On Thu, 2016-11-03 at 06:13 -0700, Alice Wonder wrote: > On 11/03/2016 05:28 AM, Phil Wyett wrote: > > On Wed, 2016-11-02 at 21:37 -0700, Alice Wonder wrote: > >> While doing a browser fingerprinting survey, I was quite surprised to > >> see I actually have a FireFox plugin installed. > >> > >> The culprit is > >> > >> /usr/lib64/mozilla/plugins/librhythmbox-itms-detection-plugin.so > >> > >> It appears that whoever maintains the rhythmbox RPM has chosen not to > >> package the browser plugin separately like it probably should be. So if > >> I have the rhythmbox RPM installed, I have the plugin. > >> > >> This is rather worrisome because I can find no trace of the plugin in > >> the Mozilla preferences panel, so if it is there it is very well hidden > >> and if it really isn't there, it can't be disabled there. > >> > >> Is there some kind of blacklist file I can put in > >> /usr/lib64/mozilla/plugins/ or ~/.mozilla/plugins/ to specifically tell > >> FireFox not to load that plugin, or do I have to uninstall rhythmbox? > >> > >> Thank you for suggestions. > >> > >> PS does anyone actually have a real world use for an itms detection plugin? > > > > Hi, > > > > It is possible to rebuild the package ( for CentOS 7) and disable this > > plugin being built. > > Yes but then any update to rhythmbox would re-install it and it would > become a pattern of build, rinse, repeat. > > Hopefully the bugzilla I filed will result in an update being pushed > with the plugin either gone or available in a separate package for those > who do want it. Hi, Sometimes we are only left with the wash, rinse, repeat, though not ideal. This was a regular for me until I fully moved away from 6.x. However... You can update your bugzilla entry as affecting 7.3 also. The 3.3.1-5 build in RHEL 7.3 has the same issue as you reported it. Note: All patches attached are against 7.3 rhythmbox 3.3.1-5 located on git.centos.org. There are a number of scenarios. Scenario 01: Disable the plugin, so it is not built and thus removed from RHEL/CentOS 7 altogether. Not something that is likely to be done, taking away a feature. Attached patch referenced below does this: 0001-Scenario-01-Disable-building-of-browser-plugin.patch Scenario 02: Move the browser plugin into a separate package. Not sure about the vendor wanting to do this, but is a viable option. Attached patch referenced below does this: 0001-Scenario-02-Browser-plugin-as-seperate-package.patch Scenario 03: The CentOS community agrees with you and decides on one of the methods above and it is built and released as a 'centosplus' package. Regards Phil -- Google+: https://goo.gl/CPjvNo Blog: https://philwyett-hemi.blogspot.co.uk/ GitLab: https://gitlab.com/philwyett_hemi/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part URL: <http://lists.centos.org/pipermail/centos/attachments/20161103/1912630e/attachment-0005.sig>