Debian Bug report logs - #915582

Installs non-free binaries from cisco and google again

Reported by: Ingo Saitz <ingo@hannover.ccc.de>
Date: Wed, 5 Dec 2018 00:27:02 UTC
Severity: serious
Found in version firefox/62.0.3-1


Report forwarded to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>:

Bug#915582; Package firefox. (Wed, 05 Dec 2018 00:27:04 GMT)

Acknowledgement sent to Ingo Saitz <ingo@hannover.ccc.de>:

New Bug report received and forwarded. Copy sent to Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>. (Wed, 05 Dec 2018 00:27:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Ingo Saitz <ingo@hannover.ccc.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Installs non-free binaries from cisco and google again
Date: Wed, 05 Dec 2018 01:22:50 +0100

Package: firefox
Version: 62.0.3-1
Severity: serious
Justification: Policy §2.2.1

Mozilla changed the config options for the openh264 codec. The option listed in /etc/firefox/firefox.fs (media.gmp-gmpopenh264.enabled) seems to be no longer in use, instead about:config now lists the options

media.gmp-provider.enabled
media.gmp.decoder.enabled
media.gmp-widevinecdm.enabled
media.gmp.trial-create.enabled

And in addition to libgmpopenh264.so it also downloads and installs into ~/.mozilla a libwidevinecdm.so binary. Its license (contained in the zip-archive from which it gets installed) reads

> "Google Inc. and its affiliates ("Google") own all legal right, title and
> interest in and to the content decryption module software ("Software") and
> related documentation, including any intellectual property rights in the
> Software. You may not use, modify, sell, or otherwise distribute the Software
> without a separate license agreement with Google. The Software is not open
> source software.
>
> If you are interested in licensing the Software, please contact
> widevine@google.com.

Cf. bug #769716

I believe these automated downloads should be disabled by default in Debian packages.

Thx

-- Package-specific info:

-- Addons package information

-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (800, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.4-echse20181124 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages firefox depends on:
ii debianutils 4.8.6
ii fontconfig 2.13.1-2
ii libasound2 1.1.7-1+b1
ii libatk1.0-0 2.30.0-1
ii libc6 2.28-1
ii libcairo-gobject2 1.16.0-1
ii libcairo2 1.16.0-1
ii libdbus-1-3 1.12.10-1
ii libdbus-glib-1-2 0.110-3
ii libevent-2.1-6 2.1.8-stable-4
ii libffi6 3.2.1-9
ii libfontconfig1 2.13.1-2
ii libfreetype6 2.9.1-3
ii libgcc1 1:8.2.0-10
ii libgdk-pixbuf2.0-0 2.38.0+dfsg-6
ii libglib2.0-0 2.58.1-2
ii libgtk-3-0 3.24.1-2
ii libjsoncpp1 1.7.4-3
ii libnspr4 2:4.20-1
ii libnss3 2:3.40-1
ii libpango-1.0-0 1.42.4-4
ii libsqlite3-0 3.26.0-1
ii libstartup-notification0 0.12-5
ii libstdc++6 8.2.0-10
ii libvpx5 1.7.0-3
ii libx11-6 2:1.6.7-1
ii libx11-xcb1 2:1.6.7-1
ii libxcb-shm0 1.13.1-1
ii libxcb1 1.13.1-1
ii libxcomposite1 1:0.4.4-2
ii libxdamage1 1:1.1.4-3
ii libxext6 2:1.3.3-1+b2
ii libxfixes3 1:5.0.3-1
ii libxrender1 1:0.9.10-1
ii libxt6 1:1.1.5-1
ii procps 2:3.3.15-2
ii zlib1g 1:1.2.11.dfsg-1

Versions of packages firefox recommends:
ii libavcodec58 7:4.0.3-1

Versions of packages firefox suggests:
ii fonts-lmodern 2.004.5-5
ii fonts-stix [otf-stix] 1.1.1-4
ii libcanberra0 0.30-6
ii libgssapi-krb5-2 1.16.1-1
ii libgtk2.0-0 2.24.32-3
ii pulseaudio 12.2-2

-- no debconf information

-- debsums errors found:
debsums: package firefox is not installed

Information forwarded to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>:

Bug#915582; Package firefox. (Mon, 10 Dec 2018 21:03:02 GMT)

Acknowledgement sent to Ingo Saitz <ingo@hannover.ccc.de>:

Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>. (Mon, 10 Dec 2018 21:03:02 GMT)

Message #10 received at 915582@bugs.debian.org:

From: Ingo Saitz <ingo@hannover.ccc.de>
To: 915582@bugs.debian.org
Subject: Re: Bug#915582: Acknowledgement (Installs non-free binaries from cisco and google again)
Date: Mon, 10 Dec 2018 21:52:25 +0100

After setting the options in my previous mail to false I found firefox still was downloading binaries of libgmpopenh264.so and libwidevinecdm.so.

I looked into the firefox sources (64.0~b12-2), and the installation seems to be done by toolkit/mozapps/extensions/internal/ProductAddonChecker.jsm by ProductAddonChecker.getProductAddonList(). There is a config option GMPPrefs.KEY_UPDATE_ENABLED to disable this, which is defined in toolkit/modules/GMPUtils.jsm line 118. Setting this to false seems to disable the binary blob downloads.

So in /etc/firefox/firefox.js (debian/browser.js.in in the source), the option

pref("media.gmp-gmpopenh264.enabled", false);

should be changed to

pref("media.gmp-manager.updateEnabled", false);

Users needing to enable the EME and OpenH264 binaries can still change this option in about:config.

Ingo
--
 ╭─╮   Kennedy's Lemma:
╭│───╮ If you can parse Perl, you can solve the Halting Problem.
│╰─│─╯
╰──╯   http://www.perlmonks.org/?node_id=663393
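An added example, not part of the bug report and not Firefox or Debian code: a Python check that audits a prefs file for the pref the reporter proposes and looks for the two libraries under a ~/.mozilla-style directory. The pref and library names come from the report; the function names, the sample configs and the recursive directory search are assumptions.

```python
import re
from pathlib import Path

# Pref names and library names are taken from the bug report.
UPDATE_PREF = "media.gmp-manager.updateEnabled"
LEGACY_PREF = "media.gmp-gmpopenh264.enabled"
BLOBS = ("libgmpopenh264.so", "libwidevinecdm.so")

# Constructed sample inputs: the packaged line and the proposed replacement.
OLD_CONFIG = 'pref("media.gmp-gmpopenh264.enabled", false);\n'
NEW_CONFIG = 'pref("media.gmp-manager.updateEnabled", false);\n'

# Matches pref("name", value); and user_pref("name", value); at line start,
# so lines commented out with // are ignored.
PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)


def parse_prefs(text):
    """Return {pref name: raw value}; a later line overrides an earlier one."""
    return dict(PREF_RE.findall(text))


def audit(prefs_text, mozilla_dir):
    """List findings for one prefs file and one ~/.mozilla-style directory."""
    prefs = parse_prefs(prefs_text)
    findings = []
    if prefs.get(UPDATE_PREF) != "false":
        findings.append(f"{UPDATE_PREF} is not false: automatic GMP downloads not disabled")
        if prefs.get(LEGACY_PREF) == "false":
            findings.append(f"only {LEGACY_PREF} is set, which the report found no longer in use")
    root = Path(mozilla_dir)
    if root.is_dir():
        for blob in BLOBS:
            # Assumption: search recursively instead of relying on a fixed layout.
            for hit in sorted(root.rglob(blob)):
                findings.append(f"downloaded binary present: {hit.relative_to(root)}")
    return findings


if __name__ == "__main__":
    for label, text in (("packaged", OLD_CONFIG), ("proposed", NEW_CONFIG)):
        print(label, audit(text, Path.home() / ".mozilla"))
```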
