Bug#788900: iceweasel: still shows traces of OpenH264

Christoph Anton Mitterer calestyo at scientia.net
Tue Jun 16 03:32:40 UTC 2015


Package: iceweasel
Version: 38.0.1-5
Severity: normal


Hi.

Iceweasel still shows places of the blob plugin OpenH264 at several places:


1) All the downloading code and options seem to be still present, as is the
plugin entry in Tools/Add-Ons in the menu (even though disabled).

As far as I understood, the long term plan was to either properly package
OpenH264 and/or rely on other system libs for H264 decoding.

Therefore I'd kindly ask the maintainers to consider removing the whole
downloader facilities.
If the decoder is properly packaged, then the downloader-facilities are
at best useless and at worst get accidentally used/enabled somehow and download
and execute possibly malicious code as it has already happened before.


2) Going to about:plugins still shows the plugin being there (just disabled)
and even gives a path where it would exist:
/home/user/.mozilla/firefox/profile/gmp-gmpopenh264/1.1
which is however not even existing but confusing.

So at least this would be nice to be fixed.


3) /home/user/.mozilla/firefox/profile/gmp seems to be still created here?!



This whole blob downloading seems to get more and more of an issue,... just
these days it was found out that Chromium is doing the same.

Many people choose open source for security, trust and verifiability reasons,
thus it would be nice if (at the Debian level) more pro-active measurements
could be taken to prevent these things from even remotely happening again.
Especially when it comes to packages which are known for having such "habits".


Cheers,
Chris.



More information about the pkg-mozilla-maintainers mailing list