Dear iceweasel maintainers and lurkers, Here's some history, analysis, and a recommendation.
Firefox 10-ESR disabled WebGL/Mesa based on https://bugzilla.mozilla.org/show_bug.cgi?id=777028 in which the rationale comes out clearly: 1. the Firefox team can't control the quality of the Mesa version installed 2. ESR releases are meant for ultra-conservative users who probably are not interested in glitzy frills like WebGL Neither of these assumptions is completely true for a Debian stable release. Also, blacklisting WebGL/Mesa indirectly endorses proprietary drivers; a position that probably doesn't bother Mozilla much, but is at odds with Debian principles. iceweasel_10.0.12esr-1 shipped with patches/fixes/Allow-webGL-with-mesa-assuming-users-will-have-updat.patch which removes the disabling stanza. Its meta-information reads: From: Mike Hommey <redacted> Date: Fri, 31 Aug 2012 09:01:08 +0200 Subject: Allow webGL with mesa, assuming users will have updated to 8.0.4-2 on wheezy The version in squeeze-backports is not affected by CVE-2012-2864, and the version in squeeze is blacklisted. Firefox 17-ESR disabled WebGL/Mesa based on https://bugzilla.mozilla.org/show_bug.cgi?id=838413 which has much less detail than the Firefox 10 discussion. The starting comment from Benoit Jacob is: In ESR10 Mesa was blacklisted and we've had many occasions to be thankful for that. We should do the same for ESR17. iceweasel_17.0.8esr-1~deb7u1 shipped _without_ any patch changing the WebGL/Mesa blacklisting. If there was any internal discussion leading to that decision, I'm not aware of it. And of course there's no commit message to read. I don't want to second-guess the decision to leave WebGL/Mesa disabled in Wheezy's iceweasel. But if that is in fact the intended behavior, there are two bugs: 1. Not documenting the regression 2. Not providing a bypass I have been taught that software "should not set policy, but provide capabilities." (That phrasing is from 2008 by John Kacur, but the idea is much older.) I'm no Firefox source code expert, so I don't really want to write the patch putting in a bypass switch to ignore the blacklist. If I did it, it would probably be based on a magic environment variable. Maybe there's a more GUI way to do it. Whatever. But it should not require a 75+ MB download and 2 hours of CPU time to bypass a blacklist that may or may not have any basis. P.S. Is it expected that the "Debian Changelog" link from http://packages.debian.org/wheezy/iceweasel tells me "Not Found"? -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
