Bug#837091: firefox-esr: EME DRM extention present and enabled

Simon McVittie smcv at debian.org
Sat May 27 12:47:45 UTC 2017 

On Thu, 08 Sep 2016 at 20:14:28 +0200, Tjeerd Pinkert wrote:
> after reading up a bit (late(ly)) on the W3C EME proposed standard for
> embedding of DRM managed content in web pages, I decided to have a
> look if it is present in the firefox browser
[...]
> I think the presence of code that requires closed source components to
> function, might violate the DFSG for the main section? On the other
> hand, no package relation is available in the non-free section as far
> as I see that is actively depended on. If a decision has been taken on
> this already, then please close.

I don't see a freeness problem here.

Firefox with the EME API enabled at compile time, but no CDM (DRM
implementation) installed, is presumably no less functional than Firefox
with the EME API disabled at compile time - so the CDM is not a
dependency, because Firefox without a CDM is a perfectly acceptable web
browser (just missing an optional feature). If we shipped CDMs in
non-free, I don't think Firefox would have a stronger relationship to
them than Suggests (or more likely, the CDMs would declare an Enhances
relationship on Firefox, which means the same thing). Packages in main
are allowed to have Suggests on non-free or even not-in-Debian packages,
just not (Pre-)Depends or Recommends.

Free CDMs do seem to exist -
https://github.com/fraunhoferfokus/open-content-decryption-module is one
example. It is fairly likely that content publishers will not actually
*use* those CDMs, but that's between you and the content providers whose
products you choose to buy. So from a freeness point of view, this
doesn't seem any worse than any other plugin interface that can accept
both Free and non-Free plugins - for example glibc NSS, PAM, GStreamer,
Firefox NPAPI, kernel modules, and OpenGL/EGL/Vulkan drivers.

I understand your desire to avoid DRM, but I don't think opening
release-critical bugs requesting that features are removed from our
builds of Firefox is an appropriate way to go about it.

> P.S. yes I know, having flash installed as a plugin is as bad as
> having EME enabled...

In particular, I believe having the Flash NPAPI plugin installed means
your copy of Firefox already loads a DRM implementation, because there's
one in Flash. You might as well use one that is better-sandboxed, which
is the purpose of EME.

    S

More information about the pkg-mozilla-maintainers mailing list