
[FREEDOM ISSUE] firefox-esr multiple violations of GNU FSDG
Open, Freedom Issue, Public

Description

Package: firefox-esr
Tag: [uses-nonfree]
Reference: fsf:firefox parabola:2409
Short description:
Proposed solution: replace
Replacement:
Notes:

Below are a few examples of freedom issues in Firefox ESR shipped by PureOS.

This has been reported with the understanding that PureOS is still committed to following GNU FSDG [1]. If this is not the case, please confirm this in the comments.

I did not describe each one of them in detail as a separate issue, because if Firefox replaced PureBrowser, where many of these issues were not present, it is not clear if the PureOS team is interested in resolving them. However, if you are interested, I'd be happy to provide more detailed reports and probably even help with the fixes.

  1. New tab page includes links to YouTube, Twitter, Amazon, Reddit and Facebook. All of these websites download and execute JavaScript code that appears to be nonfree. That violates [2]. The same is true for Search Engines.
  2. Encrypted Media Extensions implementation is available and is working. On web pages that have DRM content, Firefox suggests enabling DRM, and if the user agrees, it automatically installs the nonfree Widevine CDM. Violates [3] and [4].
  3. Addons page lists recommendations from addons.mozilla.org (AMO), some of those are nonfree. Please see [5], it has the attachment with clarification from Scott DeVaney, AMO Sr. Editorial Manager. These recommendations violate [2].
  4. Addons page has a box "Search addons.mozilla.org", that violates [2], because AMO can be seen as a third-party repository that is not committed to only including free software.

There are more FSDG violations, like OpenH264 plugin, privileges for Mozilla repositories to treat them as trusted, recommendations to download other versions of Firefox (Developer Edition and mobile which share the same freedom issues), etc.

Tested on:
firefox-esr/amber-security 68.7.0esr-1~deb10u1 amd64: Freshly upgraded installation with everything by default
firefox-esr/byzantium 68.7.0esr-1 amd64: live pureos-10~devel-gnome-live_20200328-amd64.hybrid.iso after the upgrade

[1] https://www.gnu.org/distros/free-system-distribution-guidelines.en.html

[2] https://www.gnu.org/distros/free-system-distribution-guidelines.en.html#license-rules , Paragraph 4:
A free system distribution must not steer users towards obtaining any nonfree information for practical use, or encourage them to do so. The system should have no repositories for nonfree software and no specific recipes for installation of particular nonfree programs. Nor should the distribution refer to third-party repositories that are not committed to only including free software; even if they only have free software today, that may not be true tomorrow. Programs in the system should not suggest installing nonfree plugins, documentation, and so on.

[3] https://www.gnu.org/distros/free-system-distribution-guidelines.en.html#license-rules , Paragraph 5:
For instance, a free system distribution must not contain browsers that implement EME, the browser functionality designed to load DRM modules.

[4] https://www.gnu.org/distros/free-system-distribution-guidelines.en.html#no-malware

[5] https://labs.parabola.nu/issues/2409

Event Timeline

grizzlyuser triaged this task as Freedom Issue priority. May 4 2020, 12:53
grizzlyuser created this task.

I guess the best approach to resolving the issue would be a collaboration between the many parties interested in an FSDG-compatible fork of Firefox.

Currently there are a few projects that try to achieve this independently of each other. Like GNU IceCat, Abrowser (Trisquel), IceWeasel (Parabola). As I can see, all of them maintain long scripts that patch the upstream sources and apply many configuration options to disable or cripple the unwanted functionality. On the other hand, Tor Browser appears to be a proper fork of the whole source tree, but as I understand, they don't have the goal to follow the FSDG.

Ideally, for a proper fork it would be best to follow multiple Mozilla release channels, like ESR, Release and Beta. For example, GNU IceCat 68 has not been officially released yet, I suppose in part because they track only ESR, and the amount of changes between major releases is overwhelming. If multiple channels were followed, the effort would be spread more smoothly over the timeline, leading to fewer delays for releases that contain security fixes among other changes.

All these projects basically do the same thing, and collaboration would benefit all of them.

Please note, for some functionality like EME, it's not enough to disable it by configuration flags only, because the implementation would still be available in the source code and built binaries, but [3] clearly says: "must not contain browsers that implement EME". It is better to remove the implementation completely from the source code tree. The same goes for references to nonfree software, repositories, etc.