On Fri, 2015-04-03 at 09:05 +0900, Mike Hommey wrote: > Did you read my message? Nothing is being downloaded. Iceweasel only > happens to use what was downloaded *before* the original fix in version 34. Sure I got that, but IMO it shouldn't even be using that. Actually that it does use it, shows us just how wrong the principle of installing software to the home dirs is. It circumvents package management, it's no longer security supported at all (I guess since the actual downloading got disabled as you've said, people who had it downloaded back then won't either get updates for their back then version, which IIRC already got a CVE few days after), people usually don't expect that they have to look for software in their home dir and manually need to uninstall it.
It's not that I have anything against OpenH264, if Iceweasel wants to use it - fine - but then please only from a package, installed to some system location. So my comment from above didn't just apply to the downloader part (which you said was disabled), it basically applied to the whole framework that Mozilla set up for this hack of the patent system... including the usage of previously downloaded, no longer updated code in ~/ > > Didn't version 37 also start to include code for MSE? And wasn't that > > also binary proprietary code? > You're mixing acronyms. MSE is not EME. Ah, you're right... Uhm I had a small look at the real MSE. So... AFAIU this is *not* about bytecode sent to the browser and then executed right? (cause then it wouldn't be much better in terms of security,... as we all know, sandboxes are regularly escaped) Cheers, Chris.
smime.p7s
Description: S/MIME cryptographic signature