Chromium-widevine - how to use/update?

Hi there,

I have installed Chromium Widevine using the script provided in sway edition. It is working great and I am happy with it. However, I want to learn if or how I can update the Chromium widevine. I am new to this docker thing and I was wondering if I can get insight into how to use a docker package. Also, if I can’t update Chromium Widevine, should I be concerned with security issues?

it should do updates on its own.
you can’t update separately as the drm has to match the chromium version.

Ok, great. So, I don’t have to worry about updating the widevine. It should update automatically.

Thank you for the explanation.

i could be wrong.
i just looked at the script, didn’t see anything for checking updates.

i don’t use that, i refuse drm, wait for someone else to chime in.

Ah ok. I do not want to use a software that is potentially vulnerable. How can I erase it then if it is not updating?

don’t jump the gun, wait for someone else.
snap & docker are supposed to be safe, i don’t think you need to worry about that as they’re self contained, like a virtual machine running on a host.

Yes, but only use Chromium-docker to watch drm content and not for regular use. It has an older version of Chromium, so yes, there must be vulnerabilities. There is no other way to run drm content on the ARM64 (aarch64) architecture yet.

No. It never gets updated as that was the latest drm match I could find. I will see if ChromeOS was updated lately or not.

A vulnerability inside the browser can be exploited, but if you can limit its use to only websites which are https and genuine ones like netflix, hulu, amazon prime etc. then you should not worry much.

Else you can remove it using this command.
sudo pacman -R chromium-docker

Good luck.

Thank you for the detailed explanation; I appreciate it. I have other options to watch drm content and in this case I will likely remove the widevine package. I don’t want to use software that is vulnerable.

For your information, the chromium-widevine is asking for the root password whenever I launch it. Thus, it is another concern of mine. I am not sure how safe it is to run a web browser as root, even if it is constrained and uses specific web sites.

That is the way a docker container is set up by default to mount the container. Some people use docker containers as they are self contained and should isolate themselves from the OS running them. Like a web server or using web apps like firefox. Basically a sandbox…

Having said that it can be run as a regular user if the right module is enabled in the kernel but some argue that doing that is not secure.

Ok, using widevine as root is more secure than as a regular user? Docker tech is totally new to me; so, I will take your words.

What I remember is that xfce and kde were giving me the same warning and they didn’t have those scripts. I guess they may have other tweaks in this case.

What would you recommend regarding the firewall then? Should I switch to firewalld? Or should I wait for a fix (I am planning to make a clean install in June when stable releases are available) and hope it is available soon?

That is the way most have it set up. If one enables the module in the kernel (CONFIG_USER_NS=y) and adds your user name to the docker group then you would be able to launch the docker container with you as a regular user, but that would be where the “Not Secure” part would come into play, as you are mounting a system container as a regular user. Any uid 1000 and above is reserved for regular users, and on my system docker is installed:

docker:x:968:

ufw is good, but when I was going through the process of becoming a Certified Network Engineer one thing that has always stuck in my mind is what the instructor told us: “The only way to be secure is not to be connected to the internet. No matter what you do, someone that is determined enough will find a way to hack you”.

I do not maintain the widevine package @spikerguy does and I have no clue why the scripts in /usr/local/bin and /usr/share/ are owned by user 1001. It does not make any sense to me being on the outside looking in.
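The two posts above raise three checkable facts: membership of the docker group (which is root-equivalent because it grants access to the daemon socket), whether unprivileged user namespaces are available, and launcher scripts owned by an unexpected uid such as 1001. The script below is an added example, not from the thread or the Manjaro scripts; every check takes its input as an argument so it runs offline, and the live-audit helper uses a placeholder path because the thread does not name the script file.

```shell
#!/bin/sh
# Added audit helpers (not part of the thread). Inputs are passed in as
# arguments so the checks can be exercised without touching the host.

# Print the comma-separated member list of an /etc/group line.
#   "docker:x:968:alice,bob" -> "alice,bob"
group_members() {
    printf '%s\n' "$1" | cut -d: -f4
}

# Return 0 if user $2 appears in the member list of group line $1.
# Members of "docker" can start containers as root, so treat them as root.
user_in_group() {
    members=$(group_members "$1")
    case ",$members," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Classify a uid using the convention quoted above: 0 root, <1000 system
# account, >=1000 regular user.
uid_class() {
    if   [ "$1" -eq 0 ];    then echo root
    elif [ "$1" -lt 1000 ]; then echo system
    else                         echo regular
    fi
}

# Interpret /proc/sys/user/max_user_namespaces: 0 (or garbage) means
# unprivileged user namespaces are off, anything positive means on.
userns_state() {
    if [ "$1" -gt 0 ] 2>/dev/null; then echo enabled; else echo disabled; fi
}

# Compare the observed owner uid of a launcher script with the expected one
# (scripts under /usr/local/bin are normally root-owned).
check_owner() {
    if [ "$1" -eq "$2" ]; then echo ok; else echo "unexpected-owner:$1"; fi
}

# Live audit for the current host. LAUNCHER is a placeholder: the thread only
# says the scripts live in /usr/local/bin and /usr/share, not their names.
audit_live() {
    LAUNCHER="${1:-/usr/local/bin/PLACEHOLDER-widevine-launcher}"
    echo "docker members: $(group_members "$(grep '^docker:' /etc/group)")"
    echo "userns: $(userns_state "$(cat /proc/sys/user/max_user_namespaces 2>/dev/null)")"
    [ -e "$LAUNCHER" ] && echo "owner: $(check_owner "$(stat -c %u "$LAUNCHER")" 0)"
}
```

Run `audit_live /path/to/launcher` on the box in question; an `unexpected-owner:1001` line reproduces exactly the oddity described in the post above.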

Ok, I remember a similar procedure from the pbp wiki on running the widevine as a regular user. I couldn’t succeed at that time. Frankly, I would be ok without the widevine in my pbp. It is just that relevant tweaks seem to be coming with a base install. So, regardless, pbp users will potentially have this issue.

I will disagree with your instructor regarding the issue. With that logic even making security updates wouldn’t make sense. Besides, if you have a possible way to install it, what would be the harm in installing ufw?

Ok, I will wait for @spikerguy . Personally, I would opt for a firewall installed on a clean secure system than having the widevine in my system.

Just a short notice and clarification: in the Sway edition we have 2 scripts that allow running a chromium with widevine (basically the same setup that is used in the Docker image of @spikerguy) without the need for having a docker daemon running. Instead these scripts are using systemd-nspawn containers to do its job. The request for root is only to spawn up the container itself, the chromium within it is running with the same credentials as the logged on user though…

The same limitations to the upgrades apply though…


More details about the how-to here: Containerizing Graphical Applications On Linux With systemd-nspawn | John Ramsden.

The benefit of this approach IMHO: you don’t need to install and run a docker daemon on your system to watch Netflix & Co.

P.S.: I also don’t use docker (root) daemon for any container workload any more, but went with Podman instead. This is a drop-in replacement for container image runtime, but works without a root mode (most of the time at least). AFAIK Docker is only offering such non-root mode nowadays as a preview feature…


ok, the docker will never upgrade the chromium widevine as @spikerguy informed, right? I guess I would not be comfortable with a software that is vulnerable even if it is contained.

I would want a firewall running clean of any warnings/errors, if possible. I can also live w/o drm content.

You misunderstood. I said ufw was good; not to not use it. I was just pointing out that nothing can keep you completely safe. The most secure networks in the world get hacked when they are connected to the internet: government web sites, banks and corporations that put out big bucks for the latest technology.

Just a short remark: any software might be vulnerable… the CVEs that are published daily are just the discovered vulnerabilities. So it’s always good to check software before installing/using it and validate its permissions - hence the trend to containerize (aka sandbox) applications, so they can’t do much damage to the system / user. As the chromium instance is running isolated from the rest of the system, it can’t control your whole OS… it also only has access to a dedicated directory in your $HOME/.local/share folder for persisting the session cookies, so you don’t have to log in every time you want to use one of those web sites…

Ok, I understand this. At the same time, browsing the internet with a dated browser (not even esr) is something I would think twice about. @spikerguy is suggesting to use widevine only for trusted/well known sites like netflix.

I would prefer a working firewall free of warnings/errors instead. I also considered installing selinux or apparmor in my Manjaro pbp for a while.

I know you have provided firewalld for a while last year. Was there any specific reason to choose firewalld over ufw?

Ah ok, thank you for clarification.

I would suggest including a warning during the installation of the widevine.