Andrey Gursky
2014-12-05 18:17:01 UTC
Hi Mike.
reproducible builds which will then allow verification of the blob."
[1]
this blob and maybe even it's configure/build options and
dependencies. Googling on "libgmpopenh264.so chksum" results in this
bug report.
Looking further, I've found some relevant url infos:
/usr/share/iceweasel/browser/defaults/preferences/firefox.js:pref("media.gmp-manager.url",
"https://aus4.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml");
But it's still not really helpful.
While cisco blobs are clearly available [2], Mozilla seems to be not
transparent in this issue.
A binary from cisco:
-rw-r--r-- 1 andrey andrey 1040584 Aug 8 06:29 libopenh264-1.1.0-linux64.so
and one from Mozilla: (~/.mozilla/firefox/*/gmp-gmpopenh264/1.1/)
-rwxr-xr-x 1 andrey andrey 1030172 Sep 2 22:27 libgmpopenh264.so
They are obviously different. If I understood correctly, the problem
was in patent fees. Cisco published a binary blob, which all could use
without paying these fees, but it wouldn't be really interesting.
That's why they published source code for it. Now Mozilla can include
the blob and be "almost sure" (for now) that it's really built from
this source code. But now I see Mozilla makes it's own builds? Or
cisco made some not public builds for Mozilla?
Regards,
Andrey
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1100304#c9
[2] https://github.com/cisco/openh264/blob/master/RELEASES
P.S. I'm happy openh264 is there at Debian experimental and I've
enabled it after update to iceweasel 34, just like to clarify it's
origins.
b) everyone knows what's actually contained in that binary blob, since
it's built from open source code, and the build is (supposed to be)
reproductible.
Yes, "supposed to be": "there are ongoing efforts to allowit's built from open source code, and the build is (supposed to be)
reproductible.
reproducible builds which will then allow verification of the blob."
[1]
c) the binary blob is verified against a sha256 checksum downloaded from
a mozilla server through HTTPS with certificate pinning.
Googling on "libgmpopenh264.so sha256" delivers no url to downloada mozilla server through HTTPS with certificate pinning.
this blob and maybe even it's configure/build options and
dependencies. Googling on "libgmpopenh264.so chksum" results in this
bug report.
Looking further, I've found some relevant url infos:
/usr/share/iceweasel/browser/defaults/preferences/firefox.js:pref("media.gmp-manager.url",
"https://aus4.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml");
But it's still not really helpful.
While cisco blobs are clearly available [2], Mozilla seems to be not
transparent in this issue.
A binary from cisco:
-rw-r--r-- 1 andrey andrey 1040584 Aug 8 06:29 libopenh264-1.1.0-linux64.so
and one from Mozilla: (~/.mozilla/firefox/*/gmp-gmpopenh264/1.1/)
-rwxr-xr-x 1 andrey andrey 1030172 Sep 2 22:27 libgmpopenh264.so
They are obviously different. If I understood correctly, the problem
was in patent fees. Cisco published a binary blob, which all could use
without paying these fees, but it wouldn't be really interesting.
That's why they published source code for it. Now Mozilla can include
the blob and be "almost sure" (for now) that it's really built from
this source code. But now I see Mozilla makes it's own builds? Or
cisco made some not public builds for Mozilla?
Regards,
Andrey
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1100304#c9
[2] https://github.com/cisco/openh264/blob/master/RELEASES
P.S. I'm happy openh264 is there at Debian experimental and I've
enabled it after update to iceweasel 34, just like to clarify it's
origins.
--
To UNSUBSCRIBE, email to debian-bugs-rc-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
To UNSUBSCRIBE, email to debian-bugs-rc-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org