Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 525810 - www-client/firefox-33.0 downloads and installs executable libgmpopenh264.so from the Internet
Summary: www-client/firefox-33.0 downloads and installs executable libgmpopenh264.so f...
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Mozilla Gentoo Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-10-18 21:22 UTC by Petr Pisar
Modified: 2017-08-26 17:57 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Petr Pisar 2014-10-18 21:22:05 UTC
www-client/firefox-33.0 comes with a support for H.264 from the upstream in a very peculiar manner:

It connects periodically to aus4.mozilla.org server (<https://aus4.mozilla.org/update/3/GMP/33.0/20141015182207/Linux_x86_64-gcc3/en-US/default/Linux%203.17.1%20(GTK%202.24.24)/default/default/update.xml> in my case) and downloads a ZIP archive linked from there and installs its content into user's profile directory:

This the a log from firefox's stdout (and stderr):

(process:22548): GLib-CRITICAL **: g_slice_set_config: assertion 'sys_page_size 
1413666053629   GMPInstallManager.GMPInstallManager.simpleCheckAndInstall      INFO     Last check was: 1413666054 seconds ago, minimum seconds: 86400
1413666053630   GMPInstallManager.GMPInstallManager._getURL     INFO    Using url: https://aus4.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
1413666053631   GMPInstallManager.GMPInstallManager._getURL     INFO    Using url (with replacement): https://aus4.mozilla.org/update/3/GMP/33.0/20141015182207/Linux_x86_64-gcc3/en-US/default/Linux%203.17.1%20(GTK%202.24.24)/default/default/update.xml
1413666053633   GMPInstallManager.GMPInstallManager.checkForAddons      INFO   sending request to: https://aus4.mozilla.org/update/3/GMP/33.0/20141015182207/Linux_x86_64-gcc3/en-US/default/Linux%203.17.1%20(GTK%202.24.24)/default/default/update.xml
1413666054596   GMPInstallManager.GMPInstallManager.onLoadXML   INFO    request completed downloading document
1413666054599   GMPInstallManager.GMPInstallManager.onLoadXML   INFO    allowNonBuiltIn: false
1413666054609   GMPInstallManager.GMPAddon.constructor  INFO    Created new addon: gmp-gmpopenh264 (isValid: true, isInstalled: false, isOpenH264: true, hashFunction: sha512, hashValue: 737e49f25aace93d470f1a781c69c3cdd0c9db21afe62221fb171d38a31d8a2b55af01a69cd00e7352e7a34aa450b6b85729509f81582379394785b37997a423, size: 385889)
1413666054610   GMPInstallManager.GMPPrefs.set  INFO    Setting pref: media.gmp-manager.lastCheck to value: 1413666055
1413666054610   GMPInstallManager.GMPInstallManager.simpleCheckAndInstall      INFO     Found 1 addons advertised.
1413666054610   GMPInstallManager.GMPInstallManager.simpleCheckAndInstall      INFO     Found addon: gmp-gmpopenh264 (isValid: true, isInstalled: false, isOpenH264: true, hashFunction: sha512, hashValue: 737e49f25aace93d470f1a781c69c3cdd0c9db21afe62221fb171d38a31d8a2b55af01a69cd00e7352e7a34aa450b6b85729509f81582379394785b37997a423, size: 385889)
1413666054611   GMPInstallManager.GMPDownloader.start   INFO    downloading from http://ciscobinary.openh264.org/openh264-linux64-v1.1-Firefox33.zip to /tmp/gmp-gmpopenh264.zip
1413666055085   GMPInstallManager.GMPDownloader.onStopRequest   INFO    onStopRequest called
1413666055085   GMPInstallManager.GMPDownloader._verifyDownload INFO    _verifyDownload called
1413666055085   GMPInstallManager.GMPDownloader._verifyDownload INFO    for path: /tmp/gmp-gmpopenh264.zip
1413666055091   GMPInstallManager.GMPDownloader._verifyDownload INFO    hashes match!
1413666055092   GMPInstallManager.GMPDownloader.onStopRequest   INFO    GMP file is ready to unzip
1413666055092   GMPInstallManager.GMPDownloader.onStopRequest   INFO    install to directory path: /home/petr/.mozilla/firefox/4bms6nj4.gpdata/gmp-gmpopenh264/1.1
1413666055092   GMPInstallManager.GMPExtractor.install  INFO    Installing /tmp/gmp-gmpopenh264.zip...
1413666055101   GMPInstallManager.GMPExtractor.install  INFO    libgmpopenh264.so was successfully extracted to: /home/petr/.mozilla/firefox/4bms6nj4.gpdata/gmp-gmpopenh264/1.1/libgmpopenh264.so
1413666055101   GMPInstallManager.GMPExtractor.install  INFO    gmpopenh264.info was successfully extracted to: /home/petr/.mozilla/firefox/4bms6nj4.gpdata/gmp-gmpopenh264/1.1/gmpopenh264.info
1413666055102   GMPInstallManager.GMPExtractor.install  INFO    /tmp/gmp-gmpopenh264.zip was installed successfully
1413666055102   GMPInstallManager.GMPPrefs.set  INFO    Setting pref: media.gmp-gmpopenh264.lastUpdate to value: 1413666055
1413666055102   GMPInstallManager.GMPPrefs.set  INFO    Setting pref: media.gmp-gmpopenh264.version to value: 1.1
1413666055109   GMPInstallManager.GMPInstallManager.simpleCheckAndInstall      INFO     Addon installed successfully: gmp-gmpopenh264 (isValid: true, isInstalled: true, isOpenH264: true, hashFunction: sha512, hashValue: 737e49f25aace93d470f1a781c69c3cdd0c9db21afe62221fb171d38a31d8a2b55af01a69cd00e7352e7a34aa450b6b85729509f81582379394785b37997a423, size: 385889)
1413666116260   GMPInstallManager.GMPDownloader.uninit  INFO    Aborting request
1413666116260   GMPInstallManager.GMPDownloader.uninit  INFO    Done cleanup

And indeed, gmp-gmpopenh264/1.1/libgmpopenh264.so emerges in Firefox profile.

This happens despite setting Firefox's option media.gmp-gmpopenh264.provider.enabled to false.

I consider this practice of installing executables without user's consent as very bad and insecure and I propose you to inhibit this feature on ebuild level.

Reproducible: Always
Comment 1 Ian Stakenvicius (RETIRED) gentoo-dev 2014-10-19 18:37:24 UTC
Yes, yes it does.  This is a module-update procedure that firefox (and presumably other mozilla packages) now does.  Not only is it doing this but on occasion this process will also cause firefox to segfault the first time it is run after upgrading from a previous version.

The tricky bit, here, is that I believe these modules are part of the profile, rather than part of the system.  As such, at this time I don't think there is a way around them.  However I will continue t olook into it and check with upstream to see if there's a way to avoid this binary-modules-update process.
Comment 2 Ian Stakenvicius (RETIRED) gentoo-dev 2014-10-21 15:47:48 UTC
OK.  So, first of all, setting "media.gmp-gmpopenh264.autoupdate" to "false" will disable auto-updates.  This is also doable in a user-friendly way in the Addon Manager.

Secondly, this "binary blob" is coming from Cisco, and due to license issues it has to happen this way.  It's also integral to WebRTC support, apparently.  That said, the sources are fully open and available at https://github.com/cisco/openh264 and apparently the build system used for this is unchanged from what's listed in that repo.

I'm looking into how best to provide alternatives to updates of this binary blob; at this point i think that a flag which disables the auto-update and possibly also the main plugin itself (given it doesn't exist on a new/empty profile), and allowing a separate package to build and install the plugin into system paths, might be the best route forward, but i need to do more tests and research.
Comment 3 Ian Stakenvicius (RETIRED) gentoo-dev 2014-10-22 16:01:07 UTC
My proposed solution is in mozilla-overlay now:

- New package media-plugins/gmp-openh264 builds and installs a system copy of libgmpopenh264.so , and an /etc/env.d file to add its location to a MOZ_GMP_PATH environment variable

- IUSE="system-gmps" in www-client/firefox (and others, eventually) which modifies depends on this (and others, eventually) plugin, and modifies the default prefs.js so that auto-updates are disabled, this ensuring the binary files are not fetched from upstream.

Let me know if this solution works for you.  FYI, if a ~/.mozilla profile already contains the gmp plugin(s), it looks like those plugins are still used first, so you'll need to delete those plugins by hand to force the system one.  You'll also need to restart your login session in order to ensure the MOZ_GMP_PATH var is set in your environment.
Comment 4 Petr Pisar 2014-10-28 09:01:14 UTC
Thanks. The media-plugins/gmp-openh264 requires dev-lang/nasm on x86_64 (and maybe other architectures):

nasm -DUNIX64 -f elf64 -I./codec/common/x86/   -o codec/encoder/core/x86/coeff.o codec/encoder/core/x86/coeff.asm
make: nasm: Command not found
codec/encoder/targets.mk:85: recipe for target 'codec/encoder/core/x86/coeff.o' failed
make: *** [codec/encoder/core/x86/coeff.o] Error 127
Comment 5 Petr Pisar 2014-10-28 12:28:16 UTC
I built the plug-in and 33.0 firefox from the overlay successfully. If I use fresh new profile, it will still download the plug-in. It reports that updating is disabled but installs it anyway. The about:plugins lists the the plug-in without details (version, file path), but after firefox downloads it (it happens later than one minute as documented), the details and the file appears. The MOZ_GMP_PATH is set correctly to directory containing two files (info and library).
Comment 6 Ian Stakenvicius (RETIRED) gentoo-dev 2014-10-28 12:52:43 UTC
(In reply to Petr Pisar from comment #5)
> I built the plug-in and 33.0 firefox from the overlay successfully. If I use
> fresh new profile, it will still download the plug-in. It reports that
> updating is disabled but installs it anyway. The about:plugins lists the the
> plug-in without details (version, file path), but after firefox downloads it
> (it happens later than one minute as documented), the details and the file
> appears. The MOZ_GMP_PATH is set correctly to directory containing two files
> (info and library).

When you built firefox-33 from the overlay, USE="system-gmps" was set?  Please browse to "about:config" and search 'gmp' , and let me know if media.gmp-gmpopenh264.autoupdate has a value (it should be 'false' and not user-set)

You can set that to 'false' yourself as well, and just 'rm -Rf ~/.mozilla/firefox/*/gmp-gmpopenh264' instead of nuking your whole profile.

Thanks for reporting about the missing dep on nasm, fixed in overlay now.
Comment 7 Petr Pisar 2014-10-28 13:08:49 UTC
Of course the system-gmps is set:

# qlist -IUvR firefox
www-client/firefox-33.0::mozilla (custom-cflags gstreamer jit linguas_cs minimal system-cairo system-gmps system-icu system-jpeg system-libvpx system-sqlite)

The media.gmp-gmpopenh264.autoupdate has a default value and it is false.
Comment 8 Ian Stakenvicius (RETIRED) gentoo-dev 2014-10-28 13:51:57 UTC
(In reply to Petr Pisar from comment #7)
> Of course the system-gmps is set:
> 
> # qlist -IUvR firefox
> www-client/firefox-33.0::mozilla (custom-cflags gstreamer jit linguas_cs
> minimal system-cairo system-gmps system-icu system-jpeg system-libvpx
> system-sqlite)
> 
> The media.gmp-gmpopenh264.autoupdate has a default value and it is false.

Thanks for confirming.

Unfortunately, I can't reproduce that here -- if media.gmp-gmpopenh264.autoupdate is false, then the update manager does not download the plugin on my system.  Indeed, watching the console, I see:

> 1414503227158   GMPInstallManager.simpleCheckAndInstall INFO    Auto-update is off for openh264, aborting check.

This pref setting is the key component for keeping the binary blob away; the external plugin package is just to provide the openh264 support for webrtc that would otherwise be missing.
Comment 9 Ian Stakenvicius (RETIRED) gentoo-dev 2014-11-05 23:31:34 UTC
I made some adjustments to how things were being managed, in mozilla-overlay today, it might work better now.  Seamonkey also honours the 'system-gmps' flag now if you care to test.
Comment 10 Petr Pisar 2014-11-10 19:42:41 UTC
I did a test and unfortunately it still downloads and installs the binary library. The only difference I spotted is that it reports "system-installed" version of the plug-in until it downloads the copy from Cisco.
Comment 11 Ian Stakenvicius (RETIRED) gentoo-dev 2014-11-10 19:50:58 UTC
(In reply to Petr Pisar from comment #10)
> I did a test and unfortunately it still downloads and installs the binary
> library. The only difference I spotted is that it reports "system-installed"
> version of the plug-in until it downloads the copy from Cisco.


and if you check about:config , media.gmp-gmpopenh264.autoupdate is still set to false ?
Comment 12 Petr Pisar 2014-11-10 20:26:23 UTC
Yes, it's false.
Comment 13 Maciej S. Szmigiero 2016-07-13 15:27:19 UTC
I can confirm that current FF 47.0.1 with "media.gmp-gmpopenh264.autoupdate" set to false will download Cisco binary blobs at least if you click on "Check for updates" in Extensions (this happens in Plugins too, but that's more understandable since this blob is also listed as plugin).

Setting "media.gmp-provider.enabled" to false makes it behave nicer.
Video / audio playback still works via libmozavcodec (on https://www.youtube.com/html5 all checkboxes are ticked).
Comment 14 Ian Stakenvicius (RETIRED) gentoo-dev 2016-07-13 16:27:22 UTC
(In reply to Maciej S. Szmigiero from comment #13)
> I can confirm that current FF 47.0.1 with "media.gmp-gmpopenh264.autoupdate"
> set to false will download Cisco binary blobs at least if you click on
> "Check for updates" in Extensions (this happens in Plugins too, but that's
> more understandable since this blob is also listed as plugin).
> 
> Setting "media.gmp-provider.enabled" to false makes it behave nicer.
> Video / audio playback still works via libmozavcodec (on
> https://www.youtube.com/html5 all checkboxes are ticked).


The Cisco binary blob is *only* for "webrtc" , which is native support for one-way or two-way video conferencing.  It doesn't have anything to do with HTML5 media elements.  Also, the "gmp-autoupdate" option is not supposed to block any and all possible updates of this addon, but rather to just prevent it from being automatically downloaded and updated in the background without any user intervention or control whatsoever (because it will, automatically, as soon as you start up a new install or upgrade of firefox).  Otherwise the control is entirely yours.
Comment 15 Jory A. Pratt gentoo-dev 2017-08-26 17:57:27 UTC
If you feel I have closed your bug and it is still a current issue, please reopen and update it completely. We will not work bugs that have no ebuild in tree any longer or can not be reproduced with a current system.

Thank You for your support and understanding
The Mozilla Team