[00:05] <Unit193> Eickmeyer: I mean if that's part of Mozilla's requirements for distribution of firefox and they can enforce that, then it'd seem to be non-free to me and some alternative should be found.
[00:07] <Eickmeyer> Unit193: not my call, nor is that up to the CC.
[00:07] <Unit193> I mean, you just brought it up. :P
[00:08] <Eickmeyer> Unit193: No, I explained the reason it's a snap now, I didn't start the conversation.
[00:09] <Eickmeyer> And non-free software is allowed in Ubuntu (see multiverse).
[00:11] <Unit193> Yeah but terrible defaults. :P
[00:14] <JanC> Ubuntu can distribute Firefox, it just maight be blocked from using the trademark
[00:14] <JanC> might
[00:15] <JanC> but Mozilla is being hostile to the community IMNSHO
[00:16] <Eickmeyer> Guys, TOPIC.
[00:16] <JanC> I explained at the beginning how this is a security issue, did you even bother to read that...?
[00:17] <Eickmeyer> Bug report.
[00:17] <Eickmeyer> Prove it and file it in a bug report.
[00:17] <JanC> Firefox-as-a-snap is DoS
[00:17] <Eickmeyer> Prove it and file a bug report.
[00:18] <JanC> I gave the upstream bug report
[00:18] <Eickmeyer> Did you prove it?
[00:19] <JanC> so you didn't even bother to look at it...
[00:22] <JanC> (I don't have to prove bug reports that were filed & confirmed by others)
[00:27] <JanC> maybe you need to re-read the actual CoC yourself...
[00:28] <Unit193> JanC: Either way, I don't see continuing on in here as likely to get anywhere, specifically on a Sunday night.  I think the bug report is the best approach.
[00:29] <JanC> Unit193: this requires more of a systemic discussion really
[00:30] <JanC> but I'm not sure I have the time/motivation to move it forward
[00:35] <JanC> I've been part of the Ubuntu community since 2004, so this whole situation really sucks
=== Eickmeyer[w] is now known as Eickmeyer
=== ChanServ changed the topic of #ubuntu-security to: Twitter: @ubuntu_sec || https://usn.ubuntu.com || https://wiki.ubuntu.com/SecurityTeam || https://wiki.ubuntu.com/Security/Features || Community: mdeslaur
[12:44] <bittin> Listening to the episode from this Friday now amurray feel better
[12:57] <amurray> thanks bittin - am slowly getting better... is taking longer than I would have liked/hoped but slowly, slowly...
[13:00] <bittin> having a cold and headache/migranes myself, but feeling a bit better today so catching up with last weeks podcasts, while testing Fedora stuff
[13:05] <amurray> hope you feel better soon bittin 
[17:55] <sarnold> still, most irc users don't bother loading the extra matrix links
[17:57] <sarnold> JanC: I'm rather hoping Someone [tm] will come up with a nice little shell script to wget latest firefox, either unpack it or debify it, smack together an apparmor profile for it, maybe some bwrap integration..
[18:36] <jjohansen> regardless, mozilla has chosen to ship FF as a snap (and there are good technical reasons to do so). What would be helpful is reports (preferably bugs) of how this fails for people (especially security issues). So that the FF snap can be improved and work for more people
[18:37] <jjohansen> from the ubuntu side, if its a snap issue then it would be good to have an ubuntu bug even if its linked to a mozilla bug
[18:44] <sarnold> aye, it'd be nice if we didn't wind up losing all brazilian desktop users
[18:59] <rbasak> JanC: if you want to lock a snap to a particular version: https://forum.snapcraft.io/t/disabling-automatic-refresh-for-snap-from-store/707/269
[18:59] <rbasak> Though of course not updating a browser to receive security risks is a security problem. But if you want to do that, then you can.
[19:00] <rbasak> s/risks/updates/
[19:02] <sarnold> oh that's clever
[19:12] <JanC> well, some of my systems don't have enough diskspace to use snaps, so it's not even an option on those...
[19:13] <JanC> and the Firefox bug I linked to results in a DoS when I have to interact with the government here, so that's a security issue too  :)
[19:14] <JanC> (sometimes you have to weigh risks)
[19:15] <jjohansen> sure, which is perfectly valid to point out, Ubuntu needs to know the use cases where things are problematic, thats not saying it will drop snaps, etc. but the more cases are known the better chance they have of being addressed
[19:16] <JanC> like, not upgrading your browser just before you need it for something important
[19:16] <jjohansen> yep
[19:18] <JanC> and snapd & flatpak combined used ~10 GiB of disk space on my main desktop system, with 0 packages installed in both, that's somewhat insane...   ;)
[19:27] <JanC> so that thing on the forum is not really a solution, as that way it will not upgrade at all
[19:27] <JanC> it might be useful some day for something else, I guess
[19:36] <jjohansen> JanC: sure, snaps and flatpaks take extra space, no one can argue with that. Doing so has advantages and disadvantages. Thats not an argument for -security.
[19:37] <jjohansen> that it causes a dos for your use case is worth bringing up
[19:38] <jjohansen> asking about what your options are to work around, etc.
[19:38] <jjohansen> but the broader argument about snaps needs to be done else where
[19:39] <JanC> Firefox broke the smartcard/eID support, so basically we can no longer file taxes & such  :)
[19:40] <ahasenack> o/
[19:40] <jjohansen> yeah, and it is very much worth bringing up
[19:41] <ahasenack> I filed a bug in lp for that, against the deb, even though I know it's the snap
[19:41] <ahasenack> it got linked to an upstream firefox bug about the snap
[19:41] <ahasenack> that's fine for me
[19:42] <jjohansen> ahasenack: I can give you a gross temperary work around
[19:42] <ahasenack> nah
[19:42] <ahasenack> I can still use chrome, or firefox from the upstream tarball
[19:42] <jjohansen> yep
[19:43] <ahasenack> it's just a few sites
[19:44] <jjohansen> sure, but its really annoying
[19:44] <JanC> some people also use those some government organisations use the eID system for logins/SSO
[19:47] <JanC> (I don't know if any of those use Ubuntu or another linux though)
[19:48] <ahasenack> well, we all know it's important, upstream is aware, there are workarounds
[19:48] <JanC> I'm also not particularly thrilled to see Mozilla still use Ubuntu 16.04 for testing BTW...   :P
[19:49] <jjohansen> well I like that thy use 16.04 for testing, I just would like it to also be 18.04, 20.04, 22.04 ... :)
[19:51] <JanC> assuming they have an extended support contract enabled for that 16.04, otherwise it's out of security support...  ;)
[19:52] <jjohansen> well, free support anyways, it is covered by ESM
[19:53] <sarnold> and even then I think they could use the 'three free machines' thing :)
[19:53] <JanC> I assume Mozilla has more than a couple computers  :)
[19:53] <sarnold> I added a note to the jammy release notes about the firefox pkcs#11 support; it'd be nice if mozilla address it before we ship jammy, but just in case there's at least a note somewhere
[19:54] <JanC> the bug I suffer from is broken in the non-snap Firefox versions too, of course
[19:55] <sarnold> ow :/
[19:58] <JanC> they already fixed it upstream AFAIK, so it will be fixed in the next release I presume, and I can wait until then to file my taxes; but if this happens when the deadline is close it would be more problematic
[20:01] <sarnold> hmm is it? I'm not super-familiar with bugzilla these days but it looks ignored to me https://bugzilla.mozilla.org/show_bug.cgi?id=1734371
[20:01] <ubottu> Mozilla bug 1734371 in Release Engineering "Firefox snap can't load PKCS#11 modules on the host system" [S2, New]
[20:03] <JanC> sarnold: I was talking about the non-Snap bug I have, also related to pkcs11 in Firefox  :)
[20:03] <sarnold> JanC: ah!
[20:04] <JanC> the point is just that you need to be able to test before allowing upgrades to a fairly critical OS component  :)
[20:06] <JanC> (and with everything-in-the-cloud nowadays, the browser is almost the most critical OS component...)
[20:08] <sarnold> good point! put the browser in the cloud! https://www.mightyapp.com/