Bug#837091: firefox-esr: EME DRM extention present and enabled
Control: severity -1 normal On 2017-05-27 13:47:45 +0100, Simon McVittie wrote: > On Thu, 08 Sep 2016 at 20:14:28 +0200, Tjeerd Pinkert wrote: > > after reading up a bit (late(ly)) on the W3C EME proposed standard for > > embedding of DRM managed content in web pages, I decided to have a > > look if it is present in the firefox browser > [...] > > I think the presence of code that requires closed source components to > > function, might violate the DFSG for the main section? On the other > > hand, no package relation is available in the non-free section as far > > as I see that is actively depended on. If a decision has been taken on > > this already, then please close. > > I don't see a freeness problem here. > > Firefox with the EME API enabled at compile time, but no CDM (DRM > implementation) installed, is presumably no less functional than Firefox > with the EME API disabled at compile time - so the CDM is not a > dependency, because Firefox without a CDM is a perfectly acceptable web > browser (just missing an optional feature). If we shipped CDMs in > non-free, I don't think Firefox would have a stronger relationship to > them than Suggests (or more likely, the CDMs would declare an Enhances > relationship on Firefox, which means the same thing). Packages in main > are allowed to have Suggests on non-free or even not-in-Debian packages, > just not (Pre-)Depends or Recommends. > > Free CDMs do seem to exist - > https://github.com/fraunhoferfokus/open-content-decryption-module is one > example. It is fairly likely that content publishers will not actually > *use* those CDMs, but that's between you and the content providers whose > products you choose to buy. So from a freeness point of view, this > doesn't seem any worse than any other plugin interface that can accept > both Free and non-Free plugins - for example glibc NSS, PAM, GStreamer, > Firefox NPAPI, kernel modules, and OpenGL/EGL/Vulkan drivers. > > I understand your desire to avoid DRM, but I don't think opening > release-critical bugs requesting that features are removed from our > builds of Firefox is an appropriate way to go about it. ACK, so let's downgrade the severity. Cheers > > P.S. yes I know, having flash installed as a plugin is as bad as > > having EME enabled... > > In particular, I believe having the Flash NPAPI plugin installed means > your copy of Firefox already loads a DRM implementation, because there's > one in Flash. You might as well use one that is better-sandboxed, which > is the purpose of EME. > > S -- Sebastian Ramacher
Bug#837091: firefox-esr: EME DRM extention present and enabled
Using the firefox-esr package currently in stable, visiting any page with EME media causes a "you must enable DRM" nag bar to be displayed with an "enable DRM" button. A single click enables DRM and causes the proprietary wildvine plugin to be downloaded, installed, and executed. There is no setting that disables this nag box or prevents it from installing the plugin. Example page: https://bitmovin.com/demos/drm There's no way this behavior is appropriate for a package in "main".
Bug#837091: firefox-esr: EME DRM extention present and enabled
On Thu, 08 Sep 2016 at 20:14:28 +0200, Tjeerd Pinkert wrote: > after reading up a bit (late(ly)) on the W3C EME proposed standard for > embedding of DRM managed content in web pages, I decided to have a > look if it is present in the firefox browser [...] > I think the presence of code that requires closed source components to > function, might violate the DFSG for the main section? On the other > hand, no package relation is available in the non-free section as far > as I see that is actively depended on. If a decision has been taken on > this already, then please close. I don't see a freeness problem here. Firefox with the EME API enabled at compile time, but no CDM (DRM implementation) installed, is presumably no less functional than Firefox with the EME API disabled at compile time - so the CDM is not a dependency, because Firefox without a CDM is a perfectly acceptable web browser (just missing an optional feature). If we shipped CDMs in non-free, I don't think Firefox would have a stronger relationship to them than Suggests (or more likely, the CDMs would declare an Enhances relationship on Firefox, which means the same thing). Packages in main are allowed to have Suggests on non-free or even not-in-Debian packages, just not (Pre-)Depends or Recommends. Free CDMs do seem to exist - https://github.com/fraunhoferfokus/open-content-decryption-module is one example. It is fairly likely that content publishers will not actually *use* those CDMs, but that's between you and the content providers whose products you choose to buy. So from a freeness point of view, this doesn't seem any worse than any other plugin interface that can accept both Free and non-Free plugins - for example glibc NSS, PAM, GStreamer, Firefox NPAPI, kernel modules, and OpenGL/EGL/Vulkan drivers. I understand your desire to avoid DRM, but I don't think opening release-critical bugs requesting that features are removed from our builds of Firefox is an appropriate way to go about it. > P.S. yes I know, having flash installed as a plugin is as bad as > having EME enabled... In particular, I believe having the Flash NPAPI plugin installed means your copy of Firefox already loads a DRM implementation, because there's one in Flash. You might as well use one that is better-sandboxed, which is the purpose of EME. S
Bug#837091: firefox-esr: EME DRM extention present and enabled
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Package: firefox-esr Version: 45.3.0esr-1~deb8u1 Severity: serious Tags: security upstream Justification: Policy 2.2.1 must comply with the DFSG Dear Maintainer, after reading up a bit (late(ly)) on the W3C EME proposed standard for embedding of DRM managed content in web pages, I decided to have a look if it is present in the firefox browser. about:config shows the following: media.eme.apiVisible;true media.eme.enabled;true I think the presence of code that requires closed source components to function, might violate the DFSG for the main section? On the other hand, no package relation is available in the non-free section as far as I see that is actively depended on. If a decision has been taken on this already, then please close. I have not found this in the system for the firefox-esr package, I did find bug 748342 (iceweasel), and the upstream bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1011459 and a discussion at: http://forums.debian.net/viewtopic.php?f=20&t=114687 First of all I disabled the function by setting the above values to: false. It would be better to have support for EME removed altogether to be free of any possible legal issues arising from DRM enabled software. Yours, Tjeerd Pinkert P.S. yes I know, having flash installed as a plugin is as bad as having EME enabled... Trying to block as much as possible though... - -- Package-specific info: - -- Extensions information Name: Adblock Plus Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{d1 0d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} Package: xul-ext-adblock-plus Status: enabled Name: Cookie Monster Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{45 d8ff86-d909-11db-9705-005056c8} Package: xul-ext-cookie-monster Status: enabled Name: Default theme Location: /usr/lib/firefox-esr/browser/extensions/{972ce4c6-7e08-4474-a285-3208198 ce6fd}.xpi Package: firefox-esr Status: enabled Name: DOM Inspector Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/ins pec...@mozilla.org Package: xul-ext-dom-inspector Status: enabled Name: Element Hiding Helper for Adblock Plus Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/ele mhidehel...@adblockplus.org Package: xul-ext-adblock-plus-element-hiding-helper Status: enabled Name: English (GB) Language Pack locale Location: /usr/lib/firefox-esr/browser/extensions/langpack-en-GB@firefox-esr.mozil la.org.xpi Package: firefox-esr-l10n-en-gb Status: enabled Name: Firefox Hello Beta Location: ${PROFILE_EXTENSIONS}/l...@mozilla.org.xpi Status: enabled Name: Flashblock Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{3d 7eb24f-2740-49df-8937-200b1cc08f8a} Package: xul-ext-flashblock Status: enabled Name: FlashGot Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{19 503e42-ca3c-4c27-b1e2-9cdb2170ee34} Package: xul-ext-flashgot Status: enabled Name: Lightbeam Location: ${PROFILE_EXTENSIONS}/jid1-f9uj2thwoam...@jetpack.xpi Status: enabled Name: Nederlands (NL) Language Pack locale Location: /usr/lib/firefox-esr/browser/extensions/langpack-nl@firefox-esr.mozilla. org.xpi Package: firefox-esr-l10n-nl Status: enabled Name: NoScript Location: ${PROFILE_EXTENSIONS}/{73a6fe31-595d-460b-a920-fcc0f8843232}.x pi Status: enabled - -- Plugins information Name: Gnome Shell Integration Location: /usr/lib/mozilla/plugins/libgnome-shell-browser-plugin.so Package: gnome-shell Status: disabled Name: iTunes Application Detector Location: /usr/lib/mozilla/plugins/librhythmbox-itms-detection-plugin.so Package: rhythmbox-plugins Status: disabled Name: Shockwave Flash (11.2.202.632) Location: /usr/lib/flashplugin-nonfree/libflashplayer.so Status: enabled - -- Addons package information ii firefox-esr45.3.0esr-1~ amd64Mozilla Firefox web browser - Ext ii firefox-esr-l1 45.3.0esr-1~ all English (United Kingdom) language ii firefox-esr-l1 45.3.0esr-1~ all Dutch language package for Firefo ii gnome-shell3.14.4-1~deb amd64graphical shell for the GNOME des ii rhythmbox-plug 3.1-1amd64plugins for rhythmbox music playe ii xul-ext-adbloc 2.6.6+dfsg-1 all advertisement blocking extension ii xul-ext-adbloc 1.3-1all companion for Adblock Plus to cre ii xul-ext-cookie 1.2.0-1 all manage cookies in a whitelist-bas ii xul-ext-dom-in 1:2.0.14-1 all tool for inspecting the DOM of we ii xul-ext-flashb 1.5.18-1 all Mozilla extension to block Adobe ii xul-ext-flashg 1.5.6.7+dfsg all Extension to handle downloads wit - -- System Information: Debian Release: 8.5 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US