Mozzarella may list non-free add-ons

Status: Open
Participants (3): bill-auger, Clément Lassieur, Nguyễn Gia Phong
Owner: unassigned
Submitted by: Nguyễn Gia Phong
Severity: normal

Nguyễn Gia Phong wrote on 10 Jan 02:53 +0100
(address . bug-gnuzilla@gnu.org)
CYANGOX86UA7.25KLXSE1BOXLZ@loang.net
Hi,

I learned about Mozzarella from social media, so I missed
the official announcement of how it is curated,
i.e. automatically or manually added entries.

Either way, I spotted ff2mpv being listed
although it is published under a non-free license:
https://raw.githubusercontent.com/woodruffw/ff2mpv/master/LICENSE

The Firefox add-on page still shows the original Expat license though,
so Mozzarella inherits this metadata.

I think cases like this are rare enough to not demand a web UI
to report extensions add-ons accidentally listed on Mozzarella,
but there should be a mechanism to manually remove it
from the repository to avoid misleading users into installing
proprietary software.

BTW all Mozzarella pages have an empty <title>, which makes it difficult
to browse multiple extensions in different tabs/windows.

Kind regards,
Phong


Clément Lassieur wrote on 10 Jan 17:44 +0100
(name . bug-gnuzilla--- via GNUzilla bug reports)(address . bug-gnuzilla@gnu.org)
87wmshjfy1.fsf@lassieur.org
On Wed, Jan 10 2024, bug-gnuzilla--- via GNUzilla bug reports wrote:

> Hi,
>
> I learned about Mozzarella from social media, so I missed
> the official announcement of how it is curated,
> i.e. automatically or manually added entries.
>
> Either way, I spotted ff2mpv being listed
> although it is published under a non-free license:
> https://raw.githubusercontent.com/woodruffw/ff2mpv/master/LICENSE
>
> The Firefox add-on page still shows the original Expat license though,
> so Mozzarella inherits this metadata.
>
> I think cases like this are rare enough to not demand a web UI
> to report extensions add-ons accidentally listed on Mozzarella,
> but there should be a mechanism to manually remove it
> from the repository to avoid misleading users into installing
> proprietary software.
>
> BTW all Mozzarella pages have an empty <title>, which makes it difficult
> to browse multiple extensions in different tabs/windows.
>
> Kind regards,
> Phong

Hi,

I think this is an issue indeed. But there is another one that is more
serious: even if we remove ff2mpv from Mozzarella, all users who have it
installed will have new updates pulling the non-free code forever.

A possible fix would be to change the source of the add-ons, from
addons.mozilla.org to Guix
(e.g. file:///gnu/store/dxck0g51w8kzmzdn1nx97dsnp78jq4sv-ublock-origin-1.54.0-xpi/lib/mozilla/extensions/uBlock0.firefox.xpi).

That would require us to sign our add-ons though. I don't know how
feasible it is.

Clément
Clément Lassieur wrote on 10 Jan 18:06 +0100
(address . 68361@debbugs.gnu.org)(address . cnx@loang.net)
87sf35jeyo.fsf@lassieur.org
On Wed, Jan 10 2024, Clément Lassieur wrote:

> On Wed, Jan 10 2024, bug-gnuzilla--- via GNUzilla bug reports wrote:
>
>> Hi,
>>
>> I learned about Mozzarella from social media, so I missed
>> the official announcement of how it is curated,
>> i.e. automatically or manually added entries.
>>
>> Either way, I spotted ff2mpv being listed
>> although it is published under a non-free license:
>> https://raw.githubusercontent.com/woodruffw/ff2mpv/master/LICENSE
>>
>> The Firefox add-on page still shows the original Expat license though,
>> so Mozzarella inherits this metadata.
>>
>> I think cases like this are rare enough to not demand a web UI
>> to report extensions add-ons accidentally listed on Mozzarella,
>> but there should be a mechanism to manually remove it
>> from the repository to avoid misleading users into installing
>> proprietary software.
>>
>> BTW all Mozzarella pages have an empty <title>, which makes it difficult
>> to browse multiple extensions in different tabs/windows.
>>
>> Kind regards,
>> Phong
>
> Hi,
>
> I think this is an issue indeed. But there is another one that is more
> serious: even if we remove ff2mpv from Mozzarella, all users who have it
> installed will have new updates pulling the non-free code forever.
>
> A possible fix would be to change the source of the add-ons, from
> addons.mozilla.org to Guix
> (e.g. file:///gnu/store/dxck0g51w8kzmzdn1nx97dsnp78jq4sv-ublock-origin-1.54.0-xpi/lib/mozilla/extensions/uBlock0.firefox.xpi).

Sorry my link is wrong. That would be
But it wouldn't work right away anyway because the format is not correct.

> That would require us to sign our add-ons though. I don't know how
> feasible it is.
>
> Clément
bill-auger wrote on 10 Jan 20:03 +0100
(name . bug-gnuzilla--- via GNUzilla bug reports)(address . bug-gnuzilla@gnu.org)
20240110140301.4f25ad30@parabola.localdomain
though the public instance of the mozzarella website is hosted under gnuzilla's
web space, it is not part of the gnuzilla project or any GNU project - it is used
by other web browsers also, such as parabola's iceweasel and trisquel's
abrowser - mozzarella's author probably does not read this mailing list; so i
would not expect anything to happen unless this issue is raised on the
mozzarella bug tracker


i suppose that a link to the bug tracker should be added to the mozzarella UI to
guide bug reports toward the author