ungoogled-software / ungoogled-chromium-archlinux

Arch Linux packaging for ungoogled-chromium
BSD 3-Clause "New" or "Revised" License

Noob Help needed! #261

Closed ghost closed 8 months ago

ghost commented 8 months ago

I've been running Ungoogled Chromium for a while now, and I'm loving it. However, after reading the security disclaimer on the repository, I became a little concerned.

How secure are the binaries available on this repository? Who maintains them? What does it mean for the end user that they are not reproducible?

I've been using the AUR package to download the binaries from this repository, and clarifications on these matters would be helpful.

Thank you for the amazing job.

networkException commented 8 months ago

How secure are the binaries available on this repository?

Define secure I guess. We don't do anything funky in the build itself, it's a script that runs in GitHub Actions - we use pretty much the same build instructions as upstream chromium for Arch Linux.

Who maintains them?

I do, I mostly only update hashes for new versions and pull in changes to the upstream chromium build system.

What does it mean for the end user that they are not reproducible?

That you can't verify that, given the same source code, you get the same output binary. You strictly speaking can't check that GitHub Actions produced a proper result. But realistically GitHub Actions is not a threat actor (Microsoft is a bit too big to pull trickery with their build machines just to compromise some random browser) and you can still review all the logs, instructions, etc.
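The reply separates two different checks: the PKGBUILD hashes the maintainer updates pin the *inputs* (source tarballs), while reproducibility is about whether two builds of those inputs give the same *output*. The following added example (not code from this repository) illustrates both with a constructed PKGBUILD fragment and constructed sample bytes; the file names and hashes are invented for the demonstration.

```python
import hashlib
import re

# Constructed sample source files (not the real chromium or ungoogled-chromium tarballs).
SOURCES = {
    "chromium-1.0.0.tar.xz": b"constructed upstream tarball bytes",
    "ungoogled-chromium-1.0.0.tar.gz": b"constructed patch-set tarball bytes",
    "chromium-launcher.sh": b"#!/bin/sh\nexec chromium \"$@\"\n",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed PKGBUILD fragment in makepkg's array syntax. The third entry uses
# 'SKIP', which tells makepkg not to check that file's integrity at all.
PKGBUILD = "source=({})\nsha256sums=('{}'\n            '{}'\n            'SKIP')\n".format(
    " ".join(SOURCES),
    sha256(SOURCES["chromium-1.0.0.tar.xz"]),
    sha256(SOURCES["ungoogled-chromium-1.0.0.tar.gz"]),
)

def parse_array(text: str, name: str) -> list:
    """Return the entries of a bash array `name=( ... )` found in PKGBUILD text."""
    m = re.search(r"^%s=\((.*?)\)" % re.escape(name), text, re.S | re.M)
    if not m:
        return []
    return [v.strip("'\"") for v in m.group(1).split()]

def verify_sources(pkgbuild: str, files: dict) -> dict:
    """Map each source file to 'ok', 'mismatch', or 'unchecked' (hash is SKIP).

    This is the input-integrity check: it catches a swapped tarball, but says
    nothing about what the build machine did with a correct tarball.
    """
    names = parse_array(pkgbuild, "source")
    sums = parse_array(pkgbuild, "sha256sums")
    result = {}
    for name, expected in zip(names, sums):
        if expected == "SKIP":
            result[name] = "unchecked"
        else:
            result[name] = "ok" if sha256(files[name]) == expected else "mismatch"
    return result

def reproducibility_diff(build_a: dict, build_b: dict) -> list:
    """Paths whose content differs between two builds of the same pinned inputs.

    An empty list is what a reproducible build promises; any entry means a
    third party cannot confirm the published binary from the source alone.
    """
    return sorted(p for p in set(build_a) | set(build_b)
                  if sha256(build_a.get(p, b"")) != sha256(build_b.get(p, b"")))
```

Note that a `SKIP` entry leaves that input entirely unverified by makepkg, so a reviewer reading a PKGBUILD should treat it as a gap rather than as a passed check.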