Review the Chromium Webview build environment
In Android 6 (Marshmallow), the Webview is not built as part of an Android built. It is built in an Chromium build environment using the Chromium source code. The final apk file is committed to external/chromium-webview.
While this makes it possible to build the Webview based on the latest Chromium release including security fixes, the downside of this is that another huge and complex build environment has to be set up in order to build the Webview apk. The apk has to be copied and committed to the corresponding repo in the Replicant source tree. Then it gets automatically included in the build.
The build environment for the Chromium code needs to be thoroughly reviewed. All dependencies must be free software and the prebuilt binaries should be verifiable and the aim should be to build them from source, too. The build scripts download and set up a custom Android toolchain. Maybe this prebuilt toolchain can be replaced with the Replicant toolchain that is built from source.
I did an initial review. During the setup of the build environment, a license needs to be accepted that appears to be non-free. The license needs to be accepted because the build environment sets up the proprietary play services libraries. I verified that these non-free libraries are not used when building the Webview apk. The libraries were likely only included in the build environment setup because the same build environment is used for building Chrome which includes the libraries. I removed the scripts related to the play services in this commit. The commit can be used as reference when preparing a new Webview version for #1780.
Updated by Kurtis Hanna about 3 years ago
- Status changed from New to Feedback
It seems like this ticket can be closed because the issue seems to have been thoroughly reviewed over at #1780 and here: https://redmine.replicant.us/projects/replicant/wiki/Upstream#Embeddable-web-engine
I think there also was a talk given about the topic at 36c3, but I don't have the link handy.
If you agree, please feel free to close this topic.