Chocolatey-coreteampackages: (chrome) download URLs are bypassing EULA

Created on 2 Dec 2020  路  8Comments  路  Source: chocolatey-community/chocolatey-coreteampackages

Chrome: download URLs are bypassing EULA

https://github.com/chocolatey-community/chocolatey-coreteampackages/blob/master/automatic/googlechrome/update.ps1

Expected Behavior

Direct URLs should not be referenced, users should be directed to the download page.
https://chrome.com/enterprise so that the user can accept the EULA before download.

Current Behavior

Download bypasses the EULA.

Possible Solution

Do not silently download MSI/ZIP files without allowing user to accept EULA.

Steps to Reproduce (for bugs)

Context

This bypasses Google Chrome's EULA and is an legal issue - this is especially important in light of GDPR and ongoing legal discussions in the USA.

QuestioDiscussion

Most helpful comment

Why not ask the user to agree to the EULA when the software is first executed? That is how most other software works, and better complies with the law. For example, I might be asked to download and install chrome on several computers, each operated by different people at different businesses. That end user is the legal entity who should be accepting the EULA, not the consultant who downloaded the program just to install it, and doesn鈥檛 even execute it. Right?

All 8 comments

Why not ask the user to agree to the EULA when the software is first executed? That is how most other software works, and better complies with the law. For example, I might be asked to download and install chrome on several computers, each operated by different people at different businesses. That end user is the legal entity who should be accepting the EULA, not the consultant who downloaded the program just to install it, and doesn鈥檛 even execute it. Right?

I will close this as it doesn't seem much relevant for this repository and solution doesn't exist (not silently installing something defeats the purpose of chocolatey)

I'm going to override this one to allow for open conversation on this for a bit. @anujgoyal my email is rob at chocolatey dot io.

Hit go too soon. My email is also here in case you want to contact me directly.

For Mac we do something like this: https://support.google.com/chrome/a/answer/9915669

I can't promise it (as I have to work with and get approvals from internal stakeholders), but what if Chrome did something similar for Windows downloads?

So if the current URL is
https://dl.google.com/tag/s/dl/chrome/install/googlechromestandaloneenterprise.msi,
the url would be changed to something like
https://dl.google.com/tag/s/dl/chrome/install/accept_tos%3Dhttps%253A%252F%252Fwww.google.com%252Fintl%252Fen_ph%252Fchrome%252Fterms%252F%26_and_accept_tos%3Dhttps%253A%252F%252Fpolicies.google.com%252Fterms/googlechromestandaloneenterprise.msi
Correct?

If that is the case, then presumably the Chocolatey package would be changed to point to the new URL, and the end-user of the package would still have the exact same installation procedure, still without being forced to look at the EULA.


A better option might be this feature request when it is implemented: https://github.com/chocolatey/choco/issues/39
This would require the person installing the package to either manually specify that they accept the license with --accept-license argument, or accepting the license via a prompt.


The best option is probably what @rasa suggested. First, it also makes sure that end users are required to accept the license, which is not always the person installing the software. Secondarily, there are a number of other pieces of software that also can download and install Chrome without the user having to accept the EULA. Some examples are: scoop, winget, ninite, windowsremix, and appget

@anujgoyal just wanted to follow up here as to why this issue was closed. Can we assume that this is no longer an issue, or is there additional work that would have to be done here for the Chocolatey package?

So if the current URL is
https://dl.google.com/tag/s/dl/chrome/install/googlechromestandaloneenterprise.msi,
the url would be changed to something like
https://dl.google.com/tag/s/dl/chrome/install/accept_tos%3Dhttps%253A%252F%252Fwww.google.com%252Fintl%252Fen_ph%252Fchrome%252Fterms%252F%26_and_accept_tos%3Dhttps%253A%252F%252Fpolicies.google.com%252Fterms/googlechromestandaloneenterprise.msi
Correct?

If that is the case, then presumably the Chocolatey package would be changed to point to the new URL, and the end-user of the package would still have the exact same installation procedure, still without being forced to look at the EULA.

A better option might be this feature request when it is implemented: chocolatey/choco#39
This would require the person installing the package to either manually specify that they accept the license with --accept-license argument, or accepting the license via a prompt.

The best option is probably what @rasa suggested. First, it also makes sure that end users are required to accept the license, which is not always the person installing the software. Secondarily, there are a number of other pieces of software that also can download and install Chrome without the user having to accept the EULA. Some examples are: scoop, winget, ninite, windowsremix, and appget

I think @TheCakeIsNaOH is spot on right.

Was this page helpful?
0 / 5 - 0 ratings