Bug#720289: history, analysis, and a recommendation

Larry Doolittle larry at doolittle.boa.org
Wed Aug 28 02:59:24 UTC 2013


Dear iceweasel maintainers and lurkers,

Here's some history, analysis, and a recommendation.

Firefox 10-ESR disabled WebGL/Mesa based on
  https://bugzilla.mozilla.org/show_bug.cgi?id=777028
in which the rationale comes out clearly:
  1. the Firefox team can't control the quality of the Mesa version installed
  2. ESR releases are meant for ultra-conservative users who probably are
     not interested in glitzy frills like WebGL
Neither of these assumptions is completely true for a Debian stable release.
Also, blacklisting WebGL/Mesa indirectly endorses proprietary drivers; a position
that probably doesn't bother Mozilla much, but is at odds with Debian principles.

iceweasel_10.0.12esr-1 shipped with
  patches/fixes/Allow-webGL-with-mesa-assuming-users-will-have-updat.patch
which removes the disabling stanza.  Its meta-information reads:
  From: Mike Hommey <redacted>
  Date: Fri, 31 Aug 2012 09:01:08 +0200
  Subject: Allow webGL with mesa, assuming users will have updated to 8.0.4-2 on wheezy
  The version in squeeze-backports is not affected by CVE-2012-2864, and the version in squeeze is blacklisted.

Firefox 17-ESR disabled WebGL/Mesa based on
  https://bugzilla.mozilla.org/show_bug.cgi?id=838413
which has much less detail than the Firefox 10 discussion.
The starting comment from Benoit Jacob is:
  In ESR10 Mesa was blacklisted and we've had many occasions to be thankful for that.
  We should do the same for ESR17.

iceweasel_17.0.8esr-1~deb7u1 shipped _without_ any patch changing the
WebGL/Mesa blacklisting.  If there was any internal discussion leading to that
decision, I'm not aware of it.  And of course there's no commit message to read.

I don't want to second-guess the decision to leave WebGL/Mesa disabled in Wheezy's
iceweasel.  But if that is in fact the intended behavior, there are two bugs:
  1. Not documenting the regression
  2. Not providing a bypass
I have been taught that software "should not set policy, but provide capabilities."
(That phrasing is from 2008 by John Kacur, but the idea is much older.)

I'm no Firefox source code expert, so I don't really want to write the patch
putting in a bypass switch to ignore the blacklist.  If I did it, it would
probably be based on a magic environment variable.  Maybe there's a more GUI
way to do it.  Whatever.  But it should not require a 75+ MB download and 2 hours
of CPU time to bypass a blacklist that may or may not have any basis.

P.S. Is it expected that the "Debian Changelog" link from
  http://packages.debian.org/wheezy/iceweasel
tells me "Not Found"?



More information about the pkg-mozilla-maintainers mailing list