A common note at the end of f-droid repos states any non-free components.
The guardian project’s f-droid repo states the TBB has one such issue.
“About the Anti-Features In order to support WebAuthn, Firefox includes a proprietary Google library. Tor Browser inherited this change.”
I was not able to find any reference to this on Mozilla’s site, bug reports, etc.
I was also not able to find any reference to this on the Tor Project’s gitlab issues.
I saw that TBB disabled webauthn for a while, but now has it enabled.
Is Mozilla/Firefox including a proprietary blob library?
Or, is the inclusion more benign in the form of an iffy, but still open source licensed library.
Here it is:
Commit for disabling webauthn feature in
tor-browser-60.1.0esr-8.0-1 is here:
I see the same line in
In what version you see it enabled?
All of these are for non-android Tor Browser. On the gitlab applications/ fenix and android-components or for Android.
I can’t find anything when searching for “webauth” in issues or MR in fenix and android-components.
Here is the issue from
, which was later moved to
and closed with comment “I’m considering this as covered by #26614”
I thought it means that
fenix problem is solved with commits from 26614.
Looks like I was wrong.
But then comes question why issue was moved, closed, but not fixed.
Perhaps I’m misunderstanding, but this library is included at compile time, right?
Is that not a bigger deal than is being made of it, by merely disabling?
Would disabling merely disable, or prevent compile-time inclusion?
My understanding is that this is the only binary blob in Firefox itself?
I thought Firefox was shipping a fully open source web browser…
I’m surprised there has not been more protest and bad press on this point.
Ok, so I guess this google library is just included android Firefox and Tor browser, but not desktop?
I guess Mozilla implemented it themselves for desktop versions?
F-droid is also discussing the issue:
I think it would be better to remove or at least disable it, people question its conclusion of izzysoft.de also. Is there any possibilities of that @championquizzer @PieroV
Hello, thanks for reaching.
I can find this in
pref("security.webauth.webauthn", false); // Bug 26614: Disable Web Authentication API for now
And this in
// Disable WebAuthn. It requires Google Play Services, so it isn't
// available, but avoid any potential problems.
So, it is disabled at the moment, unless there are other preferences I am missing.
However, I agree that having Tor Browser unencumbered by proprietary dependencies would be better.
I will talk about it in this afternoon’s public meeting, to see if we can assign a priority, and reopen the linked issues, if needed.
Thank you for clarifying, it is much appreciated
Just cross-linking this directly related discussion, for everyone’s reference:
Would it be considered as still safe to use at this point since pieroV believes its all disabled anyway? @PieroV
I think so.
We are planning of removing proprietary dependencies anyway, but we’re not taking it as a high priority task at the moment.