Re: [Bug-gnuzilla] Several freedom-bugs in IceCat (from the Parabola team)

[Narcis Garcia - GiLUG]

This may be the YaCy website:
http://yacy.net/


Al 06/01/13 21:09, En/na Luke T. Shumaker ha escrit:
> At Sun, 06 Jan 2013 13:08:35 -0500,
> Loic J. Duros wrote:
>>
>> Luke T. Shumaker <address@hidden> writes:
>>> Even though DuckDuckGo is the default, it still includes Google and
>>> Yahoo search engines.
>>
>> AFAIK, we still want to provide alternatives to DuckDuckGo, and give
>> users the choice. DuckDuckGo HTML-only is the default, and non-free JS
>> is blocked from such sites as Google and Yahoo. Do you have other
>> alternatives you'd like to see there or replace the Google and Yahoo
>> choices?
> 
> In Parabola, the provided (general purpose) search engines are DDG
> HTML, DDG Lite, Seeks[1], and YaCy/bluebox[2].
> 
> [1] http://www.seeks-project.info/site/
> [2] http://yacy.dyndns.org/
> 
>>> Subject: Recommends DuckDuckGo, which uses non-free javascript.
>>
>> DuckDuckGo in the search box and in the about:home page go directly to
>> the html version of DuckDuckGo, the form is given the html-only url:
>> https://duckduckgo.com/html/
>> There is no javascript in the html-only pages.
>>
>> Where do you see DDG being included without the /html/ url? Maybe
>> there's a location where it isn't applied.
> 
> I'm sorry, I believe I was mistaken.  You see, Parabola uses
> "DuckDuckGo HTML" for the shortName, instead of "DuckDuckGo" to refer
> to DDG HTML (consistent with DDG's official opensearch.xml files).  I
> had assumed that since IceCat was using just "DuckDuckGo" for the
> shortName, it was using the ajax version of DDG.
> 
>>> Subject: If social API stuff is enabled, Facebook is there by default
>>
>> Even when enabling the Social API, I can't see Facebook enabled by
>> default. I talked with a few Firefox developers a while ago on this
>> issue. It appears you have to go to a page (from Facebook) and click
>> "install", after what you see the sidebar and you can like a URL, etc,
>> ... What do you mean by "Facebook there by default"?
>>
>> For the Social API code itself, it is released under a free license, and
>> so isn't a freedom issue per se. The services it may interact with, on
>> the other hand, may not be free. We probably need to warn users about
>> this. All in all, I think the Social API is less of a privacy concern
>> than the "like" buttons you may find on websites, because if you `like`
>> a URL with the API, only the URL value is being communicated; but I'll
>> have to check again. Of course, we should at least warn or discourage
>> people from using Facebook for the reasons given here:
>> https://www.fsf.org/facebook
>>
>> More to come about this... But let's keep in mind it is already disabled
>> by default.
> 
> I have not evaluated that issue myself, I was looking at libre.patch,
> which is (should be) used to correct freedom-related issues.  The
> portion that I am reporting is this:
> 
> diff -Nur a/browser/app/profile/firefox.js b/browser/app/profile/firefox.js
> --- a/browser/app/profile/firefox.js  2012-12-01 16:06:30.000000000 -0200
> +++ b/browser/app/profile/firefox.js  2012-12-04 20:42:20.753633713 -0200
> @@ -1149,13 +1149,3 @@
>  // might keep around more than this, but we'll try to get down to this 
> value).
>  // (This is intentionally on the high side; see bug 746055.)
>  pref("image.mem.max_decoded_image_kb", 256000);
> -
> -// Example social provider
> -pref("social.manifest.facebook", 
> "{\"origin\":\"https://www.facebook.com\",\"name\":\"Facebook 
> Messenger\",\"workerURL\":\"https://www.facebook.com/desktop/fbdesktop2/socialfox/fbworker.js.php\",\"iconURL\":\"data:image/x-icon;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8%2F9hAAAAX0lEQVQ4jWP4%2F%2F8%2FAyUYTFhHzjgDxP9JxGeQDSBVMxgTbUBCxer%2Fr999%2BQ8DJBuArJksA9A10s8AXIBoA0B%2BR%2FY%2FjD%2BEwoBoA1yT5v3PbdmCE8MAshhID%2FUMoDgzUYIBj0Cgi7ar4coAAAAASUVORK5CYII%3D\",\"sidebarURL\":\"https://www.facebook.com/desktop/fbdesktop2/?socialfox=true\"}";);
> -// Comma-separated list of nsIURI::prePaths that are allowed to activate
> -// built-in social functionality.
> -pref("social.activation.whitelist", "https://www.facebook.com";);
> -pref("social.sidebar.open", true);
> -pref("social.sidebar.unload_timeout_ms", 10000);
> -pref("social.active", false);
> -pref("social.toast-notifications.enabled", true);
> 
>>> The bar that pops up on first run tha has the "Know your rights..."
>>> button reads:
>>>
>>>  > GNU IceCat is free and open source software from the non-profit
>>>  > Mozilla Foundation.
>>
>> Thanks! This is a problem. We might want to remove the bar all together or
>> create a new one linking to the Free Software page.
> 
> I think that taking the user to "about:rights" is OK.  However, it
> does look like that the file needs to be filled out; it has numerous
> "X goes here" lines in it :P
> 
>>> ----
>>>
>>> Type: technical/rebranding issue
>>> Subject: "Reset IceCat" does not work
>>>
>>> This is because it falls victim to Mozilla bug 756390
>>> The patch uploaded to the Mozilla bug tracker should fix this.
>>>
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=756390
>>>
>>> ----
> 
>>> Subject: Uses the phrase "Firefox Sync"
>>
>> Since the servers are provided by Mozilla, changing the name to "IceCat"
>> didn't seem to make much sense, and could have been misleading for users.
> 
> Fair enough.
> 
>>> ----
>>>
>>> Type: freedom/legal issue
>>> Subject: Recommends using Mozilla's sync servers.
>>>
>>> Mozilla's TOS only allows "official Mozilla-branded software" to use
>>> their servers for Firefox Sync without special written permission.
>>>
>>> I know that Trisquel runs their own sync servers for Abrowser, I'm
>>> sure they'd be happy to let you use them.  I also think it would be
>>> cool if GNU ran their own servers.  I've also been toying with the
>>> idea of packaging the sync server software for Parabola and running it
>>> on our servers.
>>>
>>> If you do end up getting permission to use Mozilla's servers, I
>>> believe that the TOS and Privacy Policy are acceptable, but you'd want
>>> to take a look yourself. 
>>>
>>> ----
>>>
>>> Type: bug
>>> Subject: langpacks
>>>
>>> There are no IceCat 17 langpacks that I can tell.
>>
>> I have sent an announcement on this mailing that I was looking for help
>> on this. I can generate the automated packages, but they have several
>> issues that need more focus than I have time to give them. Currently
>> focus is on privacy and freedom, and so anyone willing to take over
>> generating the langpacks would be appreciated!
>>
>>> As another issue with the langpack script, the resulting langpacks
>>> overrode the normal search engine settings to be back to using Google
>>> by default. (apparently, en-US user here)
>>
>> This is one among other issues with the bash script that does the
>> conversion. It needs much updating.
> 
> I'll look into seeing what I can do about creating tools to deal with
> the langpacks.
> 
>>> Type: feature request
>>> Subject: Run AMO on GNU servers.
>>
>> I have asked the sysadmins at GNU about hosting an appl a while ago, and
>> the best solution they gave us is to host the list of addons in the FSF
>> Free Software Directory. I am looking for volunteers who can help doing
>> this. They would need an account on the FSF directory and a brief
>> walkthrough on how to create the addon list.
>>
>> Would you be willing to add the addons to the FSF Directory list, or
>> find more volunteers to do so? :-)
> 
> Absolutely!
> 
>> Also, if you are interested in working on IceCat bugs yourself and
>> provide patches, this would be very beneficial for the project.
>>
>> Thanks for all your reports, and I'm looking forward to fixing what can
>> be fixed!
>>
>> Loic
> 
> Happy hacking,
> ~ Luke Shumaker
> 
> --
> http://gnuzilla.gnu.org
>