What if a source change is accepted and Cisco does not want to release binaries based on that code?
What if the code contains a security issue that is exploitable, but only in remote cases and the maintainers do not want to accept changes to the code for whatever reason?
How many attacks will there be trying to redirect the Cisco DNS in order to let Firefox download a malware-ridden binary?
Will the binaries be available as deterministic builds?
Will the binaries be signed and checked by Firefox? Who has access to those signatures?
How is this a victory over using GStreamer and using the encoders/decoders available on the OS?
This isn't necessary for systems that already have H.264 decoders provided by the OS, but it's useful for platforms like Windows XP (which still accounts for 20-30% of web usage) that don't have built-in H.264 decoders.
Firefox already uses cryptographic signatures to verify other code that it downloads (including updates to Firefox itself); it could do the same for the Cisco H.624 decoder.
Windows XP users already need to download a third-party binary plugin (e.g. Flash) to play H.264 videos in Firefox. Cisco's code has the advantage that it is open source and could be signed and distributed by Mozilla.
Correcting myself: it looks like Mozilla can't distribute the binary itself (while still benefiting from Cisco's end user licensing), though it could still publish its own signature for verification.
> What if the code contains a security issue that is exploitable, but only in remote cases and the maintainers do not want to accept changes to the code for whatever reason?
Surely, Mozilla will release an update which disables the plugin under these circumstances.
> How many attacks will there be trying to redirect the Cisco DNS in order to let Firefox download a malware-ridden binary?
Are there currently attacks trying to subvert Firefox's self-update mechanism? Or Chrome's for that matter? My understanding is that Firefox will be checking hashes or signatures for the download.
> How is this a victory over using GStreamer and using the encoders/decoders available on the OS?
As stated in the blog post, not all OS's have support for H.264, in particular Windows XP. It sounds like Firefox already supports H.264 video when the OS provides the codec. It's not clear to me whether Mozilla will move to OpenH264 across all platforms supported by Firefox, or only when there's no codec provided by the OS.
> How is this a victory over using GStreamer and using the encoders/decoders available on the OS?
MPEG-LA-licensed GStreamer codecs cost 28 euros to the end user. This priced at zero towards the end users.
This is not a particular win over decoders available on the OS when those are indeed available.
As for encoders, this encoder is designed for real-time use and even when encoders are provided by the OS, the OS might not provide an encoder suitable for real-time use.
What if a source change is accepted and Cisco does not want to release binaries based on that code?
What if the code contains a security issue that is exploitable, but only in remote cases and the maintainers do not want to accept changes to the code for whatever reason?
How many attacks will there be trying to redirect the Cisco DNS in order to let Firefox download a malware-ridden binary?
Will the binaries be available as deterministic builds?
Will the binaries be signed and checked by Firefox? Who has access to those signatures?
How is this a victory over using GStreamer and using the encoders/decoders available on the OS?