> And much of the documentation about Chromium and V8 is not public.
Nearly all the documentation is public... Private stuff is mostly accidentally created google docs where the engineer has selected "anyone within google.com with the link" instead of "anyone with the link". Anytime I request one of those documents be opened up, it has been done within a matter of hours.
> We've built it so that our servers never have to see any sensitive information.
If true, this is a key selling point and should probably be somewhere near the top of the homepage. I didn't get that point from reading any of the copy.
I'm always curious when I see this. Is it about potential IP in the code? References to clients in the code? Secrets?
In my last job they were worried about it too, but decided the cons outweighed the pros. Some of our code was client-specific (CanvaMapper etc.), but we would remove brand names and then go for it.
> ...we've made a genuine effort to publish our code
> (Coming soon!)
A privacy-focused product should surely not launch until its code is publicly available, especially if phrases like "Built to be audited" are used to promote it. There are no links on the site itself, or the Chrome or Firefox extension pages over a year after they were published.
And one of the three reviews on the Firefox extension is from a user with the same username as the publisher of the Chrome extension.
A black box with some bold marketing claims and a dodgy review doesn't inspire confidence.
> Their Github Pages page was censored. They are unable to participate in the maintenance of an open source repository. This was done, according to Github, as a requirement to comply with the laws of its state.
Software export is restricted to varying degrees, mostly encryption but there are other circumstances where export control exists on software (they used to be far more severe but have become considerably reduced). The BIS - https://www.bis.doc.gov - handles this and other CCL items.
To export anything that contains encryption over 64 bits you have to register with the BIS and be reviewed before you export. Even open-source software requires that you notify the BIS.
Conservative defaults and easier to audit since it is implemented in a high-level language / runtime. The runtime (Java) needs auditing of course, but that cost is distributed over many projects.
> So, it's a browser, got some screenshots? What's the ACID test score?
For the screenshots you need to scroll down the home-page. ACID test score is probably zero; when we last tried it, it was failing catastrophically.
> What rendering engine does it run on?
We haven't named it. It is a library inside the project. I believe the Lobo project wanted to spawn it off as a separate library called COBRA.
> Privacy, but no https?
It does support https. The bullet point in the roadmap was not clear: we need to take it beyond "it works; let's ship". We need to properly configure the networking library (okhttp) with the correct cipher-suites and fallbacks, for example.
> It's an evolution of the Lobo project apparently?
> I would be really surprised if they have any of the items you hypothesise
Turns out their "Software License and Support Agreement" is online. [1]
Some relevant excerpts:
Embarcadero will collect information about your use of the Community Edition for auditing purposes and improve our products and services. For more information about our collection, use and disclosure of personal data, please review Embarcadero's Privacy Statement at https://www.embarcadero.com/privacy-statement.
Curiously, clicking the link above does not produce any privacy statement, it just redirects to a generic 'legal' page. [2]
If Licensee is entering into this Agreement as an entity (e.g., as a corporation, a partnership, or other organization) or as an individual, Licensor may, at its expense, audit (electronic or otherwise) Licensee’s records and systems as they may relate to the use of Products, including, but not limited to, the number of copies of the Product in use by Licensee, the designated CPU(s) on which the Product is installed, the access of the Product including access to machine IDs, serial numbers and related information. As part of any such audit, Licensor or its authorized representative will have the additional right, on fifteen (15) days’ prior notice to Licensee, to inspect Licensee or the Named User’s records, systems and facilities, including machine IDs, serial numbers and related information, to verify that the installation, use of, and access to any and all Product is in conformance with this Agreement and its applicable terms. Additionally, within fifteen (15) days of such prior notice for audit, Licensee will provide Licensor all records and information requested by Licensor in order to verify that the installation, use and/or access of the Product is in conformance with this Agreement. Licensee and the Named User will provide full cooperation to enable any such audit. If Licensor determines that Licensee or the Named User’s installation, use of or access to the Product is not in conformity with this Agreement, Licensee will immediately take such steps as are necessary to bring Licensee and the Named Users’ installation, use and/or access into compliance with this Agreement, and pay the reasonable costs of the audit, in addition to any penalties, fees, or other remedies available to Licensor at law. Any such audit shall be conducted during regular business hours at Licensee’s facilities and shall not unreasonably interfere with Licensee’s business activities. 
If an audit reveals that Licensee has underpaid fees to Licensor, Licensee shall be invoiced for such underpaid fees (based on the list prices in effect at the time the audit is completed); and if the underpaid fees exceed 5% of the License fees already paid, then Licensee shall also pay Licensor the reasonable costs of conducting the audit.
> Not wanting to support it is a strange argument for not documenting it.
Seriously, no. That happens all the time in all kinds of software environments. Someone adds a crazy hack in a product with an API. Do you add it to the API, even though bits of it may leak visibly into the stuff seen by the customer? Hell no. That's what happened here.
This is the first time I've heard about this. How so?