The Debian Project thinks it's fixed an issue where Google's Chromium web browser snuck proprietary code into the fiercely Free Software oriented Debian Linux distro. That hasn't stopped Debian users from wondering how the issue got past project maintainers in the first place.
Debian user Yoshihito Yoshino first raised the red flag on the project's bug report mailing list in May, after noticing suspicious network activity from Chromium 43, the most recent stable release of the open source version of the Chrome browser.
"After upgrading chromium to 43, I noticed that when it is running and immediately after the machine is on-line it silently starts downloading 'Chrome Hotword Shared Module' extension, which contains a binary without source code," Yoshino wrote. "There seems no opt-out config."
Under the Debian Social Contract, distributing software without accompanying source code is a serious no-no. The fact that an important software package from an eminent contributor has distributed code sans source, without anyone noticing, has left some Debian users asking whether the project needs stricter controls.
Even worse for some users was the nature of the proprietary code that Chromium downloaded. It was reportedly a library that supported Google's "OK Google" voice recognition feature, which some security researchers have pointed out is a potential open door for invasion of privacy.
"The fact that Audio Capture Allowed is set to yes, and that both the extension and the shared module are marked as 'enabled' are definitely bothering me," wrote Debian bug forum participant Yves-Alexis Perez.
Other commenters went on to say that removing the browser extension that relies on the Hotword Shared Module was difficult, and that other bug reports suggest that even disabling it in the browser's settings might not keep it from running.
On Monday, Debian maintainer Michael Gilbert chimed in to say that the bug has been fixed, and the latest version of the Chromium package will no longer download the Hotword code by default.
That hasn't appeased Debian user Christoph Anton Mitterer, who asked that a Debian Security Announcement be raised over the issue.
"Since no one really know which binaries have been downloaded there and what they actually do, and since it cannot be excluded that it was actually executed, such systems are basically to be considered compromised," Mitterer wrote to the bug report list.
Mitterer even questioned whether Google should be trusted as an upstream contributor to the Debian project following the incident, especially given that the online ad giant's known cooperation with US government data snooping, voluntary and otherwise.
“Anyway, I haven't said that banning such software from Debian would be the only solution... but at least these incidents come far too frequent recently, so apparently something needs to be done at Debian level to pro-actively prevent future cases/compromises like this.”