Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230
Is Chromium safe?
-
- Posts: 128
- Joined: 2019-02-11 17:22
Is Chromium safe?
Is the Chromium version in Debian save to use as it is not kept up to date like Chrome?
Google issued an alert about it's browser having some critical vulnerability this week and advised users to update to the latest version. The latest version of Chrome was released last Monday and Chromium on Debian has not yet been updates this Saturday.
Should I just use Firefox ESR, instead?
Google issued an alert about it's browser having some critical vulnerability this week and advised users to update to the latest version. The latest version of Chrome was released last Monday and Chromium on Debian has not yet been updates this Saturday.
Should I just use Firefox ESR, instead?
Re: Is Chromium safe?
The devil is in the details. Unfortunately CVE-2019-5786 was reserved by Google who has yet to provide details in the database
https://cve.mitre.org/cgi-bin/cvename.c ... -2019-5786
That said, Debian has been providing Chromium security updates, the last was February 18, 2019
https://www.debian.org/security/
https://www.debian.org/security/2019/dsa-4395
Typically after firefox-esr or chromium cve's, the Debian security team will provide an update within a few days. In the interim, I would avoid sending critical passwords with chromium, particularly via a javascript interface.
https://cve.mitre.org/cgi-bin/cvename.c ... -2019-5786
That said, Debian has been providing Chromium security updates, the last was February 18, 2019
https://www.debian.org/security/
https://www.debian.org/security/2019/dsa-4395
Typically after firefox-esr or chromium cve's, the Debian security team will provide an update within a few days. In the interim, I would avoid sending critical passwords with chromium, particularly via a javascript interface.
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 133 times
Re: Is Chromium safe?
^ Probably this.debiandonder wrote:Should I just use Firefox ESR, instead?
I seem to remember the chromium version falling behind a little for the last release but firefox-esr always tracked the current version very closely and was updated within a day or two of upstream.
Having said that, chrom{e,ium} has a better privsep model and so better security generally (at the expense of privacy).
deadbang
-
- Posts: 128
- Joined: 2019-02-11 17:22
Re: Is Chromium safe?
Thanks for the feedback everyone, I think I'll just wait till Chromium gets updated to the version that fixes the security problem and use Firefox ESR in the meantime. Firefox works with most websites I use anyway. It just messes up the memrise website as far as the language courses are concerned when they pronounce stuff, but works most of the time with everything else.
I switched to Chromium because Chrome was updating weekly and was bothering me. I keep going back to Chrome most of the time, but lately I'm too lazy too go through the whole setup thing and adding the adblocker and changing settings to block third party cookies and all of that.
I will just wait until Chrome 73 gets released and switch then or use Firefox ESR till I have to do something important like financial website stuff.
I switched to Chromium because Chrome was updating weekly and was bothering me. I keep going back to Chrome most of the time, but lately I'm too lazy too go through the whole setup thing and adding the adblocker and changing settings to block third party cookies and all of that.
I will just wait until Chrome 73 gets released and switch then or use Firefox ESR till I have to do something important like financial website stuff.
Re: Is Chromium safe?
let's see
Code: Select all
$ apt-cache policy chromium
chromium:
Installed: (none)
Candidate: 72.0.3626.122-1
Version table:
73.0.3683.56-1 1
1 http://debian.mirror.ac.za/debian experimental/main amd64 Packages
1 http://ftp.is.co.za/debian experimental/main amd64 Packages
1 http://ftp.uk.debian.org/debian experimental/main amd64 Packages
1 http://deb-mir1.naitways.net/debian experimental/main amd64 Packages
72.0.3626.122-1 500
500 http://debian.mirror.ac.za/debian sid/main amd64 Packages
500 http://ftp.is.co.za/debian sid/main amd64 Packages
500 http://debian.saix.net sid/main amd64 Packages
500 http://ftp.uk.debian.org/debian sid/main amd64 Packages
500 http://deb-mir1.naitways.net/debian sid/main amd64 Packages
72.0.3626.109-1 500
500 http://debian.mirror.ac.za/debian testing/main amd64 Packages
500 http://ftp.is.co.za/debian testing/main amd64 Packages
500 http://debian.saix.net testing/main amd64 Packages
500 http://deb-mir1.naitways.net/debian testing/main amd64 Packages
70.0.3538.110-1~deb9u1 500
500 http://debian.mirror.ac.za/debian stable/main amd64 Packages
500 http://ftp.is.co.za/debian stable/main amd64 Packages
500 http://debian.saix.net stable/main amd64 Packages
500 http://deb-mir1.naitways.net/debian stable/main amd64 Packages
Code: Select all
apt-cache policy google-chrome-stable
google-chrome-stable:
Installed: 72.0.3626.121-1
Candidate: 72.0.3626.121-1
Version table:
*** 72.0.3626.121-1 500
500 http://dl.google.com/linux/chrome/deb stable/main amd64 Packages
100 /var/lib/dpkg/status
Desktop: A320M-A PRO MAX, AMD Ryzen 5 3600, GALAX GeForce RTX™ 2060 Super EX (1-Click OC) - Sid, Win10, Arch Linux, Gentoo, Solus
Laptop: hp 250 G8 i3 11th Gen - Sid
Kodi: AMD Athlon 5150 APU w/Radeon HD 8400 - Sid
Laptop: hp 250 G8 i3 11th Gen - Sid
Kodi: AMD Athlon 5150 APU w/Radeon HD 8400 - Sid
-
- Posts: 128
- Joined: 2019-02-11 17:22
Re: Is Chromium safe?
Thanks! The update came up today.
I think it was some vulnerability in Chrome that could be used to gain control of Windows 7 36-bit.
Keep calm and use Linux.
I think it was some vulnerability in Chrome that could be used to gain control of Windows 7 36-bit.
Keep calm and use Linux.
-
- Posts: 128
- Joined: 2019-02-11 17:22
Re: Is Chromium safe?
Just a update. If I want to go to the site Daily Mail, the latest chromium version just gives me a "Oh snap!" message. I must not like Daily Mail.
Firefox ESR works with that site, so no worries.
Firefox ESR works with that site, so no worries.
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 133 times
Re: Is Chromium safe?
That's not a bug, it's a feature!debiandonder wrote:If I want to go to the site Daily Mail, the latest chromium version just gives me a "Oh snap!" message.
No, best not.debiandonder wrote:I must not like Daily Mail.
Not only did that scummy site start off the whole anti-vaccination bullshit that has claimed the lives of hundreds of children worldwide, they also ran front-page headlines in the 1930s in support of Hitler & Mosley's Blackshirts:
https://www.globaljustice.org.uk/blog/2 ... daily-mail
deadbang
-
- Posts: 431
- Joined: 2018-11-05 21:30
Re: Is Chromium safe?
Why do you prefer to use chromium and not chrome?
Chrome can be downloaded as a .deb from Google's website and it will registers apt repositories for updates.
Chrome can be downloaded as a .deb from Google's website and it will registers apt repositories for updates.
- dilberts_left_nut
- Administrator
- Posts: 5346
- Joined: 2009-10-05 07:54
- Location: enzed
- Has thanked: 13 times
- Been thanked: 66 times
Re: Is Chromium safe?
Yay, root access to your PC for google ...MagicPoulp wrote:and it will registers apt repositories for updates.
AdrianTM wrote:There's no hacker in my grandma...
-
- Posts: 431
- Joined: 2018-11-05 21:30
Re: Is Chromium safe?
Installing a .deb from Google does not give sudo access to google on my computer. Only the installation uses sudo not the execution of the program. And the package manager is very smart.
It only copies files to the /usr/bin and put config files and libraries in other folders. It cannot do more than copy files.
dpkg only allowed to create a source file which refers to the package name.
sudo less /etc/apt/sources.list.d/google-chrome.list
If really you don't want to run sudo, you can use a chroot, that is a fake root folder.
Besides, AppArmor will be by default in Buster. So applications will be even more protected.
It only copies files to the /usr/bin and put config files and libraries in other folders. It cannot do more than copy files.
dpkg only allowed to create a source file which refers to the package name.
sudo less /etc/apt/sources.list.d/google-chrome.list
If really you don't want to run sudo, you can use a chroot, that is a fake root folder.
Besides, AppArmor will be by default in Buster. So applications will be even more protected.
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 133 times
Re: Is Chromium safe?
Because Google will not release the full source code for Chrome.MagicPoulp wrote:Why do you prefer to use chromium and not chrome?
What are they hiding, exactly?
deadbang
-
- Posts: 128
- Joined: 2019-02-11 17:22
Re: Is Chromium safe?
Sorry, I meant it must not like Daily Mail, meaning Chromium. It turned out it was Adguard adblocker that was causing the problem. Wish it had inbuilt privacy protection like Firefox. Just use Chromium because it works with all sites, not because I particularly like it.Head_on_a_Stick wrote:That's not a bug, it's a feature!debiandonder wrote:If I want to go to the site Daily Mail, the latest chromium version just gives me a "Oh snap!" message.
No, best not.debiandonder wrote:I must not like Daily Mail.
Not only did that scummy site start off the whole anti-vaccination bullshit that has claimed the lives of hundreds of children worldwide, they also ran front-page headlines in the 1930s in support of Hitler & Mosley's Blackshirts:
https://www.globaljustice.org.uk/blog/2 ... daily-mail
Daily Mail has lots of pretty pictures, BBC is too boring.
- dilberts_left_nut
- Administrator
- Posts: 5346
- Joined: 2009-10-05 07:54
- Location: enzed
- Has thanked: 13 times
- Been thanked: 66 times
Re: Is Chromium safe?
No, but adding the repo lets them put whatever they want on your box.MagicPoulp wrote:Installing a .deb from Google does not give sudo access to google on my computer.
There is nothing (technical) stopping them including a data mining service that starts at boot and runs as root.Only the installation uses sudo not the execution of the program.
Really?And the package manager is very smart.
It only copies files to the /usr/bin and put config files and libraries in other folders. It cannot do more than copy files.
... and the pre & post-inst script mechanisms?
That can be called anything and contain anything.dpkg only allowed to create a source file which refers to the package name.
sudo less /etc/apt/sources.list.d/google-chrome.list
Which has nothing to do with the subject.If really you don't want to run sudo, you can use a chroot, that is a fake root folder.
Snake Oil salesmen are alive and doing well.Besides, AppArmor will be by default in Buster. So applications will be even more protected.
AdrianTM wrote:There's no hacker in my grandma...
-
- Posts: 431
- Joined: 2018-11-05 21:30
Re: Is Chromium safe?
Yes good point. They do tracking, and they collect data about people. Like the Javascript code injection they use with their front-end advertising script. But if they own the browser, it is even better.Head_on_a_Stick wrote:Because Google will not release the full source code for Chrome.MagicPoulp wrote:Why do you prefer to use chromium and not chrome?
What are they hiding, exactly?
But one can assume that one does not care. I already use google mail. So at this point, I don't really care using the proprietary google chrome.
-
- Posts: 431
- Joined: 2018-11-05 21:30
Re: Is Chromium safe?
Can anyone else confirm if dpkg can give total sudo access to the creator of a deb package using post-preinstalled scripts?
It seems strange. But I did not check the internals of dpkg myself.
A chroot will not give sudo access to your real root folder but to a fake one.
It seems strange. But I did not check the internals of dpkg myself.
A chroot will not give sudo access to your real root folder but to a fake one.
dilberts_left_nut wrote:No, but adding the repo lets them put whatever they want on your box.MagicPoulp wrote:Installing a .deb from Google does not give sudo access to google on my computer.There is nothing (technical) stopping them including a data mining service that starts at boot and runs as root.Only the installation uses sudo not the execution of the program.Really?And the package manager is very smart.
It only copies files to the /usr/bin and put config files and libraries in other folders. It cannot do more than copy files.
... and the pre & post-inst script mechanisms?That can be called anything and contain anything.dpkg only allowed to create a source file which refers to the package name.
sudo less /etc/apt/sources.list.d/google-chrome.listWhich has nothing to do with the subject.If really you don't want to run sudo, you can use a chroot, that is a fake root folder.Snake Oil salesmen are alive and doing well.Besides, AppArmor will be by default in Buster. So applications will be even more protected.
- dilberts_left_nut
- Administrator
- Posts: 5346
- Joined: 2009-10-05 07:54
- Location: enzed
- Has thanked: 13 times
- Been thanked: 66 times
Re: Is Chromium safe?
You seem to be missing some basic concepts.MagicPoulp wrote:Can anyone else confirm if dpkg can give total sudo access to the creator of a deb package using post-preinstalled scripts?
It seems strange. But I did not check the internals of dpkg myself.
A chroot will not give sudo access to your real root folder but to a fake one.
What does "sudo access" mean?
Using a chroot is indeed giving you full access to the filesystem you are chrooting into.
The package installation procedure must have root privileges to install system files, set owner and group permissions etc and run the install scripts to add users/groups and such and set up other environment requirements for the software being installed.
By adding a repo and installing packages you are handing control of your system to whoever can put code in that repo.
The Debian repo's have systems in place to ensure provided binaries match the source code, which is all reviewable and provides a chain of trust that is verifiable.
Closed source binaries (and random 'third party' repo's) do not - use at your own risk.
AdrianTM wrote:There's no hacker in my grandma...
-
- Posts: 431
- Joined: 2018-11-05 21:30
Re: Is Chromium safe?
OK you gave your opinion.
But I thought dpkg was smart. Waiting for somone else to clarify if dpkg is smart or not.
But I thought dpkg was smart. Waiting for somone else to clarify if dpkg is smart or not.
-
- Posts: 128
- Joined: 2019-02-11 17:22
Re: Is Chromium safe?
I don't know if Chromium Debian Stretch version is safe, because I was using it today, with two tabs open and went away to make some tea. When I came back everything was frozen. Mouse didn't work keyboard din't work. Just Chromium staring at me.
This is the second time this year that I had a complete system freeze. The previous time was with Firefox Snap version on Ubuntu 14.04.
I beginning to wonder I should just try Manjaro to see if it's more stable than Debian or Ubuntu.
This is the second time this year that I had a complete system freeze. The previous time was with Firefox Snap version on Ubuntu 14.04.
I beginning to wonder I should just try Manjaro to see if it's more stable than Debian or Ubuntu.