
Re: Missing source in firefox-esr: EME module



I don't think it's appropriate to start by simply changing the messages since that doesn't solve the majority of the problem, but it would make the issue seem less urgent.

The Firefox package implements core functionality by downloading a component from a third-party site. This would be a problem even if that component were freely licensed. The DRM component is not - as currently integrated into Firefox - an addon like what we see in Gnome or other Firefox functionality like ad blocking or userscripts.

There's a distinction between addons and what's going on here, and I think that distinction is important.

Firefox used to have an "enable javascript" checkbox in the preferences. If this button were unchecked by default, would it be appropriate for Debian to distribute a version of Firefox that didn't include the JavaScript engine and downloaded it from Mozilla when the box was checked? I don't think so. Debian packages are self-contained. For a normal Debian package I'd expect the download mechanism to be disabled and replaced either by bundling the component in the firefox package or the addition of a firefox-js-engine package.

Having software be downloaded and installed from a hard-coded non-Debian URL is not a reasonable result from enabling a preference in a Debian package.

Your proposal of simply changing the text is effectively trying to convert DRM *into* an addon. That would then get us to your question of whether a package should propose downloading a proprietary addon. Doing that honestly would take some work - Firefox would need a new "proprietary addons" screen, the DRM preference would need to be moved there, and the nag bar would need to change to take you there rather than simply triggering the install. And even then, Debian probably shouldn't have a patch that *adds* a request to download a proprietary addon.

There are a bunch of other possible solutions. For example, a wildvine-drm-nonfree package that downloads the component, and a patch to Firefox that removes the downloading mechanism entirely and shows an error message if the DRM preference is enabled and wildvine-drm-nonfree is not installed. That would follow the spirit of the DFSG and allow the existing user signal of enabling repos to work as expected.

All that gets a bit off topic for why I started this thread on debian-legal. Currently, the Firefox package *logically* bundles this component in a way that's clearly intended to dishonestly circumvent the DFSG. Papering over the issue with UI changes just feels like doubling down on that dishonesty.

On Fri, Jun 28, 2019, at 08:38, Ian Jackson wrote:
> Nat Tuck writes ("Re: Missing source in firefox-esr: EME module"):
> > [Ian Jackson:]
> > > You didn't answer my question:
> > >  | [The bug] says that firefox-esr only downloads this proprietary
> > >  | software after explicit user action.  Is that right ?
> ...
> > If the "Enable DRM" preference is ever enabled, the software is automatically downloaded and installed transparently in the background. There are two ways that preference can be enabled:
> > 
> >  - Checking "Enable DRM" in preferences.
> >  - Visiting a page with a DRMed video on it.
> > 
> > When you visit a page with DRMed video a yellow nag bar appears at the top of the page with the text "You must enable DRM to play some audio or video on this page", as well as a single "Enable DRM" button. Users click off these nag bars without reading them - so it's questionable that this is further user interaction than simply pressing "play" on a video. But even if you do read the text, in neither case are you requesting a software download.
> 
> OK so there are a number of problems here, which add
> 
> 1. The message asking permission is far too inexplicit.  (TBH I
>   remember deciding not to approve, when prompted by such messages,
>   but because I hate DRM - and I didn't know that if I had approved,
>   it would have downloaded proprietary software too.)
> 
> 2. There is no way to prevent firefox from repeatedly asking
>   permission.
> 
> 3. Users who have not installed software from contrib find that their
>   Debian firefox package will offer to download and run proprietary
>   software.
> 
> Fixing problems 1 and 2 will not be controversial, I hope.  Would you
> care to write a patch which changes the message, as a start ?
> 
> Presumably fixing problem 2 is not that hard either: at least,
> providing something that could be set in about:config.
> 
> Problem 3 is awkward because in Debian we do not have a consensus
> understanding of when it is appropriate for a package in main to
> download and run proprietary software.  I think this will require a
> General Resolution to fix, but necessary groundwork involves figuring
> out what behavioural profiles users want, and trying to align those
> behavioural profiles to our existing archive areas.
> 
> Ian.
> 
> -- 
> Ian Jackson <ijackson@chiark.greenend.org.uk>   These opinions are my own.
> 
> If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
> a private address which bypasses my fierce spamfilter.
> 
>

