The chromium-render service depends on puppeteer, which in turn depends on having a Chromium binary available for use. Unless told otherwise, puppeteer downloads the Chromium version it needs on first launch. We can tell puppeteer to not download Chromium and use some other binary, perhaps the one that comes with the distribution. Some concerns against using the bundled Chromium in the service were raised in T178189#3692824. So we looked into using a version of Chromium that comes with the distribution.
However, the puppeteer documentation warns against using versions of Chromium that don't come with puppeteer:
NOTE Puppeteer works best with the version of Chromium it is bundled with. There is no guarantee it will work with any other version. Use executablePath option with extreme caution. If Google Chrome (rather than Chromium) is preferred, a Chrome Canary or Dev Channel build is suggested.
Source: https://github.com/GoogleChrome/puppeteer/blob/v0.11.0/docs/api.md#puppeteerlaunchoptions
I wonder whether this is a good reason to not use the Debian version of Chromium.
Also, the latest Debian Jessie has the Chromium version 57.0.2987.98-1~deb8u1, and the headless Chromium first appeared in version 59. Does that mean we should compile our own version of Chromium if we want to avoid puppeteer's version? Wouldn't it defeat the purpose of getting free security fixes from the Debian package maintainers?
Also, I created a proof of concept patch that uses the distribution's Chromium, except the patch doesn't work and puppeteer warns against using non-bundled Chromium: https://gerrit.wikimedia.org/r/385044.
Given the above, would it make sense to stick to the version of Chromium provided by puppeteer?
If you're interested in the full context, please read T178189: [spike] Temporarily allow pushing large objects.
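A preflight check for the trade-off described above, as an added example that is not part of the original task or of puppeteer: it parses a Chromium version string and only returns an `executablePath` launch option when the distribution binary is at least version 59, the first headless release per the task. The function names, the `/usr/bin/chromium` path and the sample strings other than the Jessie package version are assumptions constructed for illustration.

```javascript
// Added example: decide whether a distribution Chromium may be passed to
// puppeteer.launch() via the executablePath option quoted in the task.
const MIN_HEADLESS_MAJOR = 59; // per the task: headless first appeared in 59

// Accepts `chromium --version` style output or a Debian package version
// (optionally with an epoch) and returns [major, minor, build, patch] or null.
function parseChromiumVersion(text) {
  const m = /(?:^|[\s:])(\d+)\.(\d+)\.(\d+)\.(\d+)(?=$|[\s~-])/
    .exec(String(text).trim());
  return m ? m.slice(1, 5).map(Number) : null;
}

// Returns the options object for puppeteer.launch() plus a reason to log.
// An empty options object means "fall back to the bundled Chromium".
function chooseLaunchOptions(versionText, distroPath) {
  const v = parseChromiumVersion(versionText);
  if (!v) {
    return { options: {}, reason: 'unparseable version, using bundled Chromium' };
  }
  if (v[0] < MIN_HEADLESS_MAJOR) {
    return {
      options: {},
      reason: `Chromium ${v.join('.')} predates headless ` +
              `(${MIN_HEADLESS_MAJOR}), using bundled Chromium`,
    };
  }
  // Passing this check does not make the binary supported: the puppeteer
  // note still applies to any version other than the bundled one.
  return {
    options: { executablePath: distroPath },
    reason: `using distribution Chromium ${v.join('.')}`,
  };
}

// Constructed sample inputs; only the first value appears in the task.
const samples = [
  '57.0.2987.98-1~deb8u1',
  'Chromium 62.0.3202.62 built on Debian',
  'not a version',
];
for (const s of samples) {
  const { options, reason } = chooseLaunchOptions(s, '/usr/bin/chromium');
  console.log(JSON.stringify(options), '-', reason);
}
```

The returned `options` object is what would be handed to `puppeteer.launch()`; logging the `reason` makes it visible which binary a given deployment actually runs.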