Bug 1155499

Summary: firefox: Downloads non-free OpenH264 blob on first start
Product: [Fedora] Fedora
Reporter: Florian Weimer <fweimer>
Component: firefox
Assignee: Martin Stransky <stransky>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 20
CC: fweimer, gecko-bugs-nobody, kevin, l_bratch, luke, mcatanzaro+wrong-account-do-not-cc, ppisar, rz, stransky
Flags: rz: needinfo-
Hardware: Unspecified
OS: Unspecified
Fixed In Version: firefox-33.1-2.fc20
Doc Type: Bug Fix
Last Closed: 2014-11-13 11:18:28 UTC
Type: Bug
Attachments: prefs to disable downloading (flags: none)

Description Florian Weimer 2014-10-22 09:03:35 UTC
Upon first startup, Firefox automatically downloads Cisco's OpenH264 video codec:

1413967331677	GMPInstallManager.simpleCheckAndInstall	INFO	Last check was: 1413967332 seconds ago, minimum seconds: 86400
1413967331677	GMPInstallManager._getURL	INFO	Using url: https://aus4.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
1413967331678	GMPInstallManager._getURL	INFO	Using url (with replacement): https://aus4.mozilla.org/update/3/GMP/33.0/20141015093046/Linux_x86_64-gcc3/en-US/default/Linux%203.16.4-200.fc20.x86_64%20(GTK%202.24.24)/default/default/update.xml
1413967331679	GMPInstallManager.checkForAddons	INFO	sending request to: https://aus4.mozilla.org/update/3/GMP/33.0/20141015093046/Linux_x86_64-gcc3/en-US/default/Linux%203.16.4-200.fc20.x86_64%20(GTK%202.24.24)/default/default/update.xml
1413967332575	GMPInstallManager.onLoadXML	INFO	request completed downloading document
1413967332580	GMPInstallManager.onLoadXML	INFO	allowNonBuiltIn: false
1413967332601	GMPInstallManager.simpleCheckAndInstall	INFO	Found 1 addons advertised.
1413967332601	GMPInstallManager.simpleCheckAndInstall	INFO	Found addon: gmp-gmpopenh264 (isValid: true, isInstalled: false, isOpenH264: true, hashFunction: sha512, hashValue: 737e49f25aace93d470f1a781c69c3cdd0c9db21afe62221fb171d38a31d8a2b55af01a69cd00e7352e7a34aa450b6b85729509f81582379394785b37997a423, size: 385889)
1413967332982	GMPInstallManager.simpleCheckAndInstall	INFO	Addon installed successfully: gmp-gmpopenh264 (isValid: true, isInstalled: true, isOpenH264: true, hashFunction: sha512, hashValue: 737e49f25aace93d470f1a781c69c3cdd0c9db21afe62221fb171d38a31d8a2b55af01a69cd00e7352e7a34aa450b6b85729509f81582379394785b37997a423, size: 385889)

Also see about:plugins.

I see three problems with that:

1. The binary was not built on Fedora infrastructure, which is against packaging policy.

2. Cisco's binary license agreement requires that the license is presented to the user, but it is not included in the Licensing Information or End User Rights that come with Firefox.  It is linked from the Add-Ons Manager, but not from about:plugins.

3. Cisco's license does not seem to allow commercial use (“uses in which it [receives] remuneration”), which is a restriction on use and incompatible with Fedora's licensing guidelines.

Cisco's license is available in Firefox itself and on the web:

  <chrome://mozapps/content/extensions/OpenH264-license.txt>
  <http://www.openh264.org/BINARY_LICENSE.txt>

I've also reproduced it below.

-------------------------------------------------------
About The Cisco-Provided Binary of OpenH264 Video Codec
-------------------------------------------------------

Cisco provides this program under the terms of the BSD license.  

Additionally, this binary is licensed under Cisco’s AVC/H.264 Patent Portfolio License from MPEG LA, at no cost to you, provided that the requirements and conditions shown below in the AVC/H.264 Patent Portfolio sections are met.  

As with all AVC/H.264 codecs, you may also obtain your own patent license from MPEG LA or from the individual patent owners, or proceed at your own risk.  Your rights from Cisco under the BSD license are not affected by this choice.  

For more information on the OpenH264 binary licensing, please see the OpenH264 FAQ found at http://www.openh264.org/faq.html#binary 

A corresponding source code to this binary program is available under the same BSD terms, which can be found at http://www.openh264.org

-----------
BSD License
-----------

Copyright © 2014 Cisco Systems, Inc.

All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

-----------------------------------------
AVC/H.264 Patent Portfolio License Notice
-----------------------------------------

The binary form of this Software is distributed by Cisco under the AVC/H.264 Patent Portfolio License from MPEG LA, and is subject to the following requirements, which may or may not be applicable to your use of this software: 

THIS PRODUCT IS LICENSED UNDER THE AVC PATENT PORTFOLIO LICENSE FOR THE PERSONAL USE OF A CONSUMER OR OTHER USES IN WHICH IT DOES NOT RECEIVE REMUNERATION TO (i) ENCODE VIDEO IN COMPLIANCE WITH THE AVC STANDARD (“AVC VIDEO”) AND/OR (ii) DECODE AVC VIDEO THAT WAS ENCODED BY A CONSUMER ENGAGED IN A PERSONAL ACTIVITY AND/OR WAS OBTAINED FROM A VIDEO PROVIDER LICENSED TO PROVIDE AVC VIDEO.  NO LICENSE IS GRANTED OR SHALL BE IMPLIED FOR ANY OTHER USE.  ADDITIONAL INFORMATION MAY BE OBTAINED FROM MPEG LA, L.L.C. SEE HTTP://WWW.MPEGLA.COM

Accordingly, please be advised that content providers and broadcasters using AVC/H.264 in their service may be required to obtain a separate use license from MPEG LA, referred to as "(b) sublicenses" in the SUMMARY OF AVC/H.264 LICENSE TERMS from MPEG LA found at http://www.openh264.org/mpegla

---------------------------------------------
AVC/H.264 Patent Portfolio License Conditions
---------------------------------------------

In addition, the Cisco-provided binary of this Software is licensed under Cisco's license from MPEG LA only if the following conditions are met:

1. The Cisco-provided binary is separately downloaded to an end user’s device, and not integrated into or combined with third party software prior to being downloaded to the end user’s device;

2. The end user must have the ability to control (e.g., to enable, disable, or re-enable) the use of the Cisco-provided binary;

3. Third party software, in the location where end users can control the use of the Cisco-provided binary, must display the following text:

       "OpenH264 Video Codec provided by Cisco Systems, Inc."

4.  Any third-party software that makes use of the Cisco-provided binary must reproduce all of the above text, as well as this last condition, in the EULA and/or in another location where licensing information is to be presented to the end user.  
 


                          v1.0

Comment 1 Martin Stransky 2014-10-22 14:05:47 UTC
There was a discussion about it on FESCo without any result. We have something in the hands now so we can discuss how to handle it. Feel free to file such a ticket there.

Comment 2 Florian Weimer 2014-10-22 14:38:36 UTC
(In reply to Martin Stransky from comment #1)
> There was a discussion about it on FESCo without any result. We have
> something in the hands now so we can discuss how to handle it. Feel free to
> file such a ticket there.

Okay, I filed https://fedorahosted.org/fesco/ticket/1359 .

Comment 3 Kevin Fenzi 2014-11-05 19:30:48 UTC
Can any of the firefox maintainers answer Matt's questions in comment #3 of the above ticket?

Basically I think we would very much like to have a way to let users download this if they choose, but not to automatically do so for them. Is there a way we can do that?

Comment 4 Martin Stransky 2014-11-06 11:34:23 UTC
IMHO the automatic download can be disabled. The problem here is how to enable it when the user is willing to use it. So if you believe it's important to disable the automatic download we can do that any time.

Comment 5 Kevin Fenzi 2014-11-06 22:41:12 UTC
(In reply to Martin Stransky from comment #4)
> IMHO the automatic download can be disabled. The problem here is how to
> enable it when the user is willing to use it. So if you believe it's important
> to disable the automatic download we can do that any time.

Yeah, that's good to know. ;)

Further to that however: 

1. Can it be disabled in such a way where the user can go and choose to tell it to download now?

2. Can it be disabled in such a way where the user going to a page/loading something that needs it will be prompted to download/install it?

Comment 6 Martin Stransky 2014-11-07 10:44:15 UTC
(In reply to Kevin Fenzi from comment #5)
> (In reply to Martin Stransky from comment #4)
> > IMHO the automatic download can be disabled. The problem here is how to
> > enable it when the user is willing to use it. So if you believe it's important
> > to disable the automatic download we can do that any time.
> 
> Yeah, that's good to know. ;)
> 
> Further to that however: 
> 
> 1. Can it be disabled in such a way where the user can go and choose to tell
> it to download now?

No.

> 2. Can it be disabled in such a way where the user going to a page/loading
> something that needs it will be prompted to download/install it?

No.

Any of those changes needs extra work; it means adding special patches to the GUI (creating new dialog boxes and so on), and they should be reviewed by Mozilla developers.

We can work with upstream on it but it's a long term goal. Any patches here are welcome.

Comment 7 Kevin Fenzi 2014-11-08 18:23:25 UTC
Thanks for the info. 

One final question: 

Would it be possible to disable the automatic download, and have manual steps/documentation on how to manually download/install it? ie, 'fetch this file and install it here' ?

Comment 8 Martin Stransky 2014-11-10 06:44:55 UTC
(In reply to Kevin Fenzi from comment #7)
> Thanks for the info. 
> 
> One final question: 
> 
> Would it be possible to disable the automatic download, and have manual
> steps/documentation on how to manually download/install it? ie, 'fetch this
> file and install it here' ?

Yes, I believe so (but not tested, I didn't try it). IMHO you need to download the file and copy it to the plugin directory. It's similar to flash-plugin installation.

Comment 9 Kevin Fenzi 2014-11-10 16:14:32 UTC
ok. I guess that url to download from could be in docs or discoverable somehow? 

Thanks.

Comment 10 Petr Pisar 2014-11-12 08:21:59 UTC
Just a pointer how Gentoo tackles this issue <https://bugs.gentoo.org/show_bug.cgi?id=525810>.

Comment 11 Kevin Fenzi 2014-11-12 19:01:59 UTC
ok, at today's FESCo meeting we discussed this and: 

  * AGREED: ask firefox maintainers to disable automatic download of OpenH264 plugin (+6,0,1)  (nirik, 18:32:04)
  * nirik will draft a page  (nirik, 18:35:28)
  * AGREED: will keep ticket open a week for interested parties to propose longer term solutions. (+6, 0, 0)  (nirik, 18:48:21)

Can you please disable the autodownload in all Fedora firefox packages asap? 

I will work on drafting a page that passes a legal check to manually download/install the plugin for now. 

Hopefully we can come up with an easier way for users to get the plugin.

Thanks!

Comment 12 Martin Stransky 2014-11-13 10:59:59 UTC
Okay, we'll disable the autoload. Please note that all users who already updated the package to Firefox 33 already have the video codecs installed.

Comment 13 Martin Stransky 2014-11-13 11:01:47 UTC
NOTE: You can check the plugin presence in the "about:plugins" tab. It shows "OpenH264 Video Codec provided by Cisco Systems, Inc.".

Comment 14 Martin Stransky 2014-11-13 11:17:59 UTC
Build as firefox-33.1-2.

You can remove the codec with these steps:

1) cd to your Firefox profile (usually ~/.mozilla/firefox/*.default)
2) delete the plugin (rm -rf gmp gmp-gmpopenh264)

Comment 15 Fedora Update System 2014-11-14 10:59:33 UTC
firefox-33.1-2.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/firefox-33.1-2.fc20

Comment 16 Fedora Update System 2014-11-17 06:31:19 UTC
firefox-33.1-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Richard Z. 2014-11-25 22:13:21 UTC
This problem still appears present in firefox-33.1-2.fc19. Tried a profile which has not been in use for some time and got this:

1416944541013   GMPInstallManager.simpleCheckAndInstall INFO    Last check was: 1416944541 seconds ago, minimum seconds: 86400
1416944541014   GMPInstallManager._getURL       INFO    Using url: https://aus4.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
1416944541016   GMPInstallManager._getURL       INFO    Using url (with replacement): https://aus4.mozilla.org/update/3/GMP/33.1/20141113112934/Linux_x86-gcc3/en-US/default/Linux%203.14.23-100.fc19.i686.PAE%20(GTK%202.24.22)/default/default/update.xml
1416944541017   GMPInstallManager.checkForAddons        INFO    sending request to: https://aus4.mozilla.org/update/3/GMP/33.1/20141113112934/Linux_x86-gcc3/en-US/default/Linux%203.14.23-100.fc19.i686.PAE%20(GTK%202.24.22)/default/default/update.xml
1416944550873   GMPInstallManager.onLoadXML     INFO    request completed downloading document
1416944550876   GMPInstallManager.onLoadXML     INFO    allowNonBuiltIn: false
1416944550886   GMPInstallManager.simpleCheckAndInstall INFO    Found 1 addons advertised.
1416944550887   GMPInstallManager.simpleCheckAndInstall INFO    Found addon: gmp-gmpopenh264 (isValid: true, isInstalled: false, isOpenH264: true, hashFunction: sha512, hashValue: ef401c8c80f98e2df8942e601ccefb41ba701753ac3b28ca8bfa1830780c27a5a17f488ba689427500555753e332a0849aac82e93ef9178c85b06f6f2d44438f, size: 380918)
1416944570590   GMPInstallManager.simpleCheckAndInstall INFO    Addon installed successfully: gmp-gmpopenh264 (isValid: true, isInstalled: true, isOpenH264: true, hashFunction: sha512, hashValue: ef401c8c80f98e2df8942e601ccefb41ba701753ac3b28ca8bfa1830780c27a5a17f488ba689427500555753e332a0849aac82e93ef9178c85b06f6f2d44438f, size: 380918)

Comment 18 Martin Stransky 2014-11-26 16:16:31 UTC
Can you please test with a fresh profile? It's possible that you have the download enabled in your recent profile.

Comment 19 Richard Z. 2014-11-26 21:19:57 UTC
same result.

$ cfx run
Using binary at '/usr/bin/firefox'.

(process:7620): GLib-CRITICAL **: g_slice_set_config: assertion `sys_page_size == 0' failed
Using profile at '/tmp/tmph5ONsM.mozrunner'.

(process:7632): GLib-CRITICAL **: g_slice_set_config: assertion `sys_page_size == 0' failed
Fontconfig warning: "/etc/fonts/conf.d/50-user.conf", line 14: reading configurations from ~/.fonts.conf is deprecated.
JavaScript strict warning: chrome://global/content/bindings/textbox.xml, line 119: reference to undefined property this.inputField.selectionStart
JavaScript strict warning: chrome://browser/content/newtab/newTab.js, line 230: reference to undefined property args[0]
1417036074503   GMPInstallManager.simpleCheckAndInstall INFO    Last check was: 1417036075 seconds ago, minimum seconds: 86400
1417036074503   GMPInstallManager._getURL       INFO    Using url: https://aus4.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
1417036074504   GMPInstallManager._getURL       INFO    Using url (with replacement): https://aus4.mozilla.org/update/3/GMP/33.1/20141113112934/Linux_x86-gcc3/en-US/default/Linux%203.14.23-100.fc19.i686.PAE%20(GTK%202.24.22)/default/default/update.xml
1417036074506   GMPInstallManager.checkForAddons        INFO    sending request to: https://aus4.mozilla.org/update/3/GMP/33.1/20141113112934/Linux_x86-gcc3/en-US/default/Linux%203.14.23-100.fc19.i686.PAE%20(GTK%202.24.22)/default/default/update.xml
1417036077440   GMPInstallManager.onLoadXML     INFO    request completed downloading document
1417036077441   GMPInstallManager.onLoadXML     INFO    allowNonBuiltIn: false
1417036077453   GMPInstallManager.simpleCheckAndInstall INFO    Found 1 addons advertised.
1417036077453   GMPInstallManager.simpleCheckAndInstall INFO    Found addon: gmp-gmpopenh264 (isValid: true, isInstalled: false, isOpenH264: true, hashFunction: sha512, hashValue: ef401c8c80f98e2df8942e601ccefb41ba701753ac3b28ca8bfa1830780c27a5a17f488ba689427500555753e332a0849aac82e93ef9178c85b06f6f2d44438f, size: 380918)
1417036078635   GMPInstallManager.simpleCheckAndInstall INFO    Addon installed successfully: gmp-gmpopenh264 (isValid: true, isInstalled: true, isOpenH264: true, hashFunction: sha512, hashValue: ef401c8c80f98e2df8942e601ccefb41ba701753ac3b28ca8bfa1830780c27a5a17f488ba689427500555753e332a0849aac82e93ef9178c85b06f6f2d44438f, size: 380918)
Total time: 626.330239 seconds
Program terminated successfully.

Comment 20 Richard Z. 2014-11-26 21:24:19 UTC
Is there any upstream ticket for this? I am tempted to create one.

Comment 21 Luke Bratch 2014-11-26 23:08:43 UTC
(In reply to Richard Z. from comment #20)
> Is there any upstream ticket for this? I am tempted to create one.

There is https://bugzilla.mozilla.org/show_bug.cgi?id=1100304 "Cisco's OpenH264 binary blob is downloaded without prompting the user" which I created.

Comment 22 Richard Z. 2014-11-27 19:01:17 UTC
Found https://bugzilla.mozilla.org/show_bug.cgi?id=1044268, seems some more things need to be set:

I have added
pref("media.gmp-gmpopenh264.autoupdate",false);
pref("media.gmp-gmpopenh264.enabled",false);

to the previous
/usr/lib/firefox/browser/defaults/preferences/firefox-redhat-default-prefs.js

and it works as expected now, printing
  GMPInstallManager.simpleCheckAndInstall INFO    Auto-update is off for openh264, aborting check.

Apparently the autoupdate still kicked in if the other values were disabled.

Comment 23 Richard Z. 2014-11-28 13:59:46 UTC
Whoever didn't scrub their ~/.mozilla/firefox/*/gmp-gmpopenh264 yet should do it pretty soon:

http://tools.cisco.com/security/center/viewAlert.x?alertId=36500
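
An audit helper for the outcome of this thread, as an added example that is not part of the bug report or of the Fedora package: it checks that a preferences file sets both prefs from comment 22 to false and lists profiles that still hold a downloaded gmp-gmpopenh264 directory (comments 14 and 23). The function names, the --audit switch and the finding labels are made up for this example; the default paths are the ones quoted in the comments.

```shell
#!/bin/sh
# Added example (not from the bug report): audit for the OpenH264 auto-download.

# pref_is_false FILE NAME
# Succeeds only if FILE contains at least one uncommented pref("NAME", ...)
# line and every such line sets the value to false. Returns 2 if unreadable.
pref_is_false() {
    file=$1
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    [ -r "$file" ] || return 2
    lines=$(grep -E "^[[:space:]]*pref\([[:space:]]*\"$esc\"[[:space:]]*," "$file") || return 1
    # Strict: fail if any matching line sets something other than false.
    ! printf '%s\n' "$lines" | grep -Evq ",[[:space:]]*false[[:space:]]*\)[[:space:]]*;"
}

# profiles_with_openh264 ROOT
# Prints every profile directory under ROOT (e.g. ~/.mozilla/firefox) that
# still contains a gmp-gmpopenh264 directory.
profiles_with_openh264() {
    root=$1
    for d in "$root"/*/gmp-gmpopenh264; do
        [ -d "$d" ] && dirname "$d"
    done
    return 0
}

# audit_openh264 PREFS_FILE PROFILE_ROOT
# Prints one line per finding; succeeds only when there are no findings.
audit_openh264() {
    prefs=$1 root=$2 findings=0
    for p in media.gmp-gmpopenh264.autoupdate media.gmp-gmpopenh264.enabled; do
        if ! pref_is_false "$prefs" "$p"; then
            echo "PREF-NOT-DISABLED $p in $prefs"
            findings=$((findings + 1))
        fi
    done
    found=$(profiles_with_openh264 "$root")
    if [ -n "$found" ]; then
        printf '%s\n' "$found" | sed 's/^/PLUGIN-PRESENT /'
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Stand-alone use: sh audit.sh --audit [PREFS_FILE] [PROFILE_ROOT]
# The defaults are the paths quoted in comments 22 and 23.
if [ "${1:-}" = "--audit" ]; then
    audit_openh264 \
        "${2:-/usr/lib/firefox/browser/defaults/preferences/firefox-redhat-default-prefs.js}" \
        "${3:-$HOME/.mozilla/firefox}"
fi
```

A commented-out pref line counts as missing, which matches the behaviour reported in comment 22, where the download still ran until both prefs were set.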

Comment 24 Richard Z. 2014-11-28 20:48:30 UTC
Created attachment 962575 [details]
prefs to disable downloading

really disable downloading the binary

Comment 25 Martin Stransky 2014-11-29 08:43:08 UTC
Thanks!