Proposal: Waterfox, IceCat, Pale Moon & Seamonkey / Firefox forks #375
Labels
No Label
🔍🤖 Search Engines
approved
dependencies
duplicate
feedback wanted
high priority
I2P
iOS
low priority
OS
Self-contained networks
Social media
stale
streaming
todo
Tor
WIP
wontfix
XMPP
[m]
₿ cryptocurrency
ℹ️ help wanted
↔️ file sharing
⚙️ web extensions
✨ enhancement
❌ software removal
💬 discussion
🤖 Android
🐛 bug
💢 conflicting
📝 correction
🆘 critical
📧 email
🔒 file encryption
📁 file storage
🦊 Firefox
💻 hardware
🌐 hosting
🏠 housekeeping
🔐 password managers
🧰 productivity tools
🔎 research required
🌐 Social News Aggregators
🆕 software suggestion
👥 team chat
🔒 VPN
🌐 website issue
🚫 Windows
👁️ browsers
🖊️ digital notebooks
🗄️ DNS
🗨️ instant messaging (im)
🇦🇶 translations
No Milestone
No Assignees
1 Participants
No due date set.
Dependencies
No dependencies set.
Reference: privacyguides/privacytools.io#375
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
For those of us displeased with the direction Mozilla is headed, Waterfox and IceCat are suitable alternatives.
Are either or both of these browsers contenders for inclusion or mentions on Privacy Tools?
Pros of both:
Cons:
Although Waterfox is currently just a "fork," it appears it's going to branch off & become a stand-alone project after the demise of ESR; from 56 release notes:
It has been mentioned that compatibility with "legacy" extensions is also in work to be retained beyond ESR, as well.
Edit:
I forgot about Pale Moon, per @beerisgood's suggestion: https://www.palemoon.org/
Also worth mentioning: https://www.seamonkey-project.org/ - Though I'm not sure how intertwined Seamonkey is with Mozilla:
Which is concerning, given Mozilla's recent activities; definitely not a company that should be handing out advice.
Hi, could you share what do you mean by "the direction Mozilla is headed"? Is there anything new we don't know?
Thank you.
@davidtabernerom Shields project is meant to look at different user's settings and how they work on different sites. Here is the last one.
The only useful part was this one imho
Mozilla managed to betray users' trust many times in a couple of months. https://github.com/mozilla/addons-frontend/issues/2785 https://www.theverge.com/2017/12/16/16784628/mozilla-mr-robot-arg-plugin-firefox-looking-glass @beardog108 might give you extra info.
Also, not a FF issue, but a Mozilla issue: https://www.youtube.com/watch?v=KPgyTzqDJhM. https://youtu.be/KPgyTzqDJhM?t=987 (16:28) talks about yet another betrayal of users' trust.
For Pale Moon, you should read this:
https://forum.palemoon.org/viewtopic.php?p=129767#p129767
And Pale Moon isnt just a fork like Waterfox, nor have telemetry included. So its currently the best alternative
@davidtabernerom
Edit:
How could I forget!
Pale Moon have a few integral extensions: https://addons.palemoon.org/extensions/privacy-and-security/
Here's hoping for Waterfox to follow suit: https://github.com/MrAlex94/Waterfox/issues/303
Considering that incredibly lucrative deal with Yahoo, a lot of Mozilla's recent actions reek of intense greed & abandonment of principles that made Firefox what it is in the first place.
With the recent changes to webextensions and the ui, (not to mention negation of user privacy with opt-out) they are emulating Chrome.
@beerisgood I updated my original post, had forgotten about Pale Moon. Though I don't think it's "better" than the other two. I think all 3 are suitable alternatives!
@Shifterovich supplied an excellent podcast detailing how much money Mozilla rakes in + some pretty shady happenings within the corporation/organization that aren't covered in any of the links above: https://hooktube.com/watch?v=qMALm1VthGY
Mozilla is Not Trustworthy
We should also make a section about Mozilla, similarly to the W10 section, as Mozilla is very often recommended to people seeking privacy and generally open-source freedom.
@Shifterovich
Holy cow, there's so much more sheistyness going on with Mozilla than I ever knew!
Fixed your link: https://hooktube.com/watch?v=qMALm1VthGY
Thanks, didn't know about that.
Just be aware that HookTube sits behind Cloudflare, so there is a trade-off vis-a-vis YouTube.
@Hillside502 - Valid point. Though without much competition for Youtube, I'd say Cloudlfare is the lesser of two evils.
Mozilla posted their "apology," does anyone take issue with the fact it came from their Chief Marketing Officer, instead of the CEO?
A grossly negligent violation of trust and they respond with PR speak from marketing.
Would it be controversial to remove Firefox from privacytools.io as a suggestion, entirely?
I agree with @z0m8i3
Cyberfox is another alternative
@PandaCodex isnt it dead?
Possibly semi-offtopic, but do you have any feature comparsion table between those forks (and possibly Firefox itself)?
@Mikaela Excellent suggestion. I submitted a PR https://github.com/privacytoolsIO/privacytools.io/pull/379 with a comparison chart (link beneath "Worth Mentioning" of the browser section)
+1 for this. I avoid Mozilla after they said this: http://uk.businessinsider.com/mozilla-new-initiative-counter-fake-news-2017-8?r=US&IR=T
So now they want to filter what you see based on their political views or what they deem as true or false...
You can add too:
By removing the Tor-dependante feature (for eg https://superuser.com/questions/1117383/can-i-use-tor-browser-without-using-tor-network/1117660#1117660 ) you'll have a good hardening browser
Perhaps recommending Tor Browser without Tor is better than recommending FF with some tweaks? You will look like Tor apart from your IP.
@Shifterovich depends. Tor Browser use Firefox esr. Some guys need modern stuff which only the normal version have (until esr go to new version)
Else: yes but it needs config too to use it without Tor network
FF + user.js tweaks needs more time than setting Tor for non deepweb.
Intika's Librefox-Firefox includes ghacks.user.js in the available releases.
Can't recommend this. Firefox 63.0.3 is still used -> security problem!
Also guys which visit this site, care about privacy and have the few minutes to config the (gHacks) user.js tweaks
@2E0PGS that's enough for me to ditch Firefox. When tech companies become political and censor information that doesn't fit their narrative is the day they are not in support of a free internet.
We really need to stop Firefox from being recommended and suggest forks that adhere to the original goals Mozilla seems to have forgotten.
@quantumpacket
I wholly agree. Anytime this subject is brought up, someone counters it with, "The forks only have x developers and are volunteers; security patches are slow.. you can't beat the army of paid staff Mozilla has."
When a staff of size is working against their users, obscure security exploits are the least of anyone's worries. There's probably much worse going on inside that none of us are privy to.
Relying on community users to monitor and review such an enormous codebase is nonsense. The codebase is too large to analyze every line of code efficiently and Mozilla has become untrustworthy.
I'll use your argument, @angela-d: "The forks only have x developers and are volunteers; security patches are slow.. you can't beat the army of paid staff Mozilla has."
And remember that even Microsoft has switched to Google product chromium (and so add a more pressure to standardize all that Google want in term of web)
Tor browser is the only "fork" which have enough power to keep it secure.
Also remember even Mozilla implement some privacy feature in Firefox FROM Tor browser.
Also Firefox is (yet) the only solution. You can't config any other browser like you want and have good security & privacy
@Kcchouette 'Old' doesn't necessarily mean insecure. If anything, Firefox is more of a moving target due to its popularity, like Windows. Rumor has it Windows has some underlying code dating back 25 years or so (if people are concerned about a codebases age).
The amount of hackers putting resources into actively hunting users on Pale Moon is probably close to 0.
Lack of choices is not good for the web as a whole.
Claiming that Pale Moon is "old and insecure" is repeating the false argument that has been used by its detractors for years.
The truth is that Pale Moon is developed independently, and does not rely on fixes provided by Mozilla.
Sure, Moonchild does review security fixes applicable to each version of Firefox when released, after getting access to the related bugs, but evaluating their applicability against Pale Moon (or Basilisk) and if so either porting patches across or writing his own mitigation code does not mean being reliant on Mozilla, but rather taking advantage of a resource (which becomes increasingly less relevant as the differences between Firefox and Pale Moon and Basilisk code grow even more).
Pale Moon regularly fixes issues independently, in many cases long before Mozilla implemented relevent fixes in Firefox, and to clarify further, Moonchild isn't the only one making additions and fixes to the code - there are many regular contributors.
Pale Moon (and Basilisk) is now built upon the Unified XUL Platform, with improvements to the platform not only making their way into Pale Moon, but also any other of the growing number of applications built on top of it. Just because Mozilla abandoned XUL, doesn't mean that it should die, or that WebExtensions are necessary - I'd argue that WebExtensions are more likely to be detrimental to security and privacy due to how much it limits the abilities of the user.
@Ligge c'mon don't spread FUD.
Of course pale Moon and basilisk based on Firefox. Moonchild need to wait to get the security updates/ Infos from Mozilla which take some time.
Also just compare the time between a Firefox (security) update and a pale moon or basilisk update.
So the argument isn't false. Also compare how much guys work for Firefox and how less for pale moon / basilisk.
And if moonchild go more and more away from Firefox code, then he need even more work for security. Don't think he can solved that alone.
You don't know why Webextension is important don't you?
It's more secure. And yes, the add-ons got more and more features from old xul times but now in more secure way.
@beerisgood You sir, have no idea what you are talking about.
The Unified XUL Platform is not dependent on Mozilla Security for fixes. Though, applicable ones are taken in where it seems appropriate. There are also security fixes that are independent of Mozilla, like stated earlier, they are often ahead of Mozilla even admitting it is an issue. This has happened a few times now.
No one has ever denied that Pale Moon and Basilisk were based on Firefox from various eras or that the Unified XUL Platform is likewise not based on Mozilla's platform code. However, you should learn the definition of the word fork. In our case, we are a diverging fork which will not re-unify or sync with upstream. That business is quite done. Mozilla has very little to offer us or anyone at this point.
As for WebExtensions, your claims of security may be valid for pure Chrome Extensions running on Chrome-derived browsers however in the Mozillasphere.. This is not the case, or maybe you don't have the time to actually see how the Mozilla implementation of WebExtensions along with their Multiprocess model and sandbox are less effective at security than a screen door on a submarine.
Just because there is constant refactoring and churn plus adding the latest Google shiny does not mean it is better, faster, more secure, or even desirable for all people.
The point of the Unified XUL Platform and its applications are to be alternatives to the mainstream offerings just as much as it is to continue these nearly or completely abandoned technologies that we believe in and would hate to loose.
Mozilla has made its choice in the direction they want to go along with the destruction it has wrought. That is their decision and while I disagree with it that is how it is. However, it is NOT the ONLY way there is.
You also need to familiarize yourself with how the Mozilla-style platform works (or soon in Mozilla's eyes, worked). The code for Firefox is small in comparison to the platform code. Largely existing only in
browser/in their tree. The rest of the code has DOM, Layout, Media Libs, JS, XPCOM, and the rest. This allows one to build more than just a web browser albeit that is by far the most popular use of the platform.In UXP, Pale Moon's application specific code is in
application/palemoon/this is the code that makes it Pale Moon and not something else. Likewiseapplication/basilisk/is the code that makes it Basilisk and not Pale Moon. However one sets it up, there is a difference between shared platform code and the application specific code. So when you say "Firefox code" you are talking about a small percentage.The Unified XUL Platform currently has 6 active applications which are listed at http://thereisonlyxul.org/ and more will show up for the future. Cross community cooperation and independent development prevails. The contributing force continues to grow as we are all dedicated to the technologies that are employed in UXP.
Very few have attempted to do what we are coming together to do and no one has at this scale. I think that is something special. So please, if you are going to spread falsehoods and bash our work as the devil himself, at least become informed.
I am very disappointed with the lack of creativity of those who bash us.
These small team browsers often lag way behind upstream and depend on a huge load of unmaintained code, that they have to maintain with their small team.
XUL is dead and WebExtensions is here to stay. Is anyone actually developing new extensions based on XUL? Every argument I've seen in favor of XUL has been someone bitching about some old plugin not working anymore.
A web browser is a highly complicated piece of software that requires quite a lot of resources to maintain. There is a high demand for 0days to be fixed promptly and this requires resources. Additionally using some obscure browser with an obscure combination of APIs is likely to make your browser fingerprint a lot more unique.
There are also significant issues related to trusting a small number of unproven people, who essentially develop under the cover of anonymity.
I also think there's a lot of drama surrounding Waterfox/Palemoon. People being banned on the Palemoon forums pointing out faults with the project etc. I have read far too many a comment like that one.
I also seem to remember a thread (I can't seem to find it, now) where the poster talked about how the authors are removed from the pulls from Mozilla's code base. I don't think that is appropriate at all if it is the case
There also seems to be a small group of devout followers who travel from the Palemoon forums to other parts of reddit, HN and github to spruik the project and derail criticism. I've observed (without naming names) it's the same names doing it over and over again.
They also seem to pretend this small following has the ability to maintain and develop what a huge profit making company decided was too difficult and time consuming.
Eventually there's going to be another fork, like Basilisk when it becomes impossible to merge from upstream this will only further divide development resources.
Nothing original again. Very disappointing!
You may not like it as a member of the Moonchild appreciation society but that doesn't make it any less true.
Actually, it isn't true. You know what it is though @tya99? It is Fake News!
You are Fake News.
@mattatobin Please stop writing comments that look like wannabe Trump tweets.
How big is the Pale Moon project? Since there have been serious security issues with projects as big as Chrome, browser with JS support and too small dev teams shouldn't be recommended imo.
@Shifterovich A number and as already stated we are often ahead of the curve when it comes to security. Of course we also take in any applicable security fixes from Mozilla including those of a defense-in-depth nature which are not actively exploitable but could be if surrounding code were to expose it.
For instance, there was a secbug involving javascript timers we came across and fixed a full year before Mozilla indicated a problem merely because the code looked wrong.
There have been other such cases as well as fixing some things Mozilla has outright refused to. Moonchild himself has a high sec background and indeed independent sec issues have been resolved when identifed.
However, anyone who took two minutes to examine Pale Moon and the broader Unified XUL Platform would know that security is of the highest priority.
Indeed, acting on security issues prematurely has also bitten us before in terms of web security because the web its self had not caught up yet and as a result it busted some sites and the users were not happy about it.
From rebuild to selective rebase to independent fork to multi-application platform over the past 10 years seeing it grow from a one man shop to a group of passionate and dedicated developers and contributors who spend much if not all of their free time loosing sleep working together is a spectacular thing to behold.
Continuing down the original path set for us by our netscape and true Mozilla forefathers isn't easy but for years now we have been accomplishing and it can only grow and get better from here. Especially now that Modern Mozilla is all but irrelevant.
Wow what a post. I wonder how much money you got from Moonchild for writing such irrelevant stuff on whole internet again and again.
Also let's see how long your fork works if
Modern MozillaMozilla exclude you from security Infos or your users leave cause they want up2date add-onsThat would be a big fat check of zero dollars and zero cents @beerisgood. There are more important things than money in this world such as my work work outlined above.
Though it does raise the question in some peoples minds like how much do people like you but not necessarily you specifically get paid for this kind opposition?
I hear in other causes it can be quite generous but what is the going rate to be paid opposition against projects and people who just want to make a small perhaps insignificant piece of the world that liitle bit better for those interested, hmm?
As for extensions, we have a growing ecosystem of our own on that front and the server/software infra to support it plus the back catalog of about sixteen thousand Firefox extensions that can either be installed directly or drawn upon to create new and supported ones.
Isn't open source grand?
@tya99
This wouldn't be a problem if the teams weren't so small, now would it? Also, as stated before, a hard fork does not necessarily depend upon the upstream.
Yes. As a developer, I might use WebExtensions more if the APIs were functionally on par with what XUL and XPCOM can do. But despite its occasional clunkiness, XUL/XPCOM remains the framework that provides me with the capabilities to extend the host application and take control of my privacy in more ways than WebExtensions can ever dream of.
Many of the points in your comment @mattatobin there lack citation or any kind of evidence https://github.com/privacytoolsIO/privacytools.io/issues/375#issuecomment-458208166 I am expected to just "take your word for it", so I am not convinced.
You make it sound like you're some industry moving force when that's not the case.
You may have a few contributors but that those aren't full time developers. That's a bit of an ambigious metric there.
So when Servo becomes the default layout engine, you'll make a third web browser?
Opinion. Ofcourse things like Rust don't exist obviously.
My opposition is for the reputation of privacytools.io. Maintaining an important piece of software such as a web browser that deals with sensitive information requires resources that you do not have and are unlikely to attract at this point.
I would love to know how many of those are actually maintained. Claiming old XUL addons that have mostly been converted to WebExtensions or abandoned isn't realy worth all this extra effort.
That makes it even worse. If that is the case the small team has even more work to do in regard to testing as a hard fork is likely to mean less code from upstream can be used.
Why anyone would develop on a platform has 0.0000001% market share is beyond my understanding. If you did need some functionality that WebExtensions couldn't provide then a stand-a-alone application using another maintained framework would be a more suitable option.
Incidentally while looking at your commit history I observed you have an option in Palemoon to disable HSTS. You do know that's agains the RFC https://tools.ietf.org/html/rfc6797#section-8.4
None of this discussion is going to yield anything productive so I vote that this issue be closed.
Nah, but we are tuned in to the industry standards.
All you need is a few good men to create the future!
No, we collectively aren't interested in Servo or anything Mozilla is really doing these days. Mainly, because we all feel it is wrong. Let them be who they have decided to be.. Doesn't have anything to do with us at this point.
See above about Servo. Though I should have clarified as "All but completely irrelevant to us." Sorry about that.
See above about a few good men.
Pale Moon extensions created or forked to specifically target Pale Moon are maintained by their developers.
See above about a few good men.
You mean 0.02% percent of the market share. Stop spreading fake news. As discussed already, the whole POINT to the Pale Moon project and broader Unified XUL Platform is to maintain the classical mozilla technologies and platform framework code. This is what we are doing. Don't like it, don't use it. However, don't dismiss our mere existence because it isn't from Google, Modern Mozilla, Microsoft, or Apple.
By default it is enabled. There are privacy conserns here.
I agree, so stop shitting on us and I will go away.
So what are you going to do when pages don't work in anything but Blink and Servo? Eventually those engines are going to implement features you do not have and site developers will test in those environments and nothing else.
This will in turn create even more work. Even Microsoft (with their resources) gave up developing EdgeHTML and opted to use Chromium.
😢
Continue.
Okay.
If you're concerned about privacy there are better ways to achieve this, such as Tor Browser. At least your fingerprint won't then be so unique and you actually have Tor to not expose your IP address. Having such a unique fingerprint will mean that your users can be singled out for targeted exploitation.
Nuke the sandbox too hard? Too much security for me. Lets scream about how Mozilla does everything wrong and whinge about fake news again.
Yes and tell me how that goes when you're trying to use NoScript or uMatrix on a mobile browser.
Also, you came here.
The sandbox doesn't work, Mozilla's own security bugs prove that. As for HSTS that is under user control.. Like I said, by default it is enabled.
Above all else the stuff we collectively do is done in the hopes it will be useful. Choice also remains paramount.
I came here because I was made aware of people spreading falsehoods about something I been helping develop and drive for years now.
If you guys are gonna keep on and on and on shitting on the good people who have made these projects possible.. of course I am gonna respond when I am made aware of it.
Why can't we all exist? Why is it such a crime for Pale Moon, Basilisk, Ambassador, Borealis, Interlink, and the technologies of the Unified XUL Platform to just BE? Why does it have to be a constant deluge of hate and misinformation? Answer that.
If you want to keep continuing this I am game until the heat death of the universe but I would rather get back to work building the future for our little corner of existence without this distraction.
No one wants stop your project, but don't list it on privacytools.io
That is totally up to you. I just don't get all the overdramatic bashing that happened. Don't want to list any UXP Application on privacytools then don't.
I have no opinion one way or another on if it is listed or not but this crusade against us is what I have a problem with and is the ONLY reason I am here. One of course is free to have their own opinions but that doesn't require 10+ posts of bashing for the crime of existing or the thoughtcrime of wanting something other than what Mozilla or the others are offering or wanting XUL and other classical mozilla technologies.
The
old and insecurenarrative is wearing quite thin these days to the point of it being on the same level of calling someone aracistnazihitlerfor not agreeing with you.Everything has bugs. Bugs are then fixed those bugs, people move on. I suppose you'd also say that Chrome's sandboxing is a complete waste of time too? The point is about reducing harm and employing a number of good principals to achieve that.
Which is in violation of the RFC. RFC6797 clearly states:
There are a couple of reasons for this:
There are better ways to waste time, that's your time so I really couldn't care less.
OMG FAKE NEWS is how you responded. In my last reply I placed a bet you'd respond in this way. You never refute so called "falsehoods" with evidence. Which brings me back to what I said earlier:
"There also seems to be a small group of devout followers who travel from the Palemoon forums to other parts of reddit, HN and github to spruik the project and derail criticism. I've observed (without naming names) it's the same names doing it over and over again."
If there was absolutely no truth to the criticism, it wouldn't bother you.
You can't delete my comments so that really must bother you. We have never criticized the people. We have however pointed out why these things do not belong on privacytools.io
You can exist if you want, just not on privacytools.io, not if the site wants to maintain it's credibility. There has never been any question of that.
You haven't provided any evidence which disproves my previous comments about your project. Why should I go to more effort to dig up more examples of why your project is a shitty pointless effort?
You edited your last reply a number of times. I was already in the process of replying.
Well I don't believe that at all based on your edits.
Nope. If there was evidence of the latter then it would still be something valid you could say about a person. There is certainly evidence of the former, so we can still say it about Pale Moon.
This is how I learned about this issue and why I came here.
https://freenode.logbot.info/palemoon/20190116#c1926961-c1927067
Good to have things on public record.
So that user was trying to form a brigade.
I have clearly stated why (in previous comments, in this issue) why they are wrong.
Where is your proof and evidence in this? Cause I see nothing that supports your so called facts. Our work can speak for its self.. What in-depth analysis have you done based on our work to support the
old and insecurenarrative?Also, two people a brigade does not make.
Additionally, if HSTS is disabled then that means
RFC 6797is not in effect thus there is no standards violation.Your browser hasn't had the scrolling code removed? Read my previous replies.
Note the key word in my comment trying.
No it just means your browser is compliant with commonly adopted security standards of today. I guess you could interpret that as being dangerous.
What scrolling code? I see no mention of it in this issue.
I was referring to your inability to use your scrollbar to read my previous comments. Ie:
Well that was misleading.. Anyway, the burden of proof really is on you to support the
old and insecurenarrative. OH you can link to those bashing articles but that just makes you fake news.. Where is your first hand proof.I figured other huge portions of your browser are missing so why not that.. 🙃
I have done so in my comments. You have just been in denial and haven't provided anything to counter it.
I know you will just keep responding until the issue is closed, specifically https://github.com/jasperla/openbsd-wip/issues/86 So I won't be responding after this unless there is something of value for me to respond to.
That's okay. Also, the public record is all the proof I need. Our work like the truth speaks for its self.
Also, you didn't need to cite the bsd issue because I already admitted that I handled that poorly. But you wouldn't know that since you don't seem to know much beyond what you are told. That is okay too.
I also directly said I wouldn't quit as long as you want to continue this.
I was not trying to form a brigade. Instead, I was annoyed at what appeared to be yet another example of someone repeating the same old claims that I have seen being spouted for years, as a user of the browser, when the fact is that independent development - when done seriously, as Pale Moon (and Basilisk, along with other UXP applications) is - isn't actually a bad thing just because someone doesn't have the resources of Microsoft/Google/Mozilla etc.
My other intention with replying here as suggested, was in the hope of providing another viewpoint so that at least one person may come across what has been said and give them more information to make their own decision based on that (rather than only being exposed to the "old and insecure" narrative).
I certainly still believe that Pale Moon is highly focused on privacy and security, and thus it would still fit in with the point of this list in my opinion, but that decision is not mine to make and I won't try to argue for its inclusion if it isn't included.
As long as the further information provided in this issue helps at least one person who comes across it to make a more informed decision, then that's good enough for me.
Complaining to your friends about misinformation that is not misinformation and expecting someone to do something about it is brigading.
Old claims, because they are old problems, being in denial isn't going to solve them. There's a very good chance the future will only make them worse.
Just because you make some modifications to an old discarded Mozilla codebase doesn't make it yours.
Sure you may have made some additions, changes, improvements, but the large majority of code would go untouched and unused. Many parts won't be touched for many years if at all. Less eyeballs means less chance of a problem being discovered "merely because the code looked wrong -@mattatobin" won't be a thing. Just because something is working doesn't mean it is right.
Well it is. As I have said previously, an application as large and complex as a web browser requires manpower to maintain.
A web browser deals with a lot of very sensitive user data. It is the primary focus for security researchers and black hats. To most people there is their "operating system" and their "web browser" which is the gateway to their entire online life.
You guys are deluding yourselves if you think 3 developers and a few contributors can somehow maintain all the components of a web browser. In addition to maintaining forks of old XUL extensions that have been abandoned by their own original authors.
To market yourself on privacy and security would be dishonest for a few reasons. Nearly all your time will go into maintaining XUL/XPCOM these are huge codebases in themselves abandoned by upstream.
Eventually Mozilla is going to deprecate more and more code which you depend on or still use. This will mean less security information from upstream will be useful to you.
Mozilla having the marketshare it does is the primary target of research (along with the other major browsers) at events like Pwn2Own. As nobody could care less about Palemoon it's unlikely to get any real auditing from outside parties (TorProject, Private netsec researchers, commercial cybersecurity firms etc). Essentially what you have is security through obscurity.
That being said if a specific Palemoon user was a target, browser fingerprinting would be a trivial thing to do. There are many ways to do it. It is very much a cat-and-mouse game between browser vendors and interests that would identify individual users (advertising companies, governments etc).
It's going to become more difficult to merge code from upstream when your codebases diverge. You can be in denial about it all you like but it isn't going to change that fact. You won't have the resources to develop replacement security technologies like those mentioned above (sandboxing), permission model etc. This is going to exacerbate any security issues existing in your browser.
Anything you do develop you won't have the resources to provide proper QA, integration, automation testing etc. I work in this industry and it often requires a team just to write new tests.
You have no presence on mobile platforms, and extension developers are going to be using WebExtensions in order to target both platforms and have code that can be used in Chrome.
There are new RFCs being released from the large vendors such as DANE verification and all the other things around TLS all the time. There's new W3C standards being drafted all the time.
Once Mozilla abandons Gecko for Servo (or something based off it) your browser is not going to be tested by web developers. This is because Firefox will no longer be using Gecko and thus won't have any similarity to your forked engine Goanna.
Even Microsoft with their vast resources decided to abandon EdgeHTML for Chromium this would have been because they did not want to maintain it all by themselves. EdgeHTML was by no means old (2014) before that they had Trident.
So in addition to fixing all the previous issues you'll also have to fix issues related to specific websites. When are you supposed to then make time to focus on things like performance (something that Gecko and XUL were never good at) and other general improvements?
You have a monumental amount of work ahead of you. Optimism will only get you so far, there will come a point when you have to be realistic.
Nobody here has explained why these things aren't something I should worry about if I used your product. All I've seen is denial and claims of misinformation.
Personally if I was you, it wouldn't be a "view point" I would want to stand by as it damages your credibility.
As far as @mattatobin goes (a core member of the Palemoon team) in regard to "public record", that is exactly why I have invested the time I have in this issue. So it can be referenced whenever Palemoon ever comes up, whether that be here on github, Reddit, HN or anywhere else.
Nope for the reasons above.
Hopefully that decision is not to use your product.
I have formed an opinion on if Pale Moon et all should be listed by privacytools.. I am against it because this organization gives bad advice like disabling the blocklist and supports the very mainstream companies they apparently want to fight against vs any alternative.
So yeah, I can secure an official statement from Moonchild if you want but you should just consider adding any Moonchild Productions or Binary Outcast products to your lists or w/e it is you do do when not giving terrible advice and making stuff up to justify your world view as a bad idea.
Nobody cares for your opinion so yeah... It wasn't going to be listed anyway.
Well actually if you read what it says there:
Notice the word optionally. Yeah. The first recommendation is simply to remove the parts of the blocklist URL string that might infringe on one's privacy ie
%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/Many open source projects of today wouldn't be a half as good as they are without commericial backing.
Binary Outcasts you mean your organization of one person, you. Again with the trying to make yourself sound big. By the way it's very nice to know about how you like the Lorem ipsum dolor sit amet. I like it too.
As for Moonchild Productions's crew of 3 there is nothing there worth adding. So you won't have to worry about that.
So you're trying to dump us before we dump you? 🤣.
Where's your evidence. You've refuted nothing. You know what there is evidence of?
I guess that's just my "world view". aka uMatrix's logger.
I don't really have the time to read all this but assuming @mattatobin is a Pale Moon dev,
sounds like we shouldn't add Pale Moon. Not sure if I can see all the org members here https://github.com/orgs/MoonchildProductions/people but looking at the commit history, Pale Moon is too small to be added to PTIO imo.
This thread is very long so the Waterfork/IceCat discussion should be moved to a separate thread imo.
I don't see mattatobin as a member of privacytools organization.
Everytime I found issues with mattatobin, I had the impression of reading boring words by some lawyer.
A practicing lawyer would almost certainly not have issues with reading comprehension, punctuation and writing coherent sentences. Failing at reading comprehension is counter productive to reading technical standards and then implementing them in your application.
Yes, it appears like they want their browser banned from most of the projects: some distributions have banned it.
To be fair, I am not against @mattatobin or the idea that the new firefox is crap... But I think he just shot himself in the foot with an AR15 being as agressive as he was with the aruging, etc...
I disagree though with privacytools.io that Basilisk Browser and forks shouldn't be on the list. Though I also agree the blocklist that is within palemoon is crap.
Aka, some addons which are extremely useful such as noscript are blocked unless the blocklist is off. People I install it for never have issues with noscript unless I have video blocked by default and all scripts are not enabled by default.
My point being, I believe in many of the different points that are here.
PS, I also think Tor Browser though it has web extensions, is fine. The tor people know what they are doing. More so than say... mozilla nowadays... ;)
You are more than free to disagree with me, but that is entirely my view. I currently use Iceweasel-uxp, and it is a fork of Basilisk-Browser.
The only thing I wonder though, is if Servo indeed is taking over as much as you say. If so, that is a problem for firefox forks. I wonder if anyone plans to make a Firefox alternative like Abrowser or IceCat.
But one that is more regularly updated of course. :) and is available for most distros.
More fake news.. noscript is level 1 which is just a Stability OR Security warning because it is known to cause stability issues and support nightmares.
@FrostKnight but only for mainline browser and not for old engine based forks ;)
More fake news
It does not do any such thing actually. Unless you have it setup the way it is by default. Doing those two things I mentioned, allowing all video and enabling all scripts, makes it work for anyone without the nightmare you say it is. I have that setup on my mother's windows 10 laptop in firefox, and she doesn't complain at all. So nice try, but what you are saying is the real fake news. No worries though, I don't take it personally, I understand you must have had a bad experience with noscript. PS, its in the tor browser for a reason. :) even back when it was a legacy based tor browser. 👍
PS, Tobin, its not on the blocklist for a reason... well a good one anyways. Its just because you got tired of complaints from users that's pretty much it. It is a security addon that gives firefox based browsers what would seem like tank armor in the cyber security world. So yeah, your argument is completely off point. I need to see some proof before I can even humor your argument. sorry, but that's how it is.
That would be fine, if it is set for full privacy and security by default and rips out as much tracking nonsense as possible and/or disables the tracking nonsense. I guess in essence, a browser like Icecat like I said only very frequently updated. :)
@FrostKnight you're wasting your time arguing with @mattatobin, he has nothing better to do than go around reddit, HN and github spruiking Palemoon/etc. Any argument you make will be simply responded with "fake news".
True, I guess I was bored and hoping I could help him in my spare time. I wonder if he likes the usa president. I wonder if that is why he keeps using that phrase. xD
Maybe he likes Putin like trump too. ;p
Mental illness is no laughing matter. 🙃
HN? No idea what that even is and I rarely use reddit. I don't like how the site operates.
Additionally, I don't use Pale Moon as my default browser and haven't for almost all of 2019 thus far. I am working on and using my Navigator.
I have never personally used NoScript nor felt any need to. However, I have dealt with hundreds of threads where users were having general issues and stability issues using the extension. So its level 1 status of known to cause stability issues is justified. You can disagree of course but it won't change anything.
Also, I have lots to do. I am here because I was notified and people such as your self are continuing to spread lies.
Stop doing that and I shall stop responding.
https://news.ycombinator.com/item?id=19527053, this in particular reads like something you would write:
In all honesty though, renaming whatever it is you're currently working on it's all the same and the same arguments apply.
Also who uses NoScript these days. uMatrix is waaay better, especially as you can do the same How to block 1st party scripts everywhere by default.
I recommend that we're stop talking about Pale Moon, cause mattatobin have a lot to do :D
Also he never use NoScript, but don't recommend it. I guess it's then fake that it's recommend and default in Tor browser?
Sorry dude, I have never seen anything you linked to before just now. I certainly didn't write it.
I don't use arbitary nicknames or anything and haven't for nearly 20 years. I use my name or something with my name in it like "New Tobin Paradigm".
@mattatobin Please tell your friend to stop using The Great Cloudwall of Google, Microsoft and Baidu
https://www.cloudflare.com/press-releases/2015/fidelity-google-microsoft-baidu-and-qualcomm-back-cloudflare-to-help-build/
I don't understand.