GNU bug report logs - #68361
Mozzarella may list non-free add-ons


Package: gnuzilla;

Reported by: Nguyễn Gia Phong <cnx <at> loang.net>

Date: Wed, 10 Jan 2024 02:18:02 UTC

Severity: normal

To reply to this bug, email your comments to 68361 AT debbugs.gnu.org.



Report forwarded to bug-gnuzilla <at> gnu.org:
bug#68361; Package gnuzilla. (Wed, 10 Jan 2024 02:18:02 GMT)

Acknowledgement sent to Nguyễn Gia Phong <cnx <at> loang.net>:
New bug report received and forwarded. Copy sent to bug-gnuzilla <at> gnu.org. (Wed, 10 Jan 2024 02:18:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Nguyễn Gia Phong <cnx <at> loang.net>
To: <bug-gnuzilla <at> gnu.org>
Subject: Mozzarella may list non-free add-ons
Date: Wed, 10 Jan 2024 10:53:46 +0900
Hi,

I learned about Mozzarella from social media, so I missed
the official announcement of how it is curated,
i.e. automatically or manually added entries.

Either way, I spotted ff2mpv being listed
although it is published under a non-free license:
https://raw.githubusercontent.com/woodruffw/ff2mpv/master/LICENSE

The Firefox add-on page still shows the original Expat license though,
so Mozzarella inherits this metadata.

I think cases like this are rare enough to not demand a web UI
to report extensions add-ons accidentally listed on Mozzarella,
but there should be a mechanism to manually remove it
from the repository to avoid misleading users into installing
proprietary software.

BTW all Mozzarella pages have an empty <title>, which makes it difficult
to browse multiple extensions in different tabs/windows.

Kind regards,
Phong

Information forwarded to bug-gnuzilla <at> gnu.org:
bug#68361; Package gnuzilla. (Wed, 10 Jan 2024 16:46:01 GMT)

Message #8 received at submit <at> debbugs.gnu.org:

From: Clément Lassieur <clement <at> lassieur.org>
To: bug-gnuzilla--- via GNUzilla bug reports <bug-gnuzilla <at> gnu.org>
Cc: 68361 <at> debbugs.gnu.org, Nguyễn Gia Phong <cnx <at> loang.net>
Subject: Re: bug#68361: Mozzarella may list non-free add-ons
Date: Wed, 10 Jan 2024 17:44:54 +0100
On Wed, Jan 10 2024, bug-gnuzilla--- via GNUzilla bug reports wrote:

> Hi,
>
> I learned about Mozzarella from social media, so I missed
> the official announcement of how it is curated,
> i.e. automatically or manually added entries.
>
> Either way, I spotted ff2mpv being listed
> although it is published under a non-free license:
> https://raw.githubusercontent.com/woodruffw/ff2mpv/master/LICENSE
>
> The Firefox add-on page still shows the original Expat license though,
> so Mozzarella inherits this metadata.
>
> I think cases like this are rare enough to not demand a web UI
> to report extensions add-ons accidentally listed on Mozzarella,
> but there should be a mechanism to manually remove it
> from the repository to avoid misleading users into installing
> proprietary software.
>
> BTW all Mozzarella pages have an empty <title>, which makes it difficult
> to browse multiple extensions in different tabs/windows.
>
> Kind regards,
> Phong

Hi,

I think this is an issue indeed.  But there is another one that is more
serious: even if we remove ff2mpv from Mozzarella, all users who have it
installed will have new updates pulling the non-free code forever.

A possible fix would be to change the source of the add-ons, from
addons.mozilla.org to Guix
(e.g. file:///gnu/store/dxck0g51w8kzmzdn1nx97dsnp78jq4sv-ublock-origin-1.54.0-xpi/lib/mozilla/extensions/uBlock0.firefox.xpi).

That would require us to sign our add-ons though.  I don't know how
feasible it is.

Clément




Information forwarded to bug-gnuzilla <at> gnu.org:
bug#68361; Package gnuzilla. (Wed, 10 Jan 2024 16:46:02 GMT)

Information forwarded to bug-gnuzilla <at> gnu.org:
bug#68361; Package gnuzilla. (Wed, 10 Jan 2024 17:07:01 GMT)

Message #14 received at 68361 <at> debbugs.gnu.org:

From: Clément Lassieur <clement <at> lassieur.org>
To: 68361 <at> debbugs.gnu.org
Cc: cnx <at> loang.net
Subject: Re: bug#68361: Mozzarella may list non-free add-ons
Date: Wed, 10 Jan 2024 18:06:07 +0100
On Wed, Jan 10 2024, Clément Lassieur wrote:

> On Wed, Jan 10 2024, bug-gnuzilla--- via GNUzilla bug reports wrote:
>
>> Hi,
>>
>> I learned about Mozzarella from social media, so I missed
>> the official announcement of how it is curated,
>> i.e. automatically or manually added entries.
>>
>> Either way, I spotted ff2mpv being listed
>> although it is published under a non-free license:
>> https://raw.githubusercontent.com/woodruffw/ff2mpv/master/LICENSE
>>
>> The Firefox add-on page still shows the original Expat license though,
>> so Mozzarella inherits this metadata.
>>
>> I think cases like this are rare enough to not demand a web UI
>> to report extensions add-ons accidentally listed on Mozzarella,
>> but there should be a mechanism to manually remove it
>> from the repository to avoid misleading users into installing
>> proprietary software.
>>
>> BTW all Mozzarella pages have an empty <title>, which makes it difficult
>> to browse multiple extensions in different tabs/windows.
>>
>> Kind regards,
>> Phong
>
> Hi,
>
> I think this is an issue indeed.  But there is another one that is more
> serious: even if we remove ff2mpv from Mozzarella, all users who have it
> installed will have new updates pulling the non-free code forever.
>
> A possible fix would be to change the source of the add-ons, from
> addons.mozilla.org to Guix
> (e.g. file:///gnu/store/dxck0g51w8kzmzdn1nx97dsnp78jq4sv-ublock-origin-1.54.0-xpi/lib/mozilla/extensions/uBlock0.firefox.xpi).

Sorry my link is wrong.  That would be
https://bordeaux.guix.gnu.org/nar/lzip/dxck0g51w8kzmzdn1nx97dsnp78jq4sv-ublock-origin-1.54.0-xpi.
But it wouldn't work right away anyway because the format is not correct.

> That would require us to sign our add-ons though.  I don't know how
> feasible it is.
>
> Clément




Information forwarded to bug-gnuzilla <at> gnu.org:
bug#68361; Package gnuzilla. (Wed, 10 Jan 2024 19:04:01 GMT)

Message #17 received at submit <at> debbugs.gnu.org:

From: bill-auger <bill-auger <at> peers.community>
To: bug-gnuzilla--- via GNUzilla bug reports <bug-gnuzilla <at> gnu.org>
Cc: 68361 <at> debbugs.gnu.org, Nguyễn Gia Phong <cnx <at> loang.net>
Subject: Re: bug#68361: Mozzarella may list non-free add-ons
Date: Wed, 10 Jan 2024 14:03:01 -0500
though the public instance of the mozzarella website is hosted under gnuzilla's
web space, it is not part of the gnuzilla project or any GNU project - it is used
by other web browsers also, such as parabola's iceweasel and trisquel's
abrowser - mozzarella's author probably does not read this mailing list; so i
would not expect anything to happen unless this issue is raised on the
mozzarella bug tracker

https://gitlab.trisquel.org/joeall/mozzarella/-/issues

i suppose that a link to the bug tracker should be added to the mozzarella UI to
guide bug reports toward the author




Information forwarded to bug-gnuzilla <at> gnu.org:
bug#68361; Package gnuzilla. (Wed, 10 Jan 2024 19:04:02 GMT)

This bug report was last modified 1 year and 156 days ago.
