Bug 1391323

Summary: Installs un-necessary browser plugin
Product: Red Hat Enterprise Linux 7
Reporter: Michael Peters <alice>
Component: rhythmbox
Assignee: Bastien Nocera <bnocera>
Status: CLOSED NOTABUG
QA Contact: Desktop QE <desktop-qa-list>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 7.2
CC: philwyett.hemisphere, rainer.traut
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-06-08 15:03:58 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Michael Peters 2016-11-03 05:19:20 UTC
Description of problem:
rhythmbox installs a mozilla plugin that is not packaged separately

Version-Release number of selected component (if applicable):
rhythmbox-2.99.1-4.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. rpm -ql rhythmbox | grep itms

Actual results:
/usr/lib64/mozilla/plugins/librhythmbox-itms-detection-plugin.so

Expected results:
null

Additional info:

If there is a way to disable a plugin in Firefox I have not found it. From about:plugins it seems the purpose of the plugin is:

"This plug-in detects the presence of iTunes when opening iTunes Store URLs in a web page with Firefox."

If that feature is even wanted in Enterprise Linux, then it should be packaged as a separate RPM that requires rhythmbox (assuming it does) rather than as part of rhythmbox itself.

Browser plugins are a source of security issues, and also can be used to fingerprint users remotely when they visit a web page (even just their presence, and from the version information they report).

Please remove this file from the rhythmbox package and if it has utility for anyone (I sure have no need for it), offer it as a sub-package.

Comment 2 Bastien Nocera 2018-06-08 15:03:58 UTC
The plugin fingerprinting is a problem for Firefox to solve.

The plugin is necessary for iTunes pages to detect that we can handle itms:// locations, as mentioned in:
https://bugzilla.gnome.org/show_bug.cgi?id=489874

If you want to discuss the removal of this plugin, please do so upstream by filing a new issue at:
https://gitlab.gnome.org/GNOME/rhythmbox/issues

I don't have any interest in seeing this package diverge from upstream.