New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 624128 link

Starred by 18 users
Status: Fixed
Owner:
sorin@chromium.org
Closed: Aug 2016
Cc:
pastarmovj@chromium.org
sorin@chromium.org
kerrnel@chromium.org
lafo...@chromium.org
ryanmyers@chromium.org
keta...@chromium.org
edoan@chromium.org
georgesak@chromium.org
waff...@chromium.org
jsc...@chromium.org
falcantara@chromium.org
saswat@chromium.org
blumberg@chromium.org
dhadd...@chromium.org
mevissen@chromium.org
rpop@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Feature

Blocked on:
issue 642148
Blocking:
issue 624086



Sign in to add a comment

Enterprise control to disable (binary) component updates

Project Member Reported by lafo...@chromium.org, Jun 28 2016 
Provide a control mechanism for Enterprises to disable binary component updates (i.e. Flash Player, Recovery Component, pNaCL, etc...).

Background: Now that the Flash MSI is available, Enterprises can now push Flash Player updates separately from Chrome updates.  For those clients, in particular, it's desirable for Chrome not to be pushing binary component updates.

Comment 1 by sorin@chromium.org, Jun 28 2016

Owner: sorin@chromium.org
Status: Assigned (was: Untriaged)

Comment 2 by sorin@chromium.org, Jun 28 2016

Labels: -Type-Bug Type-Feature

Comment 3 by sorin@chromium.org, Jun 28 2016

Components: Internals>Installer>Components

Comment 4 by lafo...@chromium.org, Jun 28 2016

Blocking: 624086

Comment 5 by jsc...@chromium.org, Jun 28 2016

Cc: pastarmovj@chromium.org georgesak@chromium.org

Comment 6 by sorin@chromium.org, Jul 26 2016

Status: Started (was: Assigned)

Comment 7 by waff...@chromium.org, Jul 27 2016 

Anthony, can you provide a full list of which of the following components should be affected by this policy, and a rule by which we should determine whether additional new components should be subject to it? So far we know:

####DISABLE###########
  Omaha Recovery
  Pepper Flash
  PNaCl

####DO NOT DISABLE####
  CRLSet

####??????????????####
  SwiftShader
  WidevineCDM
  Supervised User Whitelists [May have multiple whitelists to update.]
  EV Whitelist
  STH Set
  Origin Trials
  File Type Policies (Safebrowsing feature)
  Software Reporter Tool (Foil)
  CAPS (never updated, soon to be deleted)

Comment 8 by lafo...@chromium.org, Jul 27 2016 

DISABLE
  SwiftShader
  WidevineCDM (Bundled, but they can still push updates)
  Software Reporter Tool (Foil - repair tool shouldn't be necessary for enterprise)

DO NOT DISALBE
  Supervised User Whitelists [May have multiple whitelists to update.]
  EV Whitelist
  STH Set
  Origin Trials
  File Type Policies (Safebrowsing feature)

DELETE
  CAPS (never updated, soon to be deleted)

Comment 9 by georgesak@chromium.org, Jul 27 2016

Cc: blumberg@chromium.org
Project Member

Comment 10 by bugdroid1@chromium.org, Aug 2 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/cb4e5e933ae9975ccc24e83f48369716d65b669d

commit cb4e5e933ae9975ccc24e83f48369716d65b669d
Author: sorin <sorin@chromium.org>
Date: Tue Aug 02 21:48:40 2016

Mechanical change in the component updater Configurator.

This is the first CL in a series of CLs to implement component updater
group policies

The CL renames a few functions in the Configurator, for consistency.
It introduces Configurator::EnabledComponentUpdates and
CrxComponent::supports_group_policy_enable_component_updates.

These members are placeholders and have no effect on the current
code behavior.

BUG= 624128 

Review-Url: https://codereview.chromium.org/2199423002
Cr-Commit-Position: refs/heads/master@{#409337}

[modify] https://crrev.com/cb4e5e933ae9975ccc24e83f48369716d65b669d/chrome/browser/component_updater/chrome_component_updater_configurator.cc
[modify] https://crrev.com/cb4e5e933ae9975ccc24e83f48369716d65b669d/chrome/browser/component_updater/chrome_component_updater_configurator_unittest.cc
[modify] https://crrev.com/cb4e5e933ae9975ccc24e83f48369716d65b669d/chrome/browser/extensions/updater/chrome_update_client_config.cc
[modify] https://crrev.com/cb4e5e933ae9975ccc24e83f48369716d65b669d/chrome/browser/extensions/updater/chrome_update_client_config.h
[modify] https://crrev.com/cb4e5e933ae9975ccc24e83f48369716d65b669d/components/component_updater/configurator_impl.cc
[modify] https://crrev.com/cb4e5e933ae9975ccc24e83f48369716d65b669d/components/component_updater/configurator_impl.h
[modify] https://crrev.com/cb4e5e933ae9975ccc24e83f48369716d65b669d/components/update_client/action.cc
[modify] https://crrev.com/cb4e5e933ae9975ccc24e83f48369716d65b669d/components/update_client/action_update.cc
[modify] https://crrev.com/cb4e5e933ae9975ccc24e83f48369716d65b669d/components/update_client/configurator.h
[modify] https://crrev.com/cb4e5e933ae9975ccc24e83f48369716d65b669d/components/update_client/test_configurator.cc
[modify] https://crrev.com/cb4e5e933ae9975ccc24e83f48369716d65b669d/components/update_client/test_configurator.h
[modify] https://crrev.com/cb4e5e933ae9975ccc24e83f48369716d65b669d/components/update_client/update_checker.cc
[modify] https://crrev.com/cb4e5e933ae9975ccc24e83f48369716d65b669d/components/update_client/update_checker_unittest.cc
[modify] https://crrev.com/cb4e5e933ae9975ccc24e83f48369716d65b669d/components/update_client/update_client.cc
[modify] https://crrev.com/cb4e5e933ae9975ccc24e83f48369716d65b669d/components/update_client/update_client.h
[modify] https://crrev.com/cb4e5e933ae9975ccc24e83f48369716d65b669d/ios/chrome/browser/component_updater/ios_component_updater_configurator.cc
Project Member

Comment 11 by bugdroid1@chromium.org, Aug 3 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3574ef96bd3a663127dac1b5b0ad3730112d43b4

commit 3574ef96bd3a663127dac1b5b0ad3730112d43b4
Author: sorin <sorin@chromium.org>
Date: Wed Aug 03 16:46:01 2016

Rename and repurpose ComponentInstallerTraits::CanAutoUpdate.

This is a mechanical change. It declares the components using the DefaultComponentInstaller as not supporting GP.

BUG= 624128 

Review-Url: https://codereview.chromium.org/2205693004
Cr-Commit-Position: refs/heads/master@{#409537}

[modify] https://crrev.com/3574ef96bd3a663127dac1b5b0ad3730112d43b4/chrome/browser/component_updater/caps_installer_win.cc
[modify] https://crrev.com/3574ef96bd3a663127dac1b5b0ad3730112d43b4/chrome/browser/component_updater/ev_whitelist_component_installer.cc
[modify] https://crrev.com/3574ef96bd3a663127dac1b5b0ad3730112d43b4/chrome/browser/component_updater/ev_whitelist_component_installer.h
[modify] https://crrev.com/3574ef96bd3a663127dac1b5b0ad3730112d43b4/chrome/browser/component_updater/file_type_policies_component_installer.cc
[modify] https://crrev.com/3574ef96bd3a663127dac1b5b0ad3730112d43b4/chrome/browser/component_updater/file_type_policies_component_installer.h
[modify] https://crrev.com/3574ef96bd3a663127dac1b5b0ad3730112d43b4/chrome/browser/component_updater/origin_trials_component_installer.cc
[modify] https://crrev.com/3574ef96bd3a663127dac1b5b0ad3730112d43b4/chrome/browser/component_updater/origin_trials_component_installer.h
[modify] https://crrev.com/3574ef96bd3a663127dac1b5b0ad3730112d43b4/chrome/browser/component_updater/pepper_flash_component_installer.cc
[modify] https://crrev.com/3574ef96bd3a663127dac1b5b0ad3730112d43b4/chrome/browser/component_updater/sth_set_component_installer.cc
[modify] https://crrev.com/3574ef96bd3a663127dac1b5b0ad3730112d43b4/chrome/browser/component_updater/sth_set_component_installer.h
[modify] https://crrev.com/3574ef96bd3a663127dac1b5b0ad3730112d43b4/chrome/browser/component_updater/subresource_filter_component_installer.cc
[modify] https://crrev.com/3574ef96bd3a663127dac1b5b0ad3730112d43b4/chrome/browser/component_updater/subresource_filter_component_installer.h
[modify] https://crrev.com/3574ef96bd3a663127dac1b5b0ad3730112d43b4/chrome/browser/component_updater/supervised_user_whitelist_installer.cc
[modify] https://crrev.com/3574ef96bd3a663127dac1b5b0ad3730112d43b4/chrome/browser/component_updater/sw_reporter_installer_win.cc
[modify] https://crrev.com/3574ef96bd3a663127dac1b5b0ad3730112d43b4/chrome/browser/component_updater/widevine_cdm_component_installer.cc
[modify] https://crrev.com/3574ef96bd3a663127dac1b5b0ad3730112d43b4/components/component_updater/default_component_installer.cc
[modify] https://crrev.com/3574ef96bd3a663127dac1b5b0ad3730112d43b4/components/component_updater/default_component_installer.h
[modify] https://crrev.com/3574ef96bd3a663127dac1b5b0ad3730112d43b4/components/component_updater/default_component_installer_unittest.cc
Project Member

Comment 13 by bugdroid1@chromium.org, Aug 11 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/590921d35fcece61e518705b432bd61f01a17c4b

commit 590921d35fcece61e518705b432bd61f01a17c4b
Author: sorin <sorin@chromium.org>
Date: Thu Aug 11 23:48:36 2016

Use consistent values for enabled_component_updates throughout an update.

The upcoming group policy control for the component updates will support
dynamic refresh. That means that the enable/disable state for the
updates, as reported by the Confogurator can change during an update task.

This can lead to inconsistent behavior while running an update task.

To support this dynamic scenario, the update context retains the
enable/disable state of the updates as an immutable value created at
construction time. This value is used throughout an update task and
its dependent update actions.

TBR=waffles@chromium.org

BUG= 624128 

Review-Url: https://codereview.chromium.org/2237153002
Cr-Commit-Position: refs/heads/master@{#411450}

[modify] https://crrev.com/590921d35fcece61e518705b432bd61f01a17c4b/components/update_client/action.cc
[modify] https://crrev.com/590921d35fcece61e518705b432bd61f01a17c4b/components/update_client/action_update_check.cc
[modify] https://crrev.com/590921d35fcece61e518705b432bd61f01a17c4b/components/update_client/test_configurator.cc
[modify] https://crrev.com/590921d35fcece61e518705b432bd61f01a17c4b/components/update_client/update_checker.cc
[modify] https://crrev.com/590921d35fcece61e518705b432bd61f01a17c4b/components/update_client/update_checker.h
[modify] https://crrev.com/590921d35fcece61e518705b432bd61f01a17c4b/components/update_client/update_checker_unittest.cc
[modify] https://crrev.com/590921d35fcece61e518705b432bd61f01a17c4b/components/update_client/update_client_unittest.cc
[modify] https://crrev.com/590921d35fcece61e518705b432bd61f01a17c4b/components/update_client/update_engine.cc
[modify] https://crrev.com/590921d35fcece61e518705b432bd61f01a17c4b/components/update_client/update_engine.h

Comment 14 by falcantara@chromium.org, Aug 12 2016

Cc: falcantara@chromium.org

Comment 15 by lafo...@chromium.org, Aug 15 2016 

Hey Sorin,

Looks like you're making excellent progress, is there anything that I can help w/?
Project Member

Comment 16 by bugdroid1@chromium.org, Aug 22 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0b99b8d3c1cc918f43923e5566d7fcb4fae66d13

commit 0b99b8d3c1cc918f43923e5566d7fcb4fae66d13
Author: sorin <sorin@chromium.org>
Date: Mon Aug 22 20:40:53 2016

Define EnabledComponentUpdates group policy for the component updater.

BUG= 624128 

Review-Url: https://codereview.chromium.org/2257363002
Cr-Commit-Position: refs/heads/master@{#413526}

[modify] https://crrev.com/0b99b8d3c1cc918f43923e5566d7fcb4fae66d13/chrome/browser/component_updater/chrome_component_updater_configurator.cc
[modify] https://crrev.com/0b99b8d3c1cc918f43923e5566d7fcb4fae66d13/chrome/browser/component_updater/chrome_component_updater_configurator.h
[modify] https://crrev.com/0b99b8d3c1cc918f43923e5566d7fcb4fae66d13/chrome/browser/component_updater/chrome_component_updater_configurator_unittest.cc
[modify] https://crrev.com/0b99b8d3c1cc918f43923e5566d7fcb4fae66d13/chrome/browser/component_updater/component_updater_prefs.cc
[modify] https://crrev.com/0b99b8d3c1cc918f43923e5566d7fcb4fae66d13/chrome/browser/policy/configuration_policy_handler_list_factory.cc
[modify] https://crrev.com/0b99b8d3c1cc918f43923e5566d7fcb4fae66d13/chrome/browser/policy/policy_browsertest.cc
[modify] https://crrev.com/0b99b8d3c1cc918f43923e5566d7fcb4fae66d13/chrome/common/pref_names.cc
[modify] https://crrev.com/0b99b8d3c1cc918f43923e5566d7fcb4fae66d13/chrome/common/pref_names.h
[modify] https://crrev.com/0b99b8d3c1cc918f43923e5566d7fcb4fae66d13/chrome/test/data/policy/policy_test_cases.json
[modify] https://crrev.com/0b99b8d3c1cc918f43923e5566d7fcb4fae66d13/components/component_updater/component_updater_service.h
[modify] https://crrev.com/0b99b8d3c1cc918f43923e5566d7fcb4fae66d13/components/component_updater/component_updater_service_unittest.cc
[modify] https://crrev.com/0b99b8d3c1cc918f43923e5566d7fcb4fae66d13/components/policy/resources/policy_templates.json
[modify] https://crrev.com/0b99b8d3c1cc918f43923e5566d7fcb4fae66d13/tools/metrics/histograms/histograms.xml

Comment 18 by sorin@chromium.org, Aug 23 2016 

All code needed for this feature has landed.

Comment 19 by lafo...@chromium.org, Aug 25 2016 

You rock, thank you Sorin!

Comment 20 by sorin@chromium.org, Aug 29 2016

Blockedon: 642148

Comment 21 by sorin@chromium.org, Aug 30 2016

Status: Fixed (was: Started)

Comment 22 by sorin@chromium.org, Sep 2 2016 

The dependent crbug has been merged into M54: https://codereview.chromium.org/2292463004

Comment 23 by lafo...@chromium.org, Sep 2 2016 

Thank you sir!

Comment 24 by scunning...@chromium.org, Sep 23 2016

Cc: dhadd...@chromium.org
Sorry for the late question, but why is ComponentUpdatesEnabled not a Device policy for Chrome OS, but a User policy?  It seems odd that different users on the same Chrome OS device could have different policy values, such that component updates will happen when some users are signed in, but not others. Or will one device be allowed to have different versions of the same components for each user?

Comment 25 by sorin@chromium.org, Sep 23 2016 

Can we have the same policy be a user policy for Chrome and a device policy for ChromeOS?

I don't know enough of how ChromeOS is managed (I am a Chrome desktop dev). Components are installed for all users in Chrome desktop, and I assume the same for ChromeOS. I also assumed that all users on ChromeOS will be affected by this policy, instead of selectively, based on the user signin.

I implemented the feature in what I thought was the simplest way, which works for both Chrome and ChromeOS.  but I am open to change the code so that it becomes a device policy for ChromeOS.

Comment 26 by pastarmovj@chromium.org, Sep 26 2016 

The policy is registered in the local state pref registry which makes it global to all profiles on Desktop and since the components are global to all profiles this is the only way it makes sense.

On ChromeOS we can do better than that because we can only enforce this on accounts that belong to the owner org and not to private accounts (which can be disabled if needed).  If the policy was made a device policy it will be enforced on every account even the non-org ones which does not sound right to me. Also generally device policies are usually only used for functions that should span across the login flow or changes the behavior of the hardware. this is why there only so few of those.

That said I think the way the policy works now is optimal.

Comment 27 by dhadd...@chromium.org, Sep 26 2016

Cc: keta...@chromium.org kerrnel@chromium.org
+ketaki +greg for opinion

Comment 28 by pbomm...@chromium.org, Sep 29 2016 

Verified the new GPO policy "ComponentUpdatesEnabled" to disable binary component updates on Windows(7,10), Mac 10.9 and Linux(ubuntu 14.04Lts) and haven't found any issues. 

Test's which were covered as part of my verification :
=================================================================
1. Verified only binary component updates are disable when "ComponentUpdatesEnabled" is set to Disbale(False)
2. Verified all binary component updates are disable when "ComponentUpdatesEnabled" is set to Disbale(True)
3. When "ComponentUpdatesEnabled" is set to "Not Configured" everything works normally(Only on Windows), Mac and Linux with no policy set.
4. Installed PPAPI Flash player MSI(on Windows), Mac(DMG) and make sure flash player loads correclty(opned https://www.adobe.com/software/flash/about/) and verified that correct version of flash was getting prompted. Also our Chrome://plugins page shows the flash player location from system files(Not from Chrome user data dir)
5. Also checked every available data Component was getting updated at the same time none of the binary component were updated.
6. Also checked Swiftshader(only on Windows) by disabling GPU with Policy set to "Disbale" and Swiftshader wasn't getting update.

Please let me know if there are any testcases which I missed should have been covered by ASAP(On vacation starting Friday)


Note : I have the testplan which need some more details on how to configure the policies on Mac and Linux.

Comment 29 by lafo...@chromium.org, Sep 29 2016

Cc: lafo...@chromium.org ryanmyers@chromium.org edoan@chromium.org
 Issue 306330  has been merged into this issue.

Sign in to add a comment