Firefox and Mozilla Update

Ian Jackson ian at davenant.greenend.org.uk
Wed Sep 14 06:47:21 CDT 2005


Firefox has the ability to download additional and updated software
from the Mozilla project website, and of course our own package
management systems do the same thing from our distribution.

Mozilla distinguishes:
 * Application updates: the browser (or whatever) itself
 * Extensions: additional functionality (there is a rich ecology of
    extensions of varying quality and usefulness).  (There are themes
    too.)
 * Plugins: software to display additional content which Firefox can't
    do itself.

The current situation in Breezy is:

 * The `plugin finder' can automatically find and install (following
   user permission including agreement to egregious licences) plugins
   like Flash.  This appears to work as intended by upstream.  There
   does not appear to be a mechanism for updating these plugins (which
   probably implies a nearly-insurmountable security problem, since
   automatically suggesting updates from untrustworthy organisations
   like Macromedia is unwise).

 * The `application' and `extensions' updates systems have been
   deliberately broken by the removal of one of the pieces of UI XML.
   This makes it impossible to use the UI to update Firefox itself; I
   haven't determined yet for sure whether all routes to extension
   updates are blocked.  Nevertheless most of the UI is still
   available and simply inexplicably nonfunctional.  Additionally, the
   links which open up pages on the Mozilla extensions site are still
   present.

This is obviously rather suboptimal.  I don't propose to make any
significant changes for Breezy at this late stage, but we should start
thinking about how we want this to work in the future.  Questions we
need to ask ourselves include:

 * What is our political position regarding content viewable only with
   non-free software ?  How bad does the non-free licence have to be,
   and/or how bad does the software have to be, before we will decline
   to lead the user through agreeing to the licence and installing the
   software ?  Or do we take a Stallmanite position and refuse to
   suggest any non-free software ?

   Some of the arguments that might be made seem similar to those
   surrounding non-free drivers which we currently have in
   `restricted'.

   As an example of a bad licence, see the one for Flash 7, which
   amongst other evil contains provisions apparently intended to
   hinder anyone developing with a compatible player.  (These
   provisions are incompatible with for example EU law but there's a
   choice of law clause too.)  Let's not get too far into armchair
   lawyering here, but the situation there is clearly pretty bad.

 * What should our approach be to the near-certainty of security bugs
   in the plugins mentioned above ?  Is there a system (or can we
   create a system) for vetting `security updates' from plugin
   suppliers to ensure that they do not introduce hostile behaviours ?

 * As a technical question, should Firefox extensions and themes be
   installable by Ubuntu users from Ubuntu universe, or from Mozilla
   Update ?  Should Ubuntu users be offered these Mozilla addons via
   the Firefox UI ?

   If you answer `both' to the previous question, note that this will
   not provide a very good user experience.  It is probably
   impractical for us to attempt to allow the user to manage both sets
   of extensions through both interfaces, so instead you'll find that
   there are two interfaces for extensions some of which are used for
   some and some for others.  And if we accept that then we still have
   to stop the Ubuntu and Firefox packaging systems fighting each
   other.

 * Mozilla's system does not appear to have a way to deinstall a piece
   of software for which support (including, of course, security
   support) has been withdrawn.  What should we do about this ?

 * What level of referral from the Ubuntu Firefox UI to the Mozilla
   website is appropriate ?

Ian.

PS: 4395 in our bugzilla covers some of this.