1293874 – [DEBIAN] firefox: support for Fedora add-ons was removed

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1293874 - [DEBIAN] firefox: support for Fedora add-ons was removed

Summary: [DEBIAN] firefox: support for Fedora add-ons was removed

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	firefox
Sub Component:
Version:	22
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Martin Stransky
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-12-23 10:36 UTC by Florian Weimer
Modified:	2016-05-12 10:08 UTC (History)
CC List:	9 users (show)
Fixed In Version:	firefox-45.0.1-2.fc23 firefox-45.0.1-2.fc24
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-05-12 10:08:50 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Allow unsigned addons in /usr/{lib,share}/mozilla/extensions (1.63 KB, patch) 2016-02-05 08:55 UTC, Frederik Holden	no flags	Details \| Diff
View All

Description Florian Weimer 2015-12-23 10:36:55 UTC

firefox-43.0-1.fc22.x86_64 removed support for browser add-ons which are part of Fedora (as opposed to downloaded/curated by Mozilla).  Please restore support for locally-installed add-ons.

This affects packages such as mozilla-noscript-2.7-1.fc22.noarch and makes them unusable with Firefox.

Comment 1 Florian Weimer 2015-12-23 10:45:56 UTC

It turns out you can set xpinstall.signatures.required to false in about:config to restore the old behavior.  Perhaps this should be the default for Fedora.

Comment 2 Martin Stransky 2016-01-04 22:11:48 UTC

New update (43.0.3) has the addon signing temporary disabled by upstream (Mozilla).

Comment 3 Frederik Holden 2016-02-05 08:55:49 UTC

Created attachment 1121298 [details]
Allow unsigned addons in /usr/{lib,share}/mozilla/extensions

Debian carries a patch that allows unsigned addons in /usr/{lib,share}/mozilla/extensions (see attachment). Perhaps this patch should be added to Fedora as well?

Comment 4 Martin Stransky 2016-02-26 14:35:08 UTC

Let's see if Debian will ship this patch in their branded browser. If so we can do the same in Fedora.

Comment 5 Kevin Kofler 2016-03-06 02:29:11 UTC

IMHO, while this patch fixes this particular bug (i.e., add-ons Fedora itself ships), it is not a sufficient solution for the problem as a whole. It limits support for unsigned add-ons to add-ons installed as root to system locations, preventing their installation through the normal browser mechanisms for add-on installation.

Comment 6 Stephen Gallagher 2016-03-07 13:42:43 UTC

(In reply to Kevin Kofler from comment #5)
> IMHO, while this patch fixes this particular bug (i.e., add-ons Fedora
> itself ships), it is not a sufficient solution for the problem as a whole.
> It limits support for unsigned add-ons to add-ons installed as root to
> system locations, preventing their installation through the normal browser
> mechanisms for add-on installation.

Kevin, talks are ongoing with Mozilla around how best to both allow add-ons and also to protect the user from malicious extensions (which are fairly common these days). No absolute consensus has been reached, but as a temporary solution, this is a considerable improvement.

Also, it *could* be argued that the right to install an unsigned extension really does belong only to the root user of a machine, since A) they could do so anyway, since they already have privilege to install a modified Firefox and B) they are assumed to be a trusted, knowledgeable administrator of the system.

That said, as noted elsewhere, I agree that the ideal case is for the user to have the ability to make their own choices, but at the same time I want them to be able to make properly-informed choices. That's a difficult balance to strike and one that we are actively working on finding.

Comment 7 Martin Stransky 2016-03-21 08:36:31 UTC

Debian patch for it:

https://sources.debian.net/patches/firefox/45.0.1-1/debian-hacks/Allow-unsigned-addons-in-usr-lib-share-mozilla-exten.patch/

Comment 8 Martin Stransky 2016-03-21 09:06:28 UTC

Added to firefox-45.0.1-2

Comment 9 Fedora Update System 2016-03-21 15:33:35 UTC

firefox-45.0.1-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-035239c3d5

Comment 10 Fedora Update System 2016-03-21 15:33:42 UTC

firefox-45.0.1-2.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-33be675c57

Comment 11 Fedora Update System 2016-03-21 15:33:48 UTC

firefox-45.0.1-2.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-44d7ec40fd

Comment 12 Fedora Update System 2016-03-21 22:30:32 UTC

firefox-45.0.1-2.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-44d7ec40fd

Comment 13 Fedora Update System 2016-03-22 01:26:19 UTC

firefox-45.0.1-2.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-33be675c57

Comment 14 Fedora Update System 2016-03-22 15:22:26 UTC

firefox-45.0.1-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-035239c3d5

Comment 15 Fedora Update System 2016-03-23 22:22:08 UTC

firefox-45.0.1-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2016-03-26 17:55:30 UTC

firefox-45.0.1-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2016-04-13 18:43:23 UTC

firefox-45.0.2-1.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-94582896cd

Comment 18 Fedora Update System 2016-04-16 19:28:16 UTC

firefox-45.0.2-1.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-94582896cd

Comment 19 Fedora Update System 2016-04-26 18:03:56 UTC

firefox-46.0-2.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-cdf8e2592e

Note You need to log in before you can comment on or make changes to this bug.