Package: firefox-esr
Version: 60.6.1esr-1~deb9u1
Severity: important

In Preferences/Privacy & Security there are a pair of preferences "Allow Firefox to send technical and interaction data to Mozilla" and "Allow Firefox to install and run studies". These are both unchecked and greyed out by default. They cannot be checked, and there is a line of text under them that says "Data reporting is disabled for this build configuration". I vaguely recall reading something about Debian disabling this around the time that the Mr Robot "easter egg" came out.

Today in the wake of reading about the Mozilla certificate oops that broke everyone's extensions, Mozilla announced that they used their studies system to push out the fix without requiring a formal update. Given that my extensions were in fact working, I was confused by this. I read that the config key for studies was app.normandy.enabled, so I checked about:config and lo and behold, that setting was defaulted to true. I would expect that it would be false, given that the UI setting claims to be disabled.

I'd imagine that this might be a serious bug, but I'm not a lawyer and I don't have hours of time to spend today, so I can't give you chapter and verse of the policy to say what policy is violated by defaulting to allowing an app author to remotely change settings on users' computers in the background.

-- Package-specific info:

-- Addons package information

-- System Information:
Debian Release: 9.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-9-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages firefox-esr depends on:
ii  debianutils               4.8.1.1
ii  fontconfig                2.11.0-6.7+b1
ii  libasound2                1.1.3-5
ii  libatk1.0-0               2.22.0-1
ii  libc6                     2.24-11+deb9u4
ii  libcairo-gobject2         1.14.8-1
ii  libcairo2                 1.14.8-1
ii  libdbus-1-3               1.10.26-0+deb9u1
ii  libdbus-glib-1-2          0.108-2
ii  libffi6                   3.2.1-6
ii  libfontconfig1            2.11.0-6.7+b1
ii  libfreetype6              2.6.3-3.2
ii  libgcc1                   1:6.3.0-18+deb9u1
ii  libgdk-pixbuf2.0-0        2.36.5-2+deb9u2
ii  libglib2.0-0              2.50.3-2
ii  libgtk-3-0                3.22.11-1
ii  libjsoncpp1               1.7.4-3
ii  libpango-1.0-0            1.40.5-1
ii  libstartup-notification0  0.12-4+b2
ii  libstdc++6                6.3.0-18+deb9u1
ii  libvpx4                   1.6.1-3+deb9u1
ii  libx11-6                  2:1.6.4-3+deb9u1
ii  libx11-xcb1               2:1.6.4-3+deb9u1
ii  libxcb-shm0               1.12-1
ii  libxcb1                   1.12-1
ii  libxcomposite1            1:0.4.4-2
ii  libxdamage1               1:1.1.4-2+b3
ii  libxext6                  2:1.3.3-1+b2
ii  libxfixes3                1:5.0.3-1
ii  libxrender1               1:0.9.10-1
ii  libxt6                    1:1.1.5-1
ii  procps                    2:3.3.12-3+deb9u1
ii  zlib1g                    1:1.2.8.dfsg-5

Versions of packages firefox-esr recommends:
ii  libavcodec57  7:3.2.12-1~deb9u1

Versions of packages firefox-esr suggests:
ii  fonts-lmodern            2.004.5-3
ii  fonts-stix [otf-stix]    1.1.1-4
ii  libcanberra0             0.30-3
ii  libgssapi-krb5-2         1.15-1+deb9u1
ii  libgtk2.0-0              2.24.31-2
ii  pulseaudio               10.0-1+deb9u1

-- no debconf information
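
Added example, not part of the original report: a check that resolves app.normandy.enabled for a profile from the text of its prefs.js and user.js, falling back to the default of true that the reporter saw in about:config. The sample file contents and the helper names are constructed; the code assumes the usual profile behaviour that user.js overrides prefs.js and that a pref absent from both is at its default.

```python
import re

# One pref statement as stored in a profile's prefs.js or user.js, e.g.
#   user_pref("app.normandy.enabled", false);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

# Default the reporter observed in about:config on this build (from the report).
REPORTED_DEFAULTS = {"app.normandy.enabled": True}


def parse_value(raw):
    """Convert a pref literal (true/false, integer, quoted string)."""
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    raise ValueError(f"unrecognised pref value: {raw!r}")


def parse_prefs(text):
    """Return {name: value} for every user_pref() line; comments are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def effective_pref(name, prefs_js="", user_js=""):
    """Resolve a pref: user.js first, then prefs.js, then the reported default."""
    for source, text in (("user.js", user_js), ("prefs.js", prefs_js)):
        prefs = parse_prefs(text)
        if name in prefs:
            return prefs[name], source
    return REPORTED_DEFAULTS[name], "build default"


# Constructed sample profile contents (not taken from the report).
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("browser.download.useDownloadDir", false);
'''
SAMPLE_USER_JS = 'user_pref("app.normandy.enabled", false);\n'

if __name__ == "__main__":
    print(effective_pref("app.normandy.enabled", SAMPLE_PREFS_JS))
    print(effective_pref("app.normandy.enabled", SAMPLE_PREFS_JS, SAMPLE_USER_JS))
```

A result of (True, "build default") means the profile carries no override, so the greyed-out checkbox in Preferences says nothing about the value actually in effect.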