the full receipts
58 patches.
All readable.
This is the whole diff between Chromium and Surferse, grouped by what each cut kills. Nothing else changes — which is exactly the point: a patch set small enough to re-audit on every rebase.
- 14 telemetry & phone-homes
- 12 Google services
- 11 identity → UniAuth
- 9 sync → UniAuth E2E
- 12 branding & defaults
- 58 total
Telemetry & phone-homes
14 patchesEverything that reports on you, deleted at the source. Not a settings page — a smaller binary.
| 001-disable-safe-browsing-pings.patch | Safe Browsing lookups and CSD pings never leave the machine | +18 −412 |
| 002-remove-uma-metrics-uploader.patch | UMA histogram uploader deleted, not just switched off | +9 −1204 |
| 003-remove-ukm-service.patch | URL-keyed metrics collection removed entirely | +6 −868 |
| 004-remove-crash-uploader.patch | Crashpad keeps local dumps; the Google upload path is gone | +22 −340 |
| 005-disable-field-trials.patch | No variations seed fetch — every experiment flag is local and yours | +14 −96 |
| 006-remove-variations-service.patch | The variations service itself, compiled out | +4 −522 |
| 007-remove-network-time-probe.patch | No clock checks against Google time servers | +7 −58 |
| 008-remove-domain-reliability.patch | The domain-reliability beacon (it uploads to Google) removed | +3 −214 |
| 009-local-omnibox-suggest.patch | Address-bar suggestions come from your history only — no remote suggest | +41 −187 |
| 010-remove-preconnect-to-google.patch | Startup no longer warms connections to Google properties | +2 −49 |
| 011-local-spellcheck-only.patch | Web spellcheck service gone; dictionaries live on disk | +11 −203 |
| 012-remove-translate-ranker-ping.patch | Translate model telemetry removed along with the feature | +2 −77 |
| 013-remove-rlz-tracking.patch | RLZ promotional tracking library compiled out | +5 −331 |
| 014-remove-promo-doodle-fetch.patch | New Tab promo and doodle fetchers removed | +3 −158 |
Google services
12 patchesProduct hooks that assume a Google backend. Where a feature earns its keep, it gets a local implementation; where it doesn't, it gets a clean deletion.
| 015-remove-translate-offer.patch | The "translate this page?" service and its UI, dropped | +8 −644 |
| 016-remove-gcm-invalidations.patch | Google Cloud Messaging invalidation channel removed | +12 −487 |
| 017-remove-cloud-print-remnants.patch | Leftover cloud-print hooks cleaned out | +0 −92 |
| 018-remove-gaia-endpoints.patch | accounts.google.com stripped from the identity configuration | +16 −228 |
| 019-remove-play-services-hooks.patch | No Play-services integration paths | +4 −171 |
| 020-remove-hotword-module.patch | The "OK Google" hotword module, gone | +2 −119 |
| 021-remove-feedback-uploader.patch | Feedback reports stay on disk; nothing uploads itself | +9 −143 |
| 022-remove-ntp-remote-content.patch | New Tab never fetches remote tiles, cards or promos | +6 −261 |
| 023-local-extension-verification.patch | Extension install verification runs locally — any store, or unpacked | +87 −134 |
| 024-remove-supervised-user-service.patch | Family Link service calls removed | +3 −186 |
| 025-remove-drive-integration.patch | Drive-backed features detached | +5 −97 |
| 026-remove-safety-check-pings.patch | Safety check runs against local data only | +19 −84 |
Identity → UniAuth
11 patchesRight where Chrome reaches for a Google account, Surferse asks for you. One identity, over a real OAuth 2.1 + PKCE handshake.
| 027-remove-google-signin.patch | Sign-in-with-Google surface removed everywhere it appears | +14 −702 |
| 028-uniauth-profile-picker.patch | The profile picker offers UniAuth instead | +238 −61 |
| 029-uniauth-oauth-client.patch | OAuth 2.1 client with PKCE, pointed at uniauth.id | +412 −0 |
| 030-pkce-verifier-handling.patch | Code verifiers are single-use and never touch disk | +96 −0 |
| 031-uniauth-token-store.patch | Refresh tokens sealed in the OS keychain | +147 −22 |
| 032-uniauth-account-ui.patch | Account chip, avatar and sign-out wired to UniAuth | +188 −94 |
| 033-remove-account-consistency.patch | Mirror/DICE account-consistency headers gone | +7 −156 |
| 034-remove-gaia-cookies.patch | No gaia cookie minting or reconciliation | +4 −138 |
| 035-uniauth-profile-avatar.patch | Avatars come from your Vault, not a Google profile | +52 −31 |
| 036-remove-signin-promos.patch | Every "sign in to Chrome" nag, removed | +2 −167 |
| 037-uniauth-signout-flow.patch | Sign-out leaves synced data sealed behind your Vault key | +74 −12 |
Sync → UniAuth E2E
9 patchesBookmarks, settings and tabs cross the void sealed with a key derived in your Vault. The relay stores ciphertext and nothing else.
| 038-uniauth-sync-backend.patch | Sync speaks to relay.uniauth.id and nowhere else | +201 −340 |
| 039-vault-key-derivation.patch | Sync key derived in the Vault via HKDF-SHA-256 — never uploaded | +164 −0 |
| 040-aes-gcm-sealing.patch | Every record sealed with AES-256-GCM before it leaves the device | +212 −48 |
| 041-sync-payload-padding.patch | Fixed-size payloads — the relay can't infer what or how much you sync | +58 −6 |
| 042-bookmarks-sync-adapter.patch | Bookmarks ride the sealed pipeline | +89 −114 |
| 043-settings-sync-adapter.patch | Settings and preferences, same pipeline | +76 −98 |
| 044-tabs-sync-adapter.patch | Open tabs, same pipeline | +83 −91 |
| 045-remove-google-sync-service.patch | The Google-hosted sync service, deleted | +11 −1466 |
| 046-sync-key-rotation.patch | A password change re-derives the key and re-seals your data | +67 −9 |
Branding & defaults
12 patchesThe parts you can see. A browser should look like what it is — and it isn't Chrome.
| 047-surferse-branding.patch | The pinwheel becomes the Surferse globe, everywhere it appears | +310 −287 |
| 048-surferse-wordmarks.patch | Product strings, about box, menus | +204 −196 |
| 049-surferse-scheme.patch | surferse:// internal pages — start, vault, settings, history | +156 −102 |
| 050-default-search-chooser.patch | First run asks which engine you want; none is pre-anointed | +128 −44 |
| 051-surferse-ntp.patch | The New Tab: your planet, your shortcuts, a search bar, nothing else | +342 −518 |
| 052-ua-brand-token.patch | The user-agent brand token says Surferse, honestly | +21 −13 |
| 053-updates-endpoint.patch | The updater speaks only to updates.surferse.com | +64 −171 |
| 054-remove-default-browser-nag.patch | No default-browser ambush on launch | +2 −88 |
| 055-surferse-first-run.patch | First-run flow: three screens, zero upsells | +117 −236 |
| 056-remove-promo-bubbles.patch | In-product promotional bubbles compiled out | +3 −142 |
| 057-surferse-icons-macos.patch | App, document and volume icons | +38 −29 |
| 058-license-and-credits.patch | surferse://credits carries this exact list, offline | +59 −4 |
the net effect
Zero Google endpoints.
Run it and watch.
This is what all 58 add up to. Put Surferse behind any proxy on first run — the log is the whole story.
$ surferse --first-run --log-network watching outbound connections … 0 requests *.google.com 0 requests *.gstatic.com 0 requests *.googleapis.com 1 request updates.surferse.com manifest · no cookies first run complete. nobody was told.