
I apologize for the disparagement; I was miffed at your statement that "only US English speakers will be allowed to disable this requirement," which completely misrepresents the situation, followed by doubt about Firefox's status as F/OSS. Instead of ascribing that to malice, I should have assumed good intent and that the communications from our end were unclear.

As to the English issue, we have absolutely no intent to restrict the signature opt-out to English speakers.

Much like with our Nightly builds, the unbranded copies of Firefox will only be pre-compiled with en-US strings. Additional locales can be added at any time through https://addons.mozilla.org/firefox/language-tools/.

For users that want to disable verification without installing a language pack, the Developer Edition and ESR builds will always allow for opting out and will continue to be released with a full complement of pre-compiled locales.

As a Debian user, I'd like to draw a parallel between these measures and the default requirement for GPG signatures on packages installed by apt, which has been the case since version 0.6 in 2003. These signatures are tools to ensure integrity and provenance, not to restrict your freedoms. Much like with the secure apt initiative, it's entirely possible for users to opt out of these protections after jumping through minimally invasive hoops.




"Much like with our Nightly builds, the unbranded copies of Firefox will only be pre-compiled with en-US strings."

I have been using localized builds from https://ftp.mozilla.org/pub/firefox/nightly/latest-mozilla-c... for several years - are they not part of the Nightly builds?


Oh, hey, yep. Tripping over my own ignorance there.

I didn't realize that latest-mozilla-central-l10n/ subdirectory existed; I've always gone straight for latest-trunk/, which it turns out is a symlink to latest-mozilla-central/, which only contains the en-US builds. Thanks for pointing that out. I'll file a bug to get https://nightly.mozilla.org/ updated to point to the localized builds.


> As a Debian user, I'd like to draw a parallel between these measures and the default requirement for GPG signatures on packages installed by apt

Said parallel is imperfect. With APT, you can add custom signatures (say, if you run a private or organization-specific repo). AFAICT, Firefox offers no such capability.


Thank you for clarifying, but I am still very skeptical.

I would have no problem with signature verification if, as with apt, users can decide which keys to trust. (And you don't have to download a whole new copy of apt to do it!) But the intent of this announcement seems to be that Mozilla will prevent users from doing that, on the theory that they will make bad choices. Well, some of them will!

But it's far more dangerous to take those choices away from them — that guarantees that they're trusting the wrong company.



