Chromium Browser in Bionic - end of support and CVE problems

Did you get the solution for this?

Have you considered using chromium from the snap store?

@Manferd Hampl like you know I am beginner. If I will install chromium from snap store I will get support? If I will install from snap store I will have chromium outside ubuntu "universe" repositorium?

@david John, I thinked about change OS to focal but I have a lot of problems with LXQt on my machine.

The snap store has completely different support strategy and does not distinguish between different categories (like "main" and "universe" in Ubuntu). https://snapcraft.io/chromium

@Manfred Hampl thank you for your professional and helpful answer. Like always you had good idea. Now I am thinking go away from debian chromium-browser package (I mean .deb package from Ubuntu repository).

Maybe I can install Google Chrome instead Chromium. I know that Chromium is better for privacy reason but I want to try with Google. Maybe they will have less CVE in their software. I know that Chrome based on Chromium but maybe they included some changes in the code. I simply downloaded the package from this website: https://www.google.com/chrome/

Now I have downloaded file: google-chrome-stable_current_amd64.deb and every things will be fine but I don't know how install this with apt command? I always used apt to install packages from Ubuntu repository. Is it a option to install package from the file? I knot that are option with dpkg or apt-get but I always used apt because it was easier for me. I heard also that apt is better than apt-get because it is newer program than apt-get. I founded this command: sudo apt install ./google-chrome-stable_current_amd64.deb.

Second problem is to verify this package. File can be corrupted or other things like Meet in the middle can be done. So I found this solution: https://www.google.com/linuxrepositories/

I downloaded gpg keys and I imported to gpg program but I can't verify this .deb package file from google because error is showed (gpg output in terminal) so I think that apt must do this instead gpg . So how I can do this ? I readed instruction to rpm package and it is very easy in there but for apt I have no idea how do this and I can't find solution on the internet.

P.S. I don't know if apt will verify file before installation. If I will add gpg keys from google website to apt with apt-key add command then maybe I should use apt install <name_of_package> and apt will download and verify package automatically but I don't know what is name of the package. On google website I can't find this information.

sudo dpkg -i ~/Downloads/google-chrome-stable_current_amd64.deb

sudo apt-get -f install

"I have downloaded file: google-chrome-stable_current_amd64.deb but I don't know how install this with apt command"
You are mixing two different things.
apt and apt-get are programs for downloading from a configured repository and installing packages.
They are practically identical, and I cannot rate one being better than the other.
If you have already downloaded a deb file, then you have to use dpkg or gdebi for installing.

"I heard also that apt is better than apt-get"
In the paste there were separate commands apt-get and apt-seacrh, but they now have been combined and apt can do what the different commands did.

"I want to try with Google. Maybe they will have less CVE in their software."
The basic login in Chrome and Chromium is identical. So if there is a flaw that has got a CVE number in one of them, then for sure the bug is also present in the other.
If you dig into the links of your first reference to
https://ubuntu.com/security/CVE-2021-21233
and further to
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21233
you will even see that the description only mentions "Google Chrome" and not "Chromium", although it most probably also affects the other one.

"I downloaded gpg keys but I can't verify this .deb package file"
The gpg keys cannot be used for validating a *.deb file that you already have downloaded.
They are to be used for verifying apt archives and they are checked before downloading the software packages.
You can use them on the google chrome repository only if you set up that repository (e.g. with add-apt-archive), and if you download the chrome *.deb file with an apt command.

@Manfred Hampl thank you again for the professional answer. So on Ubuntu family system is no option to verify downloaded *.deb file with gpg keys?

" Recent versions of apt-get will automatically attempt to verify packages on download. If an appropriate key is not found or if the package is corrupted, you will get a message like the following:

WARNING: The following packages cannot be authenticated!
packagename "

So on Google website I can see that apt-get will automatically verify packages on download. But my question is how I can use apt-get to download *.deb files from google chrome website? Is it only option to set up google repository? Google doesn't have information about repository http adress which I can add. Can you help?

https://www.tecmint.com/install-google-chrome-in-debian-ubuntu-linux-mint

Thank you Manfred Hampl, I installed Google Chrome browser but I was suprised that ubuntu-support-status command output "tell" me that this package is not supported. Is this normal because bionic is outdated software or maybe Google doesn't support chrome for bionic? What is reason of this output?

You are misinterpreting the output of ubuntu-support-status
Ubuntu does not provide support for the chrome package that you gave downloaded from the google repository.
ubuntu-support-status does not make any statement whether that package may be supported by somebody else. That is something that you have to investigate yourself.

@Manfred Hampl, thank you for answer. You wrote that Ubuntu doesn't provide support for chrome package. Of course is it true so why this package is mentioned in ubuntu-support-status? This shoulde be output like something that --> not applicable but nor unsupported. How this can be unsupported if ubuntu never supported this package. For me it is not logic but maybe my perception is wrong.

What is wrong with "unsupported"?

"unsupported" is the opposite of "supported" and means that _currently_ there is no support for this package by Ubuntu.

It can be that the package was supported in the past and is no longer supported,
but "unsupported" can also mean that the package has never been supported at all.
For all foreign packages it is the latter.

The chrome package from google has never been supported by Ubuntu, and it probably will never be supported. So it is simply "unsupported".

And ubuntu-support-status shows the status of all packages that you have installed on your system, independent from their origin. Why should it exclude chrome from google?

I also noticed bug. I don't know why but on /etc/apt/sources.list.d I created google-chrome.list but in next day I noticed also second file at directory /etc/apt/sources.list.d and the name was google.list. I didn't create two files. One files created automatically itself and I received errors on update. I removed one of the file and now works perfectly but why it created automatically?

Thanks Manfred Hampl, that solved my question.