Firefox and Mozilla Update
Ian Jackson
ian at davenant.greenend.org.uk
Wed Sep 14 06:47:21 CDT 2005
Firefox has the ability to download additional and updated software
from the Mozilla project website, and of course our own package
management systems do the same thing from our distribution.
Mozilla distinguishes:
* Application updates: the browser (or whatever) itself
* Extensions: additional functionality (there is a rich ecology of
extensions of varying quality and usefulness). (There are themes
too.)
* Plugins: software to display additional content which Firefox can't
do itself.
The current situation in Breezy is:
* The `plugin finder' can automatically find and install (following
user permission including agreement to egregious licences) plugins
like Flash. This appears to work as intended by upstream. There
does not appear to be a mechanism for updating these plugins (which
probably implies a nearly-insurmountable security problem, since
automatically suggesting updates from untrustworthy organisations
like Macromedia is unwise).
* The `application' and `extensions' updates systems have been
deliberately broken by the removal of one of the pieces of UI XML.
This makes it impossible to use the UI to update Firefox itself; I
haven't determined yet for sure whether all routes to extension
updates are blocked. Nevertheless most of the UI is still
available and simply inexplicably nonfunctional. Additionally, the
links which open up pages on the Mozilla extensions site are still
present.
This is obviously rather suboptimal. I don't propose to make any
significant changes for Breezy at this late stage, but we should start
thinking about how we want this to work in the future. Questions we
need to ask ourselves include:
* What is our political position regarding content viewable only with
non-free software ? How bad does the non-free licence have to be,
and/or how bad does the software have to be, before we will decline
to lead the user through agreeing to the licence and installing the
software ? Or do we take a Stallmanite position and refuse to
suggest any non-free software ?
Some of the arguments that might be made seem similar to those
surrounding non-free drivers which we currently have in
`restricted'.
As an example of a bad licence, see the one for Flash 7, which
amongst other evil contains provisions apparently intended to
hinder anyone developing with a compatible player. (These
provisions are incompatible with for example EU law but there's a
choice of law clause too.) Let's not get too far into armchair
lawyering here, but the situation there is clearly pretty bad.
* What should our approach be to the near-certainty of security bugs
in the plugins mentioned above ? Is there a system (or can we
create a system) for vetting `security updates' from plugin
suppliers to ensure that they do not introduce hostile behaviours ?
* As a technical question, should Firefox extensions and themes be
installable by Ubuntu users from Ubuntu universe, or from Mozilla
Update ? Should Ubuntu users be offered these Mozilla addons via
the Firefox UI ?
If you answer `both' to the previous question, note that this will
not provide a very good user experience. It is probably
impractical for us to attempt to allow the user to manage both sets
of extensions through both interfaces, so instead you'll find that
there are two interfaces for extensions some of which are used for
some and some for others. And if we accept that then we still have
to stop the Ubuntu and Firefox packaging systems fighting each
other.
* Mozilla's system does not appear to have a way to deinstall a piece
of software for which support (including, of course, security
support) has been withdrawn. What should we do about this ?
* What level of referral from the Ubuntu Firefox UI to the Mozilla
website is appropriate ?
Ian.
PS: 4395 in our bugzilla covers some of this.