Nonfree files and pre-built Windows binaries in source package qt5webengine-opensource-src

Project:Trisquel
Version:9.0
Component:Packages
Category:bug report
Priority:critical
Assigned:Unassigned
Status:closed
Description

This is a list of nonfree files along with pre-built Windows binaries in nabia.

From https://salsa.debian.org/qt-kde-team/qt/qtwebengine/-/blob/master/debian/copyright:
src/3rdparty/chromium/net/tools/testserver/dist/*.pyd
src/3rdparty/chromium/third_party/blink/manual_tests/plugins/*.swf
src/3rdparty/chromium/third_party/blink/manual_tests/resources/spinbox.swf
src/3rdparty/chromium/third_party/breakpad/breakpad/src/tools/windows/binaries
src/3rdparty/chromium/third_party/breakpad/symupload.exe
src/3rdparty/chromium/third_party/crashpad/crashpad/handler/win/z7_test.dll
src/3rdparty/chromium/third_party/crashpad/crashpad/snapshot/elf/elf_image_reader_fuzzer_corpus
src/3rdparty/chromium/third_party/lzma_sdk/7zr.exe
src/3rdparty/chromium/third_party/lzma_sdk/Executable/7za.exe
src/3rdparty/chromium/third_party/unrar
src/3rdparty/chromium/third_party/webrtc/data/voice_engine/stereo_rtp_files/rtpplay.exe
src/3rdparty/chromium/third_party/webrtc/examples/androidapp/third_party/autobanh

I also found the following:
src/3rdparty/chromium/third_party/lzma_sdk/Executable/7zS2.sfx
src/3rdparty/chromium/third_party/arcore-android-sdk
src/3rdparty/chromium/third_party/swiftshader/third_party/PowerVR_SDK
tests/auto/widgets/resources/test.swf
src/3rdparty/chromium/third_party/icu/windows/icudt.dll
src/3rdparty/chromium/third_party/sfntly/src/cpp/ext/redist/cmake-2.8.5-win32-x86.zip
src/3rdparty/chromium/third_party/sfntly/src/cpp/ext/redist/icu4c-4_6_1-Win32-msvc10.zip
src/3rdparty/chromium/third_party/breakpad/breakpad/src/client/mac/testapp/crashduringload
src/3rdparty/chromium/third_party/breakpad/breakpad/src/client/mac/testapp/crashInMain
src/3rdparty/chromium/third_party/breakpad/breakpad/src/client/mac/gcov/libgcov.a
src/3rdparty/chromium/third_party/skia/platform_tools/android/bin/mac/perfhost
src/3rdparty/chromium/third_party/openh264/src/autotest/performanceTest/ios/fruitstrap
src/3rdparty/chromium/third_party/openh264/src/autotest/performanceTest/ios/iFileTransfer

Some of the pre-built binaries I listed are free software, but they are Windows binaries and likely built with MSVC or other proprietary software. As far as I know none of these files are actually used in the package, and they can be safely removed from the source package with no impact on the resulting binary.

Thu, 10/07/2021 - 18:05
Status:active» needs more info

Thank you for the report! However, I have one question.

Are any of those files (or references to them) installed in Trisquel when installing the corresponding package? If they are installed or referenced, then it is important that we clean that up. But otherwise, I believe the policy is to only clean visible things that any user might interact with. Cleaning up source code is an unnecessary burden when developer resources are already sparse.

Fri, 10/08/2021 - 23:43

No, they are not. Most of it is only relevant to Windows, macOS, Android, or iOS, or executables used as test data. unrar is used in Chromium for Google Safe Browsing, but this is not built in qtwebengine. However, I thought the policy was that there should be no proprietary software anywhere in the repository, including source packages.

Mon, 11/08/2021 - 14:01

I brought this to the dev meeting and you are totally right, any non-free binary should not be present in the repo, regardless of whether it is user visible or not. However, prebuilt binaries from free sources are not a problem as long as they are not installed. Cleaning those binaries does not provide any freedom improvements while adding maintenance burden.

So based on your research, can you provide a list of non-free binaries included? Or are all the binaries in the list possibly built from non-free sources?

Sat, 11/13/2021 - 19:43

Everything that I listed is either nonfree (no source code, or source code under a proprietary license) or a binary for Windows/macOS likely built using a nonfree compiler such as MSVC.

Fri, 11/19/2021 - 17:00
Status:needs more info» patch (needs work)

Work in progress: https://gitlab.trisquel.org/trisquel/package-helpers/-/merge_requests/576

Wed, 11/24/2021 - 13:13
Status:patch (needs work)» fixed
Fri, 11/26/2021 - 00:29
Status:fixed» active

Why was the nonfree unrar source not pruned? Removing it should not cause any problems.

Also, the same should be done for etiona, though the list of binaries may be different.

Edit: And some more files that I forgot:

src/3rdparty/chromium/third_party/win_build_output
src/3rdparty/chromium/build/android/CheckInstallApk-debug.apk
src/3rdparty/chromium/third_party/blink/manual_tests/accessibility/resources/AppletTest.class
src/3rdparty/chromium/third_party/blink/manual_tests/resources/ArrayParameterTestApplet.class
src/3rdparty/chromium/third_party/blink/manual_tests/resources/CheckerApplet.class
src/3rdparty/chromium/third_party/blink/manual_tests/resources/DrawMessage.class
src/3rdparty/chromium/third_party/blink/manual_tests/resources/StringTypeTest.class
src/3rdparty/chromium/third_party/blink/manual_tests/resources/TestApplet.class

I will run ungoogled-chromium's binary pruning script and see if there's anything else that I missed.

Sat, 11/27/2021 - 01:10

OK, so the only remaining ones I could find after running the pruning script were these:

third_party/blink/renderer/devtools/scripts/closure/closure_runner/closure_runner.jar
third_party/blink/renderer/devtools/scripts/closure/compiler.jar
third_party/blink/renderer/devtools/scripts/jsdoc_validator/jsdoc_validator.jar

The closure compiler is free software, but does not come with source code here, and it is unclear what source code corresponds to the binary. jsdoc_validator.jar also does not come with source code (though newer versions of qtwebengine seem to have it). There are other JAR files in the source tree that come without source code, but each of them comes with a URL for the source code along with the version, so I assume they are OK for now.

Meanwhile, I have also filed a bug with Debian to remove all pre-built binaries from this package: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000620

Sat, 11/27/2021 - 02:03

Thanks for the input, well take a look soon.
Cheers!

Tue, 11/30/2021 - 09:27
Status:active» patch (ready)

This will be fixed as soon as the version,
qtwebengine-opensource-src | 5.12.8+dfsg-0ubuntu1.1+10.0trisquel2

hits the repository, there are several packages queued so it will take a bit longer.

Cheers!

Wed, 12/01/2021 - 05:37

But unrar still hasn't been removed.

Wed, 12/01/2021 - 09:29

Please specify the path.

Update: Oh!, I see now. that's an issue as it uses it to build, IIRC its signed so the file cannot be replaced.
I'll do some research.

Wed, 12/01/2021 - 21:51

I do not think unrar is used to build it. Also, unrar is nonfree so including it is a critical bug.

Wed, 12/01/2021 - 22:02

Indeed.
So far it cant' be build without it, which is a bad sign.

Do you know of a chromium build without using unrar as a third-party building block?
If you do, we might be able to replicate 'that' technique to remove it, if there is none, well the complete package falls on itself, right?

I'll keep digging, regards.

Wed, 12/01/2021 - 22:12

Yes, the Debian package upstream has it removed. In qtwebengine they just remove it, without applying any patch, so I assumed it was not required for the build. Meanwhile, Debian's chromium package uses this patch to disable it: https://salsa.debian.org/chromium-team/chromium/-/blob/master/debian/patches/disable/unrar.patch. Similar patches are used by Fedora and ungoogled-chromium. None of these use unrar.

Wed, 12/01/2021 - 22:26
Thu, 12/02/2021 - 08:40

I checked the build log: https://jenkins.trisquel.org/job/binary/2989/label=amd64/artifact/qtwebengine-opensource-src_5.12.8+dfsg-0ubuntu1.1+10.0trisquel3_amd64-2021-12-01T05%3A58%3A30Z.build

And it turns out that it compiles just fine, the problem is that the list of exported symbols has changed so it fails after building the whole thing. I suspect that this may have to do with the disabling of the "proprietary-codecs" option. Actually, there is no reason to disable this because it is actually a misnomer. See Guix bugs 34605 and 46337. This actually just allows Chromium/qtwebegine to use whatever codecs are provided by FFmpeg to support patent-encumbered formats.

Also, the patch to disable unrar/safe browsing is not needed, since these components are not compiled in qtwebengine anyway.

Thu, 12/02/2021 - 09:48

Actually I was wrong about what I said, this older version of qtwebengine does have safe browsing and unrar enabled, while newer versions do not.

Thu, 12/02/2021 - 11:58
Thu, 12/02/2021 - 17:00

Backported to etiona

Fri, 12/03/2021 - 03:40

For etiona, there are some more files that need to be removed:
src/3rdparty/chromium/third_party/webpagereplay/third_party/ipfw_win32/ipfw.exe
src/3rdparty/chromium/third_party/webpagereplay/third_party/ipfw_win32/ipfw.sys
src/3rdparty/chromium/third_party/yasm/binaries/win/yasm.exe

Also, the JAR files are in a different directory:
src/3rdparty/chromium/third_party/WebKit/Source/devtools/scripts/closure/closure_runner/closure_runner.jar
src/3rdparty/chromium/third_party/WebKit/Source/devtools/scripts/closure/compiler.jar
src/3rdparty/chromium/third_party/WebKit/Source/devtools/scripts/jsdoc_validator/jsdoc_validator.jar

Fri, 12/03/2021 - 04:00

If it's ok with you, if you keep them coming I'll keep testing and updating.

Fri, 12/03/2021 - 07:40

Yeah, fine with me. I looked through the list generated by the ungoogled-chromium scripts and I did not notice anything else that should be removed. If you want you can take a look for yourself. The update_lists.py script in the ungoogled-chromium repository generates a list of binary files. Most of these binaries seem fine (e.g. certificates or other data) but the list is not too long so it is relatively easy to find the problematic files.

Hopefully in the future Debian will be more thorough with their binary pruning so that Trisquel doesn't have to continue doing this. (The version in Debian sid removes unrar and a lot of the nonfree binaries, but not all).

Tue, 12/07/2021 - 08:00

By the way, I think the Triskel iso contains qtwebengine, which means that a new iso should be released.

Sun, 12/19/2021 - 16:19
Status:patch (ready)» fixed

Let's continue that on:
https://trisquel.info/es/issues/28504

As this is removed from the repositories.

Sun, 01/02/2022 - 16:20
Status:fixed» closed

Automatically closed -- issue fixed for 2 weeks with no activity.