bug#68361: Mozzarella may list non-free add-ons

[Clément Lassieur]

On Wed, Jan 10 2024, bug-gnuzilla--- via GNUzilla bug reports wrote:

> Hi,
>
> I learned about Mozzarella from social media, so I missed
> the official announcement of how it is curated,
> i.e. automatically or manually added entries.
>
> Either way, I spotted ff2mpv being listed
> although it is published under a non-free license:
> https://raw.githubusercontent.com/woodruffw/ff2mpv/master/LICENSE
>
> The Firefox add-on page still shows the original Expat license though,
> so Mozzarella inherit this metadata.
>
> I think cases like this are rare enough to not demand a web UI
> to report extensions add-ons accidentally listed on Mozzarella,
> but there should be a mechanism to manually remove it
> from the repository to avoid misleading users into installing
> proprietary software.
>
> BTW all Mozzarella pages have an empty <title>, which makes it difficult
> to browse multiple extensions in different tabs/windows.
>
> Kind regards,
> Phong

Hi,

I think this is an issue indeed.  But there is another one that is more
serious: even if we remove ff2mpv from Mozzarella, all users who have it
installed will have new updates pulling the non-free code forever.

A possible fix would be to change the source of the add-ons, from
addons.mozilla.org to Guix
(e.g. 
file:///gnu/store/dxck0g51w8kzmzdn1nx97dsnp78jq4sv-ublock-origin-1.54.0-xpi/lib/mozilla/extensions/uBlock0.firefox.xpi).

That would require us to sign our add-ons though.  I don't know how
feasible it is.

Clément