remove chromium 18

Bug #1045993 reported by Daniel Hollocher
276
This bug affects 4 people
Affects Status Importance Assigned to Milestone
chromium-browser (Ubuntu)
Won't Fix
Undecided
Unassigned

Bug Description

Chromium 18 is out of support has has numerous security vulnerabilities. A historical listing can be found by browsing here:
http://googlechromereleases.blogspot.com/search/label/Stable%20updates
or see here: http://www.chromium.org/Home/chromium-security

For this reason, users should not be allowed to install chromium 18. Please make this happen by either updating the chromium-browser package, or removing it from the archive (or some other way that I don't know about).

Additionally, there is a collection of ppas (https://launchpad.net/~chromium-daily) for chromium that all have version 18. Those should have action taken as well, either by disabling them, removing the the version 18 binary, posting notices warning away users, or once again, some other way that I don't know about.

There are two ways that I know of that users can acquire an updated and secure version of chromium:
The ppa listed here: https://launchpad.net/~a-v-shkop
or by using Google's google-chrome package.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: chromium-browser (not installed)
ProcVersionSignature: Ubuntu 3.2.0-29.46-generic 3.2.24
Uname: Linux 3.2.0-29-generic i686
ApportVersion: 2.0.1-0ubuntu12
Architecture: i386
Date: Tue Sep 4 15:19:45 2012
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Beta i386 (20110921.2)
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: chromium-browser
UpgradeStatus: Upgraded to precise on 2012-04-22 (135 days ago)

description: updated
visibility: private → public
Revision history for this message
Daniel Hollocher (chogydan) wrote :

I've subscribed the members of the chromium-daily ppa to this bug.

description: updated
Revision history for this message
Micah Gersten (micahg) wrote :

I think this is won't fix as it stands, we don't remove out of date software from stable releases. We have plenty of software in universe that has many CVEs open. Part of the reason that things stopped with Chromium is that it's not possible to generate a source package automatically ATM. If someone has fixed this issue and has a working patch, I'd love to see it. There is an upload planned to get Chromium in precise to at least version 20. This package has always been community supported and it still is, people wanting to help with this package, please let me know. I'm gathering a list of people interested in working to keep Chromium up to date.

Changed in chromium-browser (Ubuntu):
status: New → Won't Fix
Revision history for this message
Daniel Hollocher (chogydan) wrote :

I hope you can understand that this policy is frustrating for everyone involved with chromium. There are already uptodate builds of chromium available, as I already pointed out. I can only imagine that the devs get frustrated when users complain about issues in abandoned versions. I know first hand that those that volunteer to support chromium are frustrated because of all the bogus complaints and bug reports based on outdated versions - that they continually have to say the same thing over and over "please update".

Anyway, could you at least link to the bug report that describes the blocking issues for at least getting the ppas going again?

Revision history for this message
Florian W. (florian-will) wrote :

From a security POV, this is really a problem. There might be a lot of other packages with security issues in universe, but those are probably not as widely used as chromium, one of the most popular web browsers. I've seen a lot of people assuming that chromium 18 is still fine to use, because it is what Ubuntu currently has in its repository, and that 19/20/21 would only bring new features, so it will be only updated with the quantal release. Most chromium users probably don't even notice they're using a dangerous browser for their online banking etc, even though it says that chromium is not supported by Ubuntu when they install it.

I understand chromium in Ubuntu is 100% community "supported", but it really makes Ubuntu look bad.

I'd prefer one of the following solutions, instead of ignoring the problem:
* If the community that packages chromium security updates does not exist, chromium should be removed from universe.
* If Ubuntu wants to keep chromium in the repos, either move it to main and pay someone to do the packaging work
* or import chromium-browser from debian if that is possible. They seem to do updates timely.

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers