[FREEDOM ISSUE] firefox-esr multiple violations of GNU FSDG
Closed, Invalid | Public

Description

Package: firefox-esr
Tag: [uses-nonfree]
Reference: fsf:firefox parabola:2409
Short description:
Proposed solution: replace
Replacement:
Notes:

Below are a few examples of freedom issues in Firefox ESR shipped by PureOS.

This has been reported with understanding that PureOS is still committed to follow GNU FSDG [1]. If this is not the case, please confirm this in the comments.

I did not describe each one of them in detail as a separate issue, because if Firefox replaced PureBrowser where many of these issues were not present, it is not clear if PureOS team is interested in resolving it. However, if you are interested, I'd be happy to provide more detailed reports and probably even help with the fixes.

  1. New tab page includes links to YouTube, Twitter, Amazon, Reddit and Facebook. All of these websites download and execute JavaScript code that appears to be nonfree. That violates [2]. The same is true for Search Engines.
  2. Encrypted Media Extensions implementation is available and is working. On web pages that have DRM content, Firefox suggests to enable DRM, and if the user agrees, it automatically installs nonfree Widevine CDM. Violates [3] and [4].
  3. Addons page lists recommendations from addons.mozilla.org (AMO), some of those are nonfree. Please see [5], it has the attachment with clarification from Scott DeVaney, AMO Sr. Editorial Manager. These recommendations violate [2].
  4. Addons page has a box "Search addons.mozilla.org", that violates [2], because AMO can be seen as a third-party repository that is not committed to only including free software.

There are more FSDG violations, like OpenH264 plugin, privileges for Mozilla repositories to treat them as trusted, recommendations to download other versions of Firefox (Developer Edition and mobile which share the same freedom issues), etc.

Tested on:
firefox-esr/amber-security 68.7.0esr-1~deb10u1 amd64: Freshly upgraded installation with everything by default
firefox-esr/byzantium 68.7.0esr-1 amd64: live pureos-10~devel-gnome-live_20200328-amd64.hybrid.iso after the upgrade

[1] https://www.gnu.org/distros/free-system-distribution-guidelines.en.html

[2] https://www.gnu.org/distros/free-system-distribution-guidelines.en.html#license-rules , Paragraph 4:
A free system distribution must not steer users towards obtaining any nonfree information for practical use, or encourage them to do so. The system should have no repositories for nonfree software and no specific recipes for installation of particular nonfree programs. Nor should the distribution refer to third-party repositories that are not committed to only including free software; even if they only have free software today, that may not be true tomorrow. Programs in the system should not suggest installing nonfree plugins, documentation, and so on.

[3] https://www.gnu.org/distros/free-system-distribution-guidelines.en.html#license-rules , Paragraph 5:
For instance, a free system distribution must not contain browsers that implement EME, the browser functionality designed to load DRM modules.

[4] https://www.gnu.org/distros/free-system-distribution-guidelines.en.html#no-malware

[5] https://labs.parabola.nu/issues/2409

Event Timeline

grizzlyuser triaged this task as Freedom Issue priority. May 4 2020, 12:53
grizzlyuser created this task.

I guess the best approach to resolving the issue would be a collaboration between many parties interested in an FSDG-compatible fork of Firefox.

Currently there are a few projects that try to achieve this independently of each other. Like GNU IceCat, Abrowser (Trisquel), IceWeasel (Parabola). As I can see, all of them maintain long scripts that patch the upstream sources and apply many configuration options to disable or cripple the unwanted functionality. On the other hand, Tor Browser appears to be a proper fork of the whole source tree, but as I understand, they don't have the goal to follow the FSDG.

Ideally, for a proper fork it would be best to follow multiple Mozilla release channels, like ESR, Release and Beta. For example, GNU IceCat 68 has not been officially released yet, I suppose in part because they track only ESR, and the amount of changes between major releases is overwhelming. If multiple channels were followed, the effort would be spread more smoothly on the timeline, leading to fewer delays for releases that contain security fixes among other changes.

All these projects basically do the same thing, and collaboration would benefit all of them.

Please note, for some functionality like EME, it's not enough to disable it by configuration flags only, because the implementation would still be available in the source code and built binaries, but [3] clearly says: "must not contain browsers that implement EME". It is better to remove the implementation completely from the source code tree. The same goes for references to nonfree software, repositories, etc.

grizzlyuser raised the priority of this task from Freedom Issue to Needs Triage. Oct 17 2020, 03:06

I'm not sure if it was correct to initially set priority of this task to Freedom Issue, because it's possible the issue went unnoticed by team members.

jonas.smedegaard changed the task status from Open to Incomplete. May 25 2021, 11:02
jonas.smedegaard claimed this task.
jonas.smedegaard triaged this task as Freedom Issue priority.
jonas.smedegaard added a subscriber: jonas.smedegaard.

Thanks for sharing your concerns about multiple things being wrong in various ways with PureOS.
Unfortunately batching them together is not actionable: that's not how an issue tracker works.

Please file issues separately.

grizzlyuser added a comment. Edited May 27 2021, 00:26

OK, if there's an interest from PureOS team to resolve these issues, I will do my best to file them separately.

Please keep in mind that all of them in total require considerable time to describe in detail (including testing on current versions like Amber and Byzantium). I'm having some lack of free time right now, so can't give any ETAs for that.

I see that item #2 from the Description has already been logged as https://tracker.pureos.net/T980, thank you for that @jonas.smedegaard.

In the meantime, if anybody else wants to log at least those remaining 3 items listed in the description, please feel free to do that, but please leave a comment here about what's been logged.

I will not try to deduplicate this issue:
From a quick read, all the issues seem to have been discussed in the past in other issue reports. Obviously you might very well disagree on that (otherwise you wouldn't have invested your time in reporting it), so it needs a more careful examination which is better done by yourself.

jonas.smedegaard closed this task as Invalid. Jun 12 2021, 03:36
jonas.smedegaard lowered the priority of this task from Freedom Issue to Low.

This issue is not in itself a Freedom issue, but a bundling of multiple issues seemingly all tracked on their own.
Lowering priority and closing accordingly.

Please contribute to the individually tracked issues if you have valuable additional information to those.
Also, please report any issues not already tracked - just please do so as individual issues.
Our goal here is not simply to close most possible issue reports, but to identify and understand and track and solve most possible issues in PureOS!