|
|
Log in / Subscribe / Register

Distributions

The end of the Iceweasel Age

By Nathan Willis
February 24, 2016

For roughly the past decade, Debian has shipped the Mozilla desktop applications (Firefox, Thunderbird, and Seamonkey) in a rebranded form that replaces the original, trademarked names and logos with alternatives (Iceweasel, Icedove, and Iceape). Originally, this effort was undertaken to work around incompatibilities between the Debian Free Software Guidelines (DFSG), the Mozilla trademark-usage policy, and the licenses of the Mozilla logos. But times—and policy wordings—change, and Debian now seems poised to resume calling its packages by the original, upstream Mozilla names.

It is important to understand that, despite the similarities in name, Debian's Iceweasel is not in the same category as GNU IceCat, which is an actual fork of the code. Iceweasel consists of binaries rebuilt by Debian with only minimal alterations—most obviously to remove the Mozilla branding, but other functional changes as well (such as using system libraries and hooking into the Debian package manager).

The rebranding issue originated in 2004. At that time, the Mozilla trademark policy only permitted usage of the Firefox logo on downstream packages that adhered to a set of strict "Distribution Partners" guidelines that prohibited changing the search engines, extensions, directory structure, and other details—clearly making the Distribution Partner rules (and the less stringent "Community Edition" rules) incompatible with the DFSG.

Confusingly enough, the Community Edition rules would have allowed Debian to use the name "Firefox" but not to use the name "Mozilla Firefox" nor to use the Firefox logo. Yet another wrinkle for DFSG compliance was that the actual graphics files for the logo, as the FAQ page explained, were distributed under non-free license terms (prohibiting modification) anyhow. Furthermore, and perhaps even most problematic, the policy required redistributors to seek Mozilla's approval for any other modifications to the package. And Debian's Firefox packagers needed to make modifications, starting with rather fundamental necessities like integrating with the distribution's package manager, rather than using Firefox's built-in updater.

It was proposed that Mozilla could grant a trademark license to Debian, outside of the generic, public trademark policy, but Debian Project Leader (DPL) Branden Robinson contended that such an agreement would run afoul of section eight of the DFSG, which prohibits licensing agreements that are specific to the Debian project and, thus, are not transferred automatically to Debian users. After considerable debate, bug #354622 was opened in February 2006 by Mozilla's Mike Connor, and the Iceweasel name change was implemented to close it.

Re-discussion

It is now 2016, however, and most users or developers could be forgiven for forgetting that Mozilla ever had "Distribution" and "Community" partner programs, much less what all of the details were. The Mozilla trademark guidelines have morphed considerably over the years and, in particular, they have become far more open. The logos and product names are no longer subject to separate terms, and the current guidelines only state that "making significant functional changes" prohibits a downstream project from using the Mozilla trademarks.

On February 17, Mozilla's Sylvestre Ledru opened bug #815006, stating that "the various issues mentioned in bug #354622 have been now tackled" and including a patch that renames the packaged version of Iceweasel to Firefox. It is not entirely clear whether the original logos will return as well, although now that they are available under the same terms as the name trademarks, it seems like a possibility. Ledru's initial report includes a recap of recent discussions between Mozilla and Debian. Of particular note is the assessment by Mozilla of Debian's modifications to the code:

Mozilla recognizes that patches applied to Iceweasel/Firefox don't impact the quality of the product. Patches which should be reported upstream to improve the product always have been forward upstream by the Debian packagers. Mozilla agrees about specific patches to facilitate the support of Iceweasel on architecture supported by Debian or Debian-specific patches.

More generally, Mozilla trusts the Debian packagers to use their best judgment to achieve the same quality as the official Firefox binaries.

In case of derivatives of Debian, Firefox branding can be used as long as the patches applied are in the same category as described above. Ubuntu having a different packaging, this does not apply to that distribution.

Furthermore, Ledru notes that Debian has adopted a new approach to backporting security patches. In the past, one of the key non-branding modifications Debian made to the Mozilla applications was backporting recent security fixes. This was necessary because Debian's stable releases remain supported for a lengthy period of time (two years), far longer than Firefox, which is now updated every six to eight weeks. It might seem like security patches would be uncontroversial, given the benefit to users, but Mozilla objected to them quite early on in the Iceweasel debate.

Now, however, Mozilla has implemented its Extended Support Release (ESR) program, which makes maintaining an old release simpler for both Mozilla and Debian. First, Debian has committed to providing security fixes for the ESR releases of Firefox, not to every Firefox release. In addition, once the ESR release initially shipped with a Debian "stable" release is no longer provided with security updates from Mozilla, Debian updates the package to the next ESR release.

In essence, then, the logo-licensing problem, the trademark-usage incompatibility, and the patch-maintenance problem have all been resolved, so, Ledru said, Debian could return to the Firefox branding.

Except that not everyone in the Debian project was easily convinced that the trademark issue was resolved. For instance, Paul Wise asked for clarification about how the new trademark-usage guidelines meshed with section eight of the DFSG. "Mozilla's trademark policy isn't clear about how much modification requires Mozilla's written consent", he noted. If Debian, in order to use the trademarks in a manner different from the public policy, was being granted special permission from Mozilla, that would constitute a licensing agreement that Debian could not pass on to downstream users.

Stefano Zacchiroli replied, however, that there is no formal or contractual arrangement; in other words, Mozilla is not granting a trademark license to Debian. Instead, Mozilla is acknowledging that the patches and other work that have gone into the Debian packages over the past ten years do not violate the trademark policy. Connor concurred, adding:

The one point I'll clarify is that this isn't even something I'd call an exception. We have always sought to permit and enable modifications that do not negatively impact users (in terms of security/privacy, user expectations of Firefox stability/behaviour/compatibility, etc). Other distros have been following this process for more than a decade, so it's definitely not a special case for Debian. I'm thrilled that we're finally making this step forward with Debian.

Perhaps it feels strange to have a dilemma that Debian was forced into by the specifics of policy documents and project governance guidelines be resolved by such a seemingly informal statement. But it is important to remember that Mozilla's casual-sounding blessing of Debian's Firefox modifications is not the only change to have taken place. The Mozilla trademark policy and logo-usage guidelines have evolved considerably since 2006, and the ESR program has changed the face of long-term maintenance not just for Debian, but for many other users as well.

The plan, as it stands presently, is for the Iceweasel package to be renamed Firefox in the Debian 9 "stretch" release (slated for an early 2017 release). For simplicity in package maintenance, the Iceweasel package in the current stable release (Debian 8 "jessie") will not be renamed. Similar changes should be expected for Icedove and Iceape, although those discussions are still underway with the Debian package maintainers.

Comments (8 posted)

Brief items

Distribution quote of the week

I guess I'm a fan of cross-distro solutions in general, but it would be fair to say that the fact that something is broadly used doesn't automatically make it better. The reality is that Gentoo's approach to package management is completely different from how almost everybody does things but we wouldn't be here if we didn't like it.
-- Rich Freeman

Comments (9 posted)

Open source Zephyr Project aims to deliver an RTOS

The Linux Foundation has announced the Zephyr Project, which is aimed at building a real-time operating system (RTOS) for the Internet of Things (IoT). "Modularity and security are key considerations when building systems for embedded IoT devices. The Zephyr Project prioritizes these features by providing the freedom to use the RTOS as is or to tailor a solution. The project’s focus on security includes plans for a dedicated security working group and a delegated security maintainer. Broad communications and networking support is also addressed and will initially include Bluetooth, Bluetooth Low Energy and IEEE 802.15.4, with plans to expand communications and networking support over time." The Zephyr Kernel v1.0.0 Release Notes provide more details.

Comments (53 posted)

Linux Mint downloads (briefly) compromised

The Linux Mint blog announces that the project's web site was compromised and made to point to a backdoored version of the distribution. "As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition. If you downloaded another release or another edition, this does not affect you. If you downloaded via torrents or via a direct HTTP link, this doesn’t affect you either. Finally, the situation happened today, so it should only impact people who downloaded this edition on February 20th."

Update: it appears that the Linux Mint forums were compromised too; users should assume that their passwords have been exposed.

Comments (121 posted)

FreedomBox 0.8 Released

FreedomBox 0.8 has been released. New images have not been created for this release. It is available in Debian unstable as two packages, freedombox-setup 0.8 and plinth 0.8.1-1. Quassel, an IRC client that stays connected to IRC networks and can synchronize multiple frontends, has been added and the first boot user interface has been improved.

Full Story (comments: none)

Ubuntu 14.04.4 LTS released

The fourth point release of Ubuntu 14.04 LTS is available for its Desktop, Server, Cloud, and Core products, as well as other flavors of Ubuntu with long-term support. "We have expanded our hardware enablement offering since 12.04, and with 14.04.4, this point release contains an updated kernel and X stack for new installations to support new hardware across all our supported architectures, not just x86."

Full Story (comments: none)

Newsletters and articles of interest

Distribution newsletters

Comments (none posted)

Subgraph OS Wants to Make Using a Secure Operating System Less of a Headache (Motherboard)

Motherboard takes a look at Subgraph OS. "In my tests, Subgraph OS worked fine out of the box, aside from some bugs that [Subgraph president David Mirza Ahmad] pointed out and provided workarounds for (the project is still in a pre-alpha stage). Those fixes required some use of the Linux command line, and users will probably need some experience of using a terminal to get the most out of their system. In sum, Subgraph OS appears easier to get to grips with than other secure options, but likely still requires a learning curve for users switching from, say, Windows or OSX for the first time. I ran Subgraph OS in virtual machines with 2GB and 4GB RAM."

Comments (none posted)

Page editor: Rebecca Sobol
Next page: Development>>


Copyright © 2016, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds