Policy question re Firefox binary blob auto-download

[Sakaki]

This is a 'policy' question I guess. It concerns "sliently-auto-downloaded-on-first-run" binary blobs.

This behaviour has been 'pioneered' by Firefox (e.g. in the ~amd64 v38), as a way to get around patent licensing restrictions, in this case, for an H264 video codec.

When first run, (>= v33) Firefox will, without prompting the user before or after, silently download and excute a 1MB binary blob from Cisco.

While the source to the blob is provided (BSD-licensed), the blob itself has additional license conditions (text here).

Well, I don't like blobs in principle, and I don't want it on my machine. Call me paranoid, but there it is.

So, what can I do about this?

Well, thanks to AxS, I can disable the gmp-autoupdate USE flag for the Firefox ebuild. That's good, but by default (in IUSE) this flag is enabled, so users upgrading to v38 (when it stabilizes) are going to get the blob, probably without realizing it has happened (I just moved a box from stable to ~amd64, and it happened to me - I caught the download on wireshark, otherwise I'd have had no idea it'd happened).

I have ACCEPT_LICENSE="-* @FREE" in make.conf, but at the moment that won't protect me against this behaviour either.

So my (policy) question is: if a package, on first use, deterministically pulls in a binary blob without asking the user, should it be treated in Gentoo as if it shipped with that blob, for the purposes of LICENSE and sanitary USE-flag defaults?

Interestingly, Fedora seem to have taken the view that it should (for their distro), and have disabled the auto-download behaviour by default.

I'd be interested to hear what others think about this.

[tclover]

This is very annoying to have binary download without any notice! What else could be pulled in with this? Malicious code could be inserted in the binary and possibly in the network transaction. The extra license which prohibit binary distribution should be included at least beforehand to deal with this, so users would be warned.

This is simply unacceptable.

Moreover, there is a package in the official tree providing OpenH264 with a Gecko plugin, so, this should be simply disabled by brute force if necessary [irony].

EDIT: Darn... the worst is,--from a Firefox user point of view,--I don't watch any video online and play rarely audio media. I don't wanna flash $#*! all the time, so, I am just gonna got the intrusive hacks without any benefit.

[Apheus]

I would like a definitive policy against this, too. I update using webrsync-gpg, which means software is protected by the gentoo release engineering pgp key. The blob is downloaded via https, which is only as secure as the weakest ca (diginotar anyone?).

I have /home mounted noexec, and the day-to-day user tpe restricted, so it should not work anyway. But I would like to watch youtube videos without flash, and some videos do not have a webm version, unfortunately.

There is a global package media-libs/openh264 (masked), but the older version does not work with firefox 38, and version 1.3.1 installs broken symlinks "libopenh264.so" to a nonexistant "libopenh264.so.0". A crude symlink hack in the firefox profile is needed anyway.

I sure hope this will develop in a sane direction, I stay tuned.

[tclover]

But I would like to watch youtube videos without flash, and some videos do not have a webm version, unfortunately.

Use youtube-dl in combination with your favorite video player. mpv has some fancy features with ydl... an be done with the numerous holes of flash.

[tld]

It speaks volumes that we have to worry about BS like this from an open source project. It's getting as though the whole wold is turning into Windows....

[Apheus]

Use youtube-dl in combination with your favorite video player.

Thanks. I have Video Downloadhelper installed, which is fine for easy downloading. But when watching youtube on the big screen with friends, the bluetooth keyboard is a bit of a hassle. And the whole linux ecosystem has the stigma of "not ready for prime time" on the desktop anyway. So I want the real thing, not a workaround.

[tclover]

Use youtube-dl in combination with your favorite video player.

Thanks. I have Video Downloadhelper installed, which is fine for easy downloading. But when watching youtube on the big screen with friends, the bluetooth keyboard is a bit of a hassle. And the whole linux ecosystem has the stigma of "not ready for prime time" on the desktop anyway. So I want the real thing, not a workaround.

What are talking about?! You want to watch a video from youtube(tm) or not? Fine. Choose your fav' way to do that with "numerous security holes inside by design(tm)". I am not talking about a "false" thing, only a more secure alternative without Google monitoring(tm). That's all.

[Apheus]

Sorry, I did not want to sound offending.

[tclover]

Sorry, I did not want to sound offending.

You don't have to and you should not because there is no offense. I've just highlighted the implications of js+flash. You've already made a choice... be it. You, still, have a choice, so choose wisely--or do not bring the "security holes by design(tm)" forward when you prety much agreed to... have 'em in the first place.

[tclover]

Google Chrome Listening In To Your Room Shows The Importance Of Privacy Defense In Depth

1) Yes, we’re downloading and installing a wiretapping black-box to your computer. But we’re not actually activating it. We did take advantage of our position as trusted upstream to stealth-insert code into open-source software that installed this black box onto millions of computers, but we would never abuse the same trust in the same way to insert code that activates the eavesdropping-blackbox we already downloaded and installed onto your computer without your consent or knowledge. You can look at the code as it looks right now to see that the code doesn’t do this right now.

2) Yes, Chromium is bypassing the entire source code auditing process by downloading a pre-built black box onto people’s computers. But that’s not something we care about, really. We’re concerned with building Google Chrome, the product from Google. As part of that, we provide the source code for others to package if they like. Anybody who uses our code for their own purpose takes responsibility for it. When this happens in a Debian installation, it is not Google Chrome’s behavior, this is Debian Chromium’s behavior. It’s Debian’s responsibility entirely.

3) Yes, we deliberately hid this listening module from the users, but that’s because we consider this behavior to be part of the basic Google Chrome experience. We don’t want to show all modules that we install ourselves.

Now I understand Mozilla... as this house became pretty much a copycat of Google, so they following suite [irony inside].

[Tony0945]

Wow! Is this stealth code in firefox-bin as well? Or have our devs removed it?

[Apheus]

Wow! Is this stealth code in firefox-bin as well? Or have our devs removed it?

Removing something from firefox-bin and distributing it under the name "firefox" or with mozilla branding would be a license violation. And the last post is about google-chrome. Do you refer to www-client/firefox, or www-client/chromium, maybe?

[Tony0945]

Sakaki said:

When first run, (>= v33) Firefox will, without prompting the user before or after, silently download and excute a 1MB binary blob from Cisco.

[Apheus]

Sakaki said:

When first run, (>= v33) Firefox will, without prompting the user before or after, silently download and excute a 1MB binary blob from Cisco.

Yes, and firefox-bin does the same, of course. *-bin is unmodified upstream package. If gentoo devs want to remove something, they can only do so with firefox (without "bin"), for licensing reasons. I personally would like a default pref "media.gmp-provider.enabled=false".

[haarp]

EDIT: Darn... the worst is,--from a Firefox user point of view,--I don't watch any video online and play rarely audio media. I don't wanna flash $#*! all the time, so, I am just gonna got the intrusive hacks without any benefit.

Cisco's binary codec can't do any useful playback anyway, you're not losing anything by disabling it.

https://forums.gentoo.org/viewtopic-p-7 ... ml#7692772

[tclover]

EDIT: Darn... the worst is,--from a Firefox user point of view,--I don't watch any video online and play rarely audio media. I don't wanna flash $#*! all the time, so, I am just gonna got the intrusive hacks without any benefit.

Cisco's binary codec can't do any useful playback anyway, you're not losing anything by disabling it.

https://forums.gentoo.org/viewtopic-p-7 ... ml#7692772

That's not the problem with that kind of incognito craft behind the doors... I don't think anybody care, at least, I do not the least. Are you doing this on purpose? I mean push the discussion to uselfulness when the topic is the... intrusion hacks? The disable-abilty of it all is nill here. (Ref: Previous post about Chrom* craft if the intent was not clear from the beginning or... what you're exactly saying--"not really useful but still downloaded" on your back, well nothing surprise me with open wire-tape anyway.)

[haarp]

Of course that should not be allowed. I never questioned that. All I'm saying is that you're not even losing anything by ripping out the blobs.

[tclover]

In response to

the-future-of-developing-firefox-add-ons
With the recent controversy about the removal of XUL and XPCOM in Firefox, and several add-on authors refusing to update (eg. [url=ttp://www.downthemall.net/the-likely-end-of-downthemall/]DownThemAll[/url]), I'm somewhat concerned:
In which ways will this affect the pentadactyl project? Are you going to migrate to the new WebExtension API? Would such a thing even be possible?

from this pentadctyl issue #82

Clearly Mozilla want to make some bucks with the new hype with a completely void corpse. Good luck to 'em then! Well, I'll stick to the current ESR version for a year at least, and keep it as long as possible untill I got something workable elsewhere -- no Google backdoors(TM) wanted here... sorry. I guess I will have to say good bye to this damn awesome add-on along with NoScript, FashGOT et al.

BIG THANKS 'till the end of the end -- meaning when 38.8.0 will hit the release table... and then a bit more 'till security-wise no more functional nor practicable. So, yes, a year and a few mounths. Again, THANKS for this awesome add-on. NOTE: Should we mourn...? let's laugh to pitfall of Mozilla instead! Firefox was killed since v4 with that huge PR and plans to supposedly catch up Chrome. -- Surely in the PITA GUI and smelly crufts reviewed openly by BIG EYE/DISK. I guess some no-brain and noob-skull from M$ would/will be happy to get a fancy Mozilla backdoors(TM). Without me for sure.

PS: Just reposting it here in case some Gentoo Users missed the news and thus... miss this momentum celebration of a dead corpse. GAME OVER or SET!

[steveL]

This is a 'policy' question I guess. It concerns "sliently-auto-downloaded-on-first-run" binary blobs.
..
So, what can I do about this?

Well, thanks to AxS, I can disable the gmp-autoupdate USE flag for the Firefox ebuild. That's good, but by default (in IUSE) this flag is enabled, so users upgrading to v38 (when it stabilizes) are going to get the blob, probably without realizing it has happened (I just moved a box from stable to ~amd64, and it happened to me - I caught the download on wireshark, otherwise I'd have had no idea it'd happened).

I have ACCEPT_LICENSE="-* @FREE" in make.conf, but at the moment that won't protect me against this behaviour either.

So my (policy) question is: if a package, on first use, deterministically pulls in a binary blob without asking the user, should it be treated in Gentoo as if it shipped with that blob, for the purposes of LICENSE and sanitary USE-flag defaults?

Absolutely. This is not a technical-development question, this is a legal question, so don't let any spurious "technical" objections stand: dismiss them forthwith as irrelevant.

You are 100% correct that the USE flag should be disabled by default (the norm) rather than +enabled in the ebuild.

Personally I wouldn't even allow the option, but the description should make it loud and clear that enabling it, means that firefox will download and execute a blob without asking as soon as you use it.

[Tony0945]

I tried changing from ACCEPT_LICENSE="* AdobeFlash-11.1" to ACCEPT_LICENSE="-* @FREE"

The result was

!!! The following installed packages are masked:
- media-fonts/corefonts-1-r7::gentoo (masked by: MSttfEULA license(s))
A copy of the 'MSttfEULA' license is located at '/usr/portage/licenses/MSttfEULA'.

- sys-kernel/gentoo-sources-4.1.4::gentoo (masked by: freedist license(s))
A copy of the 'freedist' license is located at '/usr/portage/licenses/freedist'.

- www-client/opera-12.16_p1860-r1::gentoo (masked by: OPERA-12 license(s))
A copy of the 'OPERA-12' license is located at '/usr/portage/licenses/OPERA-12'.

- sys-firmware/ivtv-firmware-20080701-r1::gentoo (masked by: Hauppauge-Firmware license(s))
A copy of the 'Hauppauge-Firmware' license is located at '/usr/portage/licenses/Hauppauge-Firmware'.

- app-arch/unrar-5.1.6::gentoo (masked by: unRAR license(s))
A copy of the 'unRAR' license is located at '/usr/portage/licenses/unRAR'.

- sys-kernel/tuxonice-sources-4.0.5::gentoo (masked by: freedist license(s))
- media-fonts/bitstream-cyberbit-2.0::gentoo (masked by: BitstreamCyberbit license(s))
A copy of the 'BitstreamCyberbit' license is located at '/usr/portage/licenses/BitstreamCyberbit'.

- x11-themes/adwaita-icon-theme-3.14.1-r1::gentoo (masked by: || ( ) CC-Sampling-Plus-1.0 license(s))
A copy of the 'CC-Sampling-Plus-1.0' license is located at '/usr/portage/licenses/CC-Sampling-Plus-1.0'.

- x11-drivers/radeon-ucode-20140823::gentoo (masked by: radeon-ucode license(s))
A copy of the 'radeon-ucode' license is located at '/usr/portage/licenses/radeon-ucode'.

- media-gfx/xv-3.10a-r16::gentoo (masked by: xv license(s))
A copy of the 'xv' license is located at '/usr/portage/licenses/xv'.

- sys-kernel/gentoo-sources-4.1.5::gentoo (masked by: freedist license(s))
- sys-kernel/gentoo-sources-4.1.2::gentoo (masked by: freedist license(s))
- sys-kernel/gentoo-sources-4.0.5::gentoo (masked by: freedist license(s))
- media-tv/linuxtv-dvb-firmware-2009.09.19::gentoo (masked by: freedist all-rights-reserved license(s))
A copy of the 'all-rights-reserved' license is located at '/usr/portage/licenses/all-rights-reserved'.

- x11-themes/gnome-icon-theme-3.12.0::gentoo (masked by: || ( ) CC-Sampling-Plus-1.0 license(s))
- www-client/opera-beta-32.0.1948.4::gentoo (masked by: OPERA-2014 license(s))
A copy of the 'OPERA-2014' license is located at '/usr/portage/licenses/OPERA-2014'.
- sys-firmware/ivtv-firmware-20080701-r1::gentoo (masked by: Hauppauge-Firmware license(s))
A copy of the 'Hauppauge-Firmware' license is located at '/usr/portage/licenses/Hauppauge-Firmware'.

- app-arch/unrar-5.1.6::gentoo (masked by: unRAR license(s))
A copy of the 'unRAR' license is located at '/usr/portage/licenses/unRAR'.

- sys-kernel/tuxonice-sources-4.0.5::gentoo (masked by: freedist license(s))
- media-fonts/bitstream-cyberbit-2.0::gentoo (masked by: BitstreamCyberbit license(s))
A copy of the 'BitstreamCyberbit' license is located at '/usr/portage/licenses/BitstreamCyberbit'.

- x11-themes/adwaita-icon-theme-3.14.1-r1::gentoo (masked by: || ( ) CC-Sampling-Plus-1.0 license(s))
A copy of the 'CC-Sampling-Plus-1.0' license is located at '/usr/portage/licenses/CC-Sampling-Plus-1.0'.

- x11-drivers/radeon-ucode-20140823::gentoo (masked by: radeon-ucode license(s))
A copy of the 'radeon-ucode' license is located at '/usr/portage/licenses/radeon-ucode'.

- media-gfx/xv-3.10a-r16::gentoo (masked by: xv license(s))
A copy of the 'xv' license is located at '/usr/portage/licenses/xv'.

- sys-kernel/gentoo-sources-4.1.5::gentoo (masked by: freedist license(s))
- sys-kernel/gentoo-sources-4.1.2::gentoo (masked by: freedist license(s))
- sys-kernel/gentoo-sources-4.0.5::gentoo (masked by: freedist license(s))
- media-tv/linuxtv-dvb-firmware-2009.09.19::gentoo (masked by: freedist all-rights-reserved license(s))
A copy of the 'all-rights-reserved' license is located at '/usr/portage/licenses/all-rights-reserved'.

- x11-themes/gnome-icon-theme-3.12.0::gentoo (masked by: || ( ) CC-Sampling-Plus-1.0 license(s))
- www-client/opera-beta-32.0.1948.4::gentoo (masked by: OPERA-2014 license(s))
A copy of the 'OPERA-2014' license is located at '/usr/portage/licenses/OPERA-2014'.

- sys-kernel/gentoo-sources-4.1.6::gentoo (masked by: freedist license(s))
- www-plugins/adobe-flash-11.2.202.508::gentoo (masked by: AdobeFlash-11.x license(s))
A copy of the 'AdobeFlash-11.x' license is located at '/usr/portage/licenses/AdobeFlash-11.x'.

- media-libs/faac-1.28-r4::gentoo (masked by: MPEG-4 license(s))
A copy of the 'MPEG-4' license is located at '/usr/portage/licenses/MPEG-4'.

- sys-kernel/gentoo-sources-4.1.3::gentoo (masked by: freedist license(s))
- media-fonts/ipamonafont-1.0.8::gentoo (masked by: grass-ipafonts license(s))
A copy of the 'grass-ipafonts' license is located at '/usr/portage/licenses/grass-ipafonts'.

- dev-java/oracle-jre-bin-1.8.0.51::gentoo (masked by: Oracle-BCLA-JavaSE license(s))
A copy of the 'Oracle-BCLA-JavaSE' license is located at '/usr/portage/licenses/Oracle-BCLA-JavaSE'.

That would render my computer pretty much unusable without a web browser, the TV card useless, and not even a kernel!

Dumping the ADOBE license makes some sense, Firefox won't even use it anyway. I'm starting to use Opera-Beta more and more. I hate the interface but at least video and HTML5 work.

[saellaven]

BIG THANKS 'till the end of the end -- meaning when 38.8.0 will hit the release table... and then a bit more 'till security-wise no more functional nor practicable. So, yes, a year and a few mounths. Again, THANKS for this awesome add-on. NOTE: Should we mourn...? let's laugh to pitfall of Mozilla instead! Firefox was killed since v4 with that huge PR and plans to supposedly catch up Chrome. -- Surely in the PITA GUI and smelly crufts reviewed openly by BIG EYE/DISK. I guess some no-brain and noob-skull from M$ would/will be happy to get a fancy Mozilla backdoors(TM). Without me for sure.

PS: Just reposting it here in case some Gentoo Users missed the news and thus... miss this momentum celebration of a dead corpse. GAME OVER or SET!

I switched over to palemoon (from the palemoon overlay). Most of the firefox addons work (those that don't are broken because of the interface changes in the newer versions of firefox and there are palemoon specific versions of a couple of the ones that are broken).

[tclover]

I switched over to palemoon (from the palemoon overlay). Most of the firefox addons work (those that don't are broken because of the interface changes in the newer versions of firefox and there are palemoon specific versions of a couple of the ones that are broken).

Thanks... palemoon.. "yes but" I am/was reluctant about it for no apparent reason but the lack any notable developement since the fork. Yet, firefox became monstruously big with recent changes. So, I guess, notable developement would require noticeable dev crew to... take care of it. And Mozilla was not shy at all to over complicate things to make their monopoly unavoidable and unescapable.

I'll take a look, again, in a near futur. Or else, trying www-client/vimb, www-client/vimprobable2 and maybe a more GUI oriented for others people should be an unescapable step. Sigh, it's just the cost of that mounstruously big webkit-gtk:2 that's annoy me the most which cost more copiling power than any Firefox compiled to my HW 'till today.

Or else, giving dillo a chance for the GUI oriented browser would suffice which does take a few second to compile. And then rely to a more minimalistic and why not text based browser? LOL This might be what await me in 2016! Big issue would be HTML5... Well then, it seems back listing a few HTML5 web-sites would be necessary 'till something good happen.

[Tony0945]

I switched over to palemoon (from the palemoon overlay). Most of the Firefox addons work (those that don't are broken because of the interface changes in the newer versions of firefox and there are palemoon specific versions of a couple of the ones that are broken).

I never heard of this before. I have it building on one box now. It requires a monstrous 12G on /var/tmp/portage so I had to unmount the tmpfs, it's "only" 6G. However, I downloaded the XP version on the dual-boot machine and profile converter worked. I've been testing it for half an hour and it's like old firefox reborn, but with HTML5 support. I LOVE it. Hope the Linux version works as well. Also hope they are not in the release of the month club, i.e. are professional.

Many thanks!

Adblock Plus wasn't compatible, but I only have it because of those annoying pop-ups that float all over your screen. I haven't seen them yet. Ghostery appears to be working. I say "appears" because during the conversion there was a message that Ghostery is incompatible, yet it seems to be working. All this from the baby Atom/XP version. The Linux version is still building. The palemoon notes say that only the default profile can be converted. I run three profiles on Gentoo. Any hints how to convert the other two?

[saellaven]

I switched over to palemoon (from the palemoon overlay). Most of the Firefox addons work (those that don't are broken because of the interface changes in the newer versions of firefox and there are palemoon specific versions of a couple of the ones that are broken).

I never heard of this before. I have it building on one box now. It requires a monstrous 12G on /var/tmp/portage so I had to unmount the tmpfs, it's "only" 6G. However, I downloaded the XP version on the dual-boot machine and profile converter worked. I've been testing it for half an hour and it's like old firefox reborn, but with HTML5 support. I LOVE it. Hope the Linux version works as well. Also hope they are not in the release of the month club, i.e. are professional.

Many thanks!

Adblock Plus wasn't compatible, but I only have it because of those annoying pop-ups that float all over your screen. I haven't seen them yet. Ghostery appears to be working. I say "appears" because during the conversion there was a message that Ghostery is incompatible, yet it seems to be working. All this from the baby Atom/XP version. The Linux version is still building. The palemoon notes say that only the default profile can be converted. I run three profiles on Gentoo. Any hints how to convert the other two?

Palemoon forked Firefox at 24 and has kept up with some of the changes since then... but one of the primary purposes of the fork was to keep the interface stable. They can pull something good in from Firefox pretty much any time they want, so it doesn't need a ton of developers, though the developers have done things to improve security that Firefox hadn't done themselves yet.

Ghostery seems to work just fine for me despite it saying it doesn't work (that said, I've recently switched to disconnect). Adblock Plus isn't compatible because of issues with the interface, so they forked that into Adblock Latitude (see: https://addons.palemoon.org/ and https://addons.palemoon.org/resources/incompatible/ ).

As for converting profiles, I only use one myself, but there shouldn't be much profile work to convert, so I imagine you should just be able to copy them over to .moonchild\ productions/pale\ moon/ just like you were copying a Firefox profile to a new directory/system.


I've been using it as my browser for months now and the only issues I've run into, are weak security being disabled by default in palemoon, while needing to re-enable it for a couple sites that are still using a weak SSL key.

[Tony0945]

It took 75 minutes to build on an Athlon II X3 at 3.0 Ghz!. I then ran quickpkg and am going to try it on the dual boot machine which is Phenom II X6, both are k10, the Phenom II just has more cache and three more cores so the binary package should work. The profile converter is an exe file, but what I really want to transfer are the passwords and bookmarks, so I'm going to try the FEBE add on that I used to transfer those from Windows to Gentoo.

Firefox was getting too weird, trying to turn itself into Chrome. Firefox 2, the theme reloaded, was compatible with both the XP and Linux versions. I ran speedtest from www.dslreports.com on both versions and they ran well, so HTML5 is working. If anyone wants the K10 binary package, I can send it if they can accept a 25Meg file.

I already had the proper version of wxwidgets but that to re-emerge it with -odbc flag. The 75 minutes is for building Palemoon only, not the dependencies. I had to start the build several times (also not included) because of a download failure on an xpi file. The time is from "time emerge palemoon" 75 minutes, 49 and a fraction seconds. Good thing i had yard work to do.