I'm sorry but I'm not going to install a browser built by random people.
> NOTE: These binaries are provided by anyone who is willing to build and submit them. Because these binaries are not necessarily reproducible, authenticity cannot be guaranteed; in other words, there is always a non-zero probability that these binaries may have been tampered with.
> "I'm sorry but I'm not going to install a browser built by random people."
This.
Entering credit card information, bank account info, website logins, etc. into a binary uploaded by $random_internet_person is an absolutely terrible idea. Chrome is a dumpster fire as far as privacy goes, but I'd still trust it over that. This is why I use the new Chromium Edge as my main driver these days. Chromium reliability without the Google nonsense. Yes, you're still trusting Microsoft, but they own my OS already anyways.
Are the distributions reviewing the patchset against Google Chromium upstream and affirming that, to the best of their knowledge, no additional threats will be delivered to those who choose to use this?
The risk isn't in who compiles it. The risk is in the patches themselves coming from an untrusted third party, and being presented as a complete fork with significant functionality changes in support of the author's beliefs. If it was "here's a minimal patchset that's rebased against Chromium upstream, here's instructions to checkout Chromium and rebase our patchset onto it" then that would be possible to trust. This isn't that.
I'm not sure I understand the question. ungoogled-chromium is "a minimal patchset that's rebased against Chromium upstream, here's instructions to checkout Chromium and rebase our patchset onto it".
Apart from the patches, UC does two more things: it substitutes all "google.com" (and some other) domains with nonsense like "9oo91e.qjz9zk" in order to catch regressions, and it prunes all binary files that are distributed with the original Chromium source.
The repository comes with a script that can do all three things. It is not a fork of Chromium, if that is what you were thinking.
I can't speak for other distributions, but for GNU Guix I have reviewed the patches and read the diffs for every new version. I assume most other packagers do the same.
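To make the domain-substitution step concrete, here is an added example (not code from ungoogled-chromium or from anyone in this thread) showing the idea in miniature: listed domains in source text are rewritten to unresolvable nonsense, and a scan of the result reports any line that still names a real domain, which is the kind of regression the substitution is meant to surface. Only the google.com to 9oo91e.qjz9zk pair comes from the thread; the other substitutions, the word-boundary rule and the sample source lines are constructed for illustration.

```python
import re

# Constructed substitution table. Only the first pair is from the thread;
# the other two are assumptions made up to show the mechanism.
DOMAIN_SUBSTITUTIONS = {
    "google.com": "9oo91e.qjz9zk",
    "googleapis.com": "9oo91eapis.qjz9zk",
    "gstatic.com": "95tat1c.qjz9zk",
}

# A domain counts only when not glued to other hostname characters, so
# "safebrowsing.google.com" matches but "notgoogle.com" would not.
def _bounded(domain: str) -> str:
    return r"(?<![\w-])" + re.escape(domain) + r"(?![\w-])"

_ANY_LISTED = re.compile("|".join(_bounded(d) for d in DOMAIN_SUBSTITUTIONS))


def substitute_domains(text: str) -> tuple[str, int]:
    """Rewrite every listed domain; return the new text and the number of hits."""
    total = 0
    for original, replacement in DOMAIN_SUBSTITUTIONS.items():
        text, hits = re.subn(_bounded(original), replacement, text)
        total += hits
    return text, total


def find_unsubstituted(text: str) -> list[str]:
    """Return the lines that still reference a listed domain (a regression)."""
    return [line for line in text.splitlines() if _ANY_LISTED.search(line)]


# Constructed sample "source" in the style of Chromium URL constants.
SAMPLE_SOURCE = """\
const char kSafeBrowsingUrl[] = "https://safebrowsing.google.com/v4/";
const char kFontsUrl[] = "https://fonts.googleapis.com/css";
const char kExampleUrl[] = "https://example.org/";
"""

if __name__ == "__main__":
    rewritten, hits = substitute_domains(SAMPLE_SOURCE)
    print(f"{hits} substitution(s) applied")
    print(rewritten)
    print("remaining:", find_unsubstituted(rewritten))
```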