Hacker News

Chromium, as built in many open-source distributions, uses a per-distribution Google API key for service access. [1] [2] [3]

If built without API keys, Chromium warns 'Google API keys are missing. Some functionality of Google Chrome will be disabled.' [4] [5]

The APIs used include [6]:

* Calendar API

* Contacts API

* Drive API (Optional)

* Chrome Remote Desktop API

* Chrome Spelling API

* Chrome Suggest API

* Chrome Sync API

* Chrome Translate Element

* Chrome Web Store API

* Chrome OS Hardware ID API (Optional, Chrome OS)

* Device Registration API (Optional, Chrome OS)

* Google Cloud DNS API

* Google Cloud Storage

* Google Cloud Storage JSON API

* Google Maps Geolocation API (Optional)

* Google Maps Time Zone API

* Google Now For Chrome API (Optional)

* Nearby Messages API

* Safe Browsing API

* Speech API

[1] https://git.alpinelinux.org/aports/tree/community/chromium/A...

[2] https://github.com/archlinux/svntogit-packages/blob/packages...

[3] https://git.launchpad.net/~chromium-team/chromium-browser/+g...

[4] https://chromium.googlesource.com/chromium/src/+/9a11dadde80...

[5] https://sources.debian.org/patches/chromium/83.0.4103.116-1~...

[6] https://www.chromium.org/developers/how-tos/api-keys




To elaborate, the following distributions of Chromium are violating the Google API terms of service [1] [2] by publishing the API secret key publicly in the build source code responsible for building Chromium:

* Alpine Linux (community port) - https://git.alpinelinux.org/aports/tree/community/chromium/A...

* Arch Linux (svntogit, AUR) - https://github.com/archlinux/svntogit-packages/blob/1e8f3fe7... - https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=chrom...

* Fedora Linux - https://src.fedoraproject.org/rpms/chromium/blob/e78656ce58d...

* Gentoo - https://github.com/gentoo/gentoo/blob/9acf51b665b6f4b5b97edb...

* OpenSuSE - https://build.opensuse.org/package/view_file/openSUSE:Factor...

* Slackware - http://www.slackware.com/~alien/slackbuilds/chromium/build/c...

* Ubuntu, Linux Mint (Canonical Chromium Snap) - https://git.launchpad.net/~chromium-team/chromium-browser/+g...

[1] https://developers.google.com/terms (specifically: "You will only access (or attempt to access) an API by the means described in the documentation of that API. If Google assigns you developer credentials (e.g. client IDs), you must use them with the applicable APIs. You will not misrepresent or mask either your identity or your API Client's identity when using the APIs or developer accounts." and "Developer credentials (such as passwords, keys, and client IDs) are intended to be used by you and identify your API Client. You will keep your credentials confidential and make reasonable efforts to prevent and discourage other API Clients from using your credentials. Developer credentials may not be embedded in open source projects.")

[2] https://www.chromium.org/developers/how-tos/api-keys (specifically: "Note that the keys you have now acquired are not for distribution purposes and must not be shared with other users.")


The Arch Linux one sort of doesn't count. The AUR is a user-created package repository. Anyone can make a build and add it to the AUR.


Can you elaborate on what you mean by "doesn't count"?


It's not an official package. The Arch Linux project cannot be held responsible for what non-official packages do.


I agree with you. I don't think any Chromium distributions are at risk of their keys being revoked - I don't believe Google will take any action here.

But, I also don't see anyone ever talk about this, and I think it's worth people being aware.


Some of them could have agreements with Google that let them do that.


Let's say this is true.

If I fork one of the aforementioned Chromium packages, is my fork covered under that agreement? Is my right to build and produce my own binaries from the original unmodified source still intact?


Presumably not.



