On Sat, May 17, 2014 at 11:15:20AM +0900, Mike Hommey wrote: > On Sat, May 17, 2014 at 02:03:18PM +1200, Chris Pearce wrote: > > On 5/17/2014 10:34 AM, Mike Hommey wrote: > > >Hi, > > > > > >As far as I can tell from what has been said so far on the subject, we > > >may be opting to download the CDM blob unconditionally, and run it after > > >user interaction. > > > > > >As I understand it, the CDM blob is going to be hosted by Adobe. I can > > >see a privacy issue here. Or at least, I can see that people can be > > >unconfortable with this, and/or with the unconditional download of > > >proprietary code (however irrational that is, knowing how many non-free > > >blobs a browser downloads every day). > > > > The UX has not been finalized yet, and it will likely involve people from > > UX, who don't read this list. > > > > Firstly, the CDM will be sandboxed (using Chromium's sandbox, which uses > > seccomp-bpf on Linux I believe). So what the CDM can do to snoop on the > > users' computers is severely restricted. > > > > Or is your concern that the browser will ping some Adobe server without the > > user asking it to? > > Yes. Essentially, Adobe would receive a ping from all Firefox users on a > recent version. That doesn't sound very appealing. > > > Secondly, last I heard the plan was to XOR the downloaded blob with some > > string to make it non-executable until the user consents. > > I'm not convinced that would satisfy the concerns of the people who > don't want to have anything to do with proprietary software. It's > completely irrational, as, like I said, a browser will already download > proprietary blobs all the time, but that's a point a lot of people are > already doing.
I hate to say I told you so, but here we are: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769716 https://bugs.gentoo.org/show_bug.cgi?id=525810 https://bugzilla.redhat.com/show_bug.cgi?id=1155499 And that's not even an actually non-free blob being downloaded. Mike _______________________________________________ dev-media mailing list [email protected] https://lists.mozilla.org/listinfo/dev-media
