On Wednesday, June 24, 2015 at 1:39:38 AM UTC-5, Ryan Kelly wrote:
>
> Seriously?

Wow, I am having a hard time figuring out how to respond to this.

> I directly challenged you to explain how the Pocket Terms of Service are
> supposedly activated at install time, how they supposedly apply to every
> Firefox user regardless of whether they interacted with the Pocket
> button at all. You were not able to do so.

I have directly quoted from Pocket's own Terms of Service.

> You raised interesting points about what the terms might imply for users
> and developers after they agreed to them, and interesting points about
> the legal status of third-party re-implementations of the Pocket API.
> But none of it explained how these ToS might come to override the very
> clear open-source license under which the Pocket code inside Firefox is
> distributed.

I have explained already how Pocket already has an override on the spirit in which the Open Source Definition #6 is stated. There is no practical way today to commercially use the code without violating the Terms of Service. If this comes down to whether a license stamped on a file is OSI approved, then you are perfectly right to say the rubber stamp has made it open source based on the letter of the law. If Firefox core integrations is just about following open source to the letter and ignoring the spirit of it then it isn't the browser I thought it was. And, also, if that is the case, I really strongly feel the features which are only available for non-commercial/personal use should be made clear in "about:rights#webservices".

> That the Terms themselves appear to claim they're activated at install
> time is a nonsensical circular argument, powerless until you actually do
> something that would require agreement to the terms in the first place.
>
> I'm not a lawyer. If there were even a hint of a problem here, you
> would not have to work hard to convince me of the possibility.

I get the feeling based on this reply that you clearly ignored my direct quotes of the Terms of Service and probably ignored the majority of everything else I wrote. Even when there is a hint of a problem, once you have firewalled off what is being said then it will go from hard work to *impossible* to convince you of anything.

> But the closest you offered was this:
>
> > However, let's say, just for the sake of argument, that Pocket decides it
> > wants a web site popularity/rank feature. Something similar to Google
> > PageRank or Alexa add-ons. As part of this (again for the sake of
> > argument), the Pocket integration links into the http/https submissions
> > such that a log of websites visited is periodically compressed and transmitted
> > to Pocket.
> >
> > I'm not claiming I have proof Pocket intends to do this. What I am
> > claiming is the current Terms of Service give themselves the permission to
> > add this type of behavior even if the user never clicks on the Pocket icon
> > and disables the icon from the bar.
>
> This is a meaningless hypothetical because *Pocket does not have the
> ability to do this even if they wanted to*.
>
> Nothing here has given Pocket the ability to make arbitrary changes to
> the code shipping in Firefox, and their own ToS are certainly not
> powerful enough to grant them that by fiat. Mozilla would have to
> accept such a change through our normal review procedures and
> include it in a normal Firefox release.

I was demanded to give an example of what could happen and I gave one. Any such example of what the future has in store for us will be hypothetical. The idea that RealNetworks would ever have spyware-like activity included in RealPlayer remains hypothetical until they actually do it. The idea that RSA BSAFE would use a known weak random generator by default remains hypothetical until they actually do it.
The idea that Lenovo would pre-install a Certificate Authority record and also distribute the private signing key associated remains hypothetical until they actually do it. Each of these companies helped make the environment of how the web was formed and operated. Each of these companies is largely a good company that produces good results for both direct and indirect users. Each has stumbled at one point and done something that hurts an aspect of the type of web we want. For how we are building the web of the future, what a company is planning to do is as important as what it is currently doing.

> The day such code shipped in Firefox would be the day I handed in my
> resignation, and I'm pretty confident I'm not alone in that regard.

It does help me that you are willing to say that. I'm sure there are others at Mozilla Foundation that feel the same way. I still don't think code review should ever be the *first* line of defense. As part of transparency, code submitters should make an effort to make it clear they are also committed to the stated mission of Firefox such that the submitter themselves are the first line of defense.

> If you're really raising these points because you care about Mozilla and
> its mission, please either:
>
> 1) Explain exactly where the problem is, so we can fix this incredibly
> serious betrayal of our users' sovereignty and trust; or

The problem is the lack of transparency about what is intended for the future of this integration. I am having trouble finding any statement of intent regarding a roadmap from Pocket. So, normally, with open protocols and APIs, I look to those to determine the limits of what a company will collect. At first glance, it looks like Pocket's API is open, as one of the first code comments says where to go get the public API documentation. However, the actual API calls made in the code itself don't restrict themselves to that.

Ok, the next tier I can look to for transparency is what else is stated on the website. From what I can tell, the closest that Pocket has ever published to a statement of intent for future releases is the Terms of Service. I will admit that I'm stuck reading between the lines on what their intent must be. However, the only thing they have gotten back to me on is that the API call is *private* by design. If they would have provided a roadmap or gotten back to me about clarification (going on over two weeks now) or provided an actually open API then I wouldn't be resorting to reading between the lines of a ToS. It isn't just the legal aspects of the ToS as much as it also gives insight into the mindset of the authors.

> 2) Stop spreading this unsubstantiated FUD.

You are right, I shouldn't have given examples of how things could play out in the future. Let's just stick with the facts of why I find the current situation alarming:

(1) Mozilla Foundation's code review has let through code which lacks transparency in the API calls it makes. Instead it introduces a private "/v3/firefox/*" namespace they have no intention of providing documentation for.

(2) Pocket has no clearly written roadmap or statement of intent for future releases of Pocket integration.

(3) Tyler Downer of Mozilla Foundation is able to "RESOLVE" a bug submission regarding the Pocket integration in less than 90 minutes (the "INVALID" flag I agree with but the "RESOLVE" sends a very different message)

(4) Mike Connor has made some alarming statements in this thread about the future of transparency of Mozilla Foundation.

(5) Ryan Kelly wants me to just shut up about the ToS because the code has a license that is OSI approved (and honoring OSD #6 in a practical way just doesn't matter--I guess?)

> I'm completely serious about (1). If what you describe above really is
> happening to our users when they install this release, IMHO that's a
> chemspill of the highest order and we need to scramble all our resources
> to fix it. It's a serious enough allegation that I just can't bring
> myself to leave the claims above unchallenged.
>
> But I haven't seen any meaningful attempt to explain how that's actually
> happening. You just keep asserting it as though it were fact.

I'm asserting that the mixture of all of these things lays out dots that when connected produce a drawing of a big red flag. If you want to dissect that then you will be left scrutinizing a mere set of dots. I will have a hard time defending a mere dot as being alarming; it is the whole picture I'm asking to be looked into. Just as staying under budget requires looking at the sum of expenses, I was expecting to be able to look at the sum of what Pocket has published (and what they have kept secret/private). Does that sum add up to the "best way" of getting this feature for a browser built around transparency?

> Of course, the alternative is:
>
> 3) Continue trolling us with vague claims of automagic Terms of Service
>
> At which point I will attempt to just let this thread die...

Great. Fine. I give up. This clearly has all been about trolling because I really just want to sabotage this wonderful contribution that could not have been done in any other better way. There are actually no red flags to see here. Everything is wonderfully transparently done. Terms of Service can't possibly apply to non-users of Pocket in any country that Firefox is used. No one deserves any type of clarification since Pocket seems to not want to give it and even asking for clarification is just "trolling" anyways. I get it.

_______________________________________________
governance mailing list
[email protected]
https://lists.mozilla.org/listinfo/governance
