bug#34565: ungoogled-chromium contains Widevine DRM

[Giovanni Biscuolo]

Hello,

maybe Marius Bakke have something interesting to say about his
judgements on this "DRM matter"

indeed, this is a pretty ignorant (aka me) comment:

Leo Famulari <address@hidden> writes:

[...]

> I think the next steps for this subject are to first, in general, figure
> out where Widevine comes from, and then, more specifically, decide what
> to do about the files you mentioned. 
>
> As I mentioned already, other distros seem to get Widevine by extracting
> its binary from Chrome, even when using it for Chromium. It seems
> reasonable to assume that if Widevine were included in Chromium they
> would not be downloading a whole 'nother browser for that one
> component.

ungoogle-chromium FAQs [1] confirms that in order to install Widevine
users have to download a shared object (libwidevinecdm.so) and install
it system wide in /usr/lib/chromium or in $HOME/.local/lib/

I tried to install ungoogled-chromium from Guix but failed (another
story...) so I cannot see myself, but AFAIU there is no way for a user
to enable Widevine from the user interface *nor* manually

I don't know if the libwidevinecdm.so user loading must be forbidden
**programmatically** [2] to be FSDG compliant: what is the case with the
linux-libre kernel? are users forbidden to "insmod proprietery_module"
they _independently_ downloded or developed?

anyway, as Julien Lepiller already verified (Guix package definition is
there for anyone to check, and checking is very easy), Widevine stuff
only gets built when the ENABLE_WIDEVINE build option is set... and it's
not this case, so it's unlikely that users will be able to install
Widevine even following the above mentioned procedure

last but not least: AFAIU ungoogled-chromium Guix package documentation
nor Guix Manual contains information on how to obtain proprierary
extensions to any software; am I wrong?

> As for the specific files listed by Julien, they may be harmless, or
> not, we should figure out what they do and if they need to be removed.

AFAIU that code allows dynamically linking Widevine (sorry cannot still
check myself), but it is _disabled_ at build time

is this enough to be FSDG compliant?

given all the above, it seems to me that ungoogled-chromium binaries
provided by Guix substitute servers _and_ sources provided by Guix build
farms (are provided by them, right?) does not ship with DRM enabled

to sum it up: AFAIU for users to be able to use Widevine they must
create a custom package definition _outside_ official Guix channels
*and* download the shared object "libwidevinecdm.so" from Chromium,
installing it "manually" system wide or locally

HTH!
Ciao
Giovanni


[1]
https://ungoogled-software.github.io/ungoogled-chromium-wiki/faq#how-do-i-install-widevine-cdm

[2] I mean by stripping away any bit of source code that allows users to
dynamically link potentially proprietary shared objects in the software

-- 
Giovanni Biscuolo

Xelera IT Infrastructures

signature.asc
Description: PGP signature