So in case you haven't heard of it (or noticed about it), there was a kerfuffle in Firefox land recently about this:
https://www.theverge.com/2017/12/16/16784628/mozilla-mr-robot-arg-plugin-fir...
As part of a tie-in with an American TV show, Mozilla thought it'd be a great idea to silently install a cryptically-named addon in all(?) Firefox deployments. Which can't be turned off.
This is concerning enough - a Random Internet Person quoted in the article has a solid explanation as to why:
"There are several scary things about this:
- Unknown Mozilla developers can distribute addons to users without their permission
- Mozilla developers can distribute addons to users without their knowledge
- Mozilla developers themselves don't realise the consequences of doing this
- Experiments are not explicitly enabled by users
- Opening the addons window reverts configuration changes which disable experiments
- The only way to properly disable this requires fairly arcane knowledge Firefox preferences (lockpref(), which I'd never heard of until today)"
Mozilla's response is also, IMHO, rather worrying, because it seems to fail entirely to grasp how concerning this kind of action is, and seems concerned instead with self-justification and downplaying:
“Our goal with the custom experience we created with Mr. Robot was to engage our users in a fun and unique way,” a Mozilla representative said in a statement. “Real engagement also means listening to feedback. And so while the web extension/add-on that was sent out to Firefox users never collected any data, and had to be explicitly enabled by users playing the game before it would affect any web content, we heard from some of our users that the experience we created caused confusion.”
(FWIW I don't think that statement is even factually correct; I can't prove it with screenshots, but I'm pretty sure that when the addon appeared in my Firefox install, it was enabled, not disabled).
I think we should be concerned by this kind of behaviour on the part of the supplier of our default desktop browser, and we should express that concern to them. Assuming Fedora-as-a-project shares my concern, do we have a channel to communicate with them about this, and request assurances that they understand the seriousness of this, and that they have changed policies so that nothing like it will happen in future?
Thanks.
On Mon, Dec 18, 2017 at 09:55:26AM -0800, Adam Williamson wrote:
I think we should be concerned by this kind of behaviour on the part of the supplier of our default desktop browser, and we should express that concern to them. Assuming Fedora-as-a-project shares my concern, do we have a channel to communicate with them about this, and request assurances that they understand the seriousness of this, and that they have changed policies so that nothing like it will happen in future?
Is there a fundamental difference between this and, if, say, similar functionality were in the FF 57 release itself?
On 18 December 2017 at 13:08, Matthew Miller mattdm@fedoraproject.org wrote:
On Mon, Dec 18, 2017 at 09:55:26AM -0800, Adam Williamson wrote:
I think we should be concerned by this kind of behaviour on the part of the supplier of our default desktop browser, and we should express that concern to them. Assuming Fedora-as-a-project shares my concern, do we have a channel to communicate with them about this, and request assurances that they understand the seriousness of this, and that they have changed policies so that nothing like it will happen in future?
Is there a fundamental difference between this and, if, say, similar functionality were in the FF 57 release itself?
I am not sure I understand your question enough to formulate what difference you are wanting. Since the addon was distributed POST install without user intervention, it would seem yes there is a big difference. If it were installed in FF57 then I wouldn't install/update to that version. If it is 'pushed' post install then it means that just using the software means that Mozilla can push addons to my desktop without my intervention or knowledge. This takes the browser from being my software to always being 'their' software which I am just using for their pleasure.
It also brings up questions of what value add does Fedora have in actually distributing it if we can't 'stop' them from doing so.
-- Matthew Miller mattdm@fedoraproject.org Fedora Project Leader _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-leave@lists.fedoraproject.org
On Mon, Dec 18, 2017 at 01:19:26PM -0500, Stephen John Smoogen wrote:
On 18 December 2017 at 13:08, Matthew Miller mattdm@fedoraproject.org wrote:
On Mon, Dec 18, 2017 at 09:55:26AM -0800, Adam Williamson wrote:
I think we should be concerned by this kind of behaviour on the part of the supplier of our default desktop browser, and we should express that concern to them. Assuming Fedora-as-a-project shares my concern, do we have a channel to communicate with them about this, and request assurances that they understand the seriousness of this, and that they have changed policies so that nothing like it will happen in future?
Is there a fundamental difference between this and, if, say, similar functionality were in the FF 57 release itself?
I am not sure I understand your question enough to formulate what difference you are wanting. Since the addon was distributed POST install without user intervention, it would seem yes there is a big difference. If it were installed in FF57 then I wouldn't install/update to that version. If it is 'pushed' post install then it means that just using the software means that Mozilla can push addons to my desktop without my intervention or knowledge. This takes the browser from being my software to always being 'their' software which I am just using for their pleasure.
It occurred to me that Mozilla's view of this service is probably biased the way they support non-Linux desktop platforms (Windows, OS-X, Android, etc) where 95%+ of their users are. There the users have a direct interaction with Mozilla as the distributor. Once they have downloaded Firefox for windows from Mozilla's website, Mozilla can push out updates to their browser on the fly, and for a large % of users this requires no intervention/approval. There is no middle man "OS vendor" as you get with Linux distros (ok app stores are a middle man, but that's more about rubber stamping the release, not re-packaging & rebuilding firefox). So in this world, the ability to push out code as add-ons without user intervention, doesn't feel significantly different than their ability to push out the entire new browser verson releases to users, largely without intervention.
None the less, if we consider Fedora maintainers to be adding value via the packaging process, over having users get their browser direct from Mozilla, then I do still think it is desirable to be able to opt-out of this feature in Fedora builds.
Conversely though in a Flatpak world though, we would be moving much closer the model of Windows/OS-X/Android where Mozilla has a more direct way to push software to users, without a OS vendor arbitrarily rebuilding & repackaging stuff.
Regards, Daniel
Daniel P. Berrange wrote:
Conversely though in a Flatpak world though, we would be moving much closer the model of Windows/OS-X/Android where Mozilla has a more direct way to push software to users, without a OS vendor arbitrarily rebuilding & repackaging stuff.
And that is one big reason why the Flatpak world is not the world we want to be in!
Kevin Kofler
On Tue, Dec 19, 2017 at 3:19 AM, Daniel P. Berrange berrange@redhat.com wrote:
None the less, if we consider Fedora maintainers to be adding value via the packaging process, over having users get their browser direct from Mozilla, then I do still think it is desirable to be able to opt-out of this feature in Fedora builds.
Being pragmatic, I doubt that is going to happen for various reasons: 1. Mozilla would have to agree to it 2. You'd have to find a maintainer willing to do it - packaging is not hacking
On Mon, 2017-12-18 at 13:08 -0500, Matthew Miller wrote:
On Mon, Dec 18, 2017 at 09:55:26AM -0800, Adam Williamson wrote:
I think we should be concerned by this kind of behaviour on the part of the supplier of our default desktop browser, and we should express that concern to them. Assuming Fedora-as-a-project shares my concern, do we have a channel to communicate with them about this, and request assurances that they understand the seriousness of this, and that they have changed policies so that nothing like it will happen in future?
Is there a fundamental difference between this and, if, say, similar functionality were in the FF 57 release itself?
Sure. A new release coming out affords many people in the pipeline many chances to notice changes in it. The packager has the opportunity to notice significant changes while updating the package. Users of updates-testing have the opportunity to notice any significant changes before the update goes out to the broader user base. And users, unless they have manually set up some sort of non-notifying automated update script, either make a conscious choice to install the update or are at least notified that it has taken place, both of which provide them with the opportunity to examine changes and decide if they wish to accept them.
Silently deploying an addon to existing installations of Firefox bypasses absolutely all of the above.
On 12/18/2017 07:29 PM, Adam Williamson wrote:
Sure. A new release coming out affords many people in the pipeline many chances to notice changes in it. The packager has the opportunity to notice significant changes while updating the package. Users of updates-testing have the opportunity to notice any significant changes before the update goes out to the broader user base. And users, unless they have manually set up some sort of non-notifying automated update script, either make a conscious choice to install the update or are at least notified that it has taken place, both of which provide them with the opportunity to examine changes and decide if they wish to accept them.
Silently deploying an addon to existing installations of Firefox bypasses absolutely all of the above.
On the other hand, when it comes to privacy settings, if Firefox developers make changes to the settings themselves (not their defaults, but how they are encoded in profiles), they usually do not make an attempt to inform the user or preserve the intent as closely as possible. Two examples come to my mind:
When the “Ask me every time” cookie setting was abolished, it was silently changed to “Keep [them] until they expire”, so people were now tracked without their consent, until they realized what had happened.
When the New tab page was redesigned, major redesigns discard previous settings to offer a blank page and not to capture thumbnails.
In either case, I wasn't aware of proper communication. With the complexity of the code base and the widespread use of extensions, there is little anything any downstream can do. (This is also the reason why I'm wary of privacy-enhanced downstreams because they surely can remove only the obvious stuff.)
Thanks, Florian
Once upon a time, Adam Williamson adamwill@fedoraproject.org said:
As part of a tie-in with an American TV show, Mozilla thought it'd be a great idea to silently install a cryptically-named addon in all(?) Firefox deployments. Which can't be turned off.
I thought that this was actually a violation of the packaging policies, but I can't seem to find it now; I only see the restriction on software the requires downloads to be useful. I think simply requiring Mozilla to change their policies is unacceptable, as this still depends on a third party to properly enforce such policies (and not have any security issue that could result in untrusted addons being installed).
IMHO such behavior needs to be disabled by default in any packages shipped by Fedora for Fedora to remain a trustworthy distribution. Are there any other packages that can silently download and run non-Fedora code?
On Mon, 2017-12-18 at 12:34 -0600, Chris Adams wrote:
Once upon a time, Adam Williamson adamwill@fedoraproject.org said:
As part of a tie-in with an American TV show, Mozilla thought it'd be a great idea to silently install a cryptically-named addon in all(?) Firefox deployments. Which can't be turned off.
I thought that this was actually a violation of the packaging policies, but I can't seem to find it now; I only see the restriction on software the requires downloads to be useful.
IIRC there used to be a stricter policy that was relaxed as it had become kinda untenable with the widespread acceptance of addons and extensions for things like browsers and desktops. I could be wrong, though.
I think simply requiring Mozilla to change their policies is unacceptable, as this still depends on a third party to properly enforce such policies (and not have any security issue that could result in untrusted addons being installed).
Well, practically speaking we do have to have *some* degree of trust in our suppliers for apps as large and complex as a web browser or, say, an office app. Let's face it, practically speaking we're not really equipped to handle an adversarial relationship there. Even if we say "we're going to patch out this mechanism", that only really works if we trust the vendor at least to the degree that we don't believe they'd insert a harder-to-detect back channel to do the same thing, because practically speaking we just don't have the resources to audit the entire Firefox codebase (or even audit changes from some point in time we consider 'trustworthy' onwards) to ensure they haven't done this.
IMHO such behavior needs to be disabled by default in any packages shipped by Fedora for Fedora to remain a trustworthy distribution. Are there any other packages that can silently download and run non-Fedora code?
I dunno about 'silently', but there are certainly other cases of this, yes. GNOME Software can install GNOME Shell extensions (which are code, and can do anything with the privileges of the user account running the shell) from a non-Fedora source (extensions.gnome.org), for instance.
Once upon a time, Adam Williamson adamwill@fedoraproject.org said:
Well, practically speaking we do have to have *some* degree of trust in our suppliers for apps as large and complex as a web browser or, say, an office app.
True, but I do think there's a difference between trusting code we get and trusting that they will properly secure/won't abuse an additional install channel.
I dunno about 'silently', but there are certainly other cases of this, yes. GNOME Software can install GNOME Shell extensions (which are code, and can do anything with the privileges of the user account running the shell) from a non-Fedora source (extensions.gnome.org), for instance.
So, I guess it is in policy somewhere, but... what's the difference between that and Fedora having RPMs that install yum repo files for other repositories?
On Mon, Dec 18, 2017 at 10:42:17AM -0800, Adam Williamson wrote:
On Mon, 2017-12-18 at 12:34 -0600, Chris Adams wrote:
Once upon a time, Adam Williamson adamwill@fedoraproject.org said:
As part of a tie-in with an American TV show, Mozilla thought it'd be a great idea to silently install a cryptically-named addon in all(?) Firefox deployments. Which can't be turned off.
I thought that this was actually a violation of the packaging policies, but I can't seem to find it now; I only see the restriction on software the requires downloads to be useful.
IIRC there used to be a stricter policy that was relaxed as it had become kinda untenable with the widespread acceptance of addons and extensions for things like browsers and desktops. I could be wrong, though.
I think simply requiring Mozilla to change their policies is unacceptable, as this still depends on a third party to properly enforce such policies (and not have any security issue that could result in untrusted addons being installed).
Well, practically speaking we do have to have *some* degree of trust in our suppliers for apps as large and complex as a web browser or, say, an office app. Let's face it, practically speaking we're not really equipped to handle an adversarial relationship there. Even if we say "we're going to patch out this mechanism", that only really works if we trust the vendor at least to the degree that we don't believe they'd insert a harder-to-detect back channel to do the same thing, because practically speaking we just don't have the resources to audit the entire Firefox codebase (or even audit changes from some point in time we consider 'trustworthy' onwards) to ensure they haven't done this.
IMHO requesting support for a build flag to disable this ability to remotely push executable code out to user's browser is not unreasonable, and shouldn't make Fedora seem "adversarial", unless there's bigger trust issues at play here.
IMHO such behavior needs to be disabled by default in any packages shipped by Fedora for Fedora to remain a trustworthy distribution. Are there any other packages that can silently download and run non-Fedora code?
I dunno about 'silently', but there are certainly other cases of this, yes. GNOME Software can install GNOME Shell extensions (which are code, and can do anything with the privileges of the user account running the shell) from a non-Fedora source (extensions.gnome.org), for instance.
It won't install random new extensions without the user having asked for them. At most it would update previously installed extensions to newer versions. Though if someone did compromise the GNOME extensions service, that distinction is fairly academic from a security POV. IOW, a security concious person would not want to allow an communication to the extensions.gnome.org service at all to protect themselves.
Regards, Daniel
Daniel P. Berrange wrote:
IMHO requesting support for a build flag to disable this ability to remotely push executable code out to user's browser is not unreasonable,
I agree. There should be a single, properly documented build-time option to disable all current and future features that download and execute code without asking the user for explicit permission. If such an option doesn't exist, then I think the Fedora project should request one – and then use it. Any such feature should be strictly opt-in if it must exist at all (except for Javascript from the website being visited, because as much as I would like to make Javascript optional there's no chance of that happening at this point).
Björn Persson
On Mon, Dec 18, 2017 at 12:34:46PM -0600, Chris Adams wrote:
Once upon a time, Adam Williamson adamwill@fedoraproject.org said:
As part of a tie-in with an American TV show, Mozilla thought it'd be a great idea to silently install a cryptically-named addon in all(?) Firefox deployments. Which can't be turned off.
I thought that this was actually a violation of the packaging policies, but I can't seem to find it now; I only see the restriction on software the requires downloads to be useful. I think simply requiring Mozilla to change their policies is unacceptable, as this still depends on a third party to properly enforce such policies (and not have any security issue that could result in untrusted addons being installed).
IMHO such behavior needs to be disabled by default in any packages shipped by Fedora for Fedora to remain a trustworthy distribution. Are there any other packages that can silently download and run non-Fedora code?
It was brought up elsewhere that Chrome/Chromium in the past has done something worse in scope, silently downloading an add-on to that turns on & listens to your microphone. Ostensibly to detect the "ok google" keyword, but since its a closed source add-on can you be sure that's all it does...
https://www.privateinternetaccess.com/blog/2015/06/google-chrome-listening-i...
Fortunately, the Fedora builds of Chromium have explicitly disabled this feature (enable_hotwording=false in chromium.spec)
Regards, Daniel
Daniel P. Berrange wrote:
It was brought up elsewhere that Chrome/Chromium in the past has done something worse in scope, silently downloading an add-on to that turns on & listens to your microphone. Ostensibly to detect the "ok google" keyword, but since its a closed source add-on can you be sure that's all it does...
https://www.privateinternetaccess.com/blog/2015/06/google-chrome-listening-i...
Fortunately, the Fedora builds of Chromium have explicitly disabled this feature (enable_hotwording=false in chromium.spec)
Note that enable_hotwording is off by default in Chromium (not Chrome) builds (has been since Chromium 45). Only Chromium 43 and 44 are affected (because this "feature" was added in Chromium 43).
Also note that this implies that QtWebEngine was never affected, because there is no QtWebEngine branch based on Chromium 43 or 44. (QtWebEngine 5.5 shipped Chromium 40, QtWebEngine 5.6 LTS started on Chromium 45.) In addition, QtWebEngine is not built with NaCl support, so there is no way that plugin could have run to begin with even if it had been downloaded.
Kevin Kofler
On Mon, 18 Dec 2017, Chris Adams wrote:
the requires downloads to be useful. I think simply requiring Mozilla to change their policies is unacceptable, as this still depends on a third party to properly enforce such policies (and not have any security issue that could result in untrusted addons being installed).
IMHO such behavior needs to be disabled by default in any packages shipped by Fedora for Fedora to remain a trustworthy distribution.
'Electrolysis' was a Mozilla.org codeword for a sub-project enabling in an A:B sample, 'telemetry' -- that is keystroke logging, click monitoring, timing, and more, largely without prominent external notice.
I had a performance issue related to inter-tab communication in a restrictive environment I run Firefox in, along with SElinux denials, and spent some time 'running down' several problems, in the early summer
see:
https://support.ant.com/hc/en-us/articles/115000513446-Firefox-51-Multi-Proc...
see my bug: https://bugzilla.redhat.com/show_bug.cgi?id=1473754 upstream as well
https://bugzilla.mozilla.org/show_bug.cgi?id=1383141 closed into:
https://bugzilla.mozilla.org/show_bug.cgi?id=1376559
https://bugzilla.mozilla.org/show_bug.cgi?id=1129492
because SysV shared memory follows Unix's “same uid policy” and can't be restricted/brokered like file access. (It was observed when the initial attempt at a desktop content system call whitelist was made, but that was long enough ago that there could have been significant changes to how graphics work that might make this not a problem, so this should be double-checked.) There's a not-well-specified revision to use memory-mapped files (http://patchwork.freedesktop.org/patch/15082/) but I don't know what would need to happen to make it work — Ubuntu 14.04 has a new enough X server and should (I think?) have new enough libraries, but X clients still empirically use SysV (including the Firefox parent process).
see also this:
https://mjg59.dreamwidth.org/42320.html
which implies a shm IPC privacy approach exists, but is not implemented. It ignores adding SELinux constexts, and so the unhopeful conculsion he draws may have been overtaken by events
https://bugzilla.redhat.com/show_bug.cgi?id=1188290#c1
There was a related SELinux / no '--no-xshm IPC' filing upstream as well, which I cannot lay hands upon atm. It looks like others have noticed the 100 pct usage, and IPC problems as well
https://bugzilla.redhat.com/show_bug.cgi?id=1471149
One had to notice such exfiltration of data, and go looking for how to turn it off. I did by watching squid logs of queries, seeing expected domains, and then going looking.
Adding a prefs.js
with
// browser.tabs.remote.autostart = false browser.tabs.remote.autostart.2 = false // // ... above silently set itself true again 2017 08 29 // 52.2.0 (64-bit) ESR // Centos 7, 2017 09 update is: 52.3.0 (64-bit)
was supposed to work, but it turned out that some process inside FF was able to over-ride and un-restrict such even when explicitly turned on. I had to change ownershop of the configuration file to root.root from userid.blah to stop that nonesense
I start ff inside a 'ssh to a unpriv'd uid' localhost X forwarding tunnel -- it breaks sound and video, but ... * shrug * I'd rather not have data I care about being exfiltrated
I believe Jan Horak inside RH does something similar
https://bugzilla.mozilla.org/show_bug.cgi?id=1129492
'it looks like the Firefox over ssh is not used by masses'
-- Russ herrold
===============================
PEFF -- Privacy Enhanced Firefox invocation ... privacy enhanced, isolated userid firefox invocation
startup PATH: PATH=/sbin:/bin:/usr/sbin:/usr/bin:/home/herrold/bin reduced path PATH: PATH=/sbin:/bin:/usr/sbin:/usr/bin:/home/herrold/bin current id: uid=500(herrold) gid=500(herrold) groups=500(herrold),10(wheel),135(mock),498(pulse-access) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 PEFF: ghola note: ghola is a non-priv'd user on localhost, [H/T: Frank Herbert] which we access via a keyed SSH connection to try to avoid some content exfiltration by hostile web browser applications: Firefox, Flash, etc THISHOST: centos-7.first.owlriver.net start: Mon Dec 18 09:45:31 EST 2017 Command: ssh -X -4 -l ghola centos-7.first.owlriver.net export ` dbus-launch ` ; firefox --no-remote --
now down in the limited, privacy enhanced firefox userid reduced path PATH: PATH=/sbin:/bin:/usr/sbin:/usr/bin:/home/ghola/bin current id: uid=606(ghola) gid=606(ghola) groups=606(ghola),498(pulse-access) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Command: umask 022 ; /usr/bin/firefox --no-remote --
Chris Adams wrote:
Are there any other packages that can silently download and run non-Fedora code?
The other web browsers. They'll silently download and run Javascript code from pretty much every website. It's a crazy dangerous practice, but that genie isn't going to go back into the bottle. But perhaps you meant "download and run without even trying to sandbox it"?
Björn Persson
Chris Adams wrote:
I thought that this was actually a violation of the packaging policies, but I can't seem to find it now; I only see the restriction on software the requires downloads to be useful. I think simply requiring Mozilla to change their policies is unacceptable, as this still depends on a third party to properly enforce such policies (and not have any security issue that could result in untrusted addons being installed).
IMHO such behavior needs to be disabled by default in any packages shipped by Fedora for Fedora to remain a trustworthy distribution.
This is the very least that Fedora ought to do, and it has to be done immediately!
In addition, for future Fedora releases, the default browser ought to be changed to one with a more trustworthy upstream, e.g.: * QupZilla (soon to be Falkon) [https://www.qupzilla.com/], * GNOME Web / Epiphany [https://wiki.gnome.org/Apps/Web], * Midori [http://midori-browser.org/] (the WebKit2 branch snapshots that are already in Fedora).
In the interest of desktop integration, I would actually suggest using a different browser on different Spins, matching the shipped desktop environment (QupZilla on KDE and LXQt, GNOME Web on GNOME/Workstation, Midori on the others).
That said, QupZilla, while being a Qt application, actually has better GNOME integration than Firefox: It uses the system icon theme out of the box, it has native look&feel and native file dialogs thanks to QGnomePlatform, and there is even an optional plugin to make it use GNOME Keyring.
In addition, using a browser adapted to the desktop would also provide a much more integrated experience to our users: https://wiki.gnome.org/Apps/Web/Docs/FrequentlyAskedQuestions#Mozilla_and_Fi... https://www.spinics.net/linux/fedora/fedora-kde/msg13235.html
Kevin Kofler
Chris Adams wrote:
This is the very least that Fedora ought to do, and it has to be done immediately!
In addition, for future Fedora releases, the default browser ought to be changed to one with a more trustworthy upstream, e.g.:
- QupZilla (soon to be Falkon) [https://www.qupzilla.com/],
- GNOME Web / Epiphany [https://wiki.gnome.org/Apps/Web],
- Midori [http://midori-browser.org/] (the WebKit2 branch snapshots that are already in Fedora).
In the interest of desktop integration, I would actually suggest using a different browser on different Spins, matching the shipped desktop environment (QupZilla on KDE and LXQt, GNOME Web on GNOME/Workstation, Midori on the others).
That said, QupZilla, while being a Qt application, actually has better GNOME integration than Firefox: It uses the system icon theme out of the box, it has native look&feel and native file dialogs thanks to QGnomePlatform, and there is even an optional plugin to make it use GNOME Keyring.
In addition, using a browser adapted to the desktop would also provide a much more integrated experience to our users: https://wiki.gnome.org/Apps/Web/Docs/FrequentlyAskedQuestions#Mozilla_and... https://www.spinics.net/linux/fedora/fedora-kde/msg13235.html
Kevin Kofler
IMO Going Back to SeaMonkey would be a Better Bet than any of the following Browsers you mentioned .
On 12/19/2017 03:24 AM, Kevin Kofler wrote:
Chris Adams wrote:
I thought that this was actually a violation of the packaging policies, but I can't seem to find it now; I only see the restriction on software the requires downloads to be useful. I think simply requiring Mozilla to change their policies is unacceptable, as this still depends on a third party to properly enforce such policies (and not have any security issue that could result in untrusted addons being installed).
IMHO such behavior needs to be disabled by default in any packages shipped by Fedora for Fedora to remain a trustworthy distribution.
This is the very least that Fedora ought to do, and it has to be done immediately!
In addition, for future Fedora releases, the default browser ought to be changed to one with a more trustworthy upstream, e.g.:
- QupZilla (soon to be Falkon) [https://www.qupzilla.com/],
- GNOME Web / Epiphany [https://wiki.gnome.org/Apps/Web],
- Midori [http://midori-browser.org/] (the WebKit2 branch snapshots that are already in Fedora).
midori is dead upstream. Likely it should be retired, but I keep holding out hope they will revive development. I definitely would not suggest more widespread usage of it.
In the interest of desktop integration, I would actually suggest using a different browser on different Spins, matching the shipped desktop environment (QupZilla on KDE and LXQt, GNOME Web on GNOME/Workstation, Midori on the others).
We shipped midori on the Xfce spin for a while, but people asked for firefox.
kevin
Kevin Fenzi wrote:
midori is dead upstream. Likely it should be retired, but I keep holding out hope they will revive development. I definitely would not suggest more widespread usage of it.
https://code.launchpad.net/~midori/midori/ doesn't look that dead. The webKitTwoOnly branch you are currently packaging is dead, but it was apparently replaced by a new webKit2Gtk3only branch.
We shipped midori on the Xfce spin for a while, but people asked for firefox.
People also ask for patent-encumbered codecs, Flash, etc. It is not always the right decision to ship what some people ask for.
Kevin Kofler
On Wednesday, December 20 2017, Kevin Kofler wrote:
Kevin Fenzi wrote:
midori is dead upstream. Likely it should be retired, but I keep holding out hope they will revive development. I definitely would not suggest more widespread usage of it.
https://code.launchpad.net/~midori/midori/ doesn't look that dead. The webKitTwoOnly branch you are currently packaging is dead, but it was apparently replaced by a new webKit2Gtk3only branch.
Midori has been "revived" only recently. It stayed dead for a while, without any activity on the codebase/IRC channel, and accumulating a few CVE's here and there. I was Debian's Midori maintainer, and I decided to retire the package because of these issues. But apparently upstream is slowly coming back to life, which is good news. However, we shouldn't blindly adopt Midori as the default browser without seriously looking at the health of the project (that goes for any other browser, FWIW).
Sergio Durigan Junior wrote:
Midori has been "revived" only recently. It stayed dead for a while, without any activity on the codebase/IRC channel, and accumulating a few CVE's here and there.
Interesting. I'd expect the browser itself to not really be security- critical, the underlying web engine is. I guess the CVEs are things such as missing warnings for invalid certificates?
However, we shouldn't blindly adopt Midori as the default browser without seriously looking at the health of the project
Sure, that should be obvious. Though I am not proposing to make Midori THE default browser for all of Fedora, I am only proposing it as a default for those Spins where it fits the best technology-wise.
(that goes for any other browser, FWIW).
The other two browsers in my list are active projects maintained by large trustworthy upstreams Fedora is already successfully working with: one (QupZilla/Falkon) is about to become the official browser of the KDE project, the other one (GNOME Web/Epiphany) is already the official browser of the GNOME project. So I don't think there is any need to worry about the health of those 2 projects.
This also means that each of them is really the most suitable browser choice for the respective desktop environment, in the interest of providing an integrated user experience. The browser needs to return to being viewed as an integral part of the desktop environment, as it was in the Konqueror era. Firefox sticks out like a sore thumb on all of them.
Kevin Kofler
On Thu, Dec 21, 2017 at 12:37:48AM +0100, Kevin Kofler wrote:
People also ask for patent-encumbered codecs, Flash, etc. It is not always the right decision to ship what some people ask for.
The phrase "cutting off our nose to spite our face" seems relevant here.
There is a ginormous difference between not being able to legally ship something and deliberately not shipping perhaps _the_ premium Free Software application because you don't agree with every action of its authors.
- Solomon
Solomon Peachy wrote:
There is a ginormous difference between not being able to legally ship something and deliberately not shipping perhaps _the_ premium Free Software application because you don't agree with every action of its authors.
The thing is, the question is whether Firefox even still qualifies as Free Software at all. We disagree with those actions for a reason, i.e., because they are attacks on users' freedom!
Kevin Kofler
On Fri, Dec 22, 2017 at 12:33:20AM +0100, Kevin Kofler wrote:
The thing is, the question is whether Firefox even still qualifies as Free Software at all. We disagree with those actions for a reason, i.e., because they are attacks on users' freedom!
It's Free Software, under every definition of the term.
Meanwhile, this not-so-little rant comes to mind:
https://caddy.community/t/the-realities-of-being-a-foss-maintainer/2728
"I do find it ironic that the open source community is so irate about having to compile software from source to customize it the way they want."
Especially since Fedora's maintainers *already* compile it, including changing some of the defaults. What's a couple more?
(And I might add that yanking Firefox as the default browser will accomplish little more than to increase Chrome's market share)
- Solomon
On Fri, 2017-12-22 at 07:01 -0500, Solomon Peachy wrote:
Especially since Fedora's maintainers *already* compile it, including changing some of the defaults. What's a couple more?
AIUI, Mozilla doesn't actually like downstreams changing too much in Firefox. I don't know exactly where their 'lines' are, but they are known to assert trademark rights against downstreams to prevent them changing some things and still calling the result 'Firefox'. (This policy is why Debian ships 'Iceweasel' or whatever instead - so they can modify it how they like without Mozilla complaining).
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
On Fri, 2017-12-22 at 09:17 -0800, Adam Williamson wrote:
On Fri, 2017-12-22 at 07:01 -0500, Solomon Peachy wrote:
Especially since Fedora's maintainers *already* compile it, including changing some of the defaults. What's a couple more?
AIUI, Mozilla doesn't actually like downstreams changing too much in Firefox. I don't know exactly where their 'lines' are, but they are known to assert trademark rights against downstreams to prevent them changing some things and still calling the result 'Firefox'. (This policy is why Debian ships 'Iceweasel' or whatever instead - so they can modify it how they like without Mozilla complaining).
Actually, Debian ships Firefox again these days as the policies apparently have been changed/clarified enough.
https://lwn.net/Articles/676799/
AFAICT, there is still little indication as to what modifications may be considered "significant functional changes" by Mozilla though.
Benjamin
Benjamin Berg wrote:
Actually, Debian ships Firefox again these days as the policies apparently have been changed/clarified enough.
They ship it as Firefox again under exactly the same kind of informal agreement that they already had once and that already burned them once (because Mozilla suddenly revoked it unilaterally without notice and even tried to deny its existence). That move made no sense whatsoever.
Kevin Kofler
On Fri, Dec 22, 2017 at 09:17:27AM -0800, Adam Williamson wrote:
Especially since Fedora's maintainers *already* compile it, including changing some of the defaults. What's a couple more?
AIUI, Mozilla doesn't actually like downstreams changing too much in Firefox. I don't know exactly where their 'lines' are, but they are known to assert trademark rights against downstreams to prevent them changing some things and still calling the result 'Firefox'. (This policy is why Debian ships 'Iceweasel' or whatever instead - so they can modify it how they like without Mozilla complaining).
There's some definite irony here: this policy is there because there were a number of unscrupulous actors taking Firefox, adding malware toolbars, and offering it for download, thus harming users and tainting their reputation.
On Friday, December 22, 2017, Adam Williamson adamwill@fedoraproject.org wrote:
On Fri, 2017-12-22 at 07:01 -0500, Solomon Peachy wrote:
Especially since Fedora's maintainers *already* compile it, including changing some of the defaults. What's a couple more?
AIUI, Mozilla doesn't actually like downstreams changing too much in Firefox. I don't know exactly where their 'lines' are, but they are known to assert trademark rights against downstreams to prevent them changing some things and still calling the result 'Firefox'. (This policy is why Debian ships 'Iceweasel' or whatever instead - so they can modify it how they like without Mozilla complaining). --
Same for fedora - if you want to use the trademark.
On Sat, Dec 23, 2017 at 04:36:37AM +0100, drago01 wrote:
Same for fedora - if you want to use the trademark.
Yes. It's not an unreasonable request. (Although Fedora does offer the secondary "Fedora Remix" mark, and Firefox doesn't have anything equvalent that I'm aware of.)
On Sat, 2017-12-23 at 04:36 +0100, drago01 wrote:
On Friday, December 22, 2017, Adam Williamson adamwill@fedoraproject.org wrote:
On Fri, 2017-12-22 at 07:01 -0500, Solomon Peachy wrote:
Especially since Fedora's maintainers *already* compile it, including changing some of the defaults. What's a couple more?
AIUI, Mozilla doesn't actually like downstreams changing too much in Firefox. I don't know exactly where their 'lines' are, but they are known to assert trademark rights against downstreams to prevent them changing some things and still calling the result 'Firefox'. (This policy is why Debian ships 'Iceweasel' or whatever instead - so they can modify it how they like without Mozilla complaining). --
Same for fedora - if you want to use the trademark.
Well yes, that's exactly the point I was making - there was a suggestion to make downstream changes to some upstream defaults as part of a response to this, I was saying we don't have an entirely free hand to do that.
On 12/20/2017 03:37 PM, Kevin Kofler wrote:
Kevin Fenzi wrote:
midori is dead upstream. Likely it should be retired, but I keep holding out hope they will revive development. I definitely would not suggest more widespread usage of it.
https://code.launchpad.net/~midori/midori/ doesn't look that dead. The webKitTwoOnly branch you are currently packaging is dead, but it was apparently replaced by a new webKit2Gtk3only branch.
Sure, which has had 6 non translation commits in the last year, and even fewer before that. I wouldn't really call that active.
We shipped midori on the Xfce spin for a while, but people asked for firefox.
People also ask for patent-encumbered codecs, Flash, etc. It is not always the right decision to ship what some people ask for.
They were installing firefox post install and telling us that they wanted us to save them time and just ship it on the spin. It really didn't have anything to do with forbidden items.
kevin
On 12/18/2017 09:55 AM, Adam Williamson wrote: ...snip...
“Our goal with the custom experience we created with Mr. Robot was to engage our users in a fun and unique way,” a Mozilla representative said in a statement. “Real engagement also means listening to feedback. And so while the web extension/add-on that was sent out to Firefox users never collected any data, and had to be explicitly enabled by users playing the game before it would affect any web content, we heard from some of our users that the experience we created caused confusion.”
(FWIW I don't think that statement is even factually correct; I can't prove it with screenshots, but I'm pretty sure that when the addon appeared in my Firefox install, it was enabled, not disabled).
I think even when the extension was 'enabled' you had to do something further to cause it to do anything. But it's not very clear...
I think we should be concerned by this kind of behaviour on the part of the supplier of our default desktop browser, and we should express that concern to them. Assuming Fedora-as-a-project shares my concern, do we have a channel to communicate with them about this, and request assurances that they understand the seriousness of this, and that they have changed policies so that nothing like it will happen in future?
That would be good (I don't know if we have such a channel or not).
Additionally, can we turn the "Allow firefox to install and run studies" preference to off/false by default in Fedora packages. It seems odd that this is now opt-out.
kevin
On Mon, Dec 18, 2017 at 10:36 AM, Kevin Fenzi kevin@scrye.com wrote:
Additionally, can we turn the "Allow firefox to install and run studies" preference to off/false by default in Fedora packages. It seems odd that this is now opt-out.
I don't know. I personally tend to side with upstream on their decisions - and I don't believe Mozilla is acting in bad faith.
First of all, when you install Fx, it asks you specifically if you want to participate in Fx Data Collection - you can opt out at that point. If you change your mind later, you can go into preferences and security and either disable or enable it.
It was quickly and forcefully pointed out to Mozilla that the automatic installation of a game was something that most considered part of that category. They have since removed it.
Yes, it was a poor decision - but it has been corrected and hopefully they learned their lesson. Everyone needs to just move on.
On Mon, 2017-12-18 at 11:09 -0800, Gerald B. Cox wrote:
First of all, when you install Fx, it asks you specifically if you want to participate in Fx Data Collection - you can opt out at that point.
Well, not quite. I installed Firefox rather a long time ago on this system. Again I can't prove it, but at that time I believe this question and preference referred *only* to 'data collection'. However, since then, a new sub-preference seems to have appeared, labelled 'Allow Firefox to install and run studies'. It appears, so far as I can tell, that they are claiming this promotional tie-in constituted a "study". That's a weak claim to start with, but more importantly, I am fairly sure this "Allow Firefox to install and run studies" preference was simply set to 'true' when it was *added* to Firefox. I was not asked. If I had been, I'm pretty sure I would've said no.
On Mon, Dec 18, 2017 at 11:16 AM, Adam Williamson < adamwill@fedoraproject.org> wrote:
On Mon, 2017-12-18 at 11:09 -0800, Gerald B. Cox wrote:
First of all, when you install Fx, it asks you specifically if you want
to
participate in Fx Data Collection - you can opt out at that point.
Well, not quite. I installed Firefox rather a long time ago on this system. Again I can't prove it, but at that time I believe this question and preference referred *only* to 'data collection'. However, since then, a new sub-preference seems to have appeared, labelled 'Allow Firefox to install and run studies'. It appears, so far as I can tell, that they are claiming this promotional tie-in constituted a "study". That's a weak claim to start with, but more importantly, I am fairly sure this "Allow Firefox to install and run studies" preference was simply set to 'true' when it was *added* to Firefox. I was not asked. If I had been, I'm pretty sure I would've said no.
You are correct that it is a sub-preference - and IF you allowed data collection it was also allowed - because it is in the same category. As far as Looking Glass - they made a mistake, and they admitted they made a mistake, and have removed Looking Glass from studies
Personally, I have no issue with the shield studies and this episode didn't cause me to opt out.
On Mon, Dec 18, 2017 at 12:16 PM, Adam Williamson adamwill@fedoraproject.org wrote:
On Mon, 2017-12-18 at 11:09 -0800, Gerald B. Cox wrote:
First of all, when you install Fx, it asks you specifically if you want to participate in Fx Data Collection - you can opt out at that point.
Well, not quite. I installed Firefox rather a long time ago on this system. Again I can't prove it, but at that time I believe this question and preference referred *only* to 'data collection'. However, since then, a new sub-preference seems to have appeared, labelled 'Allow Firefox to install and run studies'. It appears, so far as I can tell, that they are claiming this promotional tie-in constituted a "study". That's a weak claim to start with, but more importantly, I am fairly sure this "Allow Firefox to install and run studies" preference was simply set to 'true' when it was *added* to Firefox. I was not asked. If I had been, I'm pretty sure I would've said no.
I don't remember being actively asked about such data collection, and I've recently installed on a clean system, nightly on Fedora, and then final releases of 57 on Windows and macOS. Does anyone have a screen shot or description of what this "ask" looks like, and when it appears?
On 12/18/2017 08:31 PM, Chris Murphy wrote:
I don't remember being actively asked about such data collection, and I've recently installed on a clean system, nightly on Fedora, and then final releases of 57 on Windows and macOS. Does anyone have a screen shot or description of what this "ask" looks like, and when it appears?
It keeps changing. Currently, it's a pop-under tab shown once if you open a new profile, using this URL:
https://www.mozilla.org/en-US/privacy/firefox/
You can run “firefox -P” and create a new profile if you want to play with this. So far, there seems to be little cross-talk between those profiles, if there is any at all.
I found another odd thing: about:home network traffic is no longer logged by the web developer console. 8-(
Thanks, Florian
On Mon, 2017-12-18 at 20:52 +0100, Florian Weimer wrote:
On 12/18/2017 08:31 PM, Chris Murphy wrote:
I don't remember being actively asked about such data collection, and I've recently installed on a clean system, nightly on Fedora, and then final releases of 57 on Windows and macOS. Does anyone have a screen shot or description of what this "ask" looks like, and when it appears?
It keeps changing. Currently, it's a pop-under tab shown once if you open a new profile, using this URL:
So I just booted Firefox 27 Workstation live and opened Firefox. Indeed, a pop-under tab appears with this URL (so you can close it without even seeing it). The relevant text reads:
"Firefox by default shares data to: Improve performance and stability for users everywhere
Interaction data: Firefox sends data about your interactions with Firefox to us (such as number of open tabs and windows; number of webpages visited; number and type of installed Firefox Add-ons; and session length) and Firefox features offered by Mozilla or our partners (such as interaction with Firefox search features and search partner referrals).
Technical data: Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs."
I would suggest that nothing in this text reasonably covers "shield studies"; it was clearly written to cover old-school telemetry, not this later and more extensive capability to install custom-written add- ons to perform additional data collection. Yet the "Allow Firefox to install and run studies" checkbox is checked by default.
And in any case, a tie-in with a television-show related game is clearly neither telemetry nor some kind of user interaction study. Yet to me, Mozilla's response does not seem to convey understanding of this at all. It basically just says "oh don't worry it didn't do anything by default", which is sort of grandly missing the point.
On Mon, Dec 18, 2017 at 12:23 PM, Adam Williamson < adamwill@fedoraproject.org> wrote:
On Mon, 2017-12-18 at 20:52 +0100, Florian Weimer wrote:
<snip>
So I just booted Firefox 27 Workstation live and opened Firefox. Indeed, a pop-under tab appears with this URL (so you can close it without even seeing it).
If you're concerned about security and privacy, you have to read. It's not fair to cast aspersions because you weren't paying attention.
The relevant text reads:
<snip>
I would suggest that nothing in this text reasonably covers "shield studies"; it was clearly written to cover old-school telemetry, not this later and more extensive capability to install custom-written add- ons to perform additional data collection. Yet the "Allow Firefox to install and run studies" checkbox is checked by default.
If you read the page, you'll see where there is a highlighted phrase that says: "Choose how you want to share this data in Firefox" following by a selection button. You are then taken to a page where you can opt-out and read more about the Fx Studies.
And in any case, a tie-in with a television-show related game is clearly neither telemetry nor some kind of user interaction study. Yet to me, Mozilla's response does not seem to convey understanding of this at all. It basically just says "oh don't worry it didn't do anything by default", which is sort of grandly missing the point.
Mozilla has already admitted they made a mistake and removed Looking Glass
from the Fx Studies. I believe they understand the situation quite well. It's not helpful to beat a dead horse.
On 18 December 2017 at 15:42, Gerald B. Cox gbcox@bzb.us wrote:
And in any case, a tie-in with a television-show related game is clearly neither telemetry nor some kind of user interaction study. Yet to me, Mozilla's response does not seem to convey understanding of this at all. It basically just says "oh don't worry it didn't do anything by default", which is sort of grandly missing the point.
Mozilla has already admitted they made a mistake and removed Looking Glass from the Fx Studies. I believe they understand the situation quite well. It's not helpful to beat a dead horse.
The only reason we are beating a dead horse is because you keep telling us that we shouldn't have beaten a dead horse in a way that requires us to explain why we are doing so. Look we understand.. you think we should all be friends again. Some of us however are on the "Play a trick on me once, shame on you.. Play a trick on me twice.. shame on me" and this is number 3 or 4..
devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-leave@lists.fedoraproject.org
On Mon, 2017-12-18 at 15:48 -0500, Stephen John Smoogen wrote:
On 18 December 2017 at 15:42, Gerald B. Cox gbcox@bzb.us wrote:
And in any case, a tie-in with a television-show related game is clearly neither telemetry nor some kind of user interaction study. Yet to me, Mozilla's response does not seem to convey understanding of this at all. It basically just says "oh don't worry it didn't do anything by default", which is sort of grandly missing the point.
Mozilla has already admitted they made a mistake and removed Looking Glass from the Fx Studies. I believe they understand the situation quite well. It's not helpful to beat a dead horse.
The only reason we are beating a dead horse is because you keep telling us that we shouldn't have beaten a dead horse in a way that requires us to explain why we are doing so. Look we understand.. you think we should all be friends again. Some of us however are on the "Play a trick on me once, shame on you.. Play a trick on me twice.. shame on me" and this is number 3 or 4..
Right. As my original mail should have made clear to you but apparently didn't, the point where I disagree with you is the idea that Mozilla has "learnt its lesson". Nothing in any Mozilla statement I've seen so far makes me believe that Mozilla has actually learned the right lesson, and as Smooge points out, it is beginning to build up a track record which makes me less willing to just trust that they have without them explicitly stating it and outlining exactly what they have changed in order to ensure that more things like this don't happen in future.
On Mon, Dec 18, 2017 at 12:51 PM, Adam Williamson < adamwill@fedoraproject.org> wrote:
The only reason we are beating a dead horse is because you keep telling us that we shouldn't have beaten a dead horse in a way that requires us to explain why we are doing so. Look we understand.. you think we should all be friends again. Some of us however are on the "Play a trick on me once, shame on you.. Play a trick on me twice.. shame on me" and this is number 3 or 4..
Right. As my original mail should have made clear to you but apparently didn't, the point where I disagree with you is the idea that Mozilla has "learnt its lesson". Nothing in any Mozilla statement I've seen so far makes me believe that Mozilla has actually learned the right lesson, and as Smooge points out, it is beginning to build up a track record which makes me less willing to just trust that they have without them explicitly stating it and outlining exactly what they have changed in order to ensure that more things like this don't happen in future.
Everyone makes mistakes - this wasn't the first by Mozilla and won't be the last. I don't believe they are acting out of malice. As long as they admit and correct mistakes as they go along that is fine with me. In any event, I don't believe this is a Fedora issue - it's an upstream issue. If you're unhappy with a particular direction or decision regarding Fx, it would be better to air those concerns upstream.
On Mon, 2017-12-18 at 12:59 -0800, Gerald B. Cox wrote:
On Mon, Dec 18, 2017 at 12:51 PM, Adam Williamson < adamwill@fedoraproject.org> wrote:
The only reason we are beating a dead horse is because you keep telling us that we shouldn't have beaten a dead horse in a way that requires us to explain why we are doing so. Look we understand.. you think we should all be friends again. Some of us however are on the "Play a trick on me once, shame on you.. Play a trick on me twice.. shame on me" and this is number 3 or 4..
Right. As my original mail should have made clear to you but apparently didn't, the point where I disagree with you is the idea that Mozilla has "learnt its lesson". Nothing in any Mozilla statement I've seen so far makes me believe that Mozilla has actually learned the right lesson, and as Smooge points out, it is beginning to build up a track record which makes me less willing to just trust that they have without them explicitly stating it and outlining exactly what they have changed in order to ensure that more things like this don't happen in future.
Everyone makes mistakes - this wasn't the first by Mozilla and won't be the last. I don't believe they are acting out of malice. As long as they admit and correct mistakes as they go along that is fine with me. In any event, I don't believe this is a Fedora issue
- it's an upstream issue.
If you're unhappy with a particular direction or decision regarding Fx, it would be better to air those concerns upstream.
Again, this is something I covered in my original mail. We distribute Firefox as the default browser to a large number of people who trust us to provide them with software. This gives us both a responsibility to our users and, presumably, some level of organized clout with Mozilla: I believe they will treat the concerns of the Fedora project with somewhat more interest than they would treat the concerns of...me.
Raising it with upstream is exactly what I am suggesting, but I am suggesting that *the Fedora project* raises it with upstream. Not me.
On Mon, Dec 18, 2017 at 1:03 PM, Adam Williamson <adamwill@fedoraproject.org
wrote:
Again, this is something I covered in my original mail. We distribute Firefox as the default browser to a large number of people who trust us to provide them with software. This gives us both a responsibility to our users and, presumably, some level of organized clout with Mozilla: I believe they will treat the concerns of the Fedora project with somewhat more interest than they would treat the concerns of...me.
Raising it with upstream is exactly what I am suggesting, but I am suggesting that *the Fedora project* raises it with upstream. Not me.
If the Fedora project wants to do a "me too" that's fine - it's not going to hurt anything - my point was I believe they got the message loud and clear:
https://support.mozilla.org/en-US/questions/1194583#question-reply
and as you'll see, I was a bit blunt with them on the 13th: "Folks this is really unacceptable. Reddit is losing their mind about it. It's fine if this is associated with Shields studies - but you need use a meaningful description - not some random quote that you think might be cute. It's not amusing to the millions of users who are thinking WTF."
On 12/18/2017 09:59 PM, Gerald B. Cox wrote:
Everyone makes mistakes - this wasn't the first by Mozilla and won't be the last. I don't believe they are acting out of malice.
Of course not. But at some level, there is a deception involved: Mozilla present a strong privacy focus for Firefox, but clearly lacks the processes to systematically prevent such blunders.
Of course, you can dismiss this as the usual tension between marketing and technical reality. It's a bit like the reputation of Linux as a secure system vs the actual development procedures.
Thanks, Florian
Gerald B. Cox writes:
Everyone makes mistakes - this wasn't the first by Mozilla and won't be the last. I don't believe they are acting out of malice. As long as they admit and correct mistakes as they go along that is fine with me.
Here's the most complete statement from Mozilla that I could find regarding this:
############################################################################
"Our goal with the custom experience we created with Mr. Robot was to engage our users in a fun and unique way," Mozilla's chief marketing officer, Jascha Kaykas-Wolff, told Gizmodo. "Real engagement also means listening to feedback. And so while the web extension/add-on that was sent out to Firefox users never collected any data, and had to be explicitly enabled by users playing the game before it would affect any web content, we heard from some of our users that the experience we created caused confusion."
"As a result we will be moving the Looking Glass Add-on to our Add-On store within the next 24 hours so Mr. Robot fans can continue to solve the puzzle and the source can be viewed in a public repository," Kaykas-Wolff added.
############################################################################
Can you point out to me which part indicates that Mozilla admits that they made a mistake. Sounds to me like they're just blaming the dumb users for not understanding how wonderful was "the experience [they] created".
Does anyone read this as Mozilla admitting that they messed up?
On Mon, Dec 18, 2017 at 3:00 PM, Sam Varshavchik mrsam@courier-mta.com wrote:
Can you point out to me which part indicates that Mozilla admits that they made a mistake. Sounds to me like they're just blaming the dumb users for not understanding how wonderful was "the experience [they] created".
Keeping with the Mr. Robot motif, it is a riddle, wrapped in a mystery, inside an enigma.
On 12/18/2017 03:00 PM, Sam Varshavchik wrote:
Does anyone read this as Mozilla admitting that they messed up?
This was published today: https://blog.mozilla.org/firefox/update-looking-glass-add/
On 19/12/17 01:11, Thomas Daede wrote:
On 12/18/2017 03:00 PM, Sam Varshavchik wrote:
Does anyone read this as Mozilla admitting that they messed up?
This was published today: https://blog.mozilla.org/firefox/update-looking-glass-add/
It's certainly an improvement on their previous efforts though it still rather skates around some of the most important points.
They still seem to be concentrating on the details of what this specific addon did or didn't do rather than on the abuse of the "shield studies" mechanism. To remind ourselves https://support.mozilla.org/en-US/kb/shield describes them as:
SHIELD studies let you try out different features and ideas before they are released to all Firefox users. Using your feedback, we can make more informed decisions based on what you actually need.
So they are about testing new browser features, and yet in that blog post they are described as "our auto-install mechanism for add-ons" which while it might be what shield studies amount to technically shows that internally they are viewed (at least by some people) much more broadly.
I realise it goes on to say they are conducting a review, which will presumably cover the approval process for shield studies and why it seems that marketing was able to push this through - indeed why marketing even had access to a channel designed for feature testing.
Just the fact that response to this still seems to be led by their marketing department (with all response coming from the chief marketing officer) and not by security/privacy teams says quite a lot really.
It seems obvious that either people with responsibility for security and privacy issues didn't have visibility of what was happening here, which would suggest a seriously broken process for approving shield studies, or they didn't have the political power to overrule the marketing department which is many ways an even bigger problem because that is a cultural issue at the heart of the organisation that will be hard to fix.
Tom
On 12/18/2017 09:42 PM, Gerald B. Cox wrote:
Mozilla has already admitted they made a mistake and removed Looking Glass from the Fx Studies. I believe they understand the situation quite well. It's not helpful to beat a dead horse.
Do you think it's a dead horse? I don't.
Actually, I think Mozilla's management finally has unhidden their real face. Time for changes at Mozilla and for personal changes in their management - Period.
Ralf
Florian Weimer wrote:
On 12/18/2017 08:31 PM, Chris Murphy wrote:
I don't remember being actively asked about such data collection, and I've recently installed on a clean system, nightly on Fedora, and then final releases of 57 on Windows and macOS. Does anyone have a screen shot or description of what this "ask" looks like, and when it appears?
It keeps changing. Currently, it's a pop-under tab shown once if you open a new profile,
A background tab where the only visible words are "Firefox by default shares" does not match my understanding of what the word "ask" means.
And if I actually notice the tab and read the page, I don't see anything about silently installing additional software.
Björn Persson
Adam Williamson wrote:
since then, a new sub-preference seems to have appeared, labelled 'Allow Firefox to install and run studies'.
In the Swedish translation the sub-preference doesn't even exist. There is no second checkbox under the translation of "Allow Firefox to send technical and interaction data to Mozilla".
I was going to ask where this sub-preference was supposed to be as I couldn't find it. I restarted Firefox with "LANG=C firefox" to get the exact English wording of "Allow Firefox to send technical and interaction data to Mozilla", and only then did "Allow Firefox to install and run studies" appear. And it's turned on by default.
So now the question is: Do speakers of other languages have to periodically start Firefox in English mode and look for new misfeatures that they might want to opt out of, or are these so-called studies only inflicted on speakers of certain languages? Or did the option get turned on automatically now that I started Firefox in the C locale, and remains enabled henceforth unless I explicitly disable it?
Björn Persson
Adam Williamson wrote:
Well, not quite. I installed Firefox rather a long time ago on this system. Again I can't prove it, but at that time I believe this question and preference referred *only* to 'data collection'. However, since then, a new sub-preference seems to have appeared, labelled 'Allow Firefox to install and run studies'. It appears, so far as I can tell, that they are claiming this promotional tie-in constituted a "study". That's a weak claim to start with, but more importantly, I am fairly sure this "Allow Firefox to install and run studies" preference was simply set to 'true' when it was *added* to Firefox. I was not asked. If I had been, I'm pretty sure I would've said no.
IMHO, the fact that telemetry exists and is enabled by default is already an unacceptable privacy invasion. And the misfeature to abuse users as guinea pigs is even more unacceptable.
Kevin Kofler
On Mon, 2017-12-18 at 11:16 -0800, Adam Williamson wrote:
Well, not quite. I installed Firefox rather a long time ago on this system. Again I can't prove it, but at that time I believe this question and preference referred *only* to 'data collection'. However, since then, a new sub-preference seems to have appeared, labelled 'Allow Firefox to install and run studies'. It appears, so far as I can tell, that they are claiming this promotional tie-in constituted a "study". That's a weak claim to start with, but more importantly, I am fairly sure this "Allow Firefox to install and run studies" preference was simply set to 'true' when it was *added* to Firefox. I was not asked. If I had been, I'm pretty sure I would've said no.
Count me in the same boat. I hadn't noticed that option until now.
However, before I toggled it off, I noticed the setting "Prevent accessibility services from accessing your browser". I briefly read the "Learn more" for that feature and upon deciding that I have no need for accessibility services at all, it was just better to toggle that off. Fx then wanted to restart for that change. Much to my surprise, when I got back to the security/privacy settings, the one for "Allow Fx to install and run studies" had vanished ... and yes, the "Allow Fx to send technical and interaction data to Moz" is still enabled.
On Tue, 2017-12-19 at 09:47 -0500, John Florian wrote:
On Mon, 2017-12-18 at 11:16 -0800, Adam Williamson wrote:
Well, not quite. I installed Firefox rather a long time ago on this system. Again I can't prove it, but at that time I believe this question and preference referred *only* to 'data collection'. However, since then, a new sub-preference seems to have appeared, labelled 'Allow Firefox to install and run studies'. It appears, so far as I can tell, that they are claiming this promotional tie-in constituted a "study". That's a weak claim to start with, but more importantly, I am fairly sure this "Allow Firefox to install and run studies" preference was simply set to 'true' when it was *added* to Firefox. I was not asked. If I had been, I'm pretty sure I would've said no.
Count me in the same boat. I hadn't noticed that option until now.
However, before I toggled it off, I noticed the setting "Prevent accessibility services from accessing your browser". I briefly read the "Learn more" for that feature and upon deciding that I have no need for accessibility services at all, it was just better to toggle that off. Fx then wanted to restart for that change. Much to my surprise, when I got back to the security/privacy settings, the one for "Allow Fx to install and run studies" had vanished ... and yes, the "Allow Fx to send technical and interaction data to Moz" is still enabled.
Sounds related to the issue someone else mentioned about the setting not showing up in languages other than English, perhaps...
Once upon a time, Gerald B. Cox gbcox@bzb.us said:
First of all, when you install Fx, it asks you specifically if you want to participate in Fx Data Collection - you can opt out at that point.
AFAIK, not when you install from an RPM.
On Mon, Dec 18, 2017 at 12:06 PM, Chris Adams linux@cmadams.net wrote:
Once upon a time, Gerald B. Cox gbcox@bzb.us said:
First of all, when you install Fx, it asks you specifically if you want
to
participate in Fx Data Collection - you can opt out at that point.
AFAIK, not when you install from an RPM.
See the reply from Florian Weimer - he did a good job in explaining it.
De: "Adam Williamson"
I think we should be concerned by this kind of behaviour on the part of the supplier of our default desktop browser, and we should express that concern to them.
Adam,
We should understand that there is a whole software ecosystem that grew on the Internet and free software, but emphatically does *not* share Fedora values.
For them free software is at best an absurdity and at worst an abomination, and open source is acceptable insofar it offers a ramp to open core or cloud services (which are really the same thing under different guises).
They are here to monetize users one way or another, will collect as much data as possible in the hope of selling it so someone, will make as much a PITA as possible the rebuilding of their software because free software that can only be rebuilt sanely by one org has all the properties of proprietary software without the associated user rejection. They will lobby for 'open source' and 'bundling' and 'container images' because that reduces the actual chance their software can be industrialized by others (ie that severely reduces the SHARE property). Linux distributions in particular are their enemy both because they reduce the cost of deploying their software to zero, and have the capability to remove antifeatures at will.
Those people look closely at how Google managed to build android from open source bricks without letting it escape from its control and dearly wish to emulate that.
They are the same people that thought AIX and Solaris were crushing Linux, because their indicator was the amount of money paid for each system, not how useful it was for the society in general.
A few years ago their indicator switched to the number of users (when people were paying ridiculous amounts of money for websites based on their user count), now the indicator is moving to the amount of data that can be extracted from users (because big data and AI and get rich quick magic), next year it will be something else that will have no relationship with Fedora values.
Is it surprising that the Mozilla foundation, that decided long ago that users were idiots that didn't know what they wanted, and reoriented itself to serve the cloud industry, is increasingly sharing the values of this cloud industry, and only caring about user needs as defined by this industry? I'm sure the people that invented "looking glass" didn't realize (and do not realize today) there was any problem with it. I'm sure they are fuming at the injustice of getting hung high and dry when they were just doing business as usual as defined in those not-really-free-software circles.
This is only the first of many similar incidents, if we continue to think that any one professing "open source" is our friend. Many are not. Free software won the development story but free software values are no less marginal than a decade ago. Maybe even more so, now that the water is severely muddied.
Regards,
On Mon, 2017-12-18 at 22:36 +0100, nicolas.mailhot@laposte.net wrote:
Is it surprising that the Mozilla foundation, that decided long ago that users were idiots that didn't know what they wanted, and reoriented itself to serve the cloud industry
I don't share this opinion at all. If Fedora as a project does, then the obvious course of action would be to find an alternative default browser.
My mail is based on a belief that Mozilla is still one of the better actors we have to work with in the category of desktop browser suppliers, but that it's reasonable to believe that a message to them from a relatively significant downstream along the lines of "hey, folks, we kinda need you to demonstrate that you really understand why this was a bad idea and be clear about how you plan to pull your socks up" might have positive results.
----- Mail original ----- De: "Adam Williamson"
My mail is based on a belief that Mozilla is still one of the better actors we have to work with in the category of desktop browser suppliers,
Adam, I agree it's still one of the better actors, but the better actor bar keeps lowering every year.
Mozilla has progressively redefined its "protect users of the internet" goal to "protect the communication between users and websites", and given how powerful javascript is nowadays that actually means "protect the right of websites to abuse users as they wish". They will lobby for any web standard extension pushed by cloud giants on the grounds it makes the internet better, without any thought for the effects of those extensions on protection of users from abusive websites.
Looking Glass is typical of this mindset: the server/cloud-side defines the rules, in that case server/cloud-side == Mozilla marketing, why should it constrain itself when it fights all year long to give the same power to any random website?
Regards,
-
Adam Williamson -
Benjamin Berg -
Björn Persson -
Chris Adams -
Chris Murphy -
Daniel P. Berrange -
drago01 -
Florian Weimer -
Gerald B. Cox -
Greg Evenden -
John Florian -
Kevin Fenzi -
Kevin Kofler -
Matthew Miller -
nicolas.mailhot@laposte.net -
R P Herrold -
Ralf Corsepius -
Sam Varshavchik -
Sergio Durigan Junior -
Solomon Peachy -
Stephen John Smoogen -
Thomas Daede -
Tom Hughes