The firefox-esr package in Buster includes the encrypted media extension
functionality, which relies on a library called "Widevine". Source for
this library is not included in the firefox-esr source package.
This has been an outstanding bug since 2016, but it hasn't been considered as a
serious issue with the package:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837091
The firefox-esr package uses a mechanism apparently intended to work around the
requirement to include source code: it downloads the library at run time. This
implementation detail doesn't change the fact that this is built-in
functionality of the program, shown in the UI as an option like "enable
javascript" rather than as an addon or plug-in.
I'm surprised to find this issue in a package in the Debian "main" archive. Am I
misunderstanding Debian policy or this situation?
Thanks,
– Nat