📝 Ubuntu Chromium DEB file are actually snap wrapper

The screenshot taken is the latest rev:head (currently when the post published) of chromium-browser/focal package files repository. I really surprise about this kind of packaging. Oh my God, how comes this is allowable?

Seems it start putting and using wrapper to use snap on rev:1505 , correct me if I wrong because I don’t use bazaar source code management so much compare to cvs, mercurial and git.

From the tagged 75.0.3770.80-0ubuntu1~snap1 entries, the change log said you been using snap in place of deb file starting from this version (since Eoan Ermine), it also don’t link any bug report for the discussion about decision on start using snap file:

chromium-browser (75.0.3770.80-0ubuntu1~snap1) eoan; urgency=medium

  * Upstream release: 75.0.3770.80
    - CVE-2019-5828: Use after free in ServiceWorker.
    - CVE-2019-5829: Use after free in Download Manager.
    - CVE-2019-5830: Incorrectly credentialed requests in CORS.
    - CVE-2019-5831: Incorrect map processing in V8.
    - CVE-2019-5832: Incorrect CORS handling in XHR.
    - CVE-2019-5833: Inconsistent security UI placement.
    - CVE-2019-5834: URL spoof in Omnibox on iOS.
    - CVE-2019-5835: Out of bounds read in Swiftshader.
    - CVE-2019-5836: Heap buffer overflow in Angle.
    - CVE-2019-5837: Cross-origin resources size disclosure in Appcache.
    - CVE-2019-5838: Overly permissive tab access in Extensions.
    - CVE-2019-5839: Incorrect handling of certain code points in Blink.
    - CVE-2019-5840: Popup blocker bypass.
  * Install the chromium snap in place of the debian packages, and make the
    wrapper script rename the desktop file in well-known desktop launchers
    (currently GNOME Shell and Unity)

 -- Olivier Tilloy <[email protected]>  Wed, 12 Jun 2019 09:57:03 +0200

I wonders if everyone are concern about this. Why need put backdoor wrapper inside a deb file with intention to install snap package? Why not just orphan / deprecate the package and let user install it by him self via snap directly?

If you don’t understand how debian package works. Everything inside debian is the where you put packaging stuff, it means you put meta information and only do changes (patching) from this directory. When a package is being installed, first <strong>debian/*.preinst</strong> (please check this file) is called for installation, then debian/*.postinst for configuration. If all goes well, then the status of the package is successfully installed. Outside debian directory should containing upstream source code. So now it so funny this package don’t have upstream files but Ubuntu developer put his wrapper file instead.

The funny part, debian/copyright said:

Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: chromium
Upstream-Contact: https://www.chromium.org/contact
Source: https://chromium.googlesource.com/chromium/src.git

Files: *
Copyright: 2008-2011 Fabien Tassin <[email protected]>
Copyright: 2009-2019 Ubuntu Chromium Team <https://launchpad.net/~chromium-team>
License: BSD-Style (3-clause)

which is totally confusing and wrong, there is no source here, all is self wrapper and debian packaging works. Even if mentioning using chromium snap source is also wrong, because the is no upstream source code checkout 🤔

Read more on lists.ubuntu.com/archives/ubuntu-users/2021-July/304712.html