[Desktop-packages] [Bug 1827717] Re: Normandy remote control should be disabled by default
If you feel uncomfortable with that functionality, you should turn it off (that's a totally respectable concern). Or use a different browser that doesn't have this sort of mechanism.

For the vast majority of Ubuntu users though, it makes sense for the feature to be enabled by default. Security is often a matter of trust, so it all boils down to whether we trust Mozilla to use the feature in a sensible way.

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1827717

Title:
  Normandy remote control should be disabled by default

Status in firefox package in Ubuntu:
  Opinion

Bug description:
  While sure useful as a way to remedy the add-on intermediate signing certificate expiry issue Mozilla has created (https://bugzilla.mozilla.org/show_bug.cgi?id=1548973), I really think Normandy should be disabled in Ubuntu by default:

  Normandy is a collection of servers, workflows, and Firefox components that enables Mozilla to remote control Firefox clients in the wild based on precise criteria.
  https://mozilla.github.io/normandy/

  Reasoning: Software installed via APT should have defined states, software should not be allowed to change itself, unless the user has actively chosen to enable such functionality and this functionality points out, for the user, that it has this capability.

  The current default preference (per about:config) is:
  app.normandy.enabled;true

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1827717/+subscriptions

--
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
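An added example, not part of the thread and not Firefox or Ubuntu code: a small Python audit that reports whether a profile still runs with the default `app.normandy.enabled;true` quoted in the bug description or carries a user override. It assumes the usual `prefs.js` and `user.js` files in profiles under `~/.mozilla/firefox` and does not cover policy or autoconfig locks; the function names and sample contents are constructed for illustration.

```python
import re
from pathlib import Path

PREF = "app.normandy.enabled"
PACKAGED_DEFAULT = True  # default reported in the bug description (about:config)

# Matches lines such as: user_pref("app.normandy.enabled", false);
# Anchored at line start, so commented-out entries are ignored.
USER_PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"(?P<name>[^"]+)"\s*,\s*(?P<value>true|false)\s*\)\s*;',
    re.MULTILINE,
)

def read_bool_pref(text, name=PREF):
    """Return the last boolean value set for `name` in a prefs file, or None."""
    value = None
    for m in USER_PREF_RE.finditer(text):
        if m.group("name") == name:
            value = m.group("value") == "true"
    return value

def effective_setting(prefs_js="", user_js=""):
    """user.js is applied on top of prefs.js at startup, so it is checked first."""
    for source, text in (("user.js", user_js), ("prefs.js", prefs_js)):
        value = read_bool_pref(text)
        if value is not None:
            return value, source
    return PACKAGED_DEFAULT, "default"

def audit_profile(profile_dir):
    """Audit one profile directory on disk (missing files count as empty)."""
    def load(name):
        path = Path(profile_dir) / name
        return path.read_text(errors="replace") if path.is_file() else ""
    return effective_setting(load("prefs.js"), load("user.js"))

# Constructed sample file contents, not taken from a real system.
SAMPLE_UNTOUCHED = 'user_pref("browser.startup.page", 3);\n'
SAMPLE_OPTED_OUT = 'user_pref("app.normandy.enabled", false);\n'

if __name__ == "__main__":
    print(effective_setting(SAMPLE_UNTOUCHED))
    print(effective_setting(SAMPLE_UNTOUCHED, SAMPLE_OPTED_OUT))
    # Assumed profile location; other packagings may store profiles elsewhere.
    for profile in Path.home().glob(".mozilla/firefox/*"):
        if profile.is_dir():
            print(profile.name, audit_profile(profile))
```

A result of `(True, "default")` means the profile has no override and Normandy is active as shipped.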
[Desktop-packages] [Bug 1827717] Re: Normandy remote control should be disabled by default
Normandy can remotely change the functionality and behavior and preferences of Firefox installations, though. It can silently install extensions which may not be listed at about:addons.

I agree that is not remote root access (not immediately, anyway), but the fact that such a powerful remotely controllable feature is enabled by default, without the user being asked for explicit opt-in, is still very troubling from my perspective. And so is your response, I might add.
[Desktop-packages] [Bug 1827717] Re: Normandy remote control should be disabled by default
> Reasoning: Software installed via APT should have defined states, software
> should not be allowed to change itself, unless the user has actively chosen
> to enable such functionality and this functionality points out, for the
> user, that it has this capability.

Normandy won't alter the packages installed by apt (that would mean that it runs as root, which would definitely be a security problem).
The mechanism allows Mozilla to roll out preference changes, which will alter only the user's profile.

As you pointed out, this made it possible to mitigate bug #1827727 quite effectively, which rather advocates for keeping it enabled by default.

** Changed in: firefox (Ubuntu)
       Status: Confirmed => Opinion
[Desktop-packages] [Bug 1827717] Re: Normandy remote control should be disabled by default
Confirmed it was enabled by default for me on 18.04 as well.
[Desktop-packages] [Bug 1827717] Re: Normandy remote control should be disabled by default
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: firefox (Ubuntu)
       Status: New => Confirmed