Bug#837091: firefox-esr: EME DRM extention present and enabled

2023-02-22 Thread Sebastian Ramacher
Control: severity -1 normal

On 2017-05-27 13:47:45 +0100, Simon McVittie wrote:
> On Thu, 08 Sep 2016 at 20:14:28 +0200, Tjeerd Pinkert wrote:
> > after reading up a bit (late(ly)) on the W3C EME proposed standard for
> > embedding of DRM managed content in web pages, I decided to have a
> > look if it is present in the firefox browser
> [...]
> > I think the presence of code that requires closed source components to
> > function, might violate the DFSG for the main section? On the other
> > hand, no package relation is available in the non-free section as far
> > as I see that is actively depended on. If a decision has been taken on
> > this already, then please close.
> 
> I don't see a freeness problem here.
> 
> Firefox with the EME API enabled at compile time, but no CDM (DRM
> implementation) installed, is presumably no less functional than Firefox
> with the EME API disabled at compile time - so the CDM is not a
> dependency, because Firefox without a CDM is a perfectly acceptable web
> browser (just missing an optional feature). If we shipped CDMs in
> non-free, I don't think Firefox would have a stronger relationship to
> them than Suggests (or more likely, the CDMs would declare an Enhances
> relationship on Firefox, which means the same thing). Packages in main
> are allowed to have Suggests on non-free or even not-in-Debian packages,
> just not (Pre-)Depends or Recommends.
> 
> Free CDMs do seem to exist -
> https://github.com/fraunhoferfokus/open-content-decryption-module is one
> example. It is fairly likely that content publishers will not actually
> *use* those CDMs, but that's between you and the content providers whose
> products you choose to buy. So from a freeness point of view, this
> doesn't seem any worse than any other plugin interface that can accept
> both Free and non-Free plugins - for example glibc NSS, PAM, GStreamer,
> Firefox NPAPI, kernel modules, and OpenGL/EGL/Vulkan drivers.
> 
> I understand your desire to avoid DRM, but I don't think opening
> release-critical bugs requesting that features are removed from our
> builds of Firefox is an appropriate way to go about it.

ACK, so let's downgrade the severity.

Cheers

> > P.S. yes I know, having flash installed as a plugin is as bad as
> > having EME enabled...
> 
> In particular, I believe having the Flash NPAPI plugin installed means
> your copy of Firefox already loads a DRM implementation, because there's
> one in Flash. You might as well use one that is better-sandboxed, which
> is the purpose of EME.
> 
> S

-- 
Sebastian Ramacher



Bug#837091: firefox-esr: EME DRM extention present and enabled

2018-09-17 Thread Nat Tuck
Using the firefox-esr package currently in stable, visiting any page with EME
media causes a "you must enable DRM" nag bar to be displayed with an "enable
DRM" button. A single click enables DRM and causes the proprietary Widevine
plugin to be downloaded, installed, and executed. There is no setting that
disables this nag box or prevents it from installing the plugin.

Example page: https://bitmovin.com/demos/drm

There's no way this behavior is appropriate for a package in "main".



Bug#837091: firefox-esr: EME DRM extention present and enabled

2017-05-27 Thread Simon McVittie
On Thu, 08 Sep 2016 at 20:14:28 +0200, Tjeerd Pinkert wrote:
> after reading up a bit (late(ly)) on the W3C EME proposed standard for
> embedding of DRM managed content in web pages, I decided to have a
> look if it is present in the firefox browser
[...]
> I think the presence of code that requires closed source components to
> function, might violate the DFSG for the main section? On the other
> hand, no package relation is available in the non-free section as far
> as I see that is actively depended on. If a decision has been taken on
> this already, then please close.

I don't see a freeness problem here.

Firefox with the EME API enabled at compile time, but no CDM (DRM
implementation) installed, is presumably no less functional than Firefox
with the EME API disabled at compile time - so the CDM is not a
dependency, because Firefox without a CDM is a perfectly acceptable web
browser (just missing an optional feature). If we shipped CDMs in
non-free, I don't think Firefox would have a stronger relationship to
them than Suggests (or more likely, the CDMs would declare an Enhances
relationship on Firefox, which means the same thing). Packages in main
are allowed to have Suggests on non-free or even not-in-Debian packages,
just not (Pre-)Depends or Recommends.

Free CDMs do seem to exist -
https://github.com/fraunhoferfokus/open-content-decryption-module is one
example. It is fairly likely that content publishers will not actually
*use* those CDMs, but that's between you and the content providers whose
products you choose to buy. So from a freeness point of view, this
doesn't seem any worse than any other plugin interface that can accept
both Free and non-Free plugins - for example glibc NSS, PAM, GStreamer,
Firefox NPAPI, kernel modules, and OpenGL/EGL/Vulkan drivers.

I understand your desire to avoid DRM, but I don't think opening
release-critical bugs requesting that features are removed from our
builds of Firefox is an appropriate way to go about it.

> P.S. yes I know, having flash installed as a plugin is as bad as
> having EME enabled...

In particular, I believe having the Flash NPAPI plugin installed means
your copy of Firefox already loads a DRM implementation, because there's
one in Flash. You might as well use one that is better-sandboxed, which
is the purpose of EME.

S



Bug#837091: firefox-esr: EME DRM extention present and enabled

2016-09-08 Thread Tjeerd Pinkert
Package: firefox-esr
Version: 45.3.0esr-1~deb8u1
Severity: serious
Tags: security upstream
Justification: Policy 2.2.1 must comply with the DFSG

Dear Maintainer,

after reading up a bit (late(ly)) on the W3C EME proposed standard for
embedding of DRM managed content in web pages, I decided to have a
look if it is present in the firefox browser. about:config shows the
following:

media.eme.apiVisible;true
media.eme.enabled;true

I think the presence of code that requires closed source components to
function, might violate the DFSG for the main section? On the other
hand, no package relation is available in the non-free section as far
as I see that is actively depended on. If a decision has been taken on
this already, then please close.

I have not found this in the system for the firefox-esr package, I did
find bug 748342 (iceweasel), and the upstream bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1011459
and a discussion at:
http://forums.debian.net/viewtopic.php?f=20=114687

First of all I disabled the function by setting the above values to:
false.

It would be better to have support for EME removed altogether to be free
of any possible legal issues arising from DRM enabled software.

Yours,


Tjeerd Pinkert


P.S. yes I know, having flash installed as a plugin is as bad as
having EME enabled... Trying to block as much as possible though...


-- Package-specific info:

-- Extensions information
Name: Adblock Plus
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
Package: xul-ext-adblock-plus
Status: enabled

Name: Cookie Monster
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{45d8ff86-d909-11db-9705-005056c8}
Package: xul-ext-cookie-monster
Status: enabled

Name: Default theme
Location: /usr/lib/firefox-esr/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi
Package: firefox-esr
Status: enabled

Name: DOM Inspector
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/inspec...@mozilla.org
Package: xul-ext-dom-inspector
Status: enabled

Name: Element Hiding Helper for Adblock Plus
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/elemhidehel...@adblockplus.org
Package: xul-ext-adblock-plus-element-hiding-helper
Status: enabled

Name: English (GB) Language Pack locale
Location: /usr/lib/firefox-esr/browser/extensions/langpack-en-GB@firefox-esr.mozilla.org.xpi
Package: firefox-esr-l10n-en-gb
Status: enabled

Name: Firefox Hello Beta
Location: ${PROFILE_EXTENSIONS}/l...@mozilla.org.xpi
Status: enabled

Name: Flashblock
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{3d7eb24f-2740-49df-8937-200b1cc08f8a}
Package: xul-ext-flashblock
Status: enabled

Name: FlashGot
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
Package: xul-ext-flashgot
Status: enabled

Name: Lightbeam
Location: ${PROFILE_EXTENSIONS}/jid1-f9uj2thwoam...@jetpack.xpi
Status: enabled

Name: Nederlands (NL) Language Pack locale
Location: /usr/lib/firefox-esr/browser/extensions/langpack-nl@firefox-esr.mozilla.org.xpi
Package: firefox-esr-l10n-nl
Status: enabled

Name: NoScript
Location: ${PROFILE_EXTENSIONS}/{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
Status: enabled

-- Plugins information
Name: Gnome Shell Integration
Location: /usr/lib/mozilla/plugins/libgnome-shell-browser-plugin.so
Package: gnome-shell
Status: disabled

Name: iTunes Application Detector
Location: /usr/lib/mozilla/plugins/librhythmbox-itms-detection-plugin.so
Package: rhythmbox-plugins
Status: disabled

Name: Shockwave Flash (11.2.202.632)
Location: /usr/lib/flashplugin-nonfree/libflashplayer.so
Status: enabled


-- Addons package information
ii  firefox-esr    45.3.0esr-1~ amd64 Mozilla Firefox web browser - Ext
ii  firefox-esr-l1 45.3.0esr-1~ all   English (United Kingdom) language
ii  firefox-esr-l1 45.3.0esr-1~ all   Dutch language package for Firefo
ii  gnome-shell    3.14.4-1~deb amd64 graphical shell for the GNOME des
ii  rhythmbox-plug 3.1-1        amd64 plugins for rhythmbox music playe
ii  xul-ext-adbloc 2.6.6+dfsg-1 all   advertisement blocking extension
ii  xul-ext-adbloc 1.3-1        all   companion for Adblock Plus to cre
ii  xul-ext-cookie 1.2.0-1      all   manage cookies in a whitelist-bas
ii  xul-ext-dom-in 1:2.0.14-1   all   tool for inspecting the DOM of we
ii  xul-ext-flashb 1.5.18-1     all   Mozilla extension to block Adobe
ii  xul-ext-flashg 1.5.6.7+dfsg all   Extension to handle downloads wit

-- System Information:
Debian Release: 8.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale:
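
The about:config check from the original report (media.eme.enabled and media.eme.apiVisible), carried over to on-disk profiles, as an added example that is not part of the bug thread or of any Firefox or Debian tooling: it reads each profile's prefs.js and user.js and lists the profiles where either pref is not false. The ~/.mozilla/firefox location, the function names and the stand-in for the build defaults (true, as the report observed them) are assumptions of this example.

```python
import re
from pathlib import Path

# Preferences named in the report.
EME_PREFS = ("media.eme.enabled", "media.eme.apiVisible")

# Matches lines such as: user_pref("media.eme.enabled", false);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)


def parse_prefs(text):
    """Return {name: raw_value}; a later line for the same pref wins."""
    return {name: value for name, value in PREF_RE.findall(text)}


def effective_eme_prefs(profile_dir, defaults=None):
    """Resolve the EME prefs for one profile directory.

    user.js is applied on top of prefs.js at startup, so it is read last.
    `defaults` stands in for the build's defaults (assumed "true" here,
    matching what the report saw in about:config).
    """
    result = dict(defaults or {p: "true" for p in EME_PREFS})
    for fname in ("prefs.js", "user.js"):
        path = Path(profile_dir) / fname
        if path.is_file():
            parsed = parse_prefs(path.read_text(encoding="utf-8", errors="replace"))
            result.update({k: v for k, v in parsed.items() if k in EME_PREFS})
    return result


def profiles_with_eme_enabled(profiles_root):
    """List profile directory names where any EME pref is not 'false'."""
    flagged = []
    for profile in sorted(Path(profiles_root).iterdir()):
        if profile.is_dir():
            prefs = effective_eme_prefs(profile)
            if any(prefs[p] != "false" for p in EME_PREFS):
                flagged.append(profile.name)
    return flagged


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else Path.home() / ".mozilla/firefox"
    for name in profiles_with_eme_enabled(root):
        print("EME still enabled in profile:", name)
```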