this post was submitted on 09 Jul 2024
601 points (98.4% liked)

Technology

60016 readers
3015 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 2 years ago
MODERATORS
top 33 comments
sorted by: hot top controversial new old
[–] [email protected] 161 points 5 months ago (4 children)

Google web services take advantage of an API that only Google knows about.

Completely unsurprising. Google should have been given the anti-trust treatment long ago. There's not a saving us because the ones to save us are completely complicit. And people who write independent browsers will be smacked back down by having places like YouTube throttle them.

[–] [email protected] 61 points 5 months ago (3 children)

In the comments its not just chrome that is affected.

Its apparently all Chromium browsers.

[–] Jilanico 26 points 5 months ago (1 children)

Isn't chromium open source? How are the APIs a secret?

[–] [email protected] 68 points 5 months ago* (last edited 5 months ago) (1 children)

Simply noone ever looked and it's not documented. And the api is locked to work only on google domains so it wasn't usable to anyone to accidentally notice what's going on.

The code doesn't do anything on non-Google domains.

Luca says this - I'm inclined to agree:

This is interesting because it is a clear violation of the idea that browser vendors should not give preference to their websites over anyone elses.

Follow up question: How many other parts of the chromium codebase limited to work on (maybe other) specific domains?

[–] [email protected] 6 points 5 months ago (1 children)

The code doesn't do anything on non-Google domains.

A Google engineer adds a piece of code, does not document what exactly it does, and it was approved without question. Something is seriously wrong with this or I don't know how the Chromium project works.

[–] [email protected] 9 points 5 months ago* (last edited 5 months ago) (1 children)

I read somewhere a long time ago that chromium is a "look, but not touch" type of foss project. You can fork it, fix it, do whatever you want with the code, but on the main chromium repo they rarely accept PRs from random contributors

Here is an article from 2020, about the first non google employees getting some rights in the repo, before that all decisions was made by google employees: https://www.cnet.com/tech/mobile/google-gets-web-allies-by-letting-outsiders-help-build-chromes-foundation/ This api was added in 2013

And the workaround for this issue is really simple, and it was recommended privacy wise for a long time: don't use chromium based browsers and don't visit google related sites, as much as you can.

[–] [email protected] 3 points 5 months ago (2 children)

You can fork it, fix it, do whatever you want with the code, but on the main chromium repo they rarely accept PRs from random contributors

This needs to be discussed more by the community.

I can kind of understand what's happening. They want to have complete control over what goes in an out of Chromium. Some PM is probably overseeing the PRs, and if some PR hinders their ability to collect data, that PR gets rejected. Mighty fine project this is. Other forks probably don't have the resources to go through all the commits issued by Google and just accept them as it is. They just makes the changes to suit their own agenda. All the more reason for people to switch to Firefox

I wonder how Ungoogled Chromium is affected by all this.

[–] [email protected] 5 points 5 months ago

I don't know what needs to be discussed. Everyone owns their code, every project has some kind of hierarchy. Chromium is a project started by google, so Alphabet Inc. has a final word in any decisions. Similarly Linus Torvalds has a final say in Linux kernel development, and Lennart Poettering in systemd. That's how it always worked, and I think it's good enough.

What you can do is, you can hard fork a project, than you can have a final say there. This is actually how chromium's engine started: its Blink engine is the fork of Apple's webkit engine which is again a fork of Kde's khtml engine.

Ungoogled chromium is not a hard fork it's just a list of patches: https://github.com/ungoogled-software/ungoogled-chromium They can override google's decisions this way, but the more thing they patch the more thing they have to maintain, more work, and more things can break with each update. Afaik it's similar how all other chromium based browsers work.

Everyone said this for years now. If you care about the freedom of internet (caring about your privacy is secondary) you shouldn't use chromium based browsers. Stop using it now.

[–] [email protected] 1 points 5 months ago (1 children)

Open source doesn't mean they have to accept community input. The rights you're granted are the right to take their code and alter it for your own project, or redistribute it, not direct it.

A lot of corporate owned open source projects choose not to accept third party contributions at all (or at least without giving them actual ownership), because if they own the entire codebase, they can sell different licenses to businesses that may not like some restriction of the open source license.

[–] [email protected] 1 points 5 months ago

I prefer the VS Code approach. The entire codebase is open but owned by Microsoft. But because of the MIT licence, the community has made VSCodium. Microsoft does not interfere with VSCodium (AFAIK). This I think is a good model.

[–] vomitaur 6 points 5 months ago (2 children)
[–] [email protected] 15 points 5 months ago

This comes from hangout_services/thunk.js

I searched for hangout in the vanadium repo, no result, so it's not patched there either: https://github.com/GrapheneOS/Vanadium

[–] [email protected] 2 points 5 months ago* (last edited 5 months ago)

Vanadium

Just asked in their matrix channel.

hybridstaticanimate:discord Vanadium did not enable this at build time.

hybridstaticanimate:discord There is nothing to patch.

hybridstaticanimate:discord Other browsers chose to enable this.

[–] [email protected] 1 points 5 months ago (1 children)

Kind of. Vivaldi let's you turn it off though. Privacy, disable meet extension.

[–] [email protected] 15 points 5 months ago (1 children)

Fuck Chromium. Don't let Google single handedly control how the Internet works. Don't support Chromium browsers.

[–] [email protected] 54 points 5 months ago* (last edited 5 months ago)

This is why we need to all back firefox...

I dont care if the CEO sucks, or if they have some opt-out anti-features....

Chrome monopoly is a far greater threat

[–] [email protected] 22 points 5 months ago

Google should have been given the anti-trust treatment long ago

Lina Khan on the horizon looming ominously.

[–] [email protected] 2 points 5 months ago

People are conditioned by Windows to treat it as normal that they are using something developed by a hostile entity, but that entity is kinda benevolent and doesn't do ... what it can always do and no one will notice for a few months or years.

I switched to Linux being 16, so - still sufficiently maximalist to just believe that it shouldn't be this way at all. (Still I have Chromium installed and sometimes use it, so same situation as everyone.)

For sane adult people it's hard to just say no to unhygienic parts of tech, at least in their own mind, because IRL of course you can't get rid of everything bad.

[–] [email protected] 30 points 5 months ago* (last edited 5 months ago) (3 children)

Remember this thumb rule -> if it's not open-source, you are allowing the software to do whatever it wants to do.

No regulation, law, support group is going to help you. You are digging your own grave.

[–] [email protected] 47 points 5 months ago* (last edited 5 months ago)

I agree, but... This was in open source software. Chromium. Not just Google Chrome. https://github.com/chromium/chromium/commit/422c736b82e7ee763c67109cde700db81ca7b443

hangout_services/thunk.js (via) It turns out Google Chrome (via Chromium) includes a default extension which makes extra services available to code running on the *.google.com domains - tweeted about today by Luca Casonato, but the code has been there in the public repo since October 2013 as far as I can tell.

https://simonwillison.net/2024/Jul/9/hangout_servicesthunkjs/

[–] [email protected] 7 points 5 months ago* (last edited 5 months ago)
[–] [email protected] 2 points 5 months ago (1 children)

If it's any software you didn't write yourself or audit every line of...

For a typical Linux distro that's tens of thousands of packages...

[–] [email protected] 15 points 5 months ago (1 children)

I am no expert on code-auditing. But I'm slightly at peace that there are 100s of experts looking at the code because it's open-source. But i also understand mistakes can still happen. It's not a perfect system, but it's the best solution so far.

[–] [email protected] 8 points 5 months ago (1 children)

There's some truth to that, but bad actors have managed to slip things through in the past. It happened recently with xz.

I guess my point is that we put a lot of trust in strangers when we run any code on our systems. Open or not.

[–] [email protected] 2 points 5 months ago

True. We can also not run code at all and be perfectly safe.

I wish there was a comparison. Number of 0days in open source and 0days in closed source for comparible projects and a measure for time to mitigate the 0days.

[–] SupraMario 23 points 5 months ago (1 children)

Hopefully no one comes in here and tells me Firefox does shit like this as well... I just swapped back.

[–] [email protected] 4 points 5 months ago

Firefox doesn't have a huge number of pages like Google does. The problem is collusion between browser and websites run by the same company.