Google Chromium, Chromeplus and Iron Browser: Why Source code and Distribution Models Matter

Google Chromium, Chromeplus and Iron Browser: Why Source code and Distribution Models Matter


The internet has been awash with the fallout from Oracle's stewardship of OpenOffice.org and Ubuntu's announcement that Xorg would be replaced by Wayland and Unity would be the next desktop. The F-word was used. A lot. No, not that F-word. The other F-word. Forking. OpenOffice.org has already forked to LibreOffice and I've no doubt that Unity haters will fork off to Gnome Shell 3. Fair enough. It's all about choice in the end and choice creates competition and competition often creates innovation and cross fertilization (as well as fragmentation). You need look no further than Google's Chromium browser to see how a project benefits from the protection of open source licences, available source code, collaboration and the capacity to accelerate development. This article is about that and a brief progress report on how far Chromium has come since I first wrote about it.

Baby, you've come far

as Chromium is based on open source it effectively provides end users with a get-out-of-jail-free card

Like Oracle (and previously Sun), many people have a visceral distrust of big corporations like Google. Yes, we love Gmail, Calendar, Docs, Buzz etc., and we salute their Summer of Code. They are our very guilty and public secret. We use them and we love them but we know too that you can't mention Google without the P-word (and sometimes the F-word too) being spat out. I mean privacy of course but Google is clever. They have bottomless pockets and employ some very clever people who come up with attractive and clever software. Lots of other equally talented programmers out there in the open source community do as well but often on a shoestring and without the constant nagging accusation of privacy violations hanging over their heads. A discussion of Google and privacy is another article in its own right but ,as Chromium is based on free software, it effectively provided end users (with the requisite skills) with a get-out-of-jail-free card. If you think Google's version of the browser is a security and or privacy risk, you can take the source code and develop your own masterpiece. Before you do though, you will need to get a clear picture.

The first big news about a Google browser was the parodied comic which explained to a waiting world some of the latest features, including the V8 engine, sandboxed tab processes and DNS prefetching. As I explained over two years ago Google's target was commercial advantage in the Windows demographic, but as the intervening period has demonstrated, the free software nature of Chromium has allowed it to be taken in other directions. Directions not dictated by Google's own agenda. To understand that we need to compare notes and see where Chromium has got to.

Chromium has garnered 10% in just over two years. If we extrapolate that figure, assuming the same rate of growth, then it should have 40% in eight years

It is a measure of how far the browser has come that when I first tried it out I had to run a Windows version under Crossweavers and my review of it revealed a pretty basic browser which, inevitably, had a long way to go. Since then the feature set has expanded massively. Extensions have blossomed too In excess of nine thousand. A nightly build release cycle has also given the user a rapidly expanding number of start up switches. In excess of three hundred. Every time I update my nightly build via the PPA for Ubuntu and type about:flags in the address bar (formerly about:labs) new features are likely to be added that extend the power and configurability of the browser. Hopefully, Google will add something like Mozilla's about:config to manage the browser chrome instead of having to rely on bespoke editing of Chromium's configuration files. In the meantime Greasemonkey-like scripts have been added by way of Userscripts which can be installed as extensions (all fifty-nine thousand of them)--and just as easily. What's more, they install incredibly fast and no extension requires a browser restart. Brilliant. Are you listening Mozilla?

It's fair to say that it has developed at a relatively rapid pace, compared to Firefox (albeit it from a lower base) breaking through the 10% barrier for the first time in September this year.

The Firefox release cycle began in 2002 with Phoenix and Firefox 4 is about to debut. It has taken eight years to get 30% of the browser market. That's still a great achievement given the inertial opposition of Microsoft but Chromium has garnered 10% in just over two years. If we extrapolate that figure, assuming the same growth, then it should have 40% in eight years--and when ChromeOS debuts. who knows?

Today, as I write, Chromium has reached version ten--less than twenty four days since version nine (criticism of its versioning strategy notwithstanding). Many GNU/Linux distros include it in their repositories and some have even made it the default browser. The social web-friendly Flock browser's latest beta has ditched Mozilla in favour Chromium. It has come a long way. Wikipedia has an excellent feature and release timeline summary.

Versions and Licences

Google developed Chrome for Windows, and based it on the source code for Chromium (available here), which is of course free software. Google had intended that Chromium would be the name of the free software project with the final project name being Chrome. However, Chromium was free and some developers had other ideas and proceeded to take it in directions not intended--and continue to release it under the Chromium name. Because of this, users of GNU/Linux could rest easy, knowing that proprietary features and privacy issues have been eliminated from builds of Chromium (RLZ tracking, Flash Player licence agreement, usage tracking and proprietary codecs: MP3, AAC and H264). You can see a comparative table of features here--albeit a few months out of date.

All of this means that users have the choice to download and install Chrome, the beta channel of Chromium (by adding a PPA to their distro repositories) or a nightly Chromium build (again via a PPA) depending on their preferences. Other options include Iron Browser and Chromeplus, two more "forks" of Chromium. And that brings us neatly to the matter of licences.

Firefox operates under a tri-licence too and no one has accused it of being non-free or closed

Chromium was released under the BSD licence. It is a "permissive" licence with fewer restrictions than the GPL, but because Chromium contained software from other projects which had been released under other licences, it includes the MIT licence, the LGPL and the MPL/GPL/LGPL tri-licence. That's not really unexpected. Mozilla's beloved Firefox operates under a tri-licence too and no one has accused it of being non-free or closed. And the source tree has been made easily accessible too. The offical GNU site and the FSF make it clear that the modified BSD licence is compatible with the GPL but that the original BSD licence is not--and recommends the former. The Chromium licence is the three clause modified BSD, although its twenty five dependencies share a multiplicity of other licences, including BSD, Public Domain, MPL, MIT, LGPL, Apache and ZLIB to name a few.Google do also actually publish a detailed list of the components of Chromium and the licences under which they are released.

One way to examine Chromium's licence credentials (or any software for that matter) is to run it through Fossology. It might sought like some dental cult but it won't abduct your browser, just analyse the licence(s). It's available in the Ubuntu repositories; the homepage has download links for Debian, RHEL, Centos and Fedora and doubtless it can also be found in their repositories too. That's the best route. Fossology can be run on the command line but it's best run from the convenience and comfort of a browser (you'll need Apache installed). Now, although we know what licences Chromium runs under, Fossology will give us the details.(Although Fossology started life as an Hewlett-Packard project, it is free software and, appropriately, was released under the GPL v2). That may be important for anyone who wants to fork software and needs to know the fine detail of the licence attaching to all the files.

Show me the source code

available source code is one of the sacred texts of the GPL in all its manifestations

Navigating the Chromeplus-account I noticed that Chromeplus has been released under the LGPL and therefore source code must be made available. There is a URL for a read only copy for non-members but despite having the SVN client installed and attempting to checkout the repository with RapidSVN (a SVN GUI), I got error messages saying it didn't exist (though I double checked things by downloading the source code for Google Native Client and that worked fine). So, what happened to the source code for Chromeplus? It's LGPL for heaven's sake. This matters because available source code is one of the holy texts of the GPL in all its manifestations.

Although Chromeplus is about five versions behind the nightly builds of Chromium it does has some nifty features not yet available in Chromium. It should not be difficult to incorporate them into either Beta or nightly build versions--but that can't be done if the code can't be studied. And after all, Chromium has been released under mutiple licences and source code is available. Rapid development (and bug squashing) flourish when you can examine the code.

What about Iron Browser? It's BSD-licenced and its homepage (at the bottom) contains a three-part link to the source code. (It is a link to Rapidshare. I'll come back to that later.) It was released only sixteen days after Google Chrome was pushed out the door. It "marketed" itself on claims that Google's latest baby wasn't so much a cry baby as a digital snitch that leaked like a sieve and phoned home more than ET. That was a clever pitch as it had a ready market among those who were already both jealous of their privacy and paranoid about Google's data mining and security profile.

Some people were therefore sceptical and tested Iron Browser's claims that it was safer than Chrome. Fire up Wireshark and see what Chrome is sending. However, the really important fact here is that the ability to download and view the source code can also test claims if you believe them to be hyperbole. For example, one sceptical user compared the source code of both browsers, did a diff and came up with a damning verdict: Iron Browser's hype is a scam. Why? Because, in the researcher's own words:

I downloaded the recently released source code for the "privacy-oriented" Iron 4 browser and compared it to the open source Chromium browser from which it was derived. I found that all Iron does is hard-code three privacy options, that were already user-configurable, and add one or two minor features unrelated to privacy, like increasing the number of thumbnails on the New Tab page. Looking back through the Chromium source code repository, those three user-configurable privacy options have been available since the first public release of Chrome, suggesting there was likely never any rationale for Iron, as one of the main [GNU/]linux Chromium developers has pointed out

How you document the fork and the source matters

What really interested me here was not just the forensic way that the claims were picked apart. It was the fact that such a thing was possible precisely because of the freedoms and legal requirements enshrined in the GPL and its derivatives. They guarantee that such claims can be tested. It also raises the question: to fork or not to fork. Or, rather, when to fork and/or when to contribute to the code. Many forks arise because of "political" differences about licencing and personality clashes in distro communities, others fork a distro or package because they prefer to work alone or have a particular itch to scratch that isn't being addressed by other developers. Then there are those whose motives could be classed as commercial and "shady". In that article, the point is well made that if you don't trust Google, why would you trust a single third party either?

What also concerned me, and others, is the way Iron Browser made the source code available. When you hear Rapidshare you tend to think of iffy torrent downloads. This cannot be the right way to distribute source code. And yet, a quick trawl through the official GNU site yields the following (truncated) excerpt that makes it clear that if you make only the binary available on one site you also must make the source code available on another internet server. Even Rapidshare:

_Can I release a modified version of a GPL-covered program in binary form only?

No. The whole point of the GPL is that all modified versions must be free software—which means, in particular, that the source code of the modified version is available to the users.

Can I put the binaries on my Internet server and put the source on a different Internet site?

Yes. Section 6(d) allows this. However, you must provide clear instructions people can follow to obtain the source, and you must take care to make sure that the source remains available for as long as you distribute the object code.

So Rapidshare is kosher but the above excerpt also makes clear that as long as the object code is available so too must be the source code. Iron Browser is hosted on its own site (see above) but the code is on Rapidshare. Rapidshare has, like many file sharing websites, been the object of numerous legal challenges and injunctions so if it ever went down permanently the code would have to be relocated. If the Chromeplus failed to do this it would be in breach of the LGPL conditions.

when I see them omitting important facets like a public source tree and outsider commit privileges, my bullshit radar goes off

This really flags up that minimal compliance with the licence conditions may make you "legal" but you have done the bare minimum. The letter, not the spirit of the licence, has been observed. There is a better way. It it predicated on trying to ensure that your product's success and distribution is not entirely dependent on a third party. What I am thinking about here is Android. Tony Mobily, the benevolent Editor in Chief of Free Software Magazine, fumed about how carriers of Android tend to "lock down" the software thus making free software unfree but as Joe Hewitt, a former Mozilla developer, pointed out on his blog, while there is a great deal of talk about openness it is often an empty obeisance:

If you want to see a better representation of Google's values, look at Chrome OS. It hasn't even shipped yet, but you can already follow the daily progress in their source repository and install your own build on a PC. The Chromium and Webkit projects it is based on are also full open source, and you can earn commit privileges and contribute to them today. It remains to be seen if Chrome OS will have any success, but my fear is that a lack of support from carriers and manufacturers will keep it from rising as fast as Android has

Unfortunately, the term "open" has so many meanings in computing today, it's probably futile for anyone to bother criticizing the way it is used as I did yesterday. My emotional response had a lot to do with my background. I cut my teeth in the software industry working on the Mozilla open source project, so when I hear others talk about openness, but see them omitting important facets like a public source tree and outsider commit privileges, my bullshit radar goes off.

Source code, and how you make it available, makes the difference. All the difference

Joe Hewitt is right that Chromium is doing it the right way, and if Chromeplus and Iron Browser followed the same model they might attract more contributors and so accelerate development. As it is, Chromeplus includes some features yet to appear in Chromium even though it currently lags more than four versions behind. Their source code model is legal but all wrong. They do enough to comply but in doing so discourage collaboration and innovation. If Chromium had adopted this model it wouldn't be where it is today. Source code, and how you make it available, makes the difference. All the difference. The licence you choose, if you create or fork a project, matters too but so does the distribution and collaboration model.

Category: 

Author information

Gary Richmond's picture

Biography

A retired but passionate user of free and open source for nearly ten years, novice Python programmer, Ubuntu user, musical wanabee when "playing" piano and guitar. When not torturing musical instruments, rumoured to be translating Vogon poetry into Swahili.