FreeBSD Palemoon branding violation
feld at FreeBSD.org
Tue Feb 6 22:50:07 UTC 2018
On Tue, Feb 6, 2018, at 16:36, Matt A. Tobin wrote:
> It would be awesome if you could build it closer to our official build
> configuration. Something more akin to
> Patches to anywhere in the codebase to accommodate our in-tree code for BSD
> systems to get a positive build is totally permitted. If that means libvpx
> or nss needs an in-tree patch then that is totally fine.
> In fact, if you do the patches in such a way as it won't interfere with
> other platforms via proper ifdef we would gladly accept them up the line.
> We were close to having this in the past but the contributor would not make
> clean patches that didn't fundamentally bust other platforms and we had to
> back it all out.
> We do want to work with platforms and projects but we also don't want our
> rights to be trampled on any more than you would want yours to be. Frankly,
> we didn't want the OpenBSD people to remove the port either but that was
> their decision to escalate a situation beyond reason over a couple of
> perhaps poor phrasing choices.
> The Mozilla Public License is clear in its provisions and grants and
> protections for covered code. The Pale Moon Redistribution License actually
> extends rights and permissions beyond what the MPL allows but has its own
> conditions that need to be met. None of these are insane or out of line and
> are there so that users of the software know they are getting what the name
> and logo claim it to be.
> However, given all that if you guys are going to follow suit and not going
> to follow point 8 of the Redist License you ask under point 10 for special
> permission to use trademarked branding and perhaps find a happy medium
> between which libs are absolutely required to satisfy the Pale Moon feature
> set and what ones can get by with using system libs.
> The decision is yours. Please make it a good one.
[ I do not speak on behalf of the project ]
1) You're not the upstream for any of these codebases: sqlite, nspr, nss, png, icu... As such there will be no effort made to submit you patches. You are welcome to retrieve our patches from the FreeBSD ports tree and apply them to your codebase if you so choose. Many man hours were spent adjusting these projects to work with FreeBSD's expectations; spending more to appease your private forks of these projects is unconscionable.
2) Shared system libraries exist for a reason and we intend to use them.
3) It will be beyond tedious to track down which vulnerabilities your browser is shipping. A CVE in nss or sqlite3 will not show up automatically for Palemoon in the results of our "pkg audit" tool unless someone has the ambition to peek into your codebase and see which extra copies of those libraries are being used.
Building with your libraries is the wrong way to ship this software for our users.
Do we need to disable your branding only or also stop using the name? If both, we will likely remove the port and suggest users upgrade to www/waterfox if they want an alternative to Firefox.
ports-secteam & portmgr member
feld at FreeBSD.org
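
Point 3 of the message above describes having to look inside a source tree to learn which private library copies it ships. The following is an added example, not part of the original message and not FreeBSD or Pale Moon code: it finds vendored copies by the version macros these libraries define in their own headers and lists the ones that differ from the system packages. The directory layout, version numbers and the `audited_packages` mapping are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Header file name -> (library, version macro defined in that header).
VERSION_MACROS = {
    "sqlite3.h": ("sqlite3", "SQLITE_VERSION"),
    "nss.h": ("nss", "NSS_VERSION"),
    "prinit.h": ("nspr", "PR_VERSION"),
    "png.h": ("png", "PNG_LIBPNG_VER_STRING"),
    "uvernum.h": ("icu", "U_ICU_VERSION"),
}

def find_bundled_libraries(source_root):
    """Return sorted (library, version, relative_path) for each vendored header."""
    root = Path(source_root)
    found = []
    for header in root.rglob("*.h"):
        if header.name not in VERSION_MACROS:
            continue
        library, macro = VERSION_MACROS[header.name]
        pattern = re.compile(r'^\s*#\s*define\s+' + macro + r'\s+"([^"]+)"', re.M)
        match = pattern.search(header.read_text(errors="replace"))
        if match:  # a same-named header without the macro is not a bundled copy
            found.append((library, match.group(1), header.relative_to(root).as_posix()))
    return sorted(found)

def untracked_copies(bundled, audited_packages):
    """Bundled copies whose version differs from the package an audit would check."""
    return [b for b in bundled if audited_packages.get(b[0]) != b[1]]

def build_constructed_tree(root):
    """Write a small constructed source tree (sample data, hypothetical layout)."""
    samples = {
        "vendor/sqlite/sqlite3.h": '#define SQLITE_VERSION        "3.13.0"\n',
        "vendor/nss/nss.h": '#define NSS_VERSION "3.28.6" _NSS_CUSTOMIZED\n',
        "app/nss.h": "/* unrelated header, no version macro */\n",
    }
    for rel, text in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        system = {"sqlite3": "3.22.0", "nss": "3.35"}  # constructed package versions
        for lib, ver, path in untracked_copies(find_bundled_libraries(tmp), system):
            print(f"{lib} {ver} bundled at {path} (system package: {system.get(lib)})")
```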