The firefox-esr package in Buster includes the encrypted media extension
functionality, which relies on library called "wildvine". Source for
this library is not included in the firefox-esr source package.
This has been an outstanding bug since 2016, but it hasn't been considered as a
serious issue with the package:
The firefox-esr package uses a mechanism apparently intended to work around the
requirement to include source code: it downloads the library at run time. This
implementation detail doesn't change the fact that this is built-in
functionality of the program, shown in the UI as an option like "enable
I'm surprised to find this issue in a package in the Debian "main" archive. Am I
misunderstanding debian policy or this situation?