bug-gnuzilla
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-gnuzilla] Several freedom-bugs in IceCat (from the Parabola tea


From: Luke T . Shumaker
Subject: Re: [Bug-gnuzilla] Several freedom-bugs in IceCat (from the Parabola team)
Date: Sun, 06 Jan 2013 15:09:24 -0500
User-agent: Wanderlust/2.15.9 (Almost Unreal) SEMI/1.14.6 (Maruoka) FLIM/1.14.9 (Goj┼Ź) APEL/10.8 Emacs/24.2 (i686-pc-linux-gnu) MULE/6.0 (HANACHIRUSATO)

At Sun, 06 Jan 2013 13:08:35 -0500,
Loic J. Duros wrote:
> 
> Luke T. Shumaker <address@hidden> writes:
> > Even though DuckDuckGo is the default, it still includes Google and
> > Yahoo search engines.
> 
> AFAIK, we still want to provide alternatives to DuckDuckGo, and give
> users the choice. DuckDuckGo HTML-only is the default, and non-free JS
> is blocked from such sites as Google and Yahoo. Do you have other
> alternatives you'd like to see there or replace the Google and Yahoo
> choices?

In Parabola, the provided (general purpose) search engines are DDG
HTML, DDG Lite, Seeks[1], and YaCy/bluebox[2].

[1] http://www.seeks-project.info/site/
[2] http://yacy.dyndns.org/

> > Subject: Recommends DuckDuckGo, which uses non-free javascript.
> 
> DuckDuckGo in the search box and in the about:home page go directly to
> the html version of DuckDuckGo, the form is given the html-only url:
> https://duckduckgo.com/html/
> There is no javascript in the html-only pages.
> 
> Where do you see DDG being included without the /html/ url? Maybe
> there's a location where it isn't applied.

I'm sorry, I believe I was mistaken.  You see, Parabola uses
"DuckDuckGo HTML" for the shortName, instead of "DuckDuckGo" to refer
to DDG HTML (consistent with DDG's official opensearch.xml files).  I
had assumed that since IceCat was using just "DuckDuckGo" for the
shortName, it was using the ajax version of DDG.

> > Subject: If social API stuff is enabled, Facebook is there by default
> 
> Even when enabling the Social API, I can't see Facebook enabled by
> default. I talked with a few Firefox developers a while ago on this
> issue. It appears you have to go to a page (from Facebook) and click
> "install", after what you see the sidebar and you can like a URL, etc,
> ... What do you mean by "Facebook there by default"?
> 
> For the Social API code itself, it is released under a free license, and
> so isn't a freedom issue per se. The services it may interact with, on
> the other hand, may not be free. We probably need to warn users about
> this. All in all, I think the Social API is less of a privacy concern
> than the "like" buttons you may find on websites, because if you `like`
> a URL with the API, only the URL value is being communicated; but I'll
> have to check again. Of course, we should at least warn or discourage
> people from using Facebook for the reasons given here:
> https://www.fsf.org/facebook
> 
> More to come about this... But let's keep in mind it is already disabled
> by default.

I have not evaluated that issue myself, I was looking at libre.patch,
which is (should be) used to correct freedom-related issues.  The
portion that I am reporting is this:

diff -Nur a/browser/app/profile/firefox.js b/browser/app/profile/firefox.js
--- a/browser/app/profile/firefox.js    2012-12-01 16:06:30.000000000 -0200
+++ b/browser/app/profile/firefox.js    2012-12-04 20:42:20.753633713 -0200
@@ -1149,13 +1149,3 @@
 // might keep around more than this, but we'll try to get down to this value).
 // (This is intentionally on the high side; see bug 746055.)
 pref("image.mem.max_decoded_image_kb", 256000);
-
-// Example social provider
-pref("social.manifest.facebook", 
"{\"origin\":\"https://www.facebook.com\",\"name\":\"Facebook 
Messenger\",\"workerURL\":\"https://www.facebook.com/desktop/fbdesktop2/socialfox/fbworker.js.php\",\"iconURL\":\"data:image/x-icon;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8%2F9hAAAAX0lEQVQ4jWP4%2F%2F8%2FAyUYTFhHzjgDxP9JxGeQDSBVMxgTbUBCxer%2Fr999%2BQ8DJBuArJksA9A10s8AXIBoA0B%2BR%2FY%2FjD%2BEwoBoA1yT5v3PbdmCE8MAshhID%2FUMoDgzUYIBj0Cgi7ar4coAAAAASUVORK5CYII%3D\",\"sidebarURL\":\"https://www.facebook.com/desktop/fbdesktop2/?socialfox=true\"}";);
-// Comma-separated list of nsIURI::prePaths that are allowed to activate
-// built-in social functionality.
-pref("social.activation.whitelist", "https://www.facebook.com";);
-pref("social.sidebar.open", true);
-pref("social.sidebar.unload_timeout_ms", 10000);
-pref("social.active", false);
-pref("social.toast-notifications.enabled", true);

> > The bar that pops up on first run tha has the "Know your rights..."
> > button reads:
> >
> >  > GNU IceCat is free and open source software from the non-profit
> >  > Mozilla Foundation.
> 
> Thanks! This is a problem. We might want to remove the bar all together or
> create a new one linking to the Free Software page.

I think that taking the user to "about:rights" is OK.  However, it
does look like that the file needs to be filled out; it has numerous
"X goes here" lines in it :P

> > ----
> >
> > Type: technical/rebranding issue
> > Subject: "Reset IceCat" does not work
> >
> > This is because it falls victim to Mozilla bug 756390
> > The patch uploaded to the Mozilla bug tracker should fix this.
> >
> > https://bugzilla.mozilla.org/show_bug.cgi?id=756390
> >
> > ----

> > Subject: Uses the phrase "Firefox Sync"
> 
> Since the servers are provided by Mozilla, changing the name to "IceCat"
> didn't seem to make much sense, and could have been misleading for users.

Fair enough.

> > ----
> >
> > Type: freedom/legal issue
> > Subject: Recommends using Mozilla's sync servers.
> >
> > Mozilla's TOS only allows "official Mozilla-branded software" to use
> > their servers for Firefox Sync without special written permission.
> >
> > I know that Trisquel runs their own sync servers for Abrowser, I'm
> > sure they'd be happy to let you use them.  I also think it would be
> > cool if GNU ran their own servers.  I've also been toying with the
> > idea of packaging the sync server software for Parabola and running it
> > on our servers.
> >
> > If you do end up getting permission to use Mozilla's servers, I
> > believe that the TOS and Privacy Policy are acceptable, but you'd want
> > to take a look yourself. 
> >
> > ----
> >
> > Type: bug
> > Subject: langpacks
> >
> > There are no IceCat 17 langpacks that I can tell.
> 
> I have sent an announcement on this mailing that I was looking for help
> on this. I can generate the automated packages, but they have several
> issues that need more focus than I have time to give them. Currently
> focus is on privacy and freedom, and so anyone willing to take over
> generating the langpacks would be appreciated!
> 
> > As another issue with the langpack script, the resulting langpacks
> > overrode the normal search engine settings to be back to using Google
> > by default. (apparently, en-US user here)
> 
> This is one among other issues with the bash script that does the
> conversion. It needs much updating.

I'll look into seeing what I can do about creating tools to deal with
the langpacks.

> > Type: feature request
> > Subject: Run AMO on GNU servers.
> 
> I have asked the sysadmins at GNU about hosting an appl a while ago, and
> the best solution they gave us is to host the list of addons in the FSF
> Free Software Directory. I am looking for volunteers who can help doing
> this. They would need an account on the FSF directory and a brief
> walkthrough on how to create the addon list.
> 
> Would you be willing to add the addons to the FSF Directory list, or
> find more volunteers to do so? :-)

Absolutely!

> Also, if you are interested in working on IceCat bugs yourself and
> provide patches, this would be very beneficial for the project.
> 
> Thanks for all your reports, and I'm looking forward to fixing what can
> be fixed!
> 
> Loic

Happy hacking,
~ Luke Shumaker



reply via email to

[Prev in Thread] Current Thread [Next in Thread]