On Mon, Dec 18, 2017 at 12:34:46PM -0600, Chris Adams wrote:
> Once upon a time, Adam Williamson <adamwill@xxxxxxxxxxxxxxxxx> said:
> > As part of a tie-in with an American TV show, Mozilla thought it'd be a
> > great idea to silently install a cryptically-named addon in all(?)
> > Firefox deployments. Which can't be turned off.
>
> I thought that this was actually a violation of the packaging policies,
> but I can't seem to find it now; I only see the restriction on software
> that requires downloads to be useful. I think simply requiring Mozilla
> to change their policies is unacceptable, as this still depends on a
> third party to properly enforce such policies (and not have any security
> issue that could result in untrusted addons being installed).
>
> IMHO such behavior needs to be disabled by default in any packages
> shipped by Fedora for Fedora to remain a trustworthy distribution. Are
> there any other packages that can silently download and run non-Fedora
> code?

It was brought up elsewhere that Chrome/Chromium in the past has done
something worse in scope, silently downloading an add-on that turns on &
listens to your microphone. Ostensibly to detect the "ok google" keyword,
but since it's a closed source add-on can you be sure that's all it does...

https://www.privateinternetaccess.com/blog/2015/06/google-chrome-listening-in-to-your-room-shows-the-importance-of-privacy-defense-in-depth/

Fortunately, the Fedora builds of Chromium have explicitly disabled this
feature (enable_hotwording=false in chromium.spec)

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|