Re: Missing source in firefox-esr: EME module

To: "Nat Tuck" <nat@ferrus.net>
Cc: debian-legal@lists.debian.org
Subject: Re: Missing source in firefox-esr: EME module
From: Ian Jackson <ijackson@chiark.greenend.org.uk>
Date: Fri, 28 Jun 2019 13:37:49 +0100
Message-id: <[🔎] 23830.2589.871825.388789@chiark.greenend.org.uk>
In-reply-to: <[🔎] 3ef62907-dc94-43f2-8ef7-b634196feb5a@www.fastmail.com>
References: <[🔎] 87h895tasq.fsf@ferrus.net> <[🔎] 23821.3886.149684.989026@chiark.greenend.org.uk> <[🔎] 5d24a243-791c-4450-abc8-7c42152657f0@www.fastmail.com> <[🔎] 23828.54286.232461.755071@chiark.greenend.org.uk> <[🔎] 3ef62907-dc94-43f2-8ef7-b634196feb5a@www.fastmail.com>

Nat Tuck writes ("Re: Missing source in firefox-esr: EME module"):
> [Ian Jackson:]
> > You didn't answer my question:
> >  | [The bug] says that firefox-esr only downloads this proprietary
> >  | software after explicit user action.  Is that right ?
...
> If the "Enable DRM" preference is ever enabled, the software is automatically downloaded and installed transparently in the background. There are two ways that preference can be enabled:
> 
>  - Checking "Enable DRM" in preferences.
>  - Visiting a page with a DRMed video on it.
> 
> When you visit a page with DRMed video a yellow nag bar appears at the top of the page with the text "You must enable DRM to play some audio or video on this page", as well as a single "Enable DRM" button. Users click off these nag bars without reading them - so it's questionable that this is further user interaction than simply pressing "play" on a video. But even if you do read the text, in neither case are you requesting a software download.

OK so there are a number of problems here, which add

1. The message asking permission is far too inexplicit.  (TBH I
  remember deciding not to approve, when prompted by such messages,
  but because I hate DRM - and I didn't know that if I had approved,
  it would have downloaded proprietary software too.)

2. There is no way to prevent firefox from repeatedly asking
  permission.

3. Users who have not installed software from contrib find that their
  Debian firefox package will offer to download and run proprietary
  software.

Fixing problems 1 and 2 will not be controversial, I hope.  Would you
care to write a patch which changes the message, as a start ?

Presumably fixing problem 2 is not that hard either: at least,
providing something that could be set in about:config.

Problem 3 is awkward because in Debian we do not have a consensus
understanding of when it is appropriate for a package in main to
download and run proprietary software.  I think this will require a
General Resolution to fix, but necessary groundwork involves figuring
out what behavioural profiles users want, and trying to align those
behavioural profiles to our existing archive areas.

Ian.

-- 
Ian Jackson <ijackson@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.

Reply to:

Follow-Ups:
- Re: Missing source in firefox-esr: EME module
  - From: "Nat Tuck" <nat@ferrus.net>

References:
- Missing source in firefox-esr: EME module
  - From: Nat Tuck <nat@ferrus.net>
- Re: Missing source in firefox-esr: EME module
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Re: Missing source in firefox-esr: EME module
  - From: "Nat Tuck" <nat@ferrus.net>
- Re: Missing source in firefox-esr: EME module
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Re: Missing source in firefox-esr: EME module
  - From: "Nat Tuck" <nat@ferrus.net>

Prev by Date: Re: Missing source in firefox-esr: EME module
Next by Date: Re: Missing source in firefox-esr: EME module
Previous by thread: Re: Missing source in firefox-esr: EME module
Next by thread: Re: Missing source in firefox-esr: EME module
Index(es):
- Date
- Thread