Re: Missing source in firefox-esr: EME module



On July 3, 2019 1:55:04 AM GMT+02:00, Simon McVittie <smcv@debian.org> wrote:
>On Tue, 02 Jul 2019 at 15:20:37 -0400, Nat Tuck wrote:
>> It'd probably be necessary to go through the packages in main and see
>> if any other packages download and install proprietary software at all,
>> or if this is just Firefox even in the more general case.
>
>I want to head this off right now, because continuing this train of
>thought could lead to us removing all the email clients from Debian
>(because they are willing to download this email[1], which I have not
>placed under a Free license), and if that's the standard we are aiming
>for then we might as well give up on producing a practically useful
>Free Software distribution.
>
>A program that *can* download and install proprietary software, but does
>not depend on doing so, is definitely allowed in main: general-purpose
>HTTP clients like Firefox and wget download whatever you tell them to,
>proprietary or otherwise, and so will software package managers like
>apt, Docker and pip. Even within the scope of installing executable
>code through an interface specifically designed for executable code, the
>extensions available from addons.mozilla.org and third-party sources are a
>mixture of Free and non-Free, just like the dpkg packages available from
>deb.debian.org and third-party apt sources, the Docker images available
>from Dockerhub and third-party Docker registries, and the Python packages
>available from PyPI and third-party pip-compatible repositories. Some
>distribution points have a strict policy of Free Software only (Debian
>main is one such distribution point, and I think PyPI aims for this?),
>but any downloader that can't cope with multiple compatible distribution
>points (federation) has an obvious missing feature, and any downloader
>that *can* cope with multiple compatible distribution points can be
>pointed to a distribution point that offers non-Free software.
>
>Now, I do agree that Firefox's Widevine module is not the same as (for
>example) the addons on addons.mozilla.org, because there is code in
>Firefox to download and run this specific module (Widevine specifically,
>not just the generic concept of an EME module), and the UI for that
>feature does not make it immediately obvious that an additional module
>will be downloaded and run when it is enabled. I think you might be
>harming your chances of achieving your goal here by trying to make this
>into a debate about DFSG-compliance (which I suspect is not one you are
>likely to win), and by expanding its scope from Widevine to software
>downloaders more generally.

Very good points. By that same reasoning you could throw out wget since there is a risk of it downloading non-free software. Of course that argument is more a tongue-in-cheek one, and there is a fundamental difference to what Firefox does: downloading proprietary software with wget is possible because wget allows any source to be fetched and has no control over the remote content, but Firefox hardcodes a very specific location and knows what it'll get. That's in line with the OP's assessment of bypassing non-free software requirements via a trick.

I wonder why no one brought it up yet, but here we go: IMHO, downloading pre-defined proprietary software should completely be disabled/removed in Firefox and the proprietary Widevine module be properly packaged as a package in non-free - with at most a Suggests dependency in the firefox(-esr) package. The nag bar might tell people to install this additional package.

This isn't just a (questionable) licensing question, but AFAICT even a potential security issue. I *hope* that Mozilla at least signs the module and checks the signature, but haven't checked. In theory, a malicious network could intercept and replace this module with arbitrary binaries when not using signatures. And even if Mozilla signs and checks this stuff, why should Debian trust their infrastructure? This module should be under trustworthy distro control, just like any other software package.
Mihai
-- 
Sent from mobile phone.
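The check the message above hopes Mozilla performs, shown as an added example (not Firefox code and not from anyone on this thread): a client that will only load a fetched module after verifying a detached Ed25519 signature against a publisher key pinned in the client. The key pair, module name and module bytes are constructed here for illustration; the pinned key is the trust anchor, which is exactly the "whose infrastructure do we trust" question the message raises.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedModule is what the client receives over the network: the binary plus
// a detached signature. Neither part can be trusted before verification.
type SignedModule struct {
	Name      string
	Binary    []byte
	Signature []byte
}

// moduleDigest binds the signature to both the module name and its bytes, so
// a valid signature for one module cannot be replayed for a different one.
func moduleDigest(name string, binary []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator between name and body
	h.Write(binary)
	return h.Sum(nil)
}

// signModule is the publisher side (constructed here only to produce sample
// input); in practice the private key never leaves the publisher.
func signModule(priv ed25519.PrivateKey, name string, binary []byte) SignedModule {
	return SignedModule{Name: name, Binary: binary,
		Signature: ed25519.Sign(priv, moduleDigest(name, binary))}
}

// verifyModule is the client side: refuse to load anything whose signature
// does not verify against the key pinned at build time. An on-path attacker
// who swaps the binary, or re-signs it with their own key, fails this check.
func verifyModule(pinned ed25519.PublicKey, m SignedModule) error {
	if !ed25519.Verify(pinned, moduleDigest(m.Name, m.Binary), m.Signature) {
		return errors.New("module signature does not verify against pinned key; refusing to load")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed publisher key pair
	m := signModule(priv, "example-cdm", []byte("constructed module bytes"))
	fmt.Println("genuine:", verifyModule(pub, m))
	m.Binary[0] ^= 1 // simulate an on-path swap of the downloaded bytes
	fmt.Println("tampered:", verifyModule(pub, m))
}
```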