Bug#769716: iceweasel: OpenH264 back in 37, breaks H.264 playback

Fri Apr 3 00:18:05 UTC 2015

On Fri, 2015-04-03 at 09:05 +0900, Mike Hommey wrote: 
> Did you read my message? Nothing is being downloaded. Iceweasel only
> happens to use what was downloaded *before* the original fix in version 34.
Sure I got that, but IMO it shouldn't even be using that.
Actually that it does use it, shows us just how wrong the principle of
installing software to the home dirs is.
It circumvents package management, it's no longer security supported at
all (I guess since the actual downloading got disabled as you've said,
people who had it downloaded back then won't either get updates for
their back then version, which IIRC already got a CVE few days after),
people usually don't expect that they have to look for software in their
home dir and manually need to uninstall it.

It's not that I have anything against OpenH264, if Iceweasel wants to
use it - fine - but then please only from a package, installed to some
system location.

So my comment from above didn't just apply to the downloader part (which
you said was disabled), it basically applied to the whole framework that
Mozilla set up for this hack of the patent system... including the usage
of previously downloaded, no longer updated code in ~/

> > Didn't version 37 also start to include code for MSE? And wasn't that
> > also binary proprietary code?
> You're mixing acronyms. MSE is not EME.
Ah, you're right...

Uhm I had a small look at the real MSE.
So... AFAIU this is *not* about bytecode sent to the browser and then
executed right? (cause then it wouldn't be much better in terms of
security,... as we all know, sandboxes are regularly escaped)

Cheers,
Chris.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5313 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-mozilla-maintainers/attachments/20150403/fe127222/attachment-0001.bin>