Flagged by Whissi. In the release notes for Firefox 74 [0]:

> We reverted the change for an undetermined amount of time to better enable access to critical government sites sharing COVID19 information.

See the bug [1] for technical information, but this remote setting seems to be done via Firefox's Normandy service. We should be able to set a local override for this preference, and we may want to consider turning off Normandy in general.

[0] https://www.mozilla.org/en-US/firefox/74.0/releasenotes/
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1623534
(In reply to sam_c (Security Padawan) from comment #0)
> We should be able to set a local override for this preference, and we may
> want to consider turning off Normandy in general.

It looks like setting security.tls.version.min to 1 (or 2) prevents TLS 1.0/1.1 respectively. To disable normandy, set app.normandy.enabled to 1. Polynomial-C has checked seamonkey 2.5.1 and I've checked thunderbird, no mention of normandy.
Note: This is not about which setting Mozilla changed (like in this case they are currently pushing "app.normandy.startupRolloutPrefs.security.tls.version.min=1" which will set "security.tls.version.min" back to 1, allowing usage of TLS 1.0/1.1 again). It's about the concern that Mozilla has the ability in general to change any setting or push add-ons remotely by default.

You could argue that this feature is good because it allowed Mozilla to recover from "armagadd-on 2.0" (https://bugzilla.mozilla.org/show_bug.cgi?id=1548973) by pushing an add-on containing the new certificate... Or imagine a bad driver causing problems: Once identified, Mozilla could blacklist certain features like HWA on affected devices, allowing users to re-use Firefox at least. In the current case, they re-enabled TLS 1.0/1.1, which they had disabled in the latest release, to ensure that users can connect to any official website, which is often run by governments, which often have problems supporting the latest TLS technologies, so that they have at least access to the latest official information on COVID-19 (SARS-CoV-2).

However, all of this is happening silently in the background. There aren't any prompts allowing the user to notice such a change and to opt out/reject on a case-by-case basis. If we disable this feature by default, users can still re-enable it in their profile if they want to.
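An added check, not part of this bug report or the Gentoo ebuilds: a small Python script that parses a Firefox prefs.js/user.js (or a distribution defaults file such as gentoo-default-prefs.js), and reports whether Normandy is still enabled, whether TLS 1.0/1.1 are allowed again, and whether any app.normandy.startupRolloutPrefs.* override has landed in the profile. The sample prefs content is constructed; it assumes app.normandy.enabled is a boolean pref and that security.tls.version.min=3 means "TLS 1.2 or newer".

```python
import re
from typing import Dict, List, Union

PrefValue = Union[bool, int, str]

# Matches both  pref("name", value);  (defaults files)  and
# user_pref("name", value);  (profile prefs.js / user.js).
PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$')


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Return {pref name: typed value}; later lines override earlier ones."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:  # comments, blank lines, anything that is not a pref() call
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs


def audit(prefs: Dict[str, PrefValue]) -> List[str]:
    """List findings a defender cares about; empty list means hardened."""
    findings: List[str] = []
    # Assumption: Normandy is on unless explicitly set to false.
    if prefs.get("app.normandy.enabled", True) is not False:
        findings.append("app.normandy.enabled is not false: remote pref/add-on changes possible")
    # Assumption: 1=TLS1.0, 2=TLS1.1, 3=TLS1.2 (Firefox 74 default), 4=TLS1.3.
    tls_min = prefs.get("security.tls.version.min", 3)
    if not isinstance(tls_min, int) or tls_min < 3:
        findings.append(f"security.tls.version.min={tls_min!r}: TLS 1.0/1.1 allowed")
    # Any startupRolloutPrefs entry is evidence of a remotely pushed override.
    for name, value in prefs.items():
        if name.startswith("app.normandy.startupRolloutPrefs."):
            findings.append(f"remote rollout override present: {name}={value!r}")
    return findings


# Constructed sample of a profile prefs.js after the Firefox 74 rollout.
SAMPLE_PREFS_JS = """\
// constructed sample, not a real profile
user_pref("app.normandy.enabled", true);
user_pref("app.normandy.startupRolloutPrefs.security.tls.version.min", 1);
user_pref("security.tls.version.min", 1);
user_pref("browser.startup.homepage", "about:blank");
"""

# Constructed hardened defaults in the style of a distribution prefs file.
HARDENED_DEFAULTS = """\
pref("app.normandy.enabled", false);
pref("security.tls.version.min", 3);
"""

if __name__ == "__main__":
    for label, text in (("profile", SAMPLE_PREFS_JS), ("defaults", HARDENED_DEFAULTS)):
        print(label, audit(parse_prefs(text)) or ["OK"])
```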
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1439e84dcb0864aa6e2f2e7b16e1bce0ec5bb3f9

commit 1439e84dcb0864aa6e2f2e7b16e1bce0ec5bb3f9
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-27 22:43:21 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-30 11:45:08 +0000

    www-client/firefox-bin: disable Normandy service by default

    Closes: https://bugs.gentoo.org/713782
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-client/firefox-bin/files/all-gentoo-3.js       |  7 ++++
 ...-68.6.0.ebuild => firefox-bin-68.6.0-r1.ebuild} | 41 +++++++++++++++++++---
 ...-bin-74.0.ebuild => firefox-bin-74.0-r1.ebuild} | 26 ++++++++++++--
 3 files changed, 68 insertions(+), 6 deletions(-)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=23e30a18cc929a37f50e38b5d5671d58cbc3506a

commit 23e30a18cc929a37f50e38b5d5671d58cbc3506a
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-27 22:38:51 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-30 11:45:08 +0000

    www-client/firefox: disable Normandy service by default

    Bug: https://bugs.gentoo.org/713782
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-client/firefox/files/gentoo-default-prefs.js-3 |  1 +
 ...x-68.6.0-r1.ebuild => firefox-68.6.0-r2.ebuild} | 33 ++++++++++++++++++++++
 www-client/firefox/firefox-74.0-r2.ebuild          | 26 +++++++++++++++--
 3 files changed, 58 insertions(+), 2 deletions(-)
I think you forgot to enable the changes to files/gentoo-default-prefs.js-2, and so =firefox-68.6.0-r2 hasn't got the update yet despite the bump, since that ebuild doesn't source files/gentoo-default-prefs.js-3 but files/gentoo-default-prefs.js-2
Damn, thanks for catching this.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=01c322d14b9adaafc8711b73010f0a2f9a9b9916

commit 01c322d14b9adaafc8711b73010f0a2f9a9b9916
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-30 13:47:01 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-30 13:47:27 +0000

    www-client/firefox: really disable Normandy service

    ...while there, also disable DoH which we already disabled in normal Firefox.

    Fixes 23e30a18c ("www-client/firefox: disable Normandy service by default")
    Bug: https://bugs.gentoo.org/713782
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-client/firefox/files/gentoo-default-prefs.js-2 | 17 ---------------
 ...x-68.6.0-r2.ebuild => firefox-68.6.0-r3.ebuild} | 25 +++++++++++++++++-----
 2 files changed, 20 insertions(+), 22 deletions(-)