I noticed that the new release of chromium pulls down pipewire and its deps which got me wondering about potential security concerns about building in some features of chromium that I don't use like desktop sharing, google hangouts services, and widevine...
1) Would rebuilding without these offer any tangible security benefit?
2) Does this PKGBUILD look sane/can any deps or build deps be removed?
3) Are there any other optional features to consider disabling?
Diff from current chromium PKGBUILD.
Full PKGBUILD draft.
Last edited by graysky (2019-06-15 13:28:19)
CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
Offline
On a side note: pipewire aims to be a more secure replacement for pulseaudio, so in the future it isn't bad having it installed.
Offline
I do not use Wayland. I do not use screen sharing. I do not need additional packages in my system. Absurd.
cdparanoia graphene gst-plugins-base gst-plugins-base-libs gstreamer libvisual pipewire rtkit sbc
Google Chrome does not require the existence of pipewire from me. Although I can use it (provided that the required library, libpipewire-0.2.so.1, is installed).
https://cs.chromium.org/chromium/src/th … re.cc?l=50
I can turn it off.
chrome://flags/#enable-webrtc-pipewire-capturer
Fedora does the same with its Chromium from version 73.
https://src.fedoraproject.org/rpms/chro … nch=master
Pipewire is not required when installing chromium, this is an optional dependency (and not a necessity).
Offline
@latalante1 - You should open a bug report asking to have it listed as an optdep then.
Offline
@latalante1 - You should open a bug report asking to have it listed as an optdep then.
Uninstalled. I switched to google chrome.
You can disable both pipewire and widevine.
chrome://flags/#enable-webrtc-pipewire-capturer
chrome://settings/content/protectedContent
https://bitmovin.com/demos/drm
Offline
I understand there are switches to disable, but as you pointed out, pipewire requires approx 100M of deps and I think if you compile against it (as the official PKGBUILD does), you cannot run chromium without it. My strategy is to recompile without it and since I have to spend the time to do that, am wondering about disabling some other stuff I don't want compiled in (widevine and hangouts services are two others I found). Feedback by users with more knowledge to my questions in the original thread is still welcome.
EDIT:
@latalante1 - I added my current build of chromium-no-extras to repo-ck should you wish to use it.
Last edited by graysky (2019-06-16 14:56:30)
Offline
Fedora does the same with its Chromium from version 73.
Pipewire is not required when installing chromium, this is an optional dependency (and not a necessity).
It is not so sweet. When installing a chromium, the pipewire and its dependencies (same large) are added.
Offline
@latalante - Right:
...pipewire requires approx 100M of deps and I think if you compile against it (as the official PKGBUILD does), you cannot run chromium without it.
Offline
It annoys strongly.
Google Chrome takes 23 functions necessary for the operation (pipewire support).
pw_core_destroy, pw_core_get_type, pw_core_new, pw_init, pw_loop_destroy, pw_loop_new, pw_properties_new_string, pw_remote_add_listener, pw_remote_connect_fd, pw_remote_destroy, pw_remote_new, pw_stream_add_listener, pw_stream_connect, pw_stream_dequeue_buffer, pw_stream_destroy, pw_stream_finish_format, pw_stream_new, pw_stream_queue_buffer, pw_stream_set_active, pw_thread_loop_destroy, pw_thread_loop_new, pw_thread_loop_start, pw_thread_loop_stop
Linux distributions add to the Chromium the entire pipewire library with additions (~100MB).
I prefer the solution of google.
Offline
On a side note: I have never come across a Chromium as slow as the one in Fedora. It is about 23% slower in the browserbench benchmark compared to Google Chrome.
Is it because they use gcc to compile it instead of clang? I've heard that Skia is only optimized for it. That's a big difference.
One more difference. Google Chrome running in a chroot with Fedora is about 5-8% faster (browserbench and other tests) than the same one launched under Arch Linux. Everything is the same: chrome, kernel, xorg, graphics drivers. Major difference. What could be the reason? The main candidate in my opinion is the latest version of glibc (compiled with the help of gcc 9.1.0).
Edit:
Fedora Firefox also compiles using gcc and is well optimized (probably thanks to PGO + LTO).
Edit2:
Perf top: comparison google chrome (launched browserbench). It marks the difference in memcpy.
Arch Linux
2.78% libc-2.29.so [.] __memcpy_ssse3
2.57% chrome [.] Clamp_S32_opaque_D32_nofilter_DX_shaderproc
2.30% chrome [.] v8::internal::Scavenger::ScavengeObject<v8::internal::FullHeapObjectSlot>
1.81% perf [.] hpp__sort_overhead
1.79% [kernel] [k] copy_user_generic_string
Fedora
2.62% chrome [.] Clamp_S32_opaque_D32_nofilter_DX_shaderproc
1.91% perf [.] hpp__sort_overhead
1.90% [kernel] [k] copy_user_generic_string
1.67% chrome [.] Builtins_LdaNamedPropertyHandler
1.67% libc-2.29.so [.] __memcpy_ssse3
Last edited by latalante1 (2019-06-18 19:03:55)
Offline
I noticed that the new release of chromium pulls down pipewire and its deps which got me wondering about potential security concerns about building in some features of chromium that I don't use like desktop sharing, google hangouts services, and widevine...
I am also very concerned about this.
1) Would rebuilding without these offer any tangible security benefit?
2) Does this PKGBUILD look sane/can any deps or build deps be removed?
3) Are there any other optional features to consider disabling?
+ chromedriver can also be disabled [ https://packages.debian.org/sid/amd64/c … r/filelist ].
I do not need additional packages in my system. Absurd.
It annoys strongly.
I fully agree and confirm.
Offline
+ chromedriver can also be disabled [ https://packages.debian.org/sid/amd64/c … r/filelist ].
I don't see a compile time option for it, but there is a reference to calling ninja to build it:
...
gn gen out/Release --args="${_flags[*]}" --script-executable=/usr/bin/python2
ninja -C out/Release chrome chrome_sandbox chromedriver
And some manual packaging:
...
ln -s /usr/lib/chromium/chromedriver "$pkgdir/usr/bin/chromedriver"
...
cp \
out/Release/{chrome_{100,200}_percent,resources}.pak \
out/Release/{*.bin,chromedriver} \
"$pkgdir/usr/lib/chromium/"
...
Perhaps removing that token from the build and modifying the cp command is sufficient given that the debian package you referenced literally supplies the executable and some docs.
Offline
chromium-driver in debian - optional dependency. I never install it there. No problems noticed.
Thanks for chromium-no-extras from your repo, @graysky!
Offline
...pipewire requires approx 100M of deps and I think if you compile against it (as the official PKGBUILD does), you cannot run chromium without it.
Would be a good idea to split the pipewire package and stuff plugins like libspa-ffmpeg (pipewire ffmpeg stream elements) and libgstpipewire (gstreamer element for pipewire) in their own packages? If that doesn't break anything that can't be fixed by declaring them as optdepends, then the dependency tree of the official packages could be cut down drastically. gstreamer has its plugins in separate packages as well.
Edit: Submitted as bug #62976
Last edited by progandy (2019-06-22 14:43:46)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Offline
@progandy - Nice suggestion. Recommend you open a bug report against the official package to request it. For me, I am happy to simply drop these things and that is one purpose of this thread.
Offline
Guys, make Arch lightweight again! Otherwise, we will drown in the trash.
Offline
Hooray! Now pipewire and its dependencies are optional dependencies of chromium!
Thank you very much to @progandy and everyone who helped!
Offline
Hello,
I have a problem with chromium-no-extras.
/usr/lib/chromium/chromium: error while loading shared libraries: libre2.so.0: cannot open shared object file: No such file or directory.
re2 is installed. How can I solve this, please?
Excuse my English, I'm French.
Offline
@n3os - re2 was recently updated, you need to rebuild against it. Alternatively, I provide a pre-compiled package on [repo-ck], see my sig or the wiki, although it isn't ready yet, it takes 4-1/2 hours for me to build this and it is currently building.
Last edited by graysky (2020-03-07 17:41:06)
Offline
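The two load failures discussed in this thread (a chromium linked against pipewire needing libpipewire-0.2.so.1 at startup, and libre2.so.0 no longer being found after the re2 update) are both visible in the binary's DT_NEEDED entries, whereas a library that is only loaded at run time does not appear there. The following check is an added example, not part of any post or of the PKGBUILD; it parses `readelf -d` and `ldconfig -p` output, and the sample text, including the `libre2.so.1` soname, is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list a binary's hard (DT_NEEDED)
# library dependencies and flag those the dynamic loader cannot resolve.

# Sonames marked (NEEDED) in `readelf -d` output read from stdin.
needed_sonames() {
    sed -n 's/.*(NEEDED).*\[\([^]]*\)].*/\1/p'
}

# Sonames the loader knows, from `ldconfig -p` output read from stdin.
cached_sonames() {
    sed -n 's/^[[:space:]]*\([^[:space:]]*\) (.*=> .*/\1/p'
}

# audit_needed READELF_TEXT LDCONFIG_TEXT
# Prints "ok <soname>" or "missing <soname>" for every NEEDED entry.
audit_needed() {
    cache=$(printf '%s\n' "$2" | cached_sonames)
    printf '%s\n' "$1" | needed_sonames | while read -r so; do
        if printf '%s\n' "$cache" | grep -Fxq -- "$so"; then
            echo "ok $so"
        else
            echo "missing $so"
        fi
    done
}

# links_against READELF_TEXT NAME: exit 0 if NAME occurs in a NEEDED soname,
# i.e. the binary cannot start without that library being installed.
links_against() {
    printf '%s\n' "$1" | needed_sonames | grep -Fq -- "$2"
}

# Constructed sample input: a build linked against pipewire and the old re2
# soname, on a system that ships a newer re2 and no pipewire package.
SAMPLE_DYNAMIC=' 0x0000000000000001 (NEEDED)   Shared library: [libpipewire-0.2.so.1]
 0x0000000000000001 (NEEDED)   Shared library: [libre2.so.0]
 0x0000000000000001 (NEEDED)   Shared library: [libc.so.6]
 0x000000000000000e (SONAME)   Library soname: [libexample.so]'
SAMPLE_CACHE='    libre2.so.1 (libc6,x86-64) => /usr/lib/libre2.so.1
    libc.so.6 (libc6,x86-64) => /usr/lib/libc.so.6'

audit_needed "$SAMPLE_DYNAMIC" "$SAMPLE_CACHE"
# On a real system:
#   audit_needed "$(readelf -d /usr/lib/chromium/chromium)" "$(ldconfig -p)"
```

Any "missing" line means the binary has to be rebuilt against the current library or the providing package has to be installed.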
@n3os - re2 was recently updated, you need to rebuild against it. Alternatively, I provide a pre-compiled package on [repo-ck], see my sig or the wiki, although it isn't ready yet, it takes 4-1/2 hours for me to build this and it is currently building.
OK thanks for the quick reply and for your job. Good evening.
Offline
graysky wrote: @n3os - re2 was recently updated, you need to rebuild against it. Alternatively, I provide a pre-compiled package on [repo-ck], see my sig or the wiki, although it isn't ready yet, it takes 4-1/2 hours for me to build this and it is currently building.
OK thanks for the quick reply and for your job. Good evening.
You're welcome, it's live now.
Offline