Chromium Browser for Kicksecure Discussions (not Whonix)

I don't think it matters, e.g. Mint, Ubuntu, Kali, etc. can be used from DVD/flash and you can upgrade and install packages like a normal OS (if you choose "I want to try the OS"); it's all gonna be in RAM anyway.

Patrick via Whonix Forum:

No, but the reason I'm not excited to report that is because upstream has a newer version, and in my experience the first question going to be asked is: can you build the newer version and see if that happens? And about Debian upstream, they are 3 versions of Chromium behind, so if I open a ticket about this issue maybe I will see the answer after a decade, or maybe never. (But if you are interested we can debug it; I see it as better to wait for the newest version and see if this behavior continues.)

Does it disable WebRTC (that's the point I'm talking about, not whether it mitigates risks or not)? If yes, how to achieve that within chromium-debian (from Chromium itself, without extensions and without rebuilding it manually)?

Though going back and forth about this is not much benefit here, because even if the end result is, as I said, that WebRTC can't efficiently be blocked within Chromium, it matters more to privacy than to security (at least generally).

It isn’t an issue. You are doing it wrong. They are both verifiably the exact same. I even showed you the contents of the desktop file to prove that.

Yes, how many times do I need to say this?

AFAIK --force-webrtc-ip-handling-policy can be used as a command line argument to configure the policy.

https://peter.sh/experiments/chromium-command-line-switches/#force-webrtc-ip-handling-policy

What you said is wrong.

The 3 choices to grab the latest non-ESR FF are:

  1. Flatpak
  2. Apt pinning + install from Debian Sid
  3. Manually installing the tarball from the official FF site. (Alternatively forking/re-purposing the Tor Browser downloader to fetch and verify the code).

Given that there is no upstream support for updated Chromium releases for Linux, and that Debian will always lag behind because they are stretched too thin, I think having the freshest FF is better in this case and makes it less likely for the user to be running code with 100< gaping holes known for 6+ months.

They do have a default browser installed.

Chromium is more like a browser toolkit. Something Google can use as a base to maintain proprietary Chrome or third parties can use to create browser forks. But it’s not a “standalone browser project”. What I mean by that, it’s not maintained as per convention, as other Open Source browsers are maintained, i.e. stable releases and binary builds available for public download. The “real browser project” is Chrome, but it’s proprietary.

And since no other third party fills this void either…

… Chromium by itself unfortunately isn’t a suitable option.


Chromium is a fully fledged browser. Chrome == Chromium with very few unimportant changes: Chromium Docs - The Difference between Google Chrome and Chromium on Linux

They just leave packaging to the distro.

…which results in total failure. (Due to lack of stable releases?) Hence…

Debian version of Chromium reported to be exploited in the wild.

Patch Google Chrome with the latest updates – if you don’t, you’re vulnerable to a zero-day that is actively being exploited, the US Cybersecurity and Infrastructure Security Agency (CISA) has warned.

Criminals are targeting users of Chrome with outdated installations, CISA said in an advisory note urging folk to update their browsers immediately.

“Google has released Chrome version 86.0.4240.183 for Windows, Mac, and Linux addressing multiple vulnerabilities, including vulnerability CVE-2020-16009. Exploit code for this vulnerability exists in the wild,” said the agency in a statement.

Debian affected by CVE-2020-16009 at time of writing, see:

https://web.archive.org/web/20201109070427/https://security-tracker.debian.org/tracker/CVE-2020-16009


Now discussed on debian-security mailing list:

Is chromium updated?

Might be an option. Last resort. Not nice to have two updating systems. Already confusing in Whonix to have upgrades from Debian and separately for Tor Browser.

I guess not sustainable due to dependency hell (FrankenDebian).

Also an option but flatpak probably better.

Linux Mint Debian Edition (LMDE)

Linux Mint - Wikipedia

LMDE 4 (a.k.a. Debbie) is based on Debian Buster (version 10),

Would downloading the chromium package from LMDE and uploading to Kicksecure repository be an option?

Are LMDE packages (supposed to be) compatible with Debian?

LMDE has a newer version of chromium:

  • Chrome: 86.0.4240.183
  • LMDE: 86.0.4240.198~linuxmint1+ulyana

Frankly their security process is inferior to Debian and I wouldn’t import anything from that distro.

Yes though Debian Testing

Please elaborate.

Still Debian testing?

Their infrastructure was hacked and had a link to backdoored versions - while that won't affect end-to-end signed packages, it doesn't inspire confidence. Also, they do not have a security team, nor do they assign CVEs to affected software like Debian does. Also, they don't have the resources to implement reproducibly built packages like Debian does, so any Mint-specific packages will be a risk in the future.

https://www.techrepublic.com/article/why-the-linux-mint-hack-is-an-indicator-of-a-larger-problem/

They used to have a FrankenDebian thing going on, but it changed in recent versions. However, they are way behind on releasing versions that track Debian stable. For example, LMDE 4 was only just released a few months ago this year. Depending on anything from LMDE means running something compatible with old-stable for a very long time, which might introduce dependency hell.


That’s not the only CVE being exploited in the wild that it’s affected by.

https://security-tracker.debian.org/tracker/CVE-2020-16013

https://security-tracker.debian.org/tracker/CVE-2020-16017

Likely many more.


What about chromium sourced from snap store?

Related:

They do little oversight of package safety/maintenance. A hidden cryptocurrency miner was slipped through in uploads. Major apps lacked updates for a long time. Server components of the snap packaging system remain closed, which gives Canonical control over the tech. Avoiding the support and proliferation of their lock-in format is a good move IMO.

Also Ubuntu anything has the tendency to be half baked abandonware once Canonical grows bored with it after they fail to monetize it.


Good points. Quoted in the dedicated snap forum thread: Snap Store / snaps / snapd / snapcraft.io - a new software source? - #6 by Patrick. Please redirect further discussion on snap there. Leave a link here if relevant.

Would also appreciate an opinion on flathub in https://forums.whonix.org/t/flathub-as-a-source-of-software/10706 as this might also turn out to be a suitable software source for Firefox and/or Chromium.

Chromium version comparison

snapstore:

latest/stable 87.0.4280.88 3 December 2020

vs flathub:

December 4, 2020 Version 87.0.4280.88

I cannot find any version number for Chrome or Chromium, but I guess it’s the same as Chrome OS as published on the Google blog.

Shows the same version number.

In conclusion, both snapstore and flathub are up to date.

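The version comparison above and the earlier CISA quote (fix shipped in 86.0.4240.183) amount to one check: does a given package carry upstream Chromium code at or after the fixed release? This added example (not from the thread or any of the projects discussed) implements that check over distro-style version strings; the Debian-style package version with a revision suffix is constructed here for illustration, the other versions are the ones quoted in the thread.

```python
import re
from typing import Dict, Tuple

# Upstream fix version as quoted from the CISA statement in the thread.
FIXED_IN = {"CVE-2020-16009": "86.0.4240.183"}

# Optional Debian epoch ("1:") followed by the four-part upstream version.
_UPSTREAM_RE = re.compile(r"^(?:\d+:)?(\d+(?:\.\d+){3})")


def upstream_version(pkg_version: str) -> Tuple[int, ...]:
    """Extract the four-part Chromium version from a package version string.

    Everything after the upstream part is ignored: a Debian revision
    such as "-1~deb10u3" or a distro suffix such as "~linuxmint1+ulyana"
    says nothing about which upstream code the package contains.
    """
    m = _UPSTREAM_RE.match(pkg_version.strip())
    if not m:
        raise ValueError(f"not a Chromium version: {pkg_version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_fixed(pkg_version: str, cve: str) -> bool:
    """True if the package is at or beyond the release that fixed the CVE.

    Note: this only compares the upstream code level; it cannot see a
    distro patch applied without bumping the upstream version.
    """
    return upstream_version(pkg_version) >= upstream_version(FIXED_IN[cve])


def audit(sources: Dict[str, str], cve: str) -> Dict[str, bool]:
    """Map each software source to whether its Chromium carries the fix."""
    return {name: is_fixed(version, cve) for name, version in sources.items()}


# Versions quoted in the thread, plus one constructed Debian-style string.
SAMPLE_SOURCES = {
    "Chrome (CISA)": "86.0.4240.183",
    "LMDE": "86.0.4240.198~linuxmint1+ulyana",
    "snapstore": "87.0.4280.88",
    "flathub": "87.0.4280.88",
    "debian-buster (constructed)": "83.0.4103.116-1~deb10u3",
}

if __name__ == "__main__":
    for name, ok in audit(SAMPLE_SOURCES, "CVE-2020-16009").items():
        print(f"{name:28s} {'fixed' if ok else 'VULNERABLE'}")
```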

There’s no stable Chromium version, there’s a daily release. Chrome however does have stable point releases as noted on wiki:

87.0.4280


Debian removes Chromium from the next release:

https://packages.debian.org/search?suite=default&section=all&arch=any&searchon=names&keywords=chromium


ungoogled-chromium

December 15, 2020, Version 87.0.4280.88

Therefore no longer considering ungoogled-chromium from flathub.