This is probably not the update you want.
Let me be clear, it does fix the security vulnerabilities in this list:
CVE-2020-16044 CVE-2021-21118 CVE-2021-21119 CVE-2021-21120 CVE-2021-21121 CVE-2021-21122 CVE-2021-21123 CVE-2021-21124 CVE-2021-21125 CVE-2021-21126 CVE-2021-21127 CVE-2021-21129 CVE-2021-21130 CVE-2021-21131 CVE-2021-21132 CVE-2021-21133 CVE-2021-21134 CVE-2021-21135 CVE-2021-21136 CVE-2021-21137 CVE-2021-21138 CVE-2021-21139 CVE-2021-21140 CVE-2021-21141 CVE-2021-21117 CVE-2021-21128
But it will not behave like Google Chrome does.
Google has announced that it is cutting off access to the Sync and "other Google Exclusive" APIs from all builds except Google Chrome. This will make the Fedora Chromium build significantly less functional (along with every other distro packaged Chromium). It is noteworthy that Google gave the builders of distribution Chromium packages these access rights back in 2013 via API keys, specifically so that we could have open source builds of Chromium with (near) feature parity to Chrome. And now they're taking it away. The reasoning given for this change? Google does not want users to be able to "access their personal Chrome Sync data (such as bookmarks) ... with a non-Google, Chromium-based browser." They're not closing a security hole, they're just requiring that everyone use Chrome.
Or to put it bluntly, they do not want you to access their Google API functionality without using proprietary software (Google Chrome). There is no good reason for Google to do this, other than to force people to use Chrome.
I gave a lot of thought to whether I wanted to continue to maintain the Chromium package in Fedora, given that many (most?) users will be confused/annoyed when API functionality like sync and geolocation stops working for no good reason. Ultimately, I decided to continue for now, because there were at least some users who didn't mind, and if I stopped, someone else would start over and run blindly into this problem.
I would say that you might want to reconsider whether you want to use Chromium or not. If you want the full "Google" experience, you can run the proprietary Chrome. If you want to use a FOSS browser that isn't hobbled, there is a Firefox package in Fedora.
Oh, last, but not least, Google isn't shutting off the API access until March 15, 2021, but I have gone ahead and disabled it starting with this update. I'd rather you read about it here (even though most users will never see this) than have it just happen.
sudo dnf upgrade --refresh --advisory=FEDORA-2021-48866282e5
Please login to add feedback.
This update has been submitted for testing by spot.
This update's test gating status has been changed to 'ignored'.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'ignored'.
I'm not sure that 'disabling' sync that early before EOL is the best option. Message and link popping up under toolbar does not explain what's going on and what the user can do about it: https://www.chromium.org/developers/how-tos/api-keys
It would be great to replace it with a link to some quick-doc explaining what and why will happen in March and what to do about it (that Firefox can import most data and sync it between multiple devices and platforms). Maybe in the meantime some alternative will arise, e.g. Firefox Sync adapted in Chromium or other synchronization engine, after all many distros will have this problem and probably some devs rely on that feature.
I'm using Chromium just to test website compatibility, but I installed or recommended it for many non-technical users as a Chrome replacement. I'm pretty sure most users don't check bodhi and won't know what hit them.
This update has been pushed to testing.
This update can be pushed to stable now if the maintainer wishes
This update has been submitted for stable by bodhi.
Works for me.
Thank you for maintaining the rpm !
This update has been pushed to stable.
Thank you for maintaining this package and for 'ripping the patch' up front, without adding a long pain to it. Also, for whoever is here asking themselves if there is a fully functional browser with sync-ing capabilities, the answer is yes: Firefox. ;-)
Please consider keeping the package updated going forward.
While sync is certainly a useful feature, it's entirely possible to use Chromium without ever enabling it; some people might even consider the removal of this Google-specific functionality an improvement.
Firefox is a very valid alternative, and what I personally use, but the fact that the two browsers use different engines makes it quite valuable to have both in the distribution.
Is removal actually correct? The email thread says that APIs like safe browsing are still available, but they won't be any longer if the API keys get removed.
I would say replace the package with Ungoogled Chromium. This is effectively the same to end-users once the APIs are blocked, with one major gain which is complete google APIs block and removal at user-end to prevent any tracking act by google.
Personally I don't care one bit for Sync of Geolocation services. Those are one of the first things I try disable when using a browser. The warning at the startup however made me think it was a far more serious change that could hurt browsing security. I would keep the package, if I wanted the full Google experience I'd stick with Google Chrome.
Thank you for continuing to maintain the package! Your builds so far have been top notch and this persuaded me to switch to Chromium partly (earlier a full fledged Firefox user, from way back when I was using Windows). It is indeed a real shame that Google has <sha> let us all down so much! Considering how much they use Linux: Linux apps are the closest to an actual ecosystem on ChromiumOS, they regularly let their open source projects AOSP and Chromium (OS)) wither away..
As I have also posted on arnoldthebat's update (https://arnoldthebat.co.uk/wordpress/2021/02/10/important-update/comment-page-1/?unapproved=114658&moderation-hash=1f39af0354eeb66a2907c367d1c07e47#comment-114658), and as echoed in this (https://www.techrepublic.com/article/google-stripping-chromium-of-certain-api-access-is-an-opportunity-for-the-browser-to-shine/), is it potentially possible for us to use our own form of syncing for Chromium browsers alone? There are a lot of open source devs who maintain the browser, and in arnold's case, the OS, and easily 3x as many users who need it to get away from the bad tech giant. Maybe such an API should help us get away for good.. (I personally can help test this on a phone and my laptop, on atleast 3 distributions and Android, and if I could, would love to help with the code as well (I went into the medical field #( ), and I do think all of us can band together for a while to get Chromium back to where it was)
WoW! I started to use Chromium a while back, and it was glorious. Thank you for making Chromium for the masses; everyone owes you a great debt of gratitude. What you did was awesome, and it is sad. I am not much of a coder, but I am a philosopher, and I offer a eulogy (yeah, it's a program, I know; I have not lost it, work with me here).
Today, I eulogize something beautiful under the most tragic of circumstances. It is like the death of a child, something created and has part of that creator in it. We are left with the questions of what if and why. It was not due to a faceless disease or defect inherited from the parents; it was murder. We know who did it. The killer is someone that we once gladly welcomed into our home. We trusted them with our personal communications, our many questions, and the records of our lives, all with the singular promise not to be evil. That was the first lie, but not the last.
The friend that we once trusted turned on us, and in secret, they practiced the dark arts and were possessed with the spirit of Google (for they are too many). Today, they have killed their brother Chromium, and his code still cries out from the ground, but are we listening? Power corrupts, and absolute power corrupts absolutely, and now they have become death: the destroyer of worlds.
Prince Chromium is dead, and now we are left with his useless brother sitting on the throne and breaking nuts with the royal seal. The King is dead; long live the king; now, what about us?