📝 Ubuntu Chromium DEB file is actually a snap wrapper
📅 | ⏰ 2 minutes
The screenshot shows the latest rev:head (at the time this post was published) of the chromium-browser/focal package files repository. I am really surprised by this kind of packaging. Oh my God, how come this is allowed?
It seems they started putting in and using a wrapper to install snap on
, correct me if I'm wrong because I don't use
Bazaar source code management so much compared to
From the tagged 75.0.3770.80-0ubuntu1~snap1 entry, the changelog says they have been using snap in place of the deb file starting from this version (since Eoan Ermine); it also doesn't link any bug report with the discussion behind the decision to start using the snap file:

chromium-browser (75.0.3770.80-0ubuntu1~snap1) eoan; urgency=medium

  * Upstream release: 75.0.3770.80
    - CVE-2019-5828: Use after free in ServiceWorker.
    - CVE-2019-5829: Use after free in Download Manager.
    - CVE-2019-5830: Incorrectly credentialed requests in CORS.
    - CVE-2019-5831: Incorrect map processing in V8.
    - CVE-2019-5832: Incorrect CORS handling in XHR.
    - CVE-2019-5833: Inconsistent security UI placement.
    - CVE-2019-5834: URL spoof in Omnibox on iOS.
    - CVE-2019-5835: Out of bounds read in Swiftshader.
    - CVE-2019-5836: Heap buffer overflow in Angle.
    - CVE-2019-5837: Cross-origin resources size disclosure in Appcache.
    - CVE-2019-5838: Overly permissive tab access in Extensions.
    - CVE-2019-5839: Incorrect handling of certain code points in Blink.
    - CVE-2019-5840: Popup blocker bypass.
  * Install the chromium snap in place of the debian packages, and make the
    wrapper script rename the desktop file in well-known desktop launchers
    (currently GNOME Shell and Unity)

 -- Olivier Tilloy <ol[email protected]>  Wed, 12 Jun 2019 09:57:03 +0200
I wonder if everyone is concerned about this. Why put a
backdoor wrapper inside a deb file with the intention of installing a snap package? Why not just orphan / deprecate the package and let the user install it himself via snap directly?
If you don't understand how a Debian package works: everything inside
debian/ is where you put the packaging stuff; it holds the meta information, and you only make changes (patches) from this directory. When a package is being installed, first
(please check this file) is called for installation, then debian/*.postinst for configuration. If all goes well, the status of the package is "successfully installed". Outside the
debian directory should be the upstream source code. So it is funny that this package doesn't have any upstream files; the Ubuntu developer put his wrapper file there instead.
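An added example (not from the original post) of the check a packager or sysadmin might run before trusting a deb: parse the .deb container, pull the maintainer scripts out of control.tar, and report any that call the snap client. It builds a small constructed sample package inline; the `build_sample_deb` helper and the `snap install chromium` postinst line are assumptions for the demo, not the real chromium-browser package contents.

```python
import io
import re
import tarfile

MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")   # scripts dpkg runs
# Assumption: a wrapper deb reveals itself by calling the snap client from a maintainer script.
SNAP_CALL = re.compile(r"\bsnap\s+(install|refresh|run)\b")

def ar_members(blob: bytes):
    """Yield (name, data) for each member of an 'ar' archive (the .deb container format)."""
    pos = 8                                            # skip the "!<arch>\n" global header
    while pos + 60 <= len(blob):                       # each member has a 60-byte header
        hdr = blob[pos:pos + 60]
        name, size = hdr[:16].decode().rstrip(" /"), int(hdr[48:58])
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)                  # members are 2-byte aligned

def snap_calls_in_deb(blob: bytes) -> dict:
    """Map maintainer-script name -> lines that invoke snap, for the given .deb bytes."""
    hits = {}
    for name, data in ar_members(blob):
        if not name.startswith("control.tar"):         # control.tar.gz / .xz / .zst
            continue
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for member in tar.getmembers():
                base = member.name.lstrip("./")
                if member.isfile() and base in MAINTAINER_SCRIPTS:
                    text = tar.extractfile(member).read().decode(errors="replace")
                    hits[base] = [l.strip() for l in text.splitlines() if SNAP_CALL.search(l)]
    return {script: lines for script, lines in hits.items() if lines}

def _targz(files: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for fname, body in files.items():
            info = tarfile.TarInfo("./" + fname)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()

def build_sample_deb(postinst: str) -> bytes:
    """Constructed minimal .deb for the demo; not the real chromium-browser package."""
    control = _targz({"control": b"Package: sample\nVersion: 1\n", "postinst": postinst.encode()})
    out = b"!<arch>\n"
    for name, data in (("debian-binary", b"2.0\n"), ("control.tar.gz", control), ("data.tar.gz", _targz({}))):
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
        out += data + (b"\n" if len(data) & 1 else b"")   # pad odd-sized members
    return out

WRAPPER_POSTINST = "#!/bin/sh\nset -e\nsnap install chromium\nexit 0\n"   # constructed sample
```

On a real package, read the file bytes and pass them to `snap_calls_in_deb`; an empty result means no maintainer script calls snap.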
The funny part is the copyright file:

Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: chromium
Upstream-Contact: https://www.chromium.org/contact
Source: https://chromium.googlesource.com/chromium/src.git

Files: *
Copyright: 2008-2011 Fabien Tassin <[email protected]>
Copyright: 2009-2019 Ubuntu Chromium Team <https://launchpad.net/~chromium-team>
License: BSD-Style (3-clause)
which is totally confusing and wrong: there is no
source here, it is all a self-written wrapper and debian packaging work. Even mentioning the use of the
chromium snap source
is also wrong, because there is no upstream source code checkout 🤔
Posted by: Robbi Nespu