Normandy remote control should be disabled by default

Bug #1827717 reported by Tom Reynolds on 2019-05-04
32
This bug affects 6 people
Affects Status Importance Assigned to Milestone
firefox (Ubuntu)
Undecided
Unassigned

Bug Description

While sure useful as a way to remedy the add-on intermediate signing certificate expiry issue Mozilla has created (https://bugzilla.mozilla.org/show_bug.cgi?id=1548973), I really think Normandy should be disabled in Ubuntu by default:

  Normandy is a collection of servers, workflows, and Firefox components that enables Mozilla to remote control Firefox clients in the wild based on precise criteria.
  https://mozilla.github.io/normandy/

Reasoning: Software installed via APT should have defined states, software should not be allowed to change itself, unless the user has actively chosen to enable such functionality and this functionality points out, for the user, that it has this capability.

The current default preference (per about:config) is: app.normandy.enabled;true

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in firefox (Ubuntu):
status: New → Confirmed
lotuspsychje (lotuspsychje) wrote :

Confirmed it was enabled by default for me on 18.04 aswell

Olivier Tilloy (osomon) wrote :

> Reasoning: Software installed via APT should have defined states, software
> should not be allowed to change itself, unless the user has actively chosen
> to enable such functionality and this functionality points out, for the
> user, that it has this capability.

Normandy won't alter the packages installed by apt (that would mean that it runs as root, which would definitely be a security problem). The mechanism allows Mozilla to roll out preference changes, which will alter only the user's profile.

As you pointed out, this allowed to mitigate quite effectively bug #1827727, which rather advocates for keeping it enabled by default.

Changed in firefox (Ubuntu):
status: Confirmed → Opinion
Tom Reynolds (tomreyn) wrote :

Normandy can remotely change the functionality and behavior and preferences of Firefox installations, though. It can silently install extensions which may not be listed at about:addons. I agree that is not remote root access (not immediately, anyway), but the fact that such a powerful remotely controllable feature is enabled by default, without the user asked for explicit opt-in, is still very troubling from my perspective. And so is your response, I might add.

Olivier Tilloy (osomon) wrote :

If you feel uncomfortable with that functionality, you should turn it off (that's a totally respectable concern). Or use a different browser that doesn't have this sort of mechanism. For the vast majority of Ubuntu users though, it makes sense for the feature to be enabled by default.

Security is often a matter of trust, so it all boils down to whether we trust Mozilla to use the feature in a sensible way.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers