Mozzarella may list non-free add-ons

  • Open
Details
3 participants
  • bill-auger
  • Clément Lassieur
  • Nguyễn Gia Phong
Owner
unassigned
Submitted by
Nguyễn Gia Phong
Severity
normal
Nguyễn Gia Phong wrote on 10 Jan 02:53 +0100
(address . bug-gnuzilla@gnu.org)
CYANGOX86UA7.25KLXSE1BOXLZ@loang.net
Hi,

I learned about Mozzarella from social media, so I missed
the official announcement of how it is curated,
i.e. automatically or manually added entries.

Either way, I spotted ff2mpv being listed
although it is published under a non-free license:
https://raw.githubusercontent.com/woodruffw/ff2mpv/master/LICENSE

The Firefox add-on page still shows the original Expat license though,
so Mozzarella inherits this metadata.

I think cases like this are rare enough to not demand a web UI
to report extensions add-ons accidentally listed on Mozzarella,
but there should be a mechanism to manually remove it
from the repository to avoid misleading users into installing
proprietary software.

BTW all Mozzarella pages have an empty <title>, which makes it difficult
to browse multiple extensions in different tabs/windows.

Kind regards,
Phong


Clément Lassieur wrote on 10 Jan 17:44 +0100
(name . bug-gnuzilla--- via GNUzilla bug reports)(address . bug-gnuzilla@gnu.org)
87wmshjfy1.fsf@lassieur.org
On Wed, Jan 10 2024, bug-gnuzilla--- via GNUzilla bug reports wrote:

> Hi,
>
> I learned about Mozzarella from social media, so I missed
> the official announcement of how it is curated,
> i.e. automatically or manually added entries.
>
> Either way, I spotted ff2mpv being listed
> although it is published under a non-free license:
> https://raw.githubusercontent.com/woodruffw/ff2mpv/master/LICENSE
>
> The Firefox add-on page still shows the original Expat license though,
> so Mozzarella inherits this metadata.
>
> I think cases like this are rare enough to not demand a web UI
> to report extensions add-ons accidentally listed on Mozzarella,
> but there should be a mechanism to manually remove it
> from the repository to avoid misleading users into installing
> proprietary software.
>
> BTW all Mozzarella pages have an empty <title>, which makes it difficult
> to browse multiple extensions in different tabs/windows.
>
> Kind regards,
> Phong

Hi,

I think this is an issue indeed. But there is another one that is more
serious: even if we remove ff2mpv from Mozzarella, all users who have it
installed will have new updates pulling the non-free code forever.

A possible fix would be to change the source of the add-ons, from
addons.mozilla.org to Guix
(e.g. file:///gnu/store/dxck0g51w8kzmzdn1nx97dsnp78jq4sv-ublock-origin-1.54.0-xpi/lib/mozilla/extensions/uBlock0.firefox.xpi).

That would require us to sign our add-ons though. I don't know how
feasible it is.

Clément
Clément Lassieur wrote on 10 Jan 18:06 +0100
(address . 68361@debbugs.gnu.org)(address . cnx@loang.net)
87sf35jeyo.fsf@lassieur.org
On Wed, Jan 10 2024, Clément Lassieur wrote:

> On Wed, Jan 10 2024, bug-gnuzilla--- via GNUzilla bug reports wrote:
>
>> Hi,
>>
>> I learned about Mozzarella from social media, so I missed
>> the official announcement of how it is curated,
>> i.e. automatically or manually added entries.
>>
>> Either way, I spotted ff2mpv being listed
>> although it is published under a non-free license:
>> https://raw.githubusercontent.com/woodruffw/ff2mpv/master/LICENSE
>>
>> The Firefox add-on page still shows the original Expat license though,
>> so Mozzarella inherits this metadata.
>>
>> I think cases like this are rare enough to not demand a web UI
>> to report extensions add-ons accidentally listed on Mozzarella,
>> but there should be a mechanism to manually remove it
>> from the repository to avoid misleading users into installing
>> proprietary software.
>>
>> BTW all Mozzarella pages have an empty <title>, which makes it difficult
>> to browse multiple extensions in different tabs/windows.
>>
>> Kind regards,
>> Phong
>
> Hi,
>
> I think this is an issue indeed. But there is another one that is more
> serious: even if we remove ff2mpv from Mozzarella, all users who have it
> installed will have new updates pulling the non-free code forever.
>
> A possible fix would be to change the source of the add-ons, from
> addons.mozilla.org to Guix
> (e.g. file:///gnu/store/dxck0g51w8kzmzdn1nx97dsnp78jq4sv-ublock-origin-1.54.0-xpi/lib/mozilla/extensions/uBlock0.firefox.xpi).

Sorry my link is wrong. That would be
But it wouldn't work right away anyway because the format is not correct.

> That would require us to sign our add-ons though. I don't know how
> feasible it is.
>
> Clément
bill-auger wrote on 10 Jan 20:03 +0100
(name . bug-gnuzilla--- via GNUzilla bug reports)(address . bug-gnuzilla@gnu.org)
20240110140301.4f25ad30@parabola.localdomain
though the public instance of the mozzarella website is hosted under gnuzilla's
web space, it is not part of the gnuzilla project or any GNU project - it is used
by other web browsers also, such as parabola's iceweasel and trisquel's
abrowser - mozzarella's author probably does not read this mailing list; so i
would not expect anything to happen unless this issue is raised on the
mozzarella bug tracker


i suppose that a link to the bug tracker should be added to the mozzarella UI to
guide bug reports toward the author