Chromium uses Widevine despite having BSD-3 license

[ptrcnull]

Describe the bug Nix installs a version of Chromium with Widevine on NixOS, despite not being enabled and goes through unfree license checks.

To Reproduce Steps to reproduce the behavior:

1. Add pkgs.chromium to environment.systemPackages
2. Rebuild system configuration
3. Check chrome://components in Chromium

Expected behavior

• Widevine is not installed if not explicitly enabled. or
• Chromium trips nonfree license checks and forces user to allow unfree packages.

Screenshots

Notify maintainers @primeos @thefloweringash @bendlas

Metadata

• system: "x86_64-linux"
• host os: Linux 5.10.18, NixOS, 20.09.3368.16fc9eb7364 (Nightingale)
• multi-user?: yes
• sandbox: yes
• version: nix-env (Nix) 2.3.10
• channels(patrycja): ""
• channels(root): "nixos-20.09.3368.16fc9eb7364, unstable-21.05pre272691.04ac9dcd311"
• nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixos

Maintainer information:

# a list of nixpkgs attributes affected by the problem
attribute:
# a list of nixos modules affected by the problem
module:

[ptrcnull]

Chromium downloads the binaries itself and stores them in $HOME/.config/chromium/WidevineCdm

$ ls -la $HOME/.config/chromium/WidevineCdm
total 16
drwx------  3 patrycja users 4096 Mar  6 18:25 .
drwx------ 29 patrycja users 4096 Mar  6 18:27 ..
drwx------  5 patrycja users 4096 Mar  6 18:25 4.10.1610.0
-rw-------  1 patrycja users   66 Mar  6 18:25 latest-component-updated-widevine-cdm

It looks like it's a known issue: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23960454

[primeos]

Chromium downloads the binaries itself and stores them in $HOME/.config/chromium/WidevineCdm

Oh, that's bad... :o Seems like Debian fixed this with a custom patch (https://salsa.debian.org/mimi89999/chromium/-/commit/d21192e70824befdfeed5a5145275139cd6c4ffa) but from your linked issue that doesn't seem really good either:

• It won't remove WidevineCdm automatically for existing users
  • It won't be updated -> vulnerabilities will never be fixed (which is very bad!)
• It might break other stuff: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23960454#54
  • I don't think this applies to us though (enableWideVine=true should manage it via the Nix store)

---

Brief update:

• Widevine Content Decryption Module - Version: 4.10.1610.0 is also present on my system:

  • Version: 4.10.1610.0 seems outdated, not sure though... (maybe it won't be downloaded anymore / it could be fixed now) Apparently not but looking at https://github.com/brave/brave-browser/issues/7831 this version is already more than one year old!
• I cannot get any DRM demos to work so maybe the code will only download the binaries but not execute them (which is still bad but at least a bit better).
  • https://bitmovin.com/demos/drm
  • https://shaka-player-demo.appspot.com/demo/#audiolang=en-US;textlang=en-US;uilang=en-US;panel=HOME;build=compiled
• This even happens with chrome://settings/content/protectedContent set to "Blocked".
  • It's disabled then but it will still be (re-)downloaded automatically.

[primeos]

I've submitted this to upstream: https://bugs.chromium.org/p/chromium/issues/detail?id=1187154 Let's see what happens.

[jbalme]

I've submitted this to upstream: https://bugs.chromium.org/p/chromium/issues/detail?id=1187154 Let's see what happens.

If you set enable_widevine you need a license to distribute it. See https://source.chromium.org/chromium/chromium/src/+/master:third_party/widevine/LICENSE

Over to the encrypted media folks to comment, but this sounds like WAI.

Does Nix have a Widevine license?

If Nix does not, and Google is unwilling to change how Chromium and Widevine are licensed together, the best course of action IMO would be to disable it in Nix's binaries (ie. if enableWidevine is false, enable_widevine is unset. If enableWidevine is true, enable_widevine is set and license is changed to unfree.)

I understand that building Chromium is not something the average person can do on their toaster, but I don't think the group of people that need Widevine and are unwilling to use the official proprietary Chrome binaries is very large.

[stale[bot]]

I marked this as stale due to inactivity. → More info

[emilylange]

I am unable to reproduce this more than 3 years later on M124.

Closing this, assuming this has been fixed a long long time ago.

[r-burns]

I can confirm this is still an issue. Followed instructions in OP.

[emilylange]

Okay, thanks, I managed to reproduce it now.

Might have been a fluke or specific to my use of nix-shell back when looked into this before.

---

I want to clarify that this is not violation of the BSD-3 license chromium uses.

I do however understand that some prefer having chromium not download additional unfree blobs.

[emilylange]

There is #310209 now.

It disables the automatic download and prevents previously downloaded blobs from being loaded and executed.

With that PR, Widevine only works when going through the -wv wrapper (chromium.override { enableWideVine = true; }).

I hope this resolves the concerns raised in this issue here and makes both non-DRM and DRM users happy.

[nixos-discourse]

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/breaking-changes-announcement-for-unstable/17574/50