A common note at the end of f-droid repos states any non-free components.
The guardian project’s f-droid repo states the TBB has one such issue.
“About the Anti-Features In order to support WebAuthn, Firefox includes a proprietary Google library. Tor Browser inherited this change.”
I was not able to find any reference to this on Mozilla’s site, bug reports, etc.
I was also not able to find any reference to this on the Tor Project’s gitlab issues.
I saw that TBB disabled webauthn for a while, but now has it enabled.
Is Mozilla/Firefox including a proprietary blob library?
Or, is the inclusion more benign in the form of an iffy, but still open source licensed library.
and closed with comment “I’m considering this as covered by #26614”
I thought it means that fenix problem is solved with commits from 26614.
Looks like I was wrong.
But then comes question why issue was moved, closed, but not fixed.
Perhaps I’m misunderstanding, but this library is included at compile time, right?
Is that not a bigger deal than is being made of it, by merely disabling?
Would disabling merely disable, or prevent compile-time inclusion?
My understanding is that this is the only binary blob in Firefox itself?
I thought Firefox was shipping a fully open source web browser…
I’m surprised there has not been more protest and bad press on this point.
Ok, so I guess this google library is just included android Firefox and Tor browser, but not desktop?
I guess Mozilla implemented it themselves for desktop versions?
F-droid is also discussing the issue:
I think it would be better to remove or at least disable it, people question its conclusion of izzysoft.de also. Is there any possibilities of that @championquizzer@PieroV
I can find this in browser/app/profile/001-base-profile.js:
pref("security.webauth.webauthn", false); // Bug 26614: Disable Web Authentication API for now
And this in mobile/android/app/000-tor-browser-android.js
// Disable WebAuthn. It requires Google Play Services, so it isn't
// available, but avoid any potential problems.
pref("security.webauth.webauthn_enable_android_fido2", false);
So, it is disabled at the moment, unless there are other preferences I am missing.
However, I agree that having Tor Browser unencumbered by proprietary dependencies would be better.
I will talk about it in this afternoon’s public meeting, to see if we can assign a priority, and reopen the linked issues, if needed.