

We know this affects users on platforms where there isn't a supported version of Chrome, and probably other users as well.

-- Dirk 

Adam Goode

unread,
Jan 22, 2021, 9:23:33 AMJan 22
to Jochen Eisinger, Robert Nagy, Tom Callaway, Evangelos Foutras, Dirk Pranke, Eric Hameleers, Chromium Embedders, chromium-packagers
Can we talk about what the redesigned APIs would look like? If the old APIs are going to become restricted soon, it would be good to see if we can replace them with something that works for everyone. Distro-specific Chromium builds are important for many reasons.

Are there particular requirements that can be shared with the list?


Thanks,

Adam


You received this message because you are subscribed to the Google Groups "Chromium Embedders" group.
To unsubscribe from this group and stop receiving emails from it, send an email to embedder-dev...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/embedder-dev/CALjhuieH6fB4KK%3DFNffJxm267BW0sDiN-gAMFoVt9XzXmNfuZg%40mail.gmail.com.

Jochen Eisinger

unread,
Jan 22, 2021, 2:05:47 PMJan 22
to Jonathan Nieder, Dirk Pranke, Robert Nagy, Tom Callaway, Evangelos Foutras, Eric Hameleers, Chromium Embedders, chromium-packagers
Unrelated to the upcoming limitation of API keys, we'll likely update the way the quota limitation is implemented in the near future which would break the flow you've described.

On Fri, Jan 22, 2021 at 7:09 AM Jonathan Nieder <jrni...@gmail.com> wrote:
Dirk Pranke wrote:

> There has been no change to the browser source code per se, and you can still build a perfectly functional browser, except that now it can't use Google/Chrome Sync.
>
> We know this affects users on platforms where there isn't a supported version of Chrome, and probably other users as well.

Thanks, Dirk.

It sounds like this means two things for packagers:
- any high quality package will need to provide affected users with instructions for generating personal API keys. That way, Chromium's support for these features can still be useful, though it would require more fuss to make use of it. This makes the terms behind the API keys less murky, which seems valuable regardless (e.g., for users who plan to make use of their freedom to further modify the package they received from a distributor).
- we'll need to find a way to provide a reasonable experience for users who haven't done that yet, and to make this more discoverable.

We have a month and a half or so to work on it, which is not ideal but is better than it coming without warning.

Thanks,
Jonathan

Jochen Eisinger

unread,
Jan 22, 2021, 2:07:04 PMJan 22
to Adam Goode, Robert Nagy, Tom Callaway, Evangelos Foutras, Dirk Pranke, Eric Hameleers, Chromium Embedders, chromium-packagers
Sorry, there are currently no plans to develop alternative APIs for these features.

Lord Anton Hvornum

unread,
Jan 22, 2021, 7:26:50 PMJan 22
to Chromium Embedders, joc...@chromium.org, Robert Nagy, Tom Callaway, evan...@foutrelis.com, Dirk Pranke, eric.ha...@gmail.com, Chromium Embedders, chromium-packagers, ago...@chromium.org
Seams odd to start dropping a large portion of peoples features for something a few people did.
Why not have a trusted tier model? Users & Communities who've earned a reputation over the years, shouldn't that mean something?
Or we stopped caring when we hit 50k+ users with a steady growth because more new users come in than the old ones care to stay?

(It really grinds my gears that society is punishing the masses more and more for every little thing a few shady people do.)

I hope my passwords still Syncs actively between browser sessions, otherwise this is a deal breaker (as with many other weird things Google have done the last two years that I've put up with).

asmqb7

unread,
Jan 24, 2021, 5:24:03 AMJan 24
to Chromium Embedders, anton...@gmail.com, joc...@chromium.org, Robert Nagy, Tom Callaway, evan...@foutrelis.com, Dirk Pranke, eric.ha...@gmail.com, Chromium Embedders, chromium-packagers, ago...@chromium.org
Hi all, 

This has garnered a small but notable amount of attention over at https://news.ycombinator.com/item?id=25886218, which points to https://bodhi.fedoraproject.org/updates/FEDORA-2021-48866282e5, the release notes for the Fedora Chromium 88 package which clarify that Sync has been preemptively disabled in anticipation of the shutdown, likely to raise (necessary) awareness about the situation. As just another random Chromium user, I'm very curious about this unexpected change, like others are and even more will soon be.

The responses from the Chrome team add limited but helpful color to what appears to be a complex situation. I might be reading everything completely incorrectly, but I get the impression that Something Interesting has happened, possibly very recently, with regards to downstream consumption of the Chromium/Chromium OS open-source projects; a key consideration appears to be that every successful downstream use of the Chromium open-source project in particular has generally implemented independent sync services that do not take advantage of the existence of proprietary endpoints made available through Google servers for the purposes of adding value to Chrome and Chrome OS, and which until now have coincidentally also worked in Chromium and Chromium OS.

I have a few hopeful questions, which I understand might be based on incorrect assumptions or simply irrelevant at this point.
  1. Might some EULA clarifications concretely frame the proprietary nature of the Sync Service and its licensed use being restricted to first-party, effectively unmodified versions of Chromium/Chromium OS?

  2. Might it be useful to extend (1) to explicitly differentiate between Chromium and Chromium OS, such that distinct agreements can be applied to each?

  3. Could it be effective to transition the preexisting Linux distribution API key agreement over to a limited-access arrangement that allows trusted package maintainers to roll new key sets for successive Chromium releases, with old keys expiring after (not a misprint) 2-4 weeks? (This would effectively funnel (Chromium,Sync,Linux) users into a first-class evergreen update cadence, which can't be bad for security, and it might even get distributions into a better place too.)

  4. Given that a) the sync system is fundamentally proprietary, b) the BSD-licensed-but-effectively-source-available nature of the sync client implementation, c) all Sync features being opt-in, d) the existence of alternative browsers with first-class sync capabilities, and e) the amount of entropy that is necessarily transmitted when using Google services... might it be interesting to move the sync functionality into a proprietary add-on module that then leverages eg keybox tokens? The inspiration for this question comes from instances where I've observed Goog take a very effective spatula to authentication-related scenarios on the Android platform which (if I'm assuming correctly) may share similarities with this situation.

  5. Is it possible that the sync client implementation will be moved out of the open-source Chromium codebase in the future? This new direction makes closed-source Chrome the only inbox consumer of the open-source sync client code, with other browsers (such as Brave) coincidentally taking advantage of the fact that the code just happens to exist and works.

  6. Alternatively, would it be possible to further expand on sync/test/fake_server such that motivated individuals that wish to continue using Chromium would be able to reliably self-host their own sync services? The old Python sync server removed in 088b19e is admittedly much more accessible than the current C++ implementation, which I'm not even sure how to launch (it builds a static library?).

A couple of sidenotes/observations:
  • Up to now, ignoring branding and license restrictions, a large proportion of Linux users use Chromium on their PC and Chrome on their phone, simply because Chrome gets handed to you by the Play Store (or is already preinstalled), and Chromium gets handed to you by your distribution's package repository. You type your credentials in everywhere, and... it just works, nothing to report.

  • It's only possible to transit/export bookmarks to and from from Chrome on Android through Sync. There's no offline way to do it. Now I have to switch to Chrome on my PC if I want to coordinate the bookmarks, tabs and history on my phone going forward.

  • For the past several years Chrome Sync has provided users of both Chrome and Chromium an effective baseline password manager that everybody within the open-source Linux community has had equal access to: immediately after setting up a new machine, pulling in whatever chromium package a user's distribution provides OOTB, entering Google account credentials, and waiting a bit for tabs etc and passwords to sync, users are good to go and ready to be practically productive in the real world, using an entirely FOSS stack. This is a noteworthy service contribution to open source integration and unilateral enablement - even Debian's Chromium builds support sync, because the sync code is open source. For those users that only have basic requirements (hi), Chrome's builtin *synced* password management is great.

    Further, Google's focus on privacy enhancement has recently integrated password management into proactive breach notifications. After browsing through password_manager/ and password_manager/.../leak_detection/, I'm of the (potentially-fallible) impression that the breach notification service (which is difficult to test/examine in action externally) may continue to work for everyone, but that password change prompts will only work for users that have Sync enabled. This does make sense from a feature flow perspective.

    From the perspective of long-tail social enablement, I think it can be fairly argued that the demographic of, for example, new Linux users that don't have the motivation and/or skill to independently pursue installing a discrete password manager a) likely also aren't yet at the point of maintaining proactive security hygiene with regards to password complexity and reuse and b) may simply stop using Sync in a couple of weeks when confronted with the relative complexity of installing Chrome. These users stand to benefit the most from both the autofill-sync support Chromium has been refining since version 6.0 ten years ago, and the more recent breach notifications that apparently only provide notifications without stepping users through proactive mitigations unless Sync is enabled.

  • For some probably noteworthy number of users that hard-depend on Sync functionality for their workflows, Chromium is now going to take the place of Internet Explorer, and be installed just to have a way to click the Accept button on Chrome's EULA.

It will be hard to quantify the full impact of the network effects caused by this change.

While I'll be sticking with Chromium myself, it'll be interesting to see if the next few weeks/months bring above-average, statistically significant viewing with the browser market share stats.

With all the above considerations in mind, I propose that one effective solution to resolving the disruption and potential security implications caused by this change would be to provide privacy-focused users and groups appropriate first-class means to setup and maintain alternative sync services that are compatible with the sync client functionality currently present in Chromium.

asmqb7

highbaser

unread,
Jan 24, 2021, 7:23:40 AMJan 24
to Chromium Embedders, asm...@gmail.com, anton...@gmail.com, joc...@chromium.org, Robert Nagy, Tom Callaway, evan...@foutrelis.com, Dirk Pranke, eric.ha...@gmail.com, Chromium Embedders, chromium-packagers, ago...@chromium.org
TL;DR
  • Google has unreal, out of touch, idealist internal policies which they don't want to change because this is how they feel safe.
  • Google doesn't want its APIs used by anyone but them, because it's not designed for external usage.
  • Google doesn't want to rethink, refactor or replicate its sync API for external usage not because they didn't have their hundreds of billions of dollars to do so but because it's not their profitable interest. Less usable Chromium (without sync) means more installations of official Chrome --- which is closed-source BTW so it controls the user instead of letting the user control the software.
  • Google has profited well of free labor done by the open-source community Chromium developers. Now it's time to spit them in the face and turn away from them, then focus only on corporate interests, policies and profit.
I'm kind of happy that this has finally happened as Chromium maintainers will need to create their own sync servers so that all of our personal data (browser history, account information, passwords, cookies, etc.) will go somewhere else than Google's servers where it's analyzed by their AI and used for our profiling, surveillance and manipulation through advertisements.

2021 is still holding 2020's beer. :)

Peace

Eric Hameleers

unread,
Jan 24, 2021, 9:59:36 AMJan 24
to Chromium Embedders, highbaser, asm...@gmail.com, anton...@gmail.com, joc...@chromium.org, Robert Nagy, Tom Callaway, evan...@foutrelis.com, Dirk Pranke, Eric Hameleers, Chromium Embedders, chromium-packagers, ago...@chromium.org
highbaser,  I do not know where you developed that idea that "Chromium maintainers will need to create their own sync servers". Chromium is being maintained by Google so your remark is irrelevant. If you meant to say "Chromium package maintainers" then your remark shows ignorance about what a distro packager actually does.

If someone starts a project to create a truly open Sync server for Chromium then I would consider packaging it for Slackware of course. The Brave project has built a Sync server for their Chromium-based Brave browser: https://github.com/brave/go-sync and it is open source but uses Amazon Cloud for their database backend storage. Understandable since they offer this for a potentially large group of users. But like Mozilla's original Weave sync server, I would like for a Chromium Sync server to be written in such a way that it can be self-hosted. I only trust myself.
Perhaps highbaser, you can start such a project. Put your money where your mouth is, so to speak.

Eric

Op zondag 24 januari 2021 om 13:23:40 UTC+1 schreef highbaser:

Paweł Hajdan Jr.

unread,
Jan 25, 2021, 4:18:18 AMJan 25
to Eric Hameleers, Chromium Embedders, highbaser, asm...@gmail.com, anton...@gmail.com, joc...@chromium.org, Robert Nagy, Tom Callaway, evan...@foutrelis.com, Dirk Pranke, Eric Hameleers, chromium-packagers, ago...@chromium.org
FYI, the 2013 special terms, additional quota, and exact wording of the email I sent to packagers passed the internal approval process, including legal, engineering, and VP-level management.

If this reversal was better communicated, we could have a less confrontational, more productive conversation. I recognize that everyone seeks to do the right thing though: protect user data, and offer users a great web browser experience that is 100% open source.

How about giving users an option to allow Chromium access (opt-in) - is that a possible path forward?

Best,
Paweł

Jochen Eisinger

unread,
Jan 25, 2021, 4:35:12 AMJan 25
to Paweł Hajdan Jr., Eric Hameleers, Chromium Embedders, highbaser, asm...@gmail.com, anton...@gmail.com, Robert Nagy, Tom Callaway, evan...@foutrelis.com, Dirk Pranke, Eric Hameleers, chromium-packagers, ago...@chromium.org
Hey Pawel,

On Mon, Jan 25, 2021 at 10:18 AM Paweł Hajdan Jr. <phajd...@chromium.org> wrote:
FYI, the 2013 special terms, additional quota, and exact wording of the email I sent to packagers passed the internal approval process, including legal, engineering, and VP-level management.

If this reversal was better communicated, we could have a less confrontational, more productive conversation. I recognize that everyone seeks to do the right thing though: protect user data, and offer users a great web browser experience that is 100% open source.

How about giving users an option to allow Chromium access (opt-in) - is that a possible path forward?

Unfortunately, this is not an option (Jonathan also suggested that somewhere up thread). If I had a better option to offer, believe me, I would have shared that already.

best
-jochen

Lord Anton Hvornum

unread,
Jan 25, 2021, 4:54:56 AMJan 25
to Chromium Embedders, joc...@chromium.org, eric.ha...@gmail.com, Chromium Embedders, highbaser, asm...@gmail.com, Lord Anton Hvornum, Robert Nagy, Tom Callaway, evan...@foutrelis.com, Dirk Pranke, chromium-packagers, ago...@chromium.org, phajd...@chromium.org
Mind sharing what the blocker is for such a feature?
Is it the complexity of protecting users while still allowing sync functionality?

If I opt in by signing in with my Google account to enable sync, wouldn't certificate pinning (against google PKI) be a valid protection against evil logins wouldn't signing a browser binary and having a submission process protect the bulk if not all users?
If people create fake drop sites and removes the pinning and features etc, having a limited verification process for trusted communities and communities with perhaps a large amount of "followers" (like youtube has for their monetization plans) ensure no malicious miss-configurations are done. Users can ALWAYS circumvent this by creating fake versions of everything, including Google Chrome, but you have to trust someone - and I trust my maintainer group's official repositories. So should Google.

I doubt that <insert favorite Linux dist> would want to break these terms and risk being banned from all google related services such as indexing and potential hosting services.

---

tl;dr: What are we trying to combat with this "feature" really?
It's open source - why not source crowd ideas for solutions instead of just stone walling?

Evangelos Foutras

unread,
Jan 25, 2021, 6:49:52 AMJan 25
to Jochen Eisinger, Paweł Hajdan Jr., Eric Hameleers, Chromium Embedders, highbaser, asm...@gmail.com, anton...@gmail.com, Robert Nagy, Tom Callaway, Dirk Pranke, Eric Hameleers, chromium-packagers, ago...@chromium.org
On Mon, 25 Jan 2021 at 11:35, Jochen Eisinger <joc...@chromium.org> wrote:
Unfortunately, this is not an option (Jonathan also suggested that somewhere up thread). If I had a better option to offer, believe me, I would have shared that already.

So nothing is an option for you, other than shipping Chromium without Google functionality. Because only Chrome users are important enough to deserve unnecessary features such as "Safe Browsing". How awful of 2013's "legal, engineering, and VP-level management" to allow Chromium users to enjoy Safe Browsing and their data synced across their devices. Even more so, considering "they didn't have authority to change the terms" as you say.

Does the Chrome team seriously suggest it is OK to ship Chromium to users without Safe Browsing?

Jochen Eisinger

unread,
Jan 25, 2021, 6:59:31 AMJan 25
to Evangelos Foutras, Paweł Hajdan Jr., Eric Hameleers, Chromium Embedders, highbaser, asm...@gmail.com, anton...@gmail.com, Robert Nagy, Tom Callaway, Dirk Pranke, Eric Hameleers, chromium-packagers, ago...@chromium.org
The change we announced impacts the ability to "Sign into Chrome" and consequently first party features that depend on being signed into Chrome. This does not include Safe Browsing, which doesn't depend on being signed into Chrome, and is available to third parties for non-commercial use (cf https://developers.google.com/safe-browsing).
 

--
You received this message because you are subscribed to the Google Groups "Chromium Embedders" group.
To unsubscribe from this group and stop receiving emails from it, send an email to embedder-dev...@chromium.org.

Evangelos Foutras

unread,
Jan 25, 2021, 7:24:39 AMJan 25
to Jochen Eisinger, Paweł Hajdan Jr., Eric Hameleers, Chromium Embedders, highbaser, asm...@gmail.com, anton...@gmail.com, Robert Nagy, Tom Callaway, Dirk Pranke, Eric Hameleers, chromium-packagers, ago...@chromium.org
On Mon, 25 Jan 2021 at 13:59, Jochen Eisinger <joc...@chromium.org> wrote:
The change we announced impacts the ability to "Sign into Chrome" and consequently first party features that depend on being signed into Chrome. This does not include Safe Browsing, which doesn't depend on being signed into Chrome, and is available to third parties for non-commercial use (cf https://developers.google.com/safe-browsing).

Safe Browsing API is listed at [1] and receives over 5 million requests per day according to the Cloud Console. It is not clear that it will continue to work after our API keys are limited and/or removed. Furthermore, "available to third parties for non-commercial use" is not sufficient for Linux distributions.

Jochen Eisinger

unread,
Jan 25, 2021, 2:16:34 PMJan 25
to Evangelos Foutras, Paweł Hajdan Jr., Eric Hameleers, Chromium Embedders, highbaser, asm...@gmail.com, anton...@gmail.com, Robert Nagy, Tom Callaway, Dirk Pranke, Eric Hameleers, chromium-packagers, ago...@chromium.org
This is a (partial) list of APIs Chrome depends on, including APIs available to third parties. The changes we announced affect the OAuth 2.0 client id and secret which are used for signing into Chrome, not the API key.

--
You received this message because you are subscribed to the Google Groups "chromium-packagers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-packag...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-packagers/CAA407my9xjqw2EwUM7LBF4dtjnX2CKVuFN_S7ndFyexF8tmcaw%40mail.gmail.com.

Tony Ditchfield

unread,
Jan 25, 2021, 2:30:50 PMJan 25
to chromium-packagers, joc...@chromium.org, phajd...@chromium.org, al...@slackware.com, Chromium Embedders, highbaser, asm...@gmail.com, anton...@gmail.com, robert, tcallawa, Dirk Pranke, chromium-packagers, ago...@chromium.org, evan...@foutrelis.com, chromium-...@chromium.org
Hi All

For devs of Chromium OS, removal of the client_id and secret results in no ability to login at all. I appreciate this may need to be posted in Chromium OS Discussions  (cc'ed) but thought it better to continue the thread here rather than splinter it, since its the same topic we are discussing.

Lack of login is of course pretty fundamental ;-). Are Google saying that open source development of Chromium OS is now dead, unless just the guest account is used?

If we enable billing for the API noted in the email, would that allow use of the API fully again? Is there a process to become an official vendor of either ChromiumOS of Chromium to allow the continued use of the API?

Apologies for any duplication on questions etc, a bit late to this conversation!

Jochen Eisinger

unread,
Jan 25, 2021, 3:24:27 PMJan 25
to Tony Ditchfield, chromium-packagers, phajd...@chromium.org, al...@slackware.com, Chromium Embedders, highbaser, asm...@gmail.com, anton...@gmail.com, robert, tcallawa, Dirk Pranke, ago...@chromium.org, evan...@foutrelis.com, chromium-...@chromium.org
Hey,

you can continue to use the client id and secret for development, but not for distribution. Additional quota for first party APIs is not available for purchase.

best
-jochen

Tony Ditchfield

unread,
Jan 25, 2021, 3:38:03 PMJan 25
to Chromium Embedders, joc...@chromium.org, chromium-packagers, phajd...@chromium.org, eric.ha...@gmail.com, Chromium Embedders, highbaser, asm...@gmail.com, anton...@gmail.com, robert, tcallawa, Dirk Pranke, ago...@chromium.org, evan...@foutrelis.com, Tony Ditchfield
Thanks for the clarification Jochen, its appreciated!

Eric Hameleers

unread,
Jan 25, 2021, 4:32:13 PMJan 25
to chromium-packagers, joc...@chromium.org, phajd...@chromium.org, Eric Hameleers, Chromium Embedders, highbaser, asm...@gmail.com, anton...@gmail.com, robert, tcallawa, Dirk Pranke, chromium-packagers, ago...@chromium.org, evan...@foutrelis.com
I see relevance in the fact that if I look at my Cloud Console and open the page for Chrome Sync API, what does the the API description say?
I quote: "Google Chrome Sync API for use in Chromium."
You can keep replying with empty words all day long but in the end you're just throwing all of us Chromium distro packagers under the bus jochen.
I will not package and distribute a Chromium for Slackware if that package is crippled by absence of login to Chrome Sync. I will not package a Chromium build with Google's own ID and secret embedded. Instead I will do the right thing: advise people not to use Chrome but switch to Firefox, just like Fedora is already telling their users.
There's still an opportunity for you to come around and work something out with this community, but the window is closing. Start with telling the truth about why you are doing this to us packagers and the communities we serve. And stop selling the audit bullshit please. Pawel stated clearly that the agreement between Google and distro packagers was sanctioned by your own legal department and at VP level too. So I want legal statements from Google and a statement from a Google VP why you are disserving us now.

Eric

Op maandag 25 januari 2021 om 12:59:32 UTC+1 schreef joc...@chromium.org:

Dirk Pranke

unread,
Jan 25, 2021, 4:47:46 PMJan 25
to Eric Hameleers, chromium-packagers, joc...@chromium.org, phajd...@chromium.org, Eric Hameleers, Chromium Embedders, highbaser, asm...@gmail.com, anton...@gmail.com, robert, tcallawa, ago...@chromium.org, evan...@foutrelis.com
Hello Eric,

Speaking now with my community-manager hat on ...

On Mon, Jan 25, 2021 at 1:32 PM Eric Hameleers <al...@slackware.com> wrote:
I see relevance in the fact that if I look at my Cloud Console and open the page for Chrome Sync API, what does the the API description say?
I quote: "Google Chrome Sync API for use in Chromium."
You can keep replying with empty words all day long but in the end you're just throwing all of us Chromium distro packagers under the bus jochen.

You have been warned once already, but I will remind you again that we ask everyone on this forum to abide by the Chromium Code of Conduct. The statement above, and your statement below about "selling the audit" do not. 

I understand that this is a frustrating topic, but please refrain from personal attacks and please be respectful.

Best,

-- Dirk

Evangelos Foutras

unread,
Jan 26, 2021, 7:56:28 AMJan 26
to Jochen Eisinger, Chromium Embedders, chromium-packagers
On Mon, 25 Jan 2021 at 21:16, Jochen Eisinger <joc...@chromium.org> wrote:
This is a (partial) list of APIs Chrome depends on, including APIs available to third parties. The changes we announced affect the OAuth 2.0 client id and secret which are used for signing into Chrome, not the API key.

You have maintained that our Chromium builds are prohibited from using Google APIs. This includes the API key, in addition to the OAuth 2.0 credentials. Unless you are now saying that the API key is fine to keep (based on which section of the Terms of Service?), then you are directing distribution maintainers to ship Chromium without Safe Browsing (among all the other lost functionality). [1] [2]

You can't randomly pick which credentials you want to limit, which go against the ToS and which are fine. Either Chromium is no longer a viable package for Linux and BSD distributions, or the Chrome team needs to come up with a way to keep these Chromium builds functional. If you don't want to bother with the latter, Chrome's keys can be used instead, which is allowed by the ToS exception given to us in 2013. [3] [4]

As a fun addendum, half of the responses so far read like "OK, too bad, so sad". [*]

[1] In my quick testing, Chromium without API keys fails to recognize links on https://testsafebrowsing.appspot.com/ as dangerous
[2] Not to mention the annoying warning with missing keys ("API keys are missing. Some functionality of Chromium will be disabled.")
[3] "Official permission to include Google API keys in your packages and to distribute these packages." seems pretty clear to me
[4] Unless, of course, the "legal, engineering, and VP-level management" of 2013 really "didn't have authority to change the terms"

Jochen Eisinger

unread,
Jan 26, 2021, 9:06:00 AMJan 26
to Evangelos Foutras, Chromium Embedders, chromium-packagers
On Tue, Jan 26, 2021 at 1:56 PM Evangelos Foutras <evan...@foutrelis.com> wrote:
On Mon, 25 Jan 2021 at 21:16, Jochen Eisinger <joc...@chromium.org> wrote:
This is a (partial) list of APIs Chrome depends on, including APIs available to third parties. The changes we announced affect the OAuth 2.0 client id and secret which are used for signing into Chrome, not the API key.

You have maintained that our Chromium builds are prohibited from using Google APIs. This includes the API key, in addition to the OAuth 2.0 credentials. Unless you are now saying that the API key is fine to keep (based on which section of the Terms of Service?), then you are directing distribution maintainers to ship Chromium without Safe Browsing (among all the other lost functionality). [1] [2]

The change affects first party APIs, you're welcome to continue to use third party Google APIs with your API key. You can configure which APIs you use with your key on https://cloud.google.com/console. The chromium code should fail gracefully if a given API is missing from the key, or if the API runs out of quota. The first party APIs are marked "private" in the API console, and in general only available if the owner of the project is subscribed to chromi...@chromium.org. I hear the feedback that a more complete list of APIs currently used by chromium and whether or not they're publicly available. I'll see to get that page updated.

The OAuth 2.0 credentials are used in chromium to get LSTs which are then used to mint tokens for other authenticated APIs. While not all authenticated APIs used by chromium are first party APIs, the one that gets the LST and that we'll restrict in mid March is a first party API.

To avoid using that API, it's sufficient to either not set the OAuth 2.0 credentials, or disabling the Google signin integration, e.g., via command line flags as described in the email you've received.


You can't randomly pick which credentials you want to limit, which go against the ToS and which are fine. Either Chromium is no longer a viable package for Linux and BSD distributions, or the Chrome team needs to come up with a way to keep these Chromium builds functional. If you don't want to bother with the latter, Chrome's keys can be used instead, which is allowed by the ToS exception given to us in 2013. [3] [4]

We never granted permission to use Chrome's API key for third party software. Also, the OAuth 2.0 integration was introduced in Chrome 69 in 2018.

Evangelos Foutras

unread,
Jan 26, 2021, 12:34:18 PMJan 26
to Jochen Eisinger, Chromium Embedders, chromium-packagers
On Tue, 26 Jan 2021 at 16:06, Jochen Eisinger <joc...@chromium.org> wrote:
you're welcome to continue to use third party Google APIs with your API key

Are you sure about that? The Terms of Service seem to prohibit it (unless you take into account the exception from 2013 which you said they didn't have the authority to give). You also wrote that Safe Browsing is free for non-commercial use, for which Chromium used in a work environment might not qualify.

Fedora also dropped all keys so I'm guessing their users are now getting Unsafe Browsing after the Chromium 88 update.

The chromium code should fail gracefully if a given API is missing from the key, or if the API runs out of quota

Safe Browsing does not work without an API key so as far as I'm concerned, the Chromium code by itself will only be good for Chromium development after March 15.

We never granted permission to use Chrome's API key for third party software.

Is Chrome's API key a Google API key? Then we have "permission to include Google API keys in your packages and to distribute these packages".

You said you're not a lawyer and can't give legal advice. I'm not a lawyer either but the above permission seems good enough to me.

Also, the OAuth 2.0 integration was introduced in Chrome 69 in 2018.

Both Arch's and Chrome's OAuth 2.0 Client IDs date back to (at least) 2013. I'm not sure where you're going with the 2018 year.

Evangelos Foutras

unread,
Jan 26, 2021, 1:19:10 PMJan 26
to Jochen Eisinger, Chromium Embedders, chromium-packagers
And a fun fact: If you go to https://www.google.com/chrome/ and click "Download Chrome" it says:

  "Not Debian/Ubuntu or Fedora/openSUSE? There may be a community-supported version for your distribution here."


"Some Linux distributions package up Chromium for easy installation." -- Yeah, back when you had different leadership I guess. 🙂

The Chrome download and the "Linux Chromium Packages" pages are going to need a huge disclaimer about the degraded functionality and security.

Jochen Eisinger

unread,
Jan 27, 2021, 10:46:55 AMJan 27
to Evangelos Foutras, Chromium Embedders, chromium-packagers
Hey,


On Tue, Jan 26, 2021 at 6:34 PM Evangelos Foutras <evan...@foutrelis.com> wrote:
On Tue, 26 Jan 2021 at 16:06, Jochen Eisinger <joc...@chromium.org> wrote:
you're welcome to continue to use third party Google APIs with your API key

Are you sure about that? The Terms of Service seem to prohibit it (unless you take into account the exception from 2013 which you said they didn't have the authority to give). You also wrote that Safe Browsing is free for non-commercial use, for which Chromium used in a work environment might not qualify.

Fedora also dropped all keys so I'm guessing their users are now getting Unsafe Browsing after the Chromium 88 update.

I asked the Safe Browsing API team to clarify on their public documentation that the use of the SB API in chromium browsers continues to be permissible.

Again, we're not asking you to change the API key, but to either build without the OAuth 2.0 client id and secret or to disable the Google signin integration. 


The chromium code should fail gracefully if a given API is missing from the key, or if the API runs out of quota

Safe Browsing does not work without an API key so as far as I'm concerned, the Chromium code by itself will only be good for Chromium development after March 15.

We never granted permission to use Chrome's API key for third party software.

Is Chrome's API key a Google API key? Then we have "permission to include Google API keys in your packages and to distribute these packages".

I'm not sure where you're trying to go with this question. I think I've made myself sufficiently clear.


You said you're not a lawyer and can't give legal advice. I'm not a lawyer either but the above permission seems good enough to me.

Also, the OAuth 2.0 integration was introduced in Chrome 69 in 2018.

Both Arch's and Chrome's OAuth 2.0 Client IDs date back to (at least) 2013. I'm not sure where you're going with the 2018 year.

Sorry, you're right about the OAuth 2.0 client id existing before. I was referring to the API we currently use to get LSTs (the one we're changing) which was introduced in 2018.
 

Tony Ditchfield

unread,
Jan 28, 2021, 1:20:57 PMJan 28
to Chromium Embedders, joc...@chromium.org, Chromium Embedders, chromium-packagers, evan...@foutrelis.com
RE: "Again, we're not asking you to change the API key, but to either build without the OAuth 2.0 client id and secret or to disable the Google signin integration. "

So we are OK to disable all the API calls marked as private and can still embed the API client_id and secret? We aren't distributing the id and secret as such since its embedded within the binary.

Jochen Eisinger

unread,
Jan 28, 2021, 3:51:28 PMJan 28
to Ross Martin, chromium-packagers, al...@slackware.com, Chromium Embedders, highbaser, asm...@gmail.com, anton...@gmail.com, robert, tcallawa, evan...@foutrelis.com, Dirk Pranke, ago...@chromium.org, phajd...@chromium.org
Let me try to clarify: The exceptions some distros got back then were sound back then, but after the most recent review, we concluded that we can no longer grant this exception. My point was that there wasn't a change in our official terms, they never allowed for that use. That doesn't imply that the exception given back then was not valid. But it also doesn't imply that we can't or shouldn't reconsider our position as the environment we operate in evolves.

On Wed, Jan 27, 2021 at 11:54 PM Ross Martin <ross....@ieee.org> wrote:

Was this 2013 email really backed by a Google Vice President with full company vetting?  It seems like the truth of this is agreed upon by all parties.  Wow.  It's hard for me to imagine a more real-seeming commitment than that.

Yet according to the Googlers in this thread, the apparent commitments in these 2013 emails were not real commitments, however real-seeming.  (I hope I have accurately summarized the position.)  Yet doesn't taking this position seem a little like opening Pandora's Box?

If Google continues with this, every Open Source project will have to ask the question that if these emails for Chromium are not considered to be a real commitment by Google, then are Google's commitments to their project real?   What would a real commitment from Google even look like, that it might be stronger than these 2013 emails?  I don't know what actions each Open Source project might take to protect the Open Source community from Google after that, but certainly any actions taken won't be in Google's favor, and considerable ill-will will be generated towards Google where there was none before.

I wonder:  Has Google approved this action with full knowledge of the existence of the real-seeming commitments it had made, how denying those commitments might affect its relationship with the larger Open Source community, and how poor relations with the Open Source community might affect more of its customers and products than just Chrome?

Perhaps these other aspects should be considered for a while before implementation?

Jochen Eisinger

unread,
Jan 28, 2021, 3:55:55 PMJan 28
to Tony Ditchfield, Chromium Embedders, chromium-packagers, evan...@foutrelis.com
On Thu, Jan 28, 2021 at 7:21 PM Tony Ditchfield <tony.di...@gmail.com> wrote:
RE: "Again, we're not asking you to change the API key, but to either build without the OAuth 2.0 client id and secret or to disable the Google signin integration. "

So we are OK to disable all the API calls marked as private and can still embed the API client_id and secret? We aren't distributing the id and secret as such since its embedded within the binary.

I assume you refer to the passage in the Google developer API terms of service about how the keys and secrets have to be handled? I would assume that embedding them in the binary similar to what Chrome does is sufficient.

If this question refers to a chromium derivative, if you set a client_id and secret, you'll have to make sure that the Google signin code is disabled, e.g., by passing the flag --allow-browser-signin=false as the signin integration does not fail gracefully once the quota on the API is exceeded.
 

On Wednesday, 27 January 2021 at 15:46:55 UTC joc...@chromium.org wrote:
Hey,


On Tue, Jan 26, 2021 at 6:34 PM Evangelos Foutras <evan...@foutrelis.com> wrote:
On Tue, 26 Jan 2021 at 16:06, Jochen Eisinger <joc...@chromium.org> wrote:
you're welcome to continue to use third party Google APIs with your API key

Are you sure about that? The Terms of Service seem to prohibit it (unless you take into account the exception from 2013 which you said they didn't have the authority to give). You also wrote that Safe Browsing is free for non-commercial use, for which Chromium used in a work environment might not qualify.

Fedora also dropped all keys so I'm guessing their users are now getting Unsafe Browsing after the Chromium 88 update.

I asked the Safe Browsing API team to clarify on their public documentation that the use of the SB API in chromium browsers continues to be permissible.

Again, we're not asking you to change the API key, but to either build without the OAuth 2.0 client id and secret or to disable the Google signin integration. 


The chromium code should fail gracefully if a given API is missing from the key, or if the API runs out of quota

Safe Browsing does not work without an API key so as far as I'm concerned, the Chromium code by itself will only be good for Chromium development after March 15.

We never granted permission to use Chrome's API key for third party software.

Is Chrome's API key a Google API key? Then we have "permission to include Google API keys in your packages and to distribute these packages".

I'm not sure where you're trying to go with this question. I think I've made myself sufficiently clear.


You said you're not a lawyer and can't give legal advice. I'm not a lawyer either but the above permission seems good enough to me.

Also, the OAuth 2.0 integration was introduced in Chrome 69 in 2018.

Both Arch's and Chrome's OAuth 2.0 Client IDs date back to (at least) 2013. I'm not sure where you're going with the 2018 year.

Sorry, you're right about the OAuth 2.0 client id existing before. I was referring to the API we currently use to get LSTs (the one we're changing) which was introduced in 2018.
 

--
You received this message because you are subscribed to the Google Groups "Chromium Embedders" group.
To unsubscribe from this group and stop receiving emails from it, send an email to embedder-dev...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/embedder-dev/e5d20c24-8231-41e1-864a-b97dd817b83bn%40chromium.org.

Tony Ditchfield

unread,
Jan 28, 2021, 4:09:38 PMJan 28
to Jochen Eisinger, Chromium Embedders, chromium-packagers, evan...@foutrelis.com
Thanks, you assume correctly!. 

It's specifically to do with chromiumos. Without the client_id and secret, one cannot use the OS at all, unless using a guest account...

I'm pretty sure that should still work with  --allow-browser-signin=false as you note...

Jochen Eisinger

unread,
Jan 28, 2021, 4:17:04 PMJan 28
to Tony Ditchfield, Chromium Embedders, chromium-packagers, evan...@foutrelis.com
Yes, for Chromium OS you'll indeed need to set the client id and secret to be able to log in with a Google Account. The --allow-browser-signin flag only affects chromium, on chromium os, the browser gets the LST from the OS.

Note, however, that the restriction to only use this for development still applies. 

Alberto Salvia Novella

unread,
Feb 8, 2021, 6:27:55 PMFeb 8
to Chromium Embedders, joc...@chromium.org, Chromium Embedders, chromium-packagers, evan...@foutrelis.com, tony.di...@gmail.com
You are letting yourselves be too distracted by the details and the politics.

Having the sync functionalities on unmodified Chromium builds is what maximizes value to the user.

And policies, technologies and business models shall accommodate that end purpose.

Alberto Salvia Novella

unread,
Feb 8, 2021, 7:52:01 PMFeb 8
to Chromium Embedders, Alberto Salvia Novella, joc...@chromium.org, Chromium Embedders, chromium-packagers, evan...@foutrelis.com, tony.di...@gmail.com
Allowing distros to build their own packages is crucial. The goal is warranting that the binaries always match the source code.

Instead of blindly trusting that nobody sneaked something malicious into the binaries, being that the provider of the software itself or some attacker tacking over their infrastructure.

That anyone is warranted to know that any piece of software they have on their devices is transparent and well intended, despite of faith on the software provider.

This is the true potential of the Linux development model, and their users won't give up on it that easily. Most people will rather jump wagon than returning back to those ways.

Jochen Eisinger

unread,
Feb 15, 2021, 5:45:04 AMFeb 15
to Seongbin BAK, chromium-packagers, Chromium Embedders, evan...@foutrelis.com, tony.di...@gmail.com
Hey,

Access to first-party APIs was never available commercially or as part of a partnership deal, and we're not changing that this time.

best
-jochen


On Mon, Feb 15, 2021 at 5:10 AM Seongbin BAK <seon...@wayne-inc.com> wrote:
OK Jochen. My company need the Chrome Sync API sincerely.
For using the restricted API, What should third-party do?
Have to pay? or should become official partner of Google?
Could you tell me contact information for payment or partnership?
You received this message because you are subscribed to the Google Groups "chromium-packagers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-packag...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-packagers/a6c58a3a-d7e9-4b0d-8974-eac23bf65efen%40chromium.org.

Alberto Salvia Novella

unread,
Feb 15, 2021, 4:26:31 PMFeb 15
to Chromium Embedders, joc...@chromium.org, chromium-packagers, Chromium Embedders, evan...@foutrelis.com, tony.di...@gmail.com, Seongbin BAK
You know, this works like this:

If we have another web browser which we can still compile it ourselves and it has sync functionalities, and Chromium doesn't, we simply move to what makes better service to us.

You make your decisions, we make ours.

Lets be honest, if you choose to do it this way it is only because you choose to. It's the model you want to implement.

That model we don't want. Sure you will find plenty of people that don't mind, but we are not that people.

Jochen Eisinger

unread,
Mar 1, 2021, 4:02:34 AMMar 1
to Seongbin BAK, chromium-packagers, Chromium Embedders, tony.di...@gmail.com
On Mon, Mar 1, 2021 at 9:48 AM Seongbin BAK <seon...@wayne-inc.com> wrote:
On Friday, January 29, 2021 at 6:17:04 AM UTC+9 joc...@chromium.org wrote:
Yes, for Chromium OS you'll indeed need to set the client id and secret to be able to log in with a Google Account. The --allow-browser-signin flag only affects chromium, on chromium os, the browser gets the LST from the OS.

Note, however, that the restriction to only use this for development still applies. 
@Jochen. Can I ask exact meaning of the restriction?
Do you mean that using google_default_client_id google_default_client_secret with the --allow-browser-signin=false flag in Chromium OS is allowed only for development/test? not allowed for Chromium OS derivation distribution?

Yes, that's correct. Note that due to the rate limit on regular OAuth 2.0 clients, only a small number of users could sign in into the derivative anyways.

Also note that --allow-browser-signin is a Chromium only flag, as far as I know it doesn't affect Chromium OS. 

Jochen Eisinger

unread,
Mar 5, 2021, 8:21:18 AMMar 5
to Seongbin BAK, chromium-packagers, Chromium Embedders


On Fri, Mar 5, 2021 at 11:07 AM Seongbin BAK <seon...@wayne-inc.com> wrote:
Q1: Do you mean the flag (--allow-browser-signin=false) only works with standalone Chromium? The flag doesn't work with Chromium which is in CROS?
Correct
 

Q2: Could I ask exact role of Chrome Sync?
Is it affects to only Chromium browser (bookmark, history, extension)?
Or also affect to user's setting of CROS (language, apps in drawer, wallpaper)?

The change affects the LST API, without a LST, Chrome Sync but also CrOS settings syncing doesn't work.
 

Q3: How much will Oauth2.0 rate limit be decreased since 2021-03-15?
Now (2021-03-05) Oauth rate limits in GCP > OAuth consent screen is ... 100 user cap & 10,000,000 grants per day (request Oauth rate limit increase is available).

The LST API is different from the public OAuth 2.0 API. Note that we'll switch from a quota approach to an allow-list approach where accounts that want to use this API need to be subscribed to a mailing list.

Eric Hameleers

unread,
Mar 11, 2021, 1:37:44 PMMar 11
to chromium-packagers, Ross Martin, jrni...@gmail.com, chromium-packagers, joc...@chromium.org, Eric Hameleers, Chromium Embedders, highbaser, asm...@gmail.com, anton...@gmail.com, robert, tcallawa, evan...@foutrelis.com, Dirk Pranke, ago...@chromium.org, phajd...@chromium.org
Now that the 15 March deadline is almost upon us, I want to ask:

Of all the Chromium Distro Packagers subscribed to this thread, who still intends to offer regular Chromium packages after 15 March? Without or with your distro-specific API Key?

I have been offering un-googled versions of Chromium since my radio silence here which was caused by the abrasive reactions from Google officials. My users are happy with the switch, and while I myself am not happy with this outcome (I still prefer to have been allowed to retain a fully functional Chromium package that can use Chrome Sync) I can work around the worst of it using a select number of extensions: KeepassXC, XBrowserSync and UBlock Origin. I would really hate to drop Chromium, I think it has been among the best browser experiences for a long time.
I am not an advocate of using the official Chrome API key and OAuth secret in my Chromium builds, therefore un-Googling of the source code to me is an acceptable compromise - if I am not allowed to use Google's services then Google should not be able collect my usage data patterns either.

If you are willing to share thoughts and experiences about packaging and supporting an un-Googled Chromium for your own distro's users, contact me (alien at slackware dot com) or post a comment on my blog if you prefer: https://alien.slackbook.org/blog/how-to-un-google-your-chromium-browser-experience/

Thanks, especially to those of the Chromium team who have helped out in the past when distro packagers ran into issues. It was (and is!) much appreciated. Eric

Op maandag 1 februari 2021 om 17:28:26 UTC+1 schreef Ross Martin:
I'd like to make one followup, since something else in this thread is bothering me.  It's this:

> Jonathan:  Hope that helps,

This may be just a signature line of yours Jonathan, but it occurs to me that in general people don't realize what might help here.  If people at Google really want to help, there are a number of things that will make this better.  The first and most obvious is to undo this decision.  I've outlined why I think it's a bad decision and why Google may not have fully thought out the consequences.  However, if Google is determined in this action, there are still some things that Google could do that might help.  I'll outline them in a series of steps below.

In thinking about these steps, realize that what Google is doing here will be judged.  So basically, the steps that might mitigate this action are the same steps that might mitigate a crime as viewed by a judge.  Some of these are 1. Recognition, 2. Intent, 3. Contrition, 4. Recompense.

1. Recognition.  It's necessary for Google to recognize that it's doing something bad here.  If Google doesn't recognize it's doing something bad, it's hard to do anything else to fix it.  So far in this forum, it seems like the full recognition of the essential badness of this action isn't recognized by Google, and that limits what Google can do to repair the damage.  In a court of law for a crime, someone who can't even recognize their crime might be ruled incompetent to serve trial and be sent to an insane asylum.  I'm not sure what the corresponding analogy is to this action by Google, but clearly Google needs to admit its fault before other mitigations can occur.

2. Intent.  So far, it seems that Google is masking its intent regarding why it is doing this.  In a murder trial it matters whether it's first degree, second degree, or third degree.  If Google is not open about its intent, Google's intent will likely be interpreted as being the most nefarious possible.  We might assume, for example, that Google is trying some power play in the browser market, and that actions against Firefox are next.  Please don't tell us that this isn't correct and expect anyone to believe it.  As we've determined, a Google VP can't be believed, so why would anyone believe a random comment from a Google employee in a discussion?  To regain any credibility here, Google needs to put its thoughts, intent, and strategies on the line here to tell us what's really going on.

3. Contrition.  Some statements from the Google VP level about how they're at least sorry to break their commitments might be helpful in attaining some forgiveness.  Right now, it seems like Google has no care and no remorse.

4. Recompense.  It seems Google has thought little about the effects these unilateral actions might have on others, the damage it might cause, or the steps that Google might take to mitigate or reverse that damage.  There's time to figure it out, but perhaps not a lot of time.

There may be some other steps that I've omitted.  I think however if you follow this criminal analogy those steps can be ferreted out.

I think that things said by Google so far in this forum have been mostly harmful, not helpful.  In particular, the attempts to defend this action as something reasonable and acceptable are in complete violation of Recognition.

Regards,

Ross


On Sunday, January 31, 2021 at 7:36:51 PM UTC-7 Ross Martin wrote:

> Ross:  What I understand you to be saying here is that if anyone wants to get a commitment from Google that Google actually keeps, it has to be in official terms
> Jonathan:  This seems like an extreme reading.

This isn't an extreme reading of Google's actions -- it's the only possible reading of them.  If you think differently, please give an example of a commitment that Google would feel obliged to keep that's short of a legally binding one.  I'm not coming up with anything, and if there's nothing it proves the point.

I believe we've established that an official letter from a VP with legal vetting isn't enough to be a commitment that Google will keep.  So what's enough?  Two VPs?  Three?  Maybe the President of Google?

Maybe if back in 2013 the Chromium developers had negotiated changes to the Official Terms?  Of course, Google could just change those terms, so that doesn't work either.  Unless perhaps the terms were unalterable.  But that means they were legally binding, which goes back to something legally binding being the only commitment that it appears Google will keep.

Don't Google's actions here basically proclaim that Google won't honor any non-legally-binding commitments to Open Source?  (Or will only honor them at its pleasure, which is the same thing.)  Again, if you disagree, give us an example scenario of what the Chromium packagers/developers should have done differently back in 2013 so that Google would now honor its commitment.  Give us an example of what any project in Open Source needs to do today to get a commitment that Google would feel obliged to honor in the future.

By the way, if you can come up with such an example, how are we to know we can trust it?  Could you please get a VP to sign off on it, and get it vetted by legal?

From where I sit, it sounds like the Chromium developers got a commitment far beyond what I would expect is normally possible, and yet Google is now violating it anyway.  If readings of this action seem extreme, perhaps one should consider that it might not be because of some fault in the reading, but rather because of how extreme Google's action is.  An action that doesn't extreme from within Google may seem very extreme looking the other direction.

I would also like to make an aside:  I ask your pardon, Jochen.  What Jonathan said made me realize that it may have sounded like I was blaming you for this message or putting it in your mouth.  The apparent message that Google won't honor its commitments seems loud and clear from Google's actions, independently from anything you've said.  I realize that you're just the messenger.  You're not responsible for this action or for the message that the action sends to Open Source.

Regards,
Ross


On Saturday, January 30, 2021 at 5:41:03 PM UTC-7 jrni...@gmail.com wrote:
> What I understand you to be saying here is that if anyone wants to get a commitment from Google that Google actually keeps, it has to be in official terms

This seems like an extreme reading. Jochen was answering questions
about official commitments with answers about official commitments.
That doesn't mean that the only way to work together is via legal
contracts --- on the contrary, it's answering in the same terms as he
was asked.

Hope that helps,
Jonathan

On Sat, Jan 30, 2021 at 8:58 AM Ross Martin <ross....@ieee.org> wrote:
>
> jochen,
>
> I believe I understand what you're saying, but to make sure let me repeat back what you've said in my own words to make sure I've got it.
>
> All commitments that Google makes are valid in the millisecond in which Google makes them, but Google can and should reevaluate its position in the next millisecond and, if it wishes, abrogate any and all of its commitments as the environment inside Google evolves.
>
> Isn't that basically equivalent to what you just said? I've exaggerated it slightly to help show how poorly it might be viewed, but I believe I haven't deviated from the fundamentals of what you've said. This clarification isn't helping Google's position.
>
> Your point that there was never a change in Google's official terms is a valid one, but it's also not a point that favors Google. What I understand you to be saying here is that if anyone wants to get a commitment from Google that Google actually keeps, it has to be in official terms, and also in terms that Google has no rights to unilaterally alter. i.e. it must be a legally binding document drawn up by lawyers, signed, witnessed, registered, etc.. Otherwise, that agreement with Google is essentially worthless, because Google feels it can change it at any time as the environment within Google evolves. Yet how many people in Open Source have such a legally binding agreement with Google, or will ever get one? My guess: none.
>
> So your statements seem equivalent to saying that no one in Open Source can trust Google to abide by any commitments that Google has made or ever will make. Correct?
>
> I personally imagine that what's going on here is the environment inside Google has changed because the VP has changed. The new VP sees no need to keep the old VP's commitments, since they are apparently viewed within Google as commitments of the VP instead of commitments of Google.
>
> What you should perhaps understand is that people external to Google view Google VPs as being important. If someone in Open Source gets an official commitment from a Google VP, they view this as a commitment of Google of the highest order, and not a transient commitment that's just the hot air of one Google VP who's here today and gone tomorrow. It might be good for Google to maintain this external illusion that Google VPs are important, and to at least treat times when Google feels it must go back on its VP's agreements as moments of import.
>
> So as I said this action by Google is going to change the perception that people have of Google, especially within Open Source. The effect will not be limited to Chromium or Chrome, because the worst thing about this isn't its effect on Chromium but its revelation that Google can't be relied upon to keep its agreements. This will affect people's willingness to engage in relationships with Google of any sort without distrust and suspicion. It's a natural consequence of the actions you're announcing.
>
> As I said, there will be far reaching and persistent consequences to this action, to all Google departments that interact with Open Source. Perhaps Google should take a step back and re-evaluate that before acting in a way that will convince everyone that Google is much less trustworthy than they believed.
>
> Regards,
>
> Ross

Alberto Salvia Novella

unread,
Mar 11, 2021, 5:21:52 PMMar 11
to Chromium Embedders, eric.ha...@gmail.com, Ross Martin, jrni...@gmail.com, chromium-packagers, joc...@chromium.org, Chromium Embedders, highbaser, asm...@gmail.com, anton...@gmail.com, robert, tcallawa, evan...@foutrelis.com, Dirk Pranke, ago...@chromium.org, phajd...@chromium.org
My analysis thrown that the reasons why I chose to use Chromium in the first place are no longer true. And Firefox is now a more capable, and dependable, candidate.

Recommended add-ons: uBlock Origin, I don't care about cookies.

Also Falkon is potentially a better candidate than Chromium, as it also uses Google Blink as engine but with much lower UI latency due to its better QT integration. The only real drawback I see with it is that you cannot install "I don't care about cookies" on it, and those cookie notifications are extremely annoying when you live in the European Union. But that is solvable without much effort.

Seongbin BAK

unread,
Mar 17, 2021, 11:14:06 AMMar 17
to chromium-packagers, joc...@chromium.org, chromium-packagers, Chromium Embedders, Seongbin BAK
What is meaning of the LST?

Jochen Eisinger

unread,
Mar 17, 2021, 1:06:38 PMMar 17
to Seongbin BAK, chromium-packagers, Chromium Embedders
It's an internal name and means "login scoped token" and gives you broad access to the respective account the token is for. 
Reply all
Reply to author
Forward
0 new messages