- Package: firefox-esr
- Source: firefox-esr
- Description: Mozilla Firefox web browser - Extended Support Release (ESR)
- Submitter: Alejandro Colomar
- Date: 2025-08-11 15:25:25 UTC
- Severity: normal
- Tags:
Dear Maintainer,

As you may know from recent news <https://lwn.net/Articles/1012430/>, Mozilla has gone evil. The new Terms of Use, from what I can see, are in violation of the DFSG points 5 and 6:

5) No discrimination against persons or groups

Rationale: The terms of use grant Mozilla the right to terminate anyone's access:

> Mozilla can suspend or end anyone’s access to Firefox at any time for any reason

<https://www.mozilla.org/en-US/about/legal/terms/firefox/#mozilla-can-update-or-terminate-this-agreement>

6) No discrimination against fields of endeavor

Rationale: The terms of use don't allow you to use Firefox to break the law. While this seems a reasonable term, it wouldn't be so reasonable for a dissident in an oppressive country.

> you agree that you will not use Firefox to [...] violate any applicable laws or regulations.

<https://www.mozilla.org/en-US/about/legal/terms/firefox/#you-are-responsible-for-the-consequences-of-your-use-of-firefox>

While not exactly this case, see also: <https://wiki.debian.org/DissidentTest>.

Apart from these violations of the DFSG, Firefox has now permission to leak user data to Mozilla, and who knows who else they decide to sell it later. This is a security bug.

> You give Mozilla all rights necessary to operate Firefox, including processing data as we describe in the Firefox Privacy Notice, as well as acting on your behalf to help you navigate the internet. When you upload or input information through Firefox, you hereby grant us a nonexclusive, royalty-free, worldwide license to use that information to [...]

<https://www.mozilla.org/en-US/about/legal/terms/firefox/#you-give-mozilla-certain-rights-and-permissions>

* What led up to the situation?

Mozilla's greediness?

Please consider packaging a fork of Firefox that doesn't have these violations of Debian's Policy and the security and privacy bugs.

Have a lovely day!
Alex
Mozilla plans to put the new Terms of Use in front of users soon. https://blog.mozilla.org/en/products/firefox/firefox-news/firefox-terms-of-use/

> And actually asking you to acknowledge it is an important step, so we’re making it a part of the standard product experience starting in early March for new users and later this year for existing ones.

Having seen it, and continuing to use firefox, users will have accepted it. That's what the "as you indicate with your use of Firefox" language is doing in there.

As far as I can tell with clock setting tests, firefox does not behave any differently after that point in time. So how will they do this? I think it will be as simple as https://www.mozilla.org/en-US/privacy/firefox/ getting a link to the TOU, or including it. That page is currently opened in a tab when starting firefox for the 1st time. It does not currently link to the TOU. For existing users, I think a later firefox release will make it pop up the TOU page.

I think this will mean that the TOU will apply equally to *all* builds of firefox, including eg from Debian. Debian should protect its users from this, by modifying firefox to not display the TOU on a new install or upgrade, at a minimum.

I hope you'll also develop a general policy for dealing with free software that actively exposes its users to harmful click through agreements. That this is happening to such a core component suggests that bug #690495 should have had a different outcome than it did.
Hi all, as firefox-esr gets installed by default on Debian when installing the default GUI (via task-desktop and other packages) I feel that this is particularly important. The alternative of installing desktop-specific browsers on different desktop environments would be suboptimal, in my opinion. I hope this will not bring back the "iceweasel" Debian vs upstream thing, but it may be a necessary evil :/
An update from Mozilla regarding this situation: https://blog.mozilla.org/en/products/firefox/update-on-terms-of-use/
On Sun, 02 Mar 2025 10:07:03 +0100 Andrea Pappacoda <andrea@pappacoda.it> wrote:
> An update from Mozilla regarding this situation:
> https://blog.mozilla.org/en/products/firefox/update-on-terms-of-use/

While Mozilla backtracked on some of the crazier stuff (like the Acceptable Use policy applying to Firefox, which would have made viewing entire categories of content using Firefox prohibited), none of the points brought up in the original report have been functionally changed. As it stands, the new ToU is still incompatible with the DFSG.
I also am deeply concerned about this. If it is true that this violates the DFSG, which it looks like it very well does, that means that a non-compliant package is on the verge of getting released with Trixie. And a high-profile one at that. The toolchain freeze is in 4 days, so time is short to make matters much worse. Copying maintainer.
Hello folks, First, a quick intro. I am a director working for Mozilla, and I have been a Debian developer for a long time. I managed the Iceweasel → Firefox renaming back in the day: https://lwn.net/Articles/676799/ and the Debian/Rust trademark discussion. Thanks for the input about the TOU and the connection with the DFSG. I would like to point out that Mozilla has published an update about the Terms of Use: https://blog.mozilla.org/en/products/firefox/update-on-terms-of-use/. As described in Mozilla’s communication, due to changes in laws in various places where Mozilla operates (particularly California and the EU), having a clear Terms of Use in the product became a necessity (all other major browsers also have terms, open source or not). In parallel, Firefox is relying more and more on remote services to operate (downloading models for translation, crash reporting with potential PII, telemetry, new tab page, etc.). This is why we had to put this in place. Our Privacy Notice comprehensively describes what data Firefox processes, collects, and shares. The data sent to our Sync servers is encrypted. The data collected as part of telemetry is clearly documented here: https://dictionary.telemetry.mozilla.org/. Now, the license of Firefox, MPL, hasn’t changed. It is still an OSI/DFSG-compliant license. The TOU doesn’t violate any of the DFSG terms, as it doesn’t (and won’t) discriminate against any category. However, we reserve the right to block access to some of our online services in case of abuse. Cheers, Sylvestre
Hi Sylvestre, thank you for chiming in! Your mail is text wrapped in a very strange way, so I'm going to reflow parts of it in my reply. Quoting Sylvestre Ledru (2025-03-24 22:27:57) write to ask you whether you think it would be too hard to maintain a copy of firefox in Debian that by default does not do the things that the terms of use are required for? Or, if that is not easily possible: will I be able to continue using firefox in Debian without having agreed to the new eula? I do not intend to download models for translation, send crash reports, use the sync servers, send telemetry nor use the new tab page. Thanks! cheers, josch
Hi Sylvestre, thanks for your reply on this matter! This, to me, is the crucial part of all this. Most people here are not at all concerned with Mozilla's online services. It is reasonable that what gets put into an online service reaches your servers and is then processed. What is not reasonable is for these same terms of use to be applied to Firefox, which is not a web service. People are concerned because it is not clear how much of these new terms of use also apply to Firefox. This should be made clearer. To many, Firefox isn't an online service, it is just a program which should not need to even contact Mozilla servers to perform its functions. Bye :)
Re sending with a proper formatting Hello folks, First, a quick intro. I am a director working for Mozilla, and I have been a Debian developer for a long time. I managed the Iceweasel → Firefox renaming back in the day: https://lwn.net/Articles/676799/ and the Rust trademark: https://lwn.net/Articles/901816/ Thanks for the input about the TOU and the connection with the DFSG. I would like to point out that Mozilla has published an update about the Terms of Use: https://blog.mozilla.org/en/products/firefox/update-on-terms-of-use/. As described in Mozilla’s communication, due to changes in laws in various places where Mozilla operates (particularly California and the EU), having a clear Terms of Use in the product became a necessity (all other major browsers also have terms, open source or not). In parallel, Firefox is relying more and more on remote services to operate (downloading models for translation, crash reporting with potential PII, telemetry, new tab page, etc.). This is why we had to put this in place. Our Privacy Notice comprehensively describes what data Firefox processes, collects, and shares. The data sent to our Sync servers is encrypted. The data collected as part of telemetry is clearly documented here: https://dictionary.telemetry.mozilla.org/ Now, the license of Firefox, MPL, hasn’t changed. It is still an OSI/DFSG-compliant license. The TOU doesn’t violate any of the DFSG terms, as it doesn’t (and won’t) discriminate against any category. However, we reserve the right to block access to some of our online services in case of abuse. Cheers, Sylvestre
Hello all, I'm not very familiar with legal language, but I'd like to point out some things that seem apparent to me. Correct me if I'm making a mistake. I think the existence of the Firefox Terms of Use violates the DFSG section 7: Even more so, due to this section of the Firefox Terms of Use: From https://www.mozilla.org/en-US/about/legal/terms/firefox/: Also, I don't know whether the DFSG applies to the online services, for example if they are enabled by default, but: Seems to potentially violate section 5 of the DFSG: On whether the terms apply to the Firefox browser: The new terms do apply to Firefox, they are called Firefox Terms of Use, and state: From https://www.mozilla.org/en-US/about/legal/terms/firefox/: And in the Firefox Privacy Notice (https://www.mozilla.org/en-US/privacy/firefox/#notice), ways in which user data is processed include: There are different terms, titled Mozilla Accounts Terms of Service (https://www.mozilla.org/en-US/about/legal/terms/services/), that exist for the online services. - T
Control: retitle -1 Are the Firefox Terms of Use suitable for Debian?

Sylvestre, your final parenthetical claim here appears to not be true for the only other major web browser in Debian and therefore an easy alternative for Debian to switch to now: chromium. Sylvestre, would Mozilla strongly object if Debian patched Firefox to remove links to the Terms of Use and links to the Privacy Notice? It looks to me like we have a situation where the maintainer of firefox-esr is a Mozilla employee and may be unwilling to take any action on this issue. Meanwhile, this is an RC bug and firefox-esr is eligible for automatic removal from Debian Testing which is causing a burden on other Debian maintainers and bug fixers since other things are marked for automatic removal because they depend on firefox-esr. I think we'll need the Debian Release Team to weigh in on this issue soon. Thank you, Jeremy Bícha
Control: reassign -1 firefox

Actually, we don't, because ESR 128 doesn't have the code that shows the Terms of Use. Mike
I thought that at first. Opening Firefox ESR 128.9.0esr-2 in Debian Testing opens two tabs, one is about:welcome and can be ignored here. The other, because I live in the United States, shows me https://www.mozilla.org/en-US/privacy/firefox/ which does include the new Terms of Use. It is also linked to in Help > About Firefox. Maybe it will just be more aggressive at presenting the Terms in a future Firefox ESR version? Thank you, Jeremy Bícha
Jeremy Bícha wrote: I don't see a link on that page to the new ToU. (It does link to some ToU's of chatbots.) Indeed it is! While this is a ways from "making it a part of the standard product experience" that was promised for early March and still does not seem to have happened, it seems to me that by making those clicks, I've made a legally binding agreement with Mozilla to grant them a license to all content I enter into firefox.
Sometime after May 15th and before June 12th, the following change was made to https://www.mozilla.org/en-US/about/legal/terms/firefox/ You give Mozilla the rights necessary to operate Firefox. This includes processing your data as we describe in the Firefox Privacy Notice. [-It also includes a nonexclusive, royalty-free, worldwide license for the purpose of doing as you request with the content you input in Firefox. This does not give Mozilla any ownership in that content.-] That resolves what was, to me, the most consequential problem with the Firefox ToU. (I'm left without much trust in Mozilla the organization, and would happily use a firefox fork if Debian packaged one.)
I'm not sure about the legal notices - but I found it wise to remove a bunch of URLs in the configs. As far as a fork - LibreWolf seems to have a proper default config - where the 'call-home' services are disabled. Many distributions pull from Debian so the call to change to a fork would come from here. LibreWolf.net - looks like the latest build was on 6-22. My take is that software that calls out should be locked down unless the user allows it - one URL at a time. The business model is selling your information - the long term consequences of this can be serious - and unpredictable.