
Firefox Installs non-free binaries from Cisco and Google again (2018) - DyslexicAtheist
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915582
======
romaaeterna
It's worse than that. Firefox will download non-free javascript and html from
pretty much every website you visit. Debian team needs to get on it, fast!

~~~
bobongo
I do not think the sarcasm is deserved here. Debian is committed to free
software. You can find a set of guidelines they implement in their social
contract website under the heading "The Debian Free Software Guidelines
(DFSG)" at
[https://www.debian.org/social_contract#guidelines](https://www.debian.org/social_contract#guidelines)

A substantial user and developer base prefers Debian precisely because of
these Guidelines. Inclusion of free software (as-is) that automatically
installs non-free binaries would violate almost all of these guidelines.

~~~
romaaeterna
I'm not sure that these guidelines make a distinction between a call to
install a codec on-demand versus a call to download and run (and even cache) a
minified Javascript library.

~~~
dTal
The difference is whether the user has explicitly asked for it. If I point my
web browser at a url, I am instructing it to download and execute whatever it
finds there. However, if the browser decides to download a codec on-demand, it
is making an executive decision as to what code should run on the machine -
and to select non-free code without user interaction is a violation of trust.

An analogous situation would be the non-free NVidia blob. Debian fully
supports installing it, but it would be very much verboten to do so by
default, automatically.

~~~
romaaeterna
> If I point my web browser at a url, I am instructing it to download and
> execute whatever it finds there.

And your browser will download linked JavaScript from third-party websites to
make it run, as Firefox downloads a codec from a third party to make the media
you've requested run.

I actually agree about the conflict between this codec behavior and the Debian
philosophy. But they need to come to terms with the much greater conflict with
their philosophy that the modern internet experience presents.

Stallman, for all his faults, was right about a lot of things. We live in a
world where people don't own their own books, and buy software on a
subscription model. For a few years back in the late 90s and early 2000s it
looked like free software was the answer. But the internet made an end run
around it, and Debian, etc., haven't caught up. We're all digital renters
instead of owners.

------
paulintrognon
Can someone here please explain to me what the issue is? Firefox downloads
non-free binaries in order to read some codecs by default, and this issue
states that firefox should not download the codec by default because it is
non-free, which is against debian's philosophy, is that correct?

~~~
Wowfunhappy
Yes, although notably this is about black-box DRM systems, not just your run-
of-the-mill video codecs.

Standard versions of Firefox include non-free components by default because
most users expect Netflix to work. ("Free" means "open source" in this
context.)

Debian repositories (that aren't named "non-free") are supposed to contain
only free software, so the Debian-packaged version of Firefox needs to be
stripped of any non-free components. Should any slip through, that's a
critical bug as far as Debian is concerned.

I don't think there's an issue here, it's just two projects with different
goals proceeding as they're supposed to. We can have a discussion about all
the things wrong with Encrypted Media Extensions and the like, but it's
somewhat beside the point unless Firefox gains _way_ more marketshare.
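The "non-free components" in question are the Gecko Media Plugins (GMPs) that Firefox's GMP manager fetches by itself: OpenH264 from Cisco and the Widevine CDM from Google. Whether a given profile can still fetch them is a question of a handful of prefs, so here is an added example (not Mozilla's or Debian's code) that audits a profile's prefs.js for those prefs and emits a user.js fragment that switches every fetch path off. The pref names are real Firefox prefs; the gating model (which prefs must be true for a fetch to happen), the release-build defaults and the sample prefs.js text are this example's own assumptions and constructions.

```python
"""Audit a Firefox profile's prefs for the Gecko Media Plugin (GMP) settings that
let the browser fetch the non-free OpenH264 (Cisco) and Widevine CDM (Google)
binaries on its own. Added example for this thread, not Mozilla or Debian code.
The pref names are real Firefox prefs; the gating model below (which prefs
must be true for a fetch to happen) and the release-build defaults are this
example's assumptions, and the prefs.js text is a constructed sample.
"""
import re

# Release-build defaults (assumption: they match your Firefox version).
GMP_DEFAULTS = {
    "media.gmp-provider.enabled": True,      # the GMP manager itself
    "media.gmp-gmpopenh264.enabled": True,   # OpenH264 from Cisco
    "media.gmp-widevinecdm.enabled": True,   # Widevine CDM from Google
    "media.eme.enabled": True,               # Encrypted Media Extensions; Widevine exists for this
}

# Matches user_pref("name", value); (and pref(...) from all.js); value is bool, int or string.
PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\("([^"]+)",\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\);',
    re.MULTILINE,
)


def parse_prefs(text: str) -> dict:
    """Parse user_pref("name", value); lines from prefs.js/user.js into a dict."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def fetchable_gmps(prefs: dict) -> list:
    """Plugins the GMP manager may download under these prefs (simplified model:
    the provider must be on, the plugin must be on, and Widevine also needs EME)."""
    eff = {k: prefs.get(k, default) for k, default in GMP_DEFAULTS.items()}
    if not eff["media.gmp-provider.enabled"]:
        return []
    out = []
    if eff["media.gmp-gmpopenh264.enabled"]:
        out.append("gmpopenh264")
    if eff["media.gmp-widevinecdm.enabled"] and eff["media.eme.enabled"]:
        out.append("widevinecdm")
    return out


def hardened_user_js() -> str:
    """user.js fragment that turns every GMP fetch path off (drop into the profile dir)."""
    return "".join(f'user_pref("{name}", false);\n' for name in GMP_DEFAULTS)


# Constructed sample: a profile where the user only disabled Widevine.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences (constructed sample, not a real profile)
user_pref("media.gmp-widevinecdm.enabled", false);
user_pref("media.gmp-manager.url", "https://gmp.example.invalid/update.xml");
user_pref("network.trr.mode", 2);
"""

if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_PREFS_JS)
    print("still fetchable:", fetchable_gmps(prefs))   # ['gmpopenh264']
    print(hardened_user_js(), end="")
```

Run it against `~/.mozilla/firefox/<profile>/prefs.js` to see what a profile can still pull down; a pref that is absent from prefs.js is at its build default, which is why the audit falls back to `GMP_DEFAULTS` rather than treating "not set" as "off".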

~~~
suprfsat
What technical reason is there for Firefox to dynamically download these
libraries instead of bundling them at build time? It leads to bugs such as
this one.

~~~
phatfish
Pretty sure it's up to Debian to repackage and modify software to meet their
standards. Not for app developers to somehow comply with every bizarre
packaging policy each Linux distribution cooks up.

~~~
Wowfunhappy
Be that as it may, "why is this component downloaded separately" is a fair
question to ask. (Sibling comments have proposed some answers.)

------
DyslexicAtheist
see also this cluster-fudge: _"firefox: Safe Browsing updates fail due to
insufficient quota on the Google API key"_
[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895147](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895147)

both issues are still open after more than 1 year! There seems to be a
disconnect in how FF security is perceived by tech savvy users and how
security/privacy critical bugs get prioritized by Mozilla.

edit:

Just recently I discovered DoH was activated by default now and bypassing my
/etc/hosts block list without any warning. This opened me up to tracking from
sites I thought I had blocked (discovered it only by accident and after
several months when I actively looked into DoH and the network.trr.mode
setting).

In all above cases the failure-modes are insecure. It's like a firewall that
suddenly switches its enforcement policy from a deny-all+whitelisting to
allow-all+blacklisting without properly informing users.

Totally unacceptable!

~~~
pbhjpbhj
Thank you for that note on DNS-over-HTTPS... it might explain a weird event for
me recently where a blacklisted site wasn't blocked (OpenDNS + Pi-hole).

Is FF sending all my DNS data to a private third party now then? Doesn't
sound a very FOSS thing to do?

~~~
zaarn
If you have an up-to-date PiHole, firefox should automatically disable DoH
since PiHole now ships the necessary canary.
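The "canary" referred to here, and the `network.trr.mode` pref from the comment above, work as follows: Firefox looks up `use-application-dns.net` through the system resolver, and if the answer is NXDOMAIN, or NOERROR with no A/AAAA records, it keeps DoH off, but only when DoH was enabled by default rather than chosen by the user. Pi-hole returns NXDOMAIN for that name, which is why it counts as shipping the canary. The added example below (not Mozilla's or Pi-hole's code) models both rules offline: it builds and parses the DNS answers itself, so no network is touched, and the resolver answers are constructed samples.

```python
"""Offline model of Firefox's DoH canary check and network.trr.mode handling.

Added example for this thread, not Mozilla or Pi-hole code. Facts it encodes:
Firefox resolves the canary name use-application-dns.net through the system
resolver and keeps DoH off if the answer is NXDOMAIN or NOERROR with no
A/AAAA records, but only when DoH was enabled by default, not when the user
turned it on; network.trr.mode values: 0 off (default), 2 DoH first with
native fallback, 3 DoH only, 5 off by explicit user choice (1 was a
deprecated "race" mode). The DNS messages are constructed inline.
"""
import struct

CANARY = "use-application-dns.net"
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3
TYPE_A, TYPE_AAAA, CLASS_IN = 1, 28, 1


def encode_name(name: str) -> bytes:
    """DNS wire-format name, uncompressed."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_response(name: str, rcode: int, answers) -> bytes:
    """Constructed response to an A query for `name`; answers = [(rtype, rdata)]."""
    flags = 0x8180 | rcode                       # QR=1, RD=1, RA=1, RCODE in the low bits
    header = struct.pack(">HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    question = encode_name(name) + struct.pack(">HH", TYPE_A, CLASS_IN)
    rrs = b"".join(
        encode_name(name) + struct.pack(">HHIH", rtype, CLASS_IN, 60, len(rdata)) + rdata
        for rtype, rdata in answers
    )
    return header + question + rrs


def decode_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                # pointer to an earlier name
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes):
    """Return (rcode, [(rtype, rdata), ...]) for the answer section."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        _, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        answers.append((rtype, msg[off:off + rdlen]))
        off += rdlen
    return flags & 0x0F, answers


def canary_requests_doh_off(resp: bytes) -> bool:
    """Mozilla's rule: NXDOMAIN, or NOERROR with no A/AAAA, means "keep DoH off".
    Other RCODEs (e.g. SERVFAIL) are not treated as a signal."""
    rcode, answers = parse_response(resp)
    if rcode == RCODE_NXDOMAIN:
        return True
    return rcode == RCODE_NOERROR and not any(t in (TYPE_A, TYPE_AAAA) for t, _ in answers)


def doh_active(trr_mode: int, user_set: bool, canary_off: bool) -> bool:
    """Does DoH end up active for this profile on this network?"""
    if trr_mode in (0, 5):
        return False
    if trr_mode == 3:
        return True                               # DoH only: a user choice, canary ignored
    # mode 2 (or legacy 1): the canary only overrides a default-enabled rollout
    return user_set or not canary_off


# Constructed sample answers, as a Pi-hole (NXDOMAIN) and an ordinary resolver would give.
PIHOLE_ANSWER = build_response(CANARY, RCODE_NXDOMAIN, [])
PLAIN_ANSWER = build_response(CANARY, RCODE_NOERROR, [(TYPE_A, bytes([192, 0, 2, 10]))])
# Same answer with the RR name as a compression pointer to offset 12 (the question name).
COMPRESSED_ANSWER = (PLAIN_ANSWER[:12 + len(encode_name(CANARY)) + 4] + b"\xc0\x0c"
                     + struct.pack(">HHIH", TYPE_A, CLASS_IN, 60, 4) + bytes([192, 0, 2, 10]))

if __name__ == "__main__":
    for label, ans in (("Pi-hole", PIHOLE_ANSWER), ("plain resolver", PLAIN_ANSWER)):
        off = canary_requests_doh_off(ans)
        print(f"{label}: canary says DoH off={off}; "
              f"default rollout (mode 2) -> DoH active={doh_active(2, False, off)}")
```

The practical checks that follow from this: `dig use-application-dns.net` against your resolver should return NXDOMAIN if you expect the canary to work, and a profile that must not bypass `/etc/hosts` regardless of network should set `network.trr.mode` to 5 (or 3 pointed at a DoH server you run) rather than rely on the canary, which an untrusted network has no reason to serve. For individual hosts that must always go through the native resolver, `network.trr.excluded-domains` takes a comma-separated list.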

~~~
mondoshawan
Still unacceptable if I'm not at home or on a VPN.

~~~
zaarn
If you're not at home or on a VPN you trust, how can you trust the network you
are in delivers a safe DNS server? Besides, you can always disable DoH or
point it to your own DoH server.

------
madacol
Why is this relevant if it's from DEC 2018?

------
paulie_a
Next week will be entertaining when someone takes a baseball bat to the pinata
and 50 security vulnerabilities fall out. Thanks Cisco for your continued
dangerous and terrible software.

I wonder if the devs get a bonus for every one they fix.

------
vmchale
that's why I use chrome

~~~
SmellyGeekBoy
This doesn't even make sense, Chrome is non-free to begin with.

~~~
pedrogpimenta
It's a joke.

~~~
ncmncm
It's two jokes!

