"IMPORTANT: These binaries are provided by anyone who are willing to build and submit them, they are NOT official. Because these binaries generally not reproducible, authenticity cannot be guaranteed. For your consideration, each download page lists the GitHub user that submitted those binaries."
Given one does not compile their own version, wouldn't this make the privacy trade-off vis-à-vis generic Chromium unacceptable?
GitHub now offers "artifact attestation"[1], which would be ideal for this use case. It records what build process binaries originated from, so they can still be published elsewhere while remaining verifiable.
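As an added illustration of the mechanism the reply above describes (example configuration, not from the page, the ungoogled-chromium project, or any submitter): a GitHub Actions workflow that builds an artifact and attaches a build-provenance attestation to it. The repository layout, `build.sh` and the output file name are assumptions for illustration; the action names and permission keys are GitHub's.

```yaml
# Added example (not from the page or the ungoogled-chromium project).
# Builds an artifact on a GitHub-hosted runner and records a signed
# provenance statement tying the file's digest to this workflow, commit
# and runner. Paths and script names below are illustrative assumptions.
name: build-and-attest

on:
  push:
    tags: ["v*"]

permissions:
  contents: read
  id-token: write       # lets the job obtain a Sigstore signing identity
  attestations: write   # lets the job store the attestation on GitHub

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Placeholder build step (a real Chromium build is far longer).
      - name: Build
        run: ./build.sh && ls -l dist/ungoogled-chromium.tar.xz

      # Generates and stores the provenance attestation for the artifact.
      - name: Attest build provenance
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: dist/ungoogled-chromium.tar.xz

      - uses: actions/upload-artifact@v4
        with:
          name: release
          path: dist/ungoogled-chromium.tar.xz
```

A downloader then checks the file with `gh attestation verify dist/ungoogled-chromium.tar.xz --owner EXAMPLE-ORG` (owner is a placeholder); verification fails if the file's digest differs from what the workflow produced or if no attestation from that owner's repositories matches it. The caveat a defender should keep in mind is what this does and does not prove: it establishes which workflow and commit produced the bytes, so a binary copied to a third-party download page can still be traced back, but it does not make the build reproducible, and trust still rests on the source repository and on GitHub's hosted runners rather than on the individual submitter.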
This is common. Sometimes a security policy works (e.g. a password length requirement may cause people to come up with stronger password) and sometimes people consider it excessive and prefer to work around it (e.g. a password length requirement may cause people to write the password down on a sticky note and attach it to the computer screen).
(1) https://ungoogled-software.github.io/ungoogled-chromium-bina...