On Mon, Jun 2, 2014 at 3:56 PM, Hector Garcia <[email protected]> wrote:I agree. I Â -parcially- solved my personal needs uninstalling chrome
Ver 3.5 and installing Ver 3.4.Downgrading to Chrome 34 and staying there indefinitely is a *very* dangerous solution to the problem; it's really unfortunate that instructions are circulating advising users (especially the large majority who don't understand the security implications) to "fix" the problem this way. This means exposing yourself to every vulnerability that has been or will be patched in any post-34 version of Chrome. It makes all browsing more dangerous just to enable specific pages to work.Using another browser (e.g., Firefox) to access those specific pages, while using the current version of Chrome for your general browsing, would be a far better approach.-Stuart
While forty million people may pay taxes online, how many of them are doing it using Linux?
The Linux worldwide market share is very, very small. You must factor that into your calculations.
While forty million people may pay taxes online, how many of them are doing it using Linux?The Linux worldwide market share is very, very small. You must factor that into your calculations.âPhistucKOn Fri, May 30, 2014 at 7:53 PM, Hector Garcia <[email protected]> wrote:
El jueves, 22 de mayo de 2014 01:06:24 UTC-5, Matt Giuca escribió:I want to reiterate that this decision was a security decision, not a deliberate choice to shut down access to these services. (The point has been made many times before, but not recently on this thread.) The removal of NPAPI on Linux in Chrome 35 was not simply a policy decision.NPAPI is a technology from the 1990s which basically predates modern computer security. Any NPAPI plugin can completely take over your machine, and frequently, NPAPI plugins run untrustworthy code from the Internet on interpreters with security vulnerabilities. Chrome is powerless to protect you from malicious or insecure NPAPI plugins owning your machine.On Windows and Mac, there is a long deprecation plan so these plugins will continue to work a while longer while other work-arounds are found. On Linux, we ran into a practical problem: since we are moving the UI stack from GTK to Aura in Chrome 35, NPAPI plugins would not run on Chrome 35 without a serious amount of engineering effort. Since NPAPI is being deprecated, it did not make sense for Google to commit a lot of engineering effort to writing new NPAPI architecture that will be deleted within a year, especially not on Linux which has a very small market share.The timing is unfortunate, but the number of Linux users that require NPAPI plugins that aren't Flash is just too small to justify this effort.Suggestions along the lines of using sockets to allow PPAPI plugins to talk to stand-alone NPAPI plugins require a similar amount of engineering effort, and defeat the entire point of removing NPAPI, which is that it is insecure to let code downloaded from the Internet talk to arbitrary native applications.Dear MattI think you haven't done a thorough analysis on how many people are actually being affected.Let's talk about Mexico.  Our goverment tax office is "married" with third party -comercially licensed platforms , such Java and Silverlight. AFAIK the only  way to run Silverligh on Linux stations it's by piperlight, a NPAPI plugin.Put it simply, without Java and Silverlight, we cannot pay taxes.ÂAcording to official numbers, at November 2013, in Mexico,  we were ~ 40 million people who pay taxes. Is that a small user number for you?Ok we can say that almost all the accounting professionals (who take the designation of paying  taxes from their customers, the taxpayers) use IE/Windows to do their job.ÂAre we assuming that we, the 40 million people who pay taxes, we are forced to use IE / Windows in order to meet our obligations?I know this is a discussion that we should keep with mexican government. But i think Google isn't doing a good job for a change opportunity.Wouldn't be a good practice, to wait  (or develop) a good alternative to NPAPI (PPAPI only supporting for flash is far from it) before dropping it?Anyway, things are done. I didn't paid anything for chrome, I understand that Google gave it to me on a free basis. I was happy with it. I have the right to take the decision of keep using it or not. Until there is an acceptable solution, goodbye chrome..Para información de mis compratriotas, lo pongo en español..Estimado Matt.Me parece que no has hecho un análisis exhaustivo de cuantas personas están siendo realmente afectadas.Hablemos de México. Nuestra oficina de impuestos esta "casada" con aplicaciones de terceros bajo licencias comerciales, como Java y Silverlight. Hasta donde sé, la única manera de ejecutar Silverlight en los equipos Linux es usando piperlight, un plugin NPAPI .En pocas palabras, si no hay Java y Silverlight, no podemos pagar impuestos.Según cifras oficiales, a Noviembre de 2013 en México éramos ~ 40 millones de personas los que pagamos impuestos.¿Eso es un número de usuarios pequeños para tÃ?Ok , podemos decir que casi todos los profesionales de la contabilidad ( que toman la responsabilidad de pagar los impuestos de sus clientes , los contribuyentes ) utilizan IE / Windows para hacer su trabajo .¿Asumimos que, los 40 millones de personas que pagamos impuestos, estamos obligados a usar IE/Windows para cumplir con nuestras obligaciones?Sé que este es un debate que debemos mantener con el gobierno mexicano . Pero creo que Google no está haciendo un buen trabajo para una oportunidad de cambio.¿No serÃa una buena práctica, esperar ( o desarrollar ) una buena alternativa a NPAPI ( PPAPI que solo soporta  flash está lejos de serlo) antes de desecharlo?De todos modos , las cosas ya están hechas . Yo no pagué nada por Chrome , entiendo que Google me lo dio de forma gratuita .ÂEstaba contento con él.ÂTengo el derecho de tomar la decisión de seguir usando o no.ÂHasta que no haya una solución aceptable , adiós Chrome .Saludos /best regards--
--
Chromium Developers mailing list: [email protected]
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
The change from GTK to Aura has been in the works for multiple years
PhistucK:While forty million people may pay taxes online, how many of them are doing it using Linux?
The Linux worldwide market share is very, very small. You must factor that into your calculations.Maybe you missed the part where this decision will be hitting Windows by the end of the year.
Java and Linux is Liberty for us, most Windows' made applications run in Linux because of Java, calculating the raw usage of Java is "stupidity". Java Applet importance comes from high-class applications for professional users, like Stocks trading software, VPN access, in browser VNC and list can go on and on. Saying only 1% used Java Applet in the last 30 days and it's enough reason to drop it, is nonsense , this like saying , you only log-in to your bank account once a month , so it's fair to drop such support. Lets take it even further, how many POST HTTP calls vs GET getting called, maybe less than 0.001% of all calls are POST, please don't remove that (we do need the POST as well) Google's "Don't be evil" motto , is breaking day by day. Linux is the best OS, only if you can strip it down and put you Android OS on top of it, Java is the perfect companion to Android if you can cut-off Oracle and package it for free to make billions (tens of billions) from ads. How about Google to stop being self centered and stop thinking about stuff strategically , because you're becoming like Micro$oft, they linked everything almost directly to how much benefit this will bring to Windows and Office, and you're linking everything to the possibility of showing ads on it.
anyone who understands anything about NPAPI knows it is impossible to do anything security related to it. Â the API needs to die, and it should have died years ago.
On Saturday, 21 June 2014 08:38:21 UTC+1, Mike Frysinger wrote:anyone who understands anything about NPAPI knows it is impossible to do anything security related to it. Â the API needs to die, and it should have died years ago.
The problem here is that it unfortunately *hasn't* died yet.
Installing Oracle Java proudly reminds us that Java is on "3 billion devices"
> i've maintained a lot of web servers and have never needed VNC ... that's what ssh is for (also free clients in the CWS).
You've obviously never remotely installed an OS or ever rebooted a Web server and wanted to monitor its boot sequence remotely - both of which many sysadmins do regularly.
It seems the dropping of NPAPI support wasn't triggered by lack of usage or security reasons, but actually because Google are moving away from GTK and re-jigging their graphics layer from GTK to Aura (why? If there's issues with GTK, why not talk to GTK devs and get some changes made to it?). This move is being made without any possibility of supporting NPAPI plug-ins on Linux apparently - Google are claiming that they will do the same on other platforms before the end of this year.
Hi Chromium community,In September 2013, we announced that NPAPI support will be phased out of Chrome in 2014, with the following schedule:
- January: block NPAPI plug-ins by default
- Mid-year: more aggressive blocking (different UI, smaller whitelist)
- Before end of 2014: remove support completely
The update here is that Linux NPAPI support may be dropped as early as M34 (goes to Stable in early April).  The reason for this timeline is that we've decided not to implement NPAPI support in Linux Aura.  We feel comfortable doing so because affected plug-ins all have 30-day launch rates below .7% of Linux Chrome users.A few things to keep in mind:
- So long as they are not too crazy, we might accept patches to add NPAPI support to Linux Aura. (We won't commit to supporting it or shipping it though.)
- Once we stop supporting NPAPI on Windows, we'll proceed to remove the code entirely for all platforms, including Linux Aura.
Let us know if you have questions.Max
Google couldn't find better solution than just stop supporting NPAPI. That's unbelievable! They have thousands of workers, and what they could do is just stop supporting
ÑÑеда, 8 ÑнваÑÑ 2014 г., 6:04:18 UTC+6 полÑзоваÑÐµÐ»Ñ Max Heinritz напиÑал:Hi Chromium community,In September 2013, we announced that NPAPI support will be phased out of Chrome in 2014, with the following schedule:
- January: block NPAPI plug-ins by default
- Mid-year: more aggressive blocking (different UI, smaller whitelist)
- Before end of 2014: remove support completely
The update here is that Linux NPAPI support may be dropped as early as M34 (goes to Stable in early April). The reason for this timeline is that we've decided not to implement NPAPI support in Linux Aura. We feel comfortable doing so because affected plug-ins all have 30-day launch rates below .7% of Linux Chrome users.A few things to keep in mind:
- So long as they are not too crazy, we might accept patches to add NPAPI support to Linux Aura. (We won't commit to supporting it or shipping it though.)
- Once we stop supporting NPAPI on Windows, we'll proceed to remove the code entirely for all platforms, including Linux Aura.
Let us know if you have questions.Max
--
I don't think anybody here disagrees that the NPAPI was insecure.
The issue is that there is no way to use the java plugin now. And that
plugin is needed to work with the Administration (tax, health....) in
multiple countries.
The same way that Google found provided a replacement for flash, they
should have worked on a solution for java.
To an uneducated eye, this just seems Google lobbying against a
technology that runs terribly bad on Android (java). But I am not part
of the develpment of chromium, and there might be a very good reason
for doing the things as they were done.
Google can have very good statistics about browser usage. Have you
seen any loss of market since NPAPI was not supported?
The same way that Google found provided a replacement for flash, they
should have worked on a solution for java.
To an uneducated eye, this just seems Google lobbying against a
technology that runs terribly bad on Android (java).
--
--
On no thread related to NPAPI dismantling there's plain response to simple question: how Google Chrome users are expected to view Web documents utilizing Java-driven elements?
[...]
Open another browser, that hasn't yet abandoned Java support?
On no thread related to NPAPI dismantling there's plain response to simple question: how Google Chrome users are expected to view Web documents utilizing Java-driven elements?
It's obvious that Chrome developers will simply respond "That's not our business". Oracle, as you could notice, keeps silent.
It's obvious they are not encouraged by idea to develop Java plugin utilizing Aura.
So, from plain "ordinary" user point of view: what do you offer me to use to still be able to run Java objects on Web pages? Open another browser, that hasn't yet abandoned Java support?
I do not want to raise any flame, but looks like developers do not even assumed the users' needs and actual requirements.
I am only "pro" using modern technologies and discard older ones, but how about usability?
I will be surprise to read any answer from developers different from "We don't care" or "It's not our business to develop plugin compatible with Java".
Thanks.Sincerely,Konstantin
On Wednesday, January 8, 2014 at 6:04:18 AM UTC+6, Max Heinritz wrote:Hi Chromium community,In September 2013, we announced that NPAPI support will be phased out of Chrome in 2014, with the following schedule:
- January: block NPAPI plug-ins by default
- Mid-year: more aggressive blocking (different UI, smaller whitelist)
- Before end of 2014: remove support completely
The update here is that Linux NPAPI support may be dropped as early as M34 (goes to Stable in early April). The reason for this timeline is that we've decided not to implement NPAPI support in Linux Aura. We feel comfortable doing so because affected plug-ins all have 30-day launch rates below .7% of Linux Chrome users.A few things to keep in mind:
- So long as they are not too crazy, we might accept patches to add NPAPI support to Linux Aura. (We won't commit to supporting it or shipping it though.)
- Once we stop supporting NPAPI on Windows, we'll proceed to remove the code entirely for all platforms, including Linux Aura.
Let us know if you have questions.Max
--
This is what I am saying: proper policy would be to warn users about
Java upcoming demise long ago, not just tell them "You 're out of luck,
we don't support it in a couple of weeks".
I would like to offer developers another strategy: when something is
obviously gets poorly or not supported, aggressively advocate against
it, encourage developing alternatives and so on - starting that few
years before abandoning the piece of technology..
ÐÑ, 27.03.2015 в 21:19 Stuart Morgan пиÑал(а):
> [Whoops, somehow hit send immediately]
>
> On Fri, Mar 27, 2015 at 7:57 AM Konstantin Boyandin <[email protected]> wrote:
>> On no thread related to NPAPI dismantling there's plain response to simple question: how Google Chrome users are expected to view Web documents utilizing Java-driven elements?
>> [...]
>> Open another browser, that hasn't yet abandoned Java support?
>
> Using another browser for pages that haven't yet moved away from depending on an NPAPI plugin (including Java) is a reasonable option, yes. That was in fact addressed earlier in this thread.
>
> This is already the case for anyone trying to use such a site from a mobile device, except that they can't just open another browser, they have to move to a completely different device (assuming they even have one available).
>
> -StuartÂ
This is what I am saying: proper policy would be to warn users about
Java upcoming demise long ago, not just tell them "You 're out of luck,
we don't support it in a couple of weeks".
âLinux users just got it early, Windows and Macintosh users will get it by September.â Everyone gets it eventually.
Skipping anti-Java advocacy, since I do not have objections against it.
In my case, I really didn't care about missing Java applets till one
moment I had to access a VPS which couldn't be accessed otherwise. There
was a problem, though, since
- Google Chrome stopped doing that without printing in big red letters
anywhere on its settings "Java plugin is not supported any more" etc.
- Firefox, though formally still working, crashed along with the Java
plugin.
Finally, I found an image of old Windows VM, with ancient Opera
installed, cloned it and run. That helped. Read the above carefully: I
had to still use old API using dangerous, insecure way, since there was
no other way around.
Formally, you can still state it's not your problem. But merely stopping
supporting old APi doesn't make it vanish, it only causes more problems
with insecure software still in use.
You get rid of old APi at expense of end users who carry the burden of
handling the problems coming all of a sudden.
But - please read that carefully - (it was your
task, when planning to obsolete old API, to do all possible to warn end
user about upcoming problems and influence those who developed insecure
software to provide alternatives, since <here a picture of dread
consequences>*. Appealing to security problems works almost with
everyone.
This is a fair point. I'm not sure what level of warning we present to users as I haven't encountered a Java applet on Windows for a long time. Do we currently state on Win/Mac explicitly that the plugin will stop being supported in September, 2015? (Aside from the security warnings, which don't actually give the user a sense of impending doom, just an annoyance.)
Read the above carefully: I
had to still use old API using dangerous, insecure way, since there was
no other way around.
On Tuesday, January 7, 2014 7:04:18 PM UTC-5, Max Heinritz wrote:Hi Chromium community,In September 2013, we announced that NPAPI support will be phased out of Chrome in 2014, with the following schedule:
- January: block NPAPI plug-ins by default
- Mid-year: more aggressive blocking (different UI, smaller whitelist)
- Before end of 2014: remove support completely
The update here is that Linux NPAPI support may be dropped as early as M34 (goes to Stable in early April).  The reason for this timeline is that we've decided not to implement NPAPI support in Linux Aura.  We feel comfortable doing so because affected plug-ins all have 30-day launch rates below .7% of Linux Chrome users.A few things to keep in mind:
- So long as they are not too crazy, we might accept patches to add NPAPI support to Linux Aura. (We won't commit to supporting it or shipping it though.)
- Once we stop supporting NPAPI on Windows, we'll proceed to remove the code entirely for all platforms, including Linux Aura.
I think that Adobe Flash only supports NPAPI for Linux outside of Chrome and CrOS. Â Is this saying that no Flash will ever work on Linux in four months?
What are the plugin percentages, non-Chrome for Linux only? Â I think the ratios might surprise us. Â Not close to 0.7%.
- chadUbuntu
--
--
Chromium Developers mailing list: [email protected]
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
On Tuesday, January 7, 2014 7:04:18 PM UTC-5, Max Heinritz wrote:Hi Chromium community,In September 2013, we announced that NPAPI support will be phased out of Chrome in 2014, with the following schedule:
- January: block NPAPI plug-ins by default
- Mid-year: more aggressive blocking (different UI, smaller whitelist)
- Before end of 2014: remove support completely
The update here is that Linux NPAPI support may be dropped as early as M34 (goes to Stable in early April).  The reason for this timeline is that we've decided not to implement NPAPI support in Linux Aura.  We feel comfortable doing so because affected plug-ins all have 30-day launch rates below .7% of Linux Chrome users.A few things to keep in mind:
- So long as they are not too crazy, we might accept patches to add NPAPI support to Linux Aura. (We won't commit to supporting it or shipping it though.)
- Once we stop supporting NPAPI on Windows, we'll proceed to remove the code entirely for all platforms, including Linux Aura.
I think that Adobe Flash only supports NPAPI for Linux outside of Chrome and CrOS. Â Is this saying that no Flash will ever work on Linux in four months?
What are the plugin percentages, non-Chrome for Linux only? Â I think the ratios might surprise us. Â Not close to 0.7%.
On Wed, Jan 8, 2014 at 6:30 AM, Chad Miller <[email protected]> wrote:
On Tuesday, January 7, 2014 7:04:18 PM UTC-5, Max Heinritz wrote:Hi Chromium community,In September 2013, we announced that NPAPI support will be phased out of Chrome in 2014, with the following schedule:
- January: block NPAPI plug-ins by default
- Mid-year: more aggressive blocking (different UI, smaller whitelist)
- Before end of 2014: remove support completely
The update here is that Linux NPAPI support may be dropped as early as M34 (goes to Stable in early April).  The reason for this timeline is that we've decided not to implement NPAPI support in Linux Aura.  We feel comfortable doing so because affected plug-ins all have 30-day launch rates below .7% of Linux Chrome users.A few things to keep in mind:
- So long as they are not too crazy, we might accept patches to add NPAPI support to Linux Aura. (We won't commit to supporting it or shipping it though.)
- Once we stop supporting NPAPI on Windows, we'll proceed to remove the code entirely for all platforms, including Linux Aura.
I think that Adobe Flash only supports NPAPI for Linux outside of Chrome and CrOS. Â Is this saying that no Flash will ever work on Linux in four months?
Adobe deprecated NPAPI Flash on Linux almost two years ago. Linux NPAPI Flash is currently seven releases behind the main release (11.2 versus the current 11.9) and only receiving updates for significant security vulnerabilities. PPAPI Flash is current and will continue to be supported on Linux indefinitely.
I wonder if Canonical has any way to determine how many Chromium users there are on Ubuntu, so we can work out what the ratio of Chrome to Chromium users are on a typical Linux installation.
Can I just clarify some of these issues since it's a bit confusing to me. Let me know if I've gotten any of these things wrong: ...
It might help if we had some usage statistics about Chromium. I wonder if Canonical has any way to determine how many Chromium users there are on Ubuntu, so we can work out what the ratio of Chrome to Chromium users are on a typical Linux installation. I would guess there is a fairly high ratio of Chromium users, given that (at least on Ubuntu), Chromium is the path of least resistance. (You apt-get it or go to the Ubuntu Software Center to install it like you install all of your other software, instead of having to download and install a separate binary.) I personally used Chromium for years (before I needed a bugfix in the latest version so I switched to Chrome). Also many Linux users want to use as much free software as possible, so Chromium (even with a proprietary Flash plugin) is a better choice for them philosophically.
It seems like the best course of action would be to arrange for Adobe to provide a stand-alone binary of the PPAPI version of Flash for Chromium users, rather than trying to continue to support the ageing NPAPI Flash. Thoughts?
There is no support for synchronous scripting between JS and a PPAPI plugin, except for the deprecated method you found.
Note: There is also no supported way to use PPAPI from a third party plugin outside of Native Client.
--
It seems like the best course of action would be to arrange for Adobe to provide a stand-alone binary of the PPAPI version of Flash for Chromium users, rather than trying to continue to support the ageing NPAPI Flash. Thoughts?
I feel quite sure envoys have met in the past. That nothing has changed does not encourage me.
--
--
Chromium Developers mailing list: [email protected]
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
--
The update here is that Linux NPAPI support may be dropped as early as M34 (goes to Stable in early April).  The reason for this timeline is that we've decided not to implement NPAPI support in Linux Aura.  We feel comfortable doing so because affected plug-ins all have 30-day launch rates below .7% of Linux Chrome users.
Also Java!!Which means chrome it is not usable in Denmark any more, since all the relevant logins (bank, taxex, city services, union, health....) are done with nemid.nu a java based product.Any public plans for Java/IcedTea to support Peeper?
On Tuesday, May 20, 2014 10:26:02 PM UTC+2, Cliff Wells wrote:
On Tuesday, January 7, 2014 4:04:18 PM UTC-8, Max Heinritz wrote:The update here is that Linux NPAPI support may be dropped as early as M34 (goes to Stable in early April).  The reason for this timeline is that we've decided not to implement NPAPI support in Linux Aura.  We feel comfortable doing so because affected plug-ins all have 30-day launch rates below .7% of Linux Chrome users.
While most of the discussion here centers around Flash, other products are also affected. For me, there are two:1) GNOME Shell Integration plugin2) VMware VSphere Client pluginAs many of you know, there is no native VSphere client for Linux. That means relying on the web UI. That is also no longer an option. So anyone on Linux managing a VMware instance is now sent running to Firefox. Given VMware's lack of rush to get out a native Linux client, I don't expect to see a rush to port their plugin to PPAPI anytime soon.While I can't speak for anyone else, I have no plans on running two browsers . I understand the push to get rid of NPAPI, but at the same time, if the result is a browser that is no longer usable... well... I don't need to carry on about it. If I'm forced to use Firefox so be it. But do realize that will be the result for many people.
--
I have contacted nemid, as soon as I got a propper response I will copy it here. But with no nemid, chrome cannot be used in Denmark.What about a NPAPI to Pepper wrapper? Any project working on that?
--
--
Chromium Developers mailing list: [email protected]
View archives, change email options, or unsubscribe:
  http://groups.google.com/a/chromium.org/group/chromium-dev
One of the unexpected things that stopped working is the DNSSEC Validator from the Chrome Store.
I no longer have access to internal GOOG resources, but can somebody please notify the owners of https://developers.google.com/speed/public-dns/faq#dnssec and ask them to remove references to using the DNSSEC Validator with Chrome. The reference to Firefox can stay until (and if) there is a better option that works with all browsers.
Hi Chromium community,In September 2013, we announced that NPAPI support will be phased out of Chrome in 2014, with the following schedule:
- January: block NPAPI plug-ins by default
- Mid-year: more aggressive blocking (different UI, smaller whitelist)
- Before end of 2014: remove support completely
The update here is that Linux NPAPI support may be dropped as early as M34 (goes to Stable in early April).  The reason for this timeline is that we've decided not to implement NPAPI support in Linux Aura.  We feel comfortable doing so because affected plug-ins all have 30-day launch rates below .7% of Linux Chrome users.
--
I want to reiterate that this decision was a security decision, not a deliberate choice to shut down access to these services. (The point has been made many times before, but not recently on this thread.) The removal of NPAPI on Linux in Chrome 35 was not simply a policy decision.NPAPI is a technology from the 1990s which basically predates modern computer security. Any NPAPI plugin can completely take over your machine, and frequently, NPAPI plugins run untrustworthy code from the Internet on interpreters with security vulnerabilities. Chrome is powerless to protect you from malicious or insecure NPAPI plugins owning your machine.On Windows and Mac, there is a long deprecation plan so these plugins will continue to work a while longer while other work-arounds are found. On Linux, we ran into a practical problem: since we are moving the UI stack from GTK to Aura in Chrome 35, NPAPI plugins would not run on Chrome 35 without a serious amount of engineering effort. Since NPAPI is being deprecated, it did not make sense for Google to commit a lot of engineering effort to writing new NPAPI architecture that will be deleted within a year, especially not on Linux which has a very small market share.The timing is unfortunate, but the number of Linux users that require NPAPI plugins that aren't Flash is just too small to justify this effort.Suggestions along the lines of using sockets to allow PPAPI plugins to talk to stand-alone NPAPI plugins require a similar amount of engineering effort, and defeat the entire point of removing NPAPI, which is that it is insecure to let code downloaded from the Internet talk to arbitrary native applications.
--
--
Chromium Developers mailing list: [email protected]
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
On Wednesday, May 21, 2014 11:06:24 PM UTC-7, Matt Giuca wrote:I want to reiterate that this decision was a security decision, not a deliberate choice to shut down access to these services. (The point has been made many times before, but not recently on this thread.) The removal of NPAPI on Linux in Chrome 35 was not simply a policy decision.NPAPI is a technology from the 1990s which basically predates modern computer security. Any NPAPI plugin can completely take over your machine, and frequently, NPAPI plugins run untrustworthy code from the Internet on interpreters with security vulnerabilities. Chrome is powerless to protect you from malicious or insecure NPAPI plugins owning your machine.On Windows and Mac, there is a long deprecation plan so these plugins will continue to work a while longer while other work-arounds are found. On Linux, we ran into a practical problem: since we are moving the UI stack from GTK to Aura in Chrome 35, NPAPI plugins would not run on Chrome 35 without a serious amount of engineering effort. Since NPAPI is being deprecated, it did not make sense for Google to commit a lot of engineering effort to writing new NPAPI architecture that will be deleted within a year, especially not on Linux which has a very small market share.The timing is unfortunate, but the number of Linux users that require NPAPI plugins that aren't Flash is just too small to justify this effort.Suggestions along the lines of using sockets to allow PPAPI plugins to talk to stand-alone NPAPI plugins require a similar amount of engineering effort, and defeat the entire point of removing NPAPI, which is that it is insecure to let code downloaded from the Internet talk to arbitrary native applications.
Conversely, a browser than cannot function as needed is about as useful as no browser at all. We'd be really secure if we just turned the entire computer off.
The argument that the number of users that require NPAPI plugins is too small contradicts your position that this is a security hole of significant magnitude - if there are few users then the security hole would only affect those few users. At the least there should be a way for people who simply must have NPAPI plugins to whitelist or reenable them. If I can't run the VMware VSphere console plugin, then I can't use Chrome. I could have lived with nag screens, hidden settings, etc, but blanket removal is unacceptable (not to mention the wasted hour I spent discovering why suddenly one morning I couldn't access the console during an IT crisis - love you guys for that). None of the nag screens that were claimed to be in planning ever appeared. Just went from working on Monday to utter failure on Tuesday.
--
--
Chromium Developers mailing list: [email protected]
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
I guess we will see the magnitude as soon as this reaches windows.
Just to be accurate -NPAPI usage statistics come only from those that enabled anonymous usage statistics, right?
If so, then this is not coming from all of the user base.