Iceweasel for Fedora?

By Jake Edge
December 23, 2015

Mozilla's plan to require all extensions (also known as add-ons) to be signed by Mozilla before they can be installed in Firefox may lead Linux distributions down the same path that Debian has taken—a name change to avoid the Firefox trademark. The problem is that some distributions currently ship extensions that it will be difficult or impossible to get signed. The requirement can also be seen as a form of control over what users can install in their browser, which some see as running counter to the philosophical underpinnings of free software.

A Fedora Engineering Steering Committee (FESCo) bug report has called out the issue for Fedora. Kevin Kofler filed the bug, which calls for blocking any update to Firefox 44 (which will remove the about:config option for signature checking) in fairly strident terms (e.g. the bug is entitled "Software packaged in Fedora should not be allowed to implement DRM schemes that cannot be disabled"). He described the problem this way:

With the release of Firefox 43, Firefox has started refusing by default to load any extensions that are not signed. With the next release, Firefox 44, upstream is even removing the option to load unsigned extensions entirely. This effectively amounts to an iOS-style DRM scheme, disallowing to install any extensions not coming from Mozilla. As a [result], this prevents the user from exercising the fundamental 4 freedoms of Free Software when it comes to Firefox extensions. (It also has the side effect of breaking all Firefox extensions packaged in Fedora, in a way that cannot be fixed without shipping binary blobs, in violation of our policy to build everything from source.) Such a DRM scheme should NOT be allowed in Fedora.

There is a mechanism provided by addons.mozilla.org (which is the site for Firefox extensions as well as for signing the packages) to automate the signing of existing extensions, but it would be quite cumbersome for Fedora to use. It would also leave users who want to install extensions they have built or have obtained in other ways out in the cold.

There are already two bug reports filed for Fedora packages (mozilla-adblockplus and mozilla-https-everywhere) that can't be installed in Firefox 43 without changing the value of xpinstall.signatures.required in about:config. When Firefox 44 comes along in late January, even that workaround won't suffice. But this requirement has been coming for some time; we covered the change back in February.

Others commented on the bug, mostly agreeing with Kofler's assessment. FESCo member Stephen Gallagher suggested that the committee communicate with Mozilla:

I think our first course of action here needs to be that FESCo should craft a formal letter (possibly published publicly) on behalf of the Fedora Project to the Mozilla Foundation that expresses our concern, particularly that we feel that such mandatory DRM likely causes Firefox to cease qualification as "Free Software" and thus suitability for inclusion in Fedora and likely other Free Software operating systems.

Kevin Fenzi, who is also a FESCo member, thought that it was important to include the Firefox package maintainer Martin Stransky into the discussion. As might be guessed, Stransky had a somewhat different view than many of the other commenters. He wondered about the value of Fedora packaging extensions. He also noted the Debian's rebranded Firefox (i.e. Iceweasel) is available in Fedora already, which might be an alternative for those who need it.

Several responded with reasons that Fedora wants or needs to package its own extensions, but there is more to it than that. For one thing, users may be willing to trust Fedora as a source for their extensions, but not Mozilla. There may also be distribution-specific changes that need to be made. As Gallagher put it:

This is valuable because it allows us the ability to ship certain functionality by default that upstream Firefox may not desire (such as Fedora [Workstation]-specific extensions). [Furthermore], there are many users of Fedora that would not assume trust of the Mozilla Foundation that do trust Fedora because our infrastructure is public and possible to inspect. Thus, RPM-provided content may meet a business need that A.M.O [addons.mozilla.org] does not.

[...]

All RPMs distributed by Fedora must be built in the Fedora infrastructure. This is also a trust issue, as it ensures that we are building and shipping a binary that matches the sources (there's no guarantee to our users that the public source matches the binary distributed by A.M.O.). Furthermore, compiled extensions may be built with different flags in order to match the system security policy and these may differ from the upstream build.

Fundamentally it comes down to a question of software freedom, Gallagher concluded. In fact, Dominik "Rathann" Mierzejewski argued that updating Fedora to Firefox 43 without disabling the signature checking by default, as Stransky has done, is a violation of the update guidelines. He suggested updating the Firefox 43 package to disable signature checking and to "NOT update to FF44 in F22 and F23 until this is resolved".

The consensus in the bug is clearly to remove the signature checking by default one way or another. Gallagher suggested prompting users to decide if they want the checking, but even that requires changes to the Firefox code. And that will be the crux of the matter. Mozilla only allows using the Firefox trademark for modified versions of the browser if it approves of those changes. Concern about that trademark policy (and getting Mozilla's approval for every patch) is what led Debian to switch to Iceweasel. Kofler explicitly suggested that Fedora do the same.

Ultimately it will be up to Mozilla, as it can choose to allow distributions to remove the signature checking (or provide a way to disable it) or not. If it sticks to its guns and "forces" distributions to leave that part of the Firefox code alone, it may well push more Linux users into installing Iceweasel or the like, because that is what their distribution provides. At some point, FESCo will undoubtedly discuss the issue, but it is hard to see how the conflicts between the freedoms inherent in free software and a lockdown regime such as that being pushed by Mozilla (however well-intentioned) can coexist. Something has to give—if it isn't Mozilla, then replacing Firefox in Fedora with Iceweasel may not be far behind.

Iceweasel for Fedora?

Posted Dec 24, 2015 0:36 UTC (Thu) by josh (subscriber, #17465) [Link]

I personally see quite a bit of value in packaging extensions. I'm not a fan of random pieces of software inventing their own "stores"; I have a perfectly good package manager already. I have Debian metapackages that install everything I want on my system; they depend on both the browser and all the extensions I want, all of which are packages in Debian (Adblock Plus, HTTPS Everywhere, and It's All Text).

I don't see anything wrong with Mozilla implementing a signing scheme by default for user-installed extensions, but I don't think that scheme should reject (or even gripe about) extensions installed system-wide on Linux systems. Installing such extensions requires root; if malware has root, you've lost already.

Iceweasel for Fedora?

Posted Dec 24, 2015 3:14 UTC (Thu) by Fowl (subscriber, #65667) [Link] (2 responses)

I was under the impression that extension signing was only going to be mandatory on Windows. That's where the malware is that they're trying to stop, after all.

Iceweasel for Fedora?

Posted Dec 24, 2015 5:33 UTC (Thu) by karath (subscriber, #19025) [Link]

That may once have been true. For a subset of systems, it may even be true today. Can you promise that it will be true tomorrow? What financial guarantee to back that promise do you offer?

Iceweasel for Fedora?

Posted Dec 24, 2015 14:29 UTC (Thu) by javispedro (guest, #83660) [Link]

Obviously not, they're enforcing this even on GNU, and even for extensions that are installed in /usr (via package manager).

This is a terribly misguided choice. First and foremost, extensions installed from a root-owned directory should be able to skip the verification (it's not like you couldn't already modify the firefox binary itself).

Second, there needs to be a way to enroll your own signatures. Otherwise, this is no better than a more draconian version of MS's Secure Boot, and I'm not willing to give Mozilla a free pass just because they're not MS.

Easy solution

Posted Dec 24, 2015 10:18 UTC (Thu) by mokki (subscriber, #33200) [Link] (7 responses)

Fedora creates a new signing key and signs all official fedora built extensions with it.

Mozilla approves change to Firefox to load public verification keys from build time configured directory.

Result: all fedora built extensions work and user can install their own keys without modifying Firefox

As an extra: if the addons public key is also in that directory users/organizations can remove that trust if they want to

Easy solution

Posted Dec 24, 2015 13:12 UTC (Thu) by alankila (guest, #47141) [Link] (4 responses)

Result 2: Any malware-containing packages can also be signed with Fedora's key and loaded into Firefox processes on Fedora systems without complaint. It is necessary to provide these keys to everybody as part of the freedoms given to users of free software.

Easy solution

Posted Dec 24, 2015 14:24 UTC (Thu) by javispedro (guest, #83660) [Link] (1 responses)

This is yet another common GPLv3 misunderstanding. (it's on the FAQ iirc, even)

If you allow for a way to load your own keys on the system and binaries loaded using these keys have the same privileges as binaries loaded using the Fedora key, then you do not need to distribute the Fedora private key.

But Firefox, currently, violates even that.

"[...] authorization keys, or other information required to install and execute modified versions [...]. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made."

Easy solution

Posted Dec 24, 2015 16:08 UTC (Thu) by mjg59 (subscriber, #23239) [Link]

You can modify Firefox to replace the keys, so there's no conflict here.

Easy solution

Posted Dec 24, 2015 16:11 UTC (Thu) by mokki (subscriber, #33200) [Link]

I do not think the keys used to sign Fedora rpms are public. As you said that would remove the security.

Easy solution

Posted Jan 5, 2016 0:03 UTC (Tue) by davidstrauss (guest, #85867) [Link]

> Any malware-containing packages can also be signed with Fedora's key and loaded into Firefox processes on Fedora systems without complaint.

If you have Fedora's signing key, it's possible to compromise Fedora-based systems without any involvement by Firefox.

> It is necessary to provide these keys to everybody as part of the freedoms given to users of free software.

That is not the case.

Easy solution

Posted Dec 25, 2015 9:34 UTC (Fri) by tzafrir (subscriber, #11501) [Link] (1 responses)

Almost. Not good enough for my use-case (I use Debian and not Fedora, but anyway) - I'd like to deploy a locally-built extension.

* Currently: works well.
* After the Mozilla "fixes" - it's impossible.
* With your suggestion: possible, but requires me to maintain a locally-built Firefox/Iceweasel package.

Easy solution

Posted Dec 30, 2015 13:10 UTC (Wed) by tao (subscriber, #17563) [Link]

The Debian-version of Firefox (Iceweasel) v43 has already been patched to disable signing for locally installed extensions.

See bugs #808228 and #800150.