Bug#837091: firefox-esr: EME DRM extention present and enabled

Tue Jun 20 20:09:49 UTC 2017

Dear Simon, dear maintainers,

since you replied and are probably a bit better knowledgeable about some
of the etiquette on the bug tracker than I am.

Do you know if Is there discussion about the EME / DRM implementations
going on? This was one of the reasons for submitting this bug, next to
documenting concern from (one user out of) the user community about
EME/DRM being present.

I had actually already expected a close or degraded severity for this
bug after a short comment (which you provided) of the standpoint of (one
of) the Debian developers on this. I don't want to block any progress on
package releases, nor start a flame war (please not, costs way too much
time).

@maintainers: If Simons reasoning is seen as representative, please
close bug with a short comment summarising the maintainers standpoint.
(or does etiquette require me to close or degrade priority of the bug?)

Yours,

Tjeerd

On 05/27/2017 02:47 PM, Simon McVittie wrote:
> On Thu, 08 Sep 2016 at 20:14:28 +0200, Tjeerd Pinkert wrote:
>> after reading up a bit (late(ly)) on the W3C EME proposed standard for
>> embedding of DRM managed content in web pages, I decided to have a
>> look if it is present in the firefox browser
> [...]
>> I think the presence of code that requires closed source components to
>> function, might violate the DFSG for the main section? On the other
>> hand, no package relation is available in the non-free section as far
>> as I see that is actively depended on. If a decision has been taken on
>> this already, then please close.
> 
> I don't see a freeness problem here.
> 
> Firefox with the EME API enabled at compile time, but no CDM (DRM
> implementation) installed, is presumably no less functional than Firefox
> with the EME API disabled at compile time - so the CDM is not a
> dependency, because Firefox without a CDM is a perfectly acceptable web
> browser (just missing an optional feature). If we shipped CDMs in
> non-free, I don't think Firefox would have a stronger relationship to
> them than Suggests (or more likely, the CDMs would declare an Enhances
> relationship on Firefox, which means the same thing). Packages in main
> are allowed to have Suggests on non-free or even not-in-Debian packages,
> just not (Pre-)Depends or Recommends.
> 
> Free CDMs do seem to exist -
> https://github.com/fraunhoferfokus/open-content-decryption-module is one
> example. It is fairly likely that content publishers will not actually
> *use* those CDMs, but that's between you and the content providers whose
> products you choose to buy. So from a freeness point of view, this
> doesn't seem any worse than any other plugin interface that can accept
> both Free and non-Free plugins - for example glibc NSS, PAM, GStreamer,
> Firefox NPAPI, kernel modules, and OpenGL/EGL/Vulkan drivers.
> 
> I understand your desire to avoid DRM, but I don't think opening
> release-critical bugs requesting that features are removed from our
> builds of Firefox is an appropriate way to go about it.
> 
>> P.S. yes I know, having flash installed as a plugin is as bad as
>> having EME enabled...
> 
> In particular, I believe having the Flash NPAPI plugin installed means
> your copy of Firefox already loads a DRM implementation, because there's
> one in Flash. You might as well use one that is better-sandboxed, which
> is the purpose of EME.
> 
>     S

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-mozilla-maintainers/attachments/20170620/05cda05d/attachment.sig>