While doing a browser fingerprinting survey, I was quite surprised to see I actually have a FireFox plugin installed. The culprit is /usr/lib64/mozilla/plugins/librhythmbox-itms-detection-plugin.so It appears that whoever maintains the rhythmbox RPM has chosen not to package the browser plugin separately like it probably should be. So if I have the rhythmbox RPM installed, I have the plugin. This is rather worrisome because I can find no trace of the plugin in the Mozilla preferences panel, so if it is there it is very well hidden and if it really isn't there, it can't be disabled there. Is there some kind of blacklist file I can put in /usr/lib64/mozilla/plugins/ or ~/.mozilla/plugins/ to specifically tell FireFox not to load that plugin, or do I have to uninstall rhythmbox? Thank you for suggestions. PS does anyone actually have a real world use for an itms detection plugin?
On 11/2/2016 9:37 PM, Alice Wonder wrote:> > PS does anyone actually have a real world use for an itms detection > plugin?it appears to be used for playing itunes format multimedia embedded on websites -- john r pierce, recycling bits in santa cruz
On 11/02/2016 09:37 PM, Alice Wonder wrote:> While doing a browser fingerprinting survey, I was quite surprised to > see I actually have a FireFox plugin installed. > > The culprit is > > /usr/lib64/mozilla/plugins/librhythmbox-itms-detection-plugin.so > > It appears that whoever maintains the rhythmbox RPM has chosen not to > package the browser plugin separately like it probably should be. So if > I have the rhythmbox RPM installed, I have the plugin. > > This is rather worrisome because I can find no trace of the plugin in > the Mozilla preferences panel, so if it is there it is very well hidden > and if it really isn't there, it can't be disabled there. > > Is there some kind of blacklist file I can put in > /usr/lib64/mozilla/plugins/ or ~/.mozilla/plugins/ to specifically tell > FireFox not to load that plugin, or do I have to uninstall rhythmbox? > > Thank you for suggestions. > > PS does anyone actually have a real world use for an itms detection plugin? > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centosI added this bugzilla - https://bugzilla.redhat.com/show_bug.cgi?id=1391323
Alice Wonder wrote:> While doing a browser fingerprinting survey, I was quite surprised to > see I actually have a FireFox plugin installed. > > The culprit is > > /usr/lib64/mozilla/plugins/librhythmbox-itms-detection-plugin.so > > It appears that whoever maintains the rhythmbox RPM has chosen not to > package the browser plugin separately like it probably should be. So if > I have the rhythmbox RPM installed, I have the plugin. > > This is rather worrisome because I can find no trace of the plugin in > the Mozilla preferences panel, so if it is there it is very well hidden > and if it really isn't there, it can't be disabled there. > > Is there some kind of blacklist file I can put in > /usr/lib64/mozilla/plugins/ or ~/.mozilla/plugins/ to specifically tell > FireFox not to load that plugin, or do I have to uninstall rhythmbox? > > Thank you for suggestions.It shows up when I run Firefox - in both about:plugins and about:addons -> Plugins If you use a central Mozilla autoconfig file setup - see, for example: <https://developer.mozilla.org/en-US/Firefox/Enterprise_deployment#Configuration> then you can use the following line to disable this plug-in: lockPref("plugin.state.librhythmbox-itms-detection-plugin", 0); (and similar lines to disable any other plug-in) James Pearson
On Wed, 2016-11-02 at 21:37 -0700, Alice Wonder wrote:> While doing a browser fingerprinting survey, I was quite surprised to > see I actually have a FireFox plugin installed. > > The culprit is > > /usr/lib64/mozilla/plugins/librhythmbox-itms-detection-plugin.so > > It appears that whoever maintains the rhythmbox RPM has chosen not to > package the browser plugin separately like it probably should be. So if > I have the rhythmbox RPM installed, I have the plugin. > > This is rather worrisome because I can find no trace of the plugin in > the Mozilla preferences panel, so if it is there it is very well hidden > and if it really isn't there, it can't be disabled there. > > Is there some kind of blacklist file I can put in > /usr/lib64/mozilla/plugins/ or ~/.mozilla/plugins/ to specifically tell > FireFox not to load that plugin, or do I have to uninstall rhythmbox? > > Thank you for suggestions. > > PS does anyone actually have a real world use for an itms detection plugin?Hi, It is possible to rebuild the package ( for CentOS 7) and disable this plugin being built. Attached is a diff of the changes required. In RHEL 7.3 rhythmbox is supposed to rebase. https://bugzilla.redhat.com/show_bug.cgi?id=1298233 Unsure if it has been pushed as yet, being 7.3 release day, not all info is available. What this package does contain is to be found out. Regards Phil -- Google+: https://goo.gl/CPjvNo Blog: https://philwyett-hemi.blogspot.co.uk/ GitLab: https://gitlab.com/philwyett_hemi/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part URL: <http://lists.centos.org/pipermail/centos/attachments/20161103/5d6ba81f/attachment.sig>
On 11/03/2016 05:28 AM, Phil Wyett wrote:> On Wed, 2016-11-02 at 21:37 -0700, Alice Wonder wrote: >> While doing a browser fingerprinting survey, I was quite surprised to >> see I actually have a FireFox plugin installed. >> >> The culprit is >> >> /usr/lib64/mozilla/plugins/librhythmbox-itms-detection-plugin.so >> >> It appears that whoever maintains the rhythmbox RPM has chosen not to >> package the browser plugin separately like it probably should be. So if >> I have the rhythmbox RPM installed, I have the plugin. >> >> This is rather worrisome because I can find no trace of the plugin in >> the Mozilla preferences panel, so if it is there it is very well hidden >> and if it really isn't there, it can't be disabled there. >> >> Is there some kind of blacklist file I can put in >> /usr/lib64/mozilla/plugins/ or ~/.mozilla/plugins/ to specifically tell >> FireFox not to load that plugin, or do I have to uninstall rhythmbox? >> >> Thank you for suggestions. >> >> PS does anyone actually have a real world use for an itms detection plugin? > > Hi, > > It is possible to rebuild the package ( for CentOS 7) and disable this > plugin being built.Yes but then any update to rhythmbox would re-install it and it would become a pattern of build, rinse, repeat. Hopefully the bugzilla I filed will result in an update being pushed with the plugin either gone or available in a separate package for those who do want it.
On Wed, Nov 02, 2016 at 09:37:03PM -0700, Alice Wonder wrote> While doing a browser fingerprinting survey, I was quite surprised to > see I actually have a FireFox plugin installed. > > The culprit is > > /usr/lib64/mozilla/plugins/librhythmbox-itms-detection-plugin.so > > It appears that whoever maintains the rhythmbox RPM has chosen not to > package the browser plugin separately like it probably should be. So if > I have the rhythmbox RPM installed, I have the plugin. > > This is rather worrisome because I can find no trace of the plugin in > the Mozilla preferences panel, so if it is there it is very well hidden > and if it really isn't there, it can't be disabled there. > > Is there some kind of blacklist file I can put in > /usr/lib64/mozilla/plugins/ or ~/.mozilla/plugins/ to specifically tell > FireFox not to load that plugin, or do I have to uninstall rhythmbox?How about manually... sudo rm /usr/lib64/mozilla/plugins/librhythmbox-itms-detection-plugin.so You'll have to do it each time you update rhytmbox. -- Walter Dnes <waltdnes at waltdnes.org>
Walter Dnes wrote:> > How about manually... > > sudo rm /usr/lib64/mozilla/plugins/librhythmbox-itms-detection-plugin.so > > You'll have to do it each time you update rhytmbox.... or create a very simple RPM that just has a '%triggerpostun' script that removes that file each time rhythmbox is updated James Pearson
On Thu, Nov 03, 2016 at 10:10:20AM +0000, James Pearson wrote:> > It shows up when I run Firefox - in both about:plugins and about:addons -> > Plugins > > If you use a central Mozilla autoconfig file setup - see, for example: > > > <https://developer.mozilla.org/en-US/Firefox/Enterprise_deployment#Configuration> > > then you can use the following line to disable this plug-in: > > lockPref("plugin.state.librhythmbox-itms-detection-plugin", 0); > > (and similar lines to disable any other plug-in) > > James PearsonWith all the talk about deleting a packaged file or rebuilding a base package, I'm surprised no one has noticed this solution. The above is most likely the best solution. Easy to deploy through CM, won't be overwritten with package updates, and is the best for "Enterprise" customers (who deploy to hundreds or thousands of computers). I'm already using something similar to change the default home page. -- Jonathan Billings <billings at negate.org>