[HN Gopher] LibreWolf - A fork of Firefox, focused on privacy, s...
___________________________________________________________________
LibreWolf - A fork of Firefox, focused on privacy, security and
freedom
Author : transportheap
Score : 176 points
Date : 2021-11-04 12:15 UTC (10 hours ago)
(HTM) web link (librewolf-community.gitlab.io)
| Tepix wrote:
| This brings up the questions: How can I disable as much telemetry
| as possible when using the standard Firefox?
|
| What am I missing if I go to _about:config_, search for
| "telemetry" and set everything to _false_?
|
| Are there drawbacks to blocking the hostname
| _incoming.telemetry.mozilla.org_ in Pi-hole?
| keb_ wrote:
| https://github.com/arkenfox/user.js
| johnisgood wrote:
| There is
| https://gist.github.com/MrYar/751e0e5f3f1430db7ec5a8c8aa237b...
| as well (check out the comments, too).
|
| Or
| https://gist.github.com/davinian/1991bb3486cbf6005b5320e93b3...
| but it is quite old I think.
|
| In any case, make sure you know what you are disabling,
| because in the latter it suggests disabling WebSockets which
| you may not want to do.
| Communitivity wrote:
| Supposedly this will opt you out:
| https://support.mozilla.org/en-US/kb/telemetry-clientid
|
| One way is to use your firewall to block anything going to
| mozilla.org or firefox.com, or the subdomains. That probably
| gets most of it, but possibly not all. For example, Google has
| a number of non-Google.com subdomains, some of which seem to be
| used only for telemetry.
|
| Another more involved way is to start WireShark or tcpdump and
| capture the traffic, then start Firefox and browse some, and
| then close Firefox and stop the capture. Now you have a list of
| all the traffic it tries to send, normal and telemetry. Sift
| out anything that looks suspicious and block the ip/domain via
| your firewall.
| freddref wrote:
| Surely there's a way of scripting this...
|
| Something like this:
| https://github.com/shawnanastasio/firefox-privacy-restorer
| fsflover wrote:
| Genuine questions. Aren't such forks harming the actual Firefox
| developers by decreasing the Firefox user base? Doesn't it help
| the Google monopoly on the web?
| tokai wrote:
| If a fork like this would decrease ff's user base, Mozilla can
| change ff or have their lunch eaten by said fork. Hard to see a
| down side.
| maccard wrote:
| Is this fork going to actively develop Firefox if Mozilla's
| lunch is eaten? Are they going to continue implementing the
| ever moving standards? That's the down side.
| vladvasiliu wrote:
| I'd say if there's any harm, it would rather be related to
| money, as in Mozilla has less to bargain for their deals with
| their sponsors.
|
| However, seeing how these forks are just "cosmetic", they still
| use the same rendering engine, which doesn't increase Google's
| relative user base. As far as this monopoly is concerned, all
| these forks are still Firefox.
| fsflover wrote:
| > As far as this monopoly is concerned, all these forks are
| still Firefox.
|
| Not in the website statistics I guess, unless the forks
| present themselves as Firefox, which I doubt.
| Nextgrid wrote:
| To defend against browser fingerprinting you absolutely
| want them to present themselves as Firefox.
| fsflover wrote:
| Which forks are actually doing this?
| oynqr wrote:
| This one.
| xanaxagoras wrote:
| The one we're discussing here, LibreWolf. Here's my UA:
|
| `User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0)
| Gecko/20100101 Firefox/91.0`
|
| Note that I am on Linux, so your line of thinking has
| some validity.
| brightly-salty wrote:
| Librewolf does this. It presents itself as Firefox on
| Windows.
| throwawayswede wrote:
| No. Mozilla is actually helping Google build and maintain a
| monopoly on search (for money) and is accepting the scraps that
| Google leaves on the table from the browser market.
|
| Mozilla has continuously and repeatedly fucked up when it comes
| to defaulting to grab telemetry and shady deals with Google, to
| asking for money while spending way too much on salaries for its
| execs for a supposed non-profit corporation (that is exempt
| from Federal income taxation).
|
| Although I'm a Firefox user, it pains me to say that I can't
| wait for the day where Mozilla and Firefox die. At least it'll
| hasten the rise of a new effort. And I'd take anything other
| than Chrome or the Edges of the world.
|
| I'm still hoping Brave will wake up and properly fork Firefox
| and give Mozilla the big FUCK YOU.
|
| Edit: a special ps to down voters: Fuck Mozilla and its CEO.
| unsungNovelty wrote:
| Seriously, why are people down voting this? They have been
| paying the CEO a lot while laying off a ton of people at
| MDN!
|
| I don't think Mozilla is intentionally helping Google, but
| they are bleeding a ton of money with community events etc,
| laying off people while giving these horrible execs increased
| salaries. Like seriously WTH?
|
| Mozilla needs to kill the current leadership, get lean on
| spending and most importantly cater to their audience. They
| don't have many general users. A huge portion are hardcore
| fans, OpenSource folks, people who value privacy or anti-
| chrome. Pushing ads to this audience is only going to
| accelerate the downfall.
|
| Focus on pleasing power users and devs. Market on shit that
| matters to power users, sys admins, devs and privacy folks,
| journalists! Like containers, and dev tools (some of which
| are already cool). Then these folks will whole heartedly
| embrace it in their workplaces, recommend to friends and
| family. Devs will write things more for FF. And don't break
| extensions again! This is how you got us before. Do it again.
| Then the general audiences will come.
|
| Currently all these power users and others are themselves not
| sure about Firefox. They are stuck with it cos neither can
| they donate directly to Firefox development, nor are they
| happy with the leadership decisions. They are just waiting
| till the last day of FF's existence so that they can be a lil
| more private until they have to move to Chrome based
| browsers.
|
| When their heart was at the right place their tech sucked.
| Their tech is better now, but their heart is not in the right
| place.
| sfink wrote:
| (Mozilla dev here, not speaking for Moz)
|
| "grab telemetry" - that data is really, really useful in
| making development decisions, and we are hyperparanoid about
| what we collect. From an armchair, it may seem like you can
| make the right guess about how to eg adjust garbage
| collection scheduling priorities, but actual data _always_
| surprises you in one way or another. It can make the
| difference between spending a month on a tough project that
| ends up making no difference for the vast majority of users,
| and having a month to spend on something more impactful.
|
| I really don't like to speculate on executive pay, but I'm
| pretty baffled why this is seen as such a big deal. Your
| argument sounds valid to me. So does the argument that we're
| talking about the CEO of a tech company that is competing
| directly with multiple Big Tech competitors, and perhaps
| paying comparatively bargain basement prices is not the
| smartest idea. Which is not to say that I'm happy about the
| layoffs.
|
| Mozilla _has_ messed up on a number of things, multiple
| times, including at least one time when it ended up (as in,
| made a deal to and carried it out) sending a bunch of data to
| a third party. (It was more nuanced than is generally
| appreciated, but I won't go there.)
|
| I sincerely apologize that Mozilla isn't up to the pristine
| standards of the big technology companies. /s
|
| I'm not going to explain the MoCo/MoFo structure here. I'll
| just say that MoCo most definitely pays taxes, MoFo asks for
| donations because it's a nonprofit with its own initiatives
| and direction, and you can get tons of information about the
| finances involving both _because_ of MoFo's nonprofit status
| and the resulting annual report. (MoCo = Mozilla Corporation,
| MoFo = Mozilla Foundation, MoFo owns MoCo.)
|
| The Google deal is, like, how MoCo makes money and is able to
| exist. What's shady about it? I'd certainly like the funding
| to be more independent. Maybe Mozilla can try drilling for
| oil on the land it doesn't own or start selling off the user
| data it doesn't collect?
| xanaxagoras wrote:
| > "grab telemetry" - that data is really, really useful in
| making development decisions, and we are hyperparanoid
| about what we collect.
|
| We understand that, and we're saying no. You can do
| whatever you want. I will use LibreWolf.
| throwawayswede wrote:
| Yeah that's a weird attitude to have, the only reason there
| are users who feel personally hurt by the attitude Mozilla
| has been taking for the past few years is because they know
| things could be going way better.
|
| No one is arguing that telemetry can be helpful but forcing
| users into it while acting holier than thou is not just
| shady, but very much scammy.
|
| The whole structuring difference between the foundation and
| the corporation sounds a lot like a tactic to push for some
| things under the non profit front and others under the
| company front, aka scammy.
|
| All this turns on alarms in people's heads... in a way I
| don't find it weird that you guys still don't see it, this
| is a sinking ship, and you're going to think everything is
| going well until the last breath.
| lowercased wrote:
| > I really don't like to speculate on executive pay, but
| I'm pretty baffled why this is seen as such a big deal.
|
| They lay off 250+ people - many of whom are the very people
| needed to make the technical improvements many users desire
| - while the executives get pay raises. You wonder why it's
| a 'big deal'?
| unsungNovelty wrote:
| > I really don't like to speculate on executive pay, but
| I'm pretty baffled why this is seen as such a big deal.
|
| The problem is not the exec getting paid this much. It is
| about getting paid this much when I and many long-time
| users like me see a sinking ship with ever decreasing user
| base... while on the brink of no more pay from Google...
| Trying to push ads to us. < THIS IS WHERE EXEC PAY COMES
| INTO PLAY >
|
| The context is important. It's like when your house is on
| fire and you are casually using the fire to light up a
| cigar.
|
| > I sincerely apologize that Mozilla isn't up to the
| pristine standards of the big technology companies. /s
|
| In all seriousness, we just need the heart of the old MoCo
| (Pre quantum) and the tech of the current MoCo. ;)
|
| Firefox users are ideologically invested in the browser. I
| do feel like Mozilla is trying to push things like you are
| this big corp (In a way MoCo is.). While I am absolutely
| happy with the technical progress and direction Firefox is
| taking, MoFo/MoCo should understand the ideological element
| here. This is why you see more outcry against "how things
| should be run" against Mozilla and not Google.
| kovac wrote:
| I'm absolutely with you on this. In fact, when I heard about
| the servo team and the CEO's salary, I stopped using Firefox.
| Now I mostly use qutebrowser (and Vivaldi for stuff I need
| more security).
|
| I will start using Firefox when it leaves Mozilla and I'd pay
| a subscription for it. For me, the ideal situation is a lean
| team (hopefully only the devs, because I'm not paying any
| useless middle or high level managers a penny) start
| developing it for a fee. Just the browser will do, no
| password managers, no vpns, no nonsense. I already pay for
| subscriptions for those.
|
| I've seen many here on hacker news expressing willingness to
| pay and the only reason that they don't is because they don't
| want to pay for other Mozilla nonsense but Mozilla doesn't
| want to open a direct channel for the community to support
| the Firefox team. I find this outrageous. Clearly, they are
| using Firefox, its very talented devs and the image of their
| noble fight for a private internet to fill the pockets of
| executives who don't know shit about engineering or the ethos
| of opensource software.
| unsungNovelty wrote:
| > and Vivaldi for stuff I need more security).
|
| I agree with you on almost everything except Vivaldi. They
| are closed source and Firefox is 100% much more capable of
| supporting privacy than Vivaldi.
|
| I have my own problems with Firefox but don't intend to
| stop using Firefox. They are still great. I will have to
| see this through I feel. lol.
|
| Also, when you use a browser based on Blink engine
| (Vivaldi, Opera, Brave, Edge, Chromium) you are giving more
| leverage to Google at W3C. This makes FLoC kind of stuff
| more probable from Google.
|
| "You need to change the browser engine as well, NOT JUST
| THE BROWSER." ;)
|
| Always choose Gecko or Gecko based (like Librewolf) :)
| iakov wrote:
| I think that Mozilla is harming Firefox much more with their
| decisions. Adding ads to address bar and sending metadata to
| unknown third parties alienated lots of users, I can't blame
| them for looking for alternatives - or making one.
| w6rpv3om wrote:
| Excellent explanation
| dralley wrote:
| I'm not thrilled with every decision Mozilla has ever made
| but I think people have gotten so used to the unlimited
| resources that Apple, Microsoft, and Google are able to pour
| into their unprofitable ecosystem moats that they've lost
| sight of what running a self sustaining business in this
| space would even look like.
| DoingIsLearning wrote:
| > they've lost sight of what running a self sustaining
| business in this space would even look like
|
| Get your facts right.
|
| Mozilla Corporate receives 400mil a year from Google, for
| google search to be the default search engine. The
| engineering costs of Mozilla in 2020 were about 300mil. [0]
|
| So in actual fact you could maintain the not-for-profit
| status, fire all the corporate staff and still sit on a
| trove of cash every year.
|
| The google money will not dry out because it is the only
| CYA situation that Google has against an anti-trust case on
| Chrome.
|
| There is absolutely no reason Mozilla could not maintain
| the not-for-profit status and tick along, like other
| foundations such as Linux, Gnome, Apache, etc.
|
| [0] https://www.computerworld.com/article/3600206/mozilla-
| report...
| taneq wrote:
| > the unlimited resources that Apple, Microsoft, and Google
| are able to pour into their unprofitable ecosystem moats
|
| No sane company pours money into unprofitable anything.
| They pour money into those moats precisely because it pays
| dividends.
| dralley wrote:
| My point (which I'm confident you do understand despite
| the pedantry) is that the browsers themselves are not
| profitable without taking into account their effects on
| the entire ecosystem.
|
| Mozilla doesn't have an ecosystem like Google, Microsoft
| and Apple do. If they want to stay afloat they have to be
| profitable with the browser alone. So trying to directly
| compare that to the "free candy" approach which the
| others can get away with is unrealistic.
|
| It's like asking why Target and Best Buy can't match the
| prices of Amazon retail, which has a money fountain named
| AWS in their backyard that can subsidize their other
| activities for "ecosystem growth". If Amazon retail had
| been a separate standalone business which had to succeed
| on its own for the past decade, it probably would have
| been run differently.
| LargoLasskhyfv wrote:
| Can't see the value of Amazon Retail here without going
| full-in with Prime, and not even then.
|
| Though that may be regional, as I speak from Germany.
| _jal wrote:
| > they've lost sight of what running a sustainable business
| in this space would look like
|
| Is the claim that it is economically impossible to create a
| browser without turning it in to surveillance malware?
|
| To the extent that's true, it is the best argument yet for
| shutting down the web.
| _kulang wrote:
| Something I vehemently agree with
| LargoLasskhyfv wrote:
| Can't drain the swamps if the goal is to have moats.
|
| Except if you go full-on _Neo-Amish/Luddite_ and use
| https://en.wikipedia.org/wiki/Gemini_(protocol)
| or the remaining stuff which stays accessible via simple
| browsers like https://en.wikipedia.org/wiki/NetSurf ,
| https://en.wikipedia.org/wiki/Dillo ,
| or textmode stuff like Lynx, (E)Links(2), W3M, and
| similar.
| jfk13 wrote:
| Are you implying that Firefox is "surveillance malware"?
| Precisely what surveillance are you referring to?
| Telemetry isn't surveillance. Recommended content (e.g.
| on the default New Tab page) doesn't involve
| surveillance.
| wintermutestwin wrote:
| >Are you implying that Firefox is "surveillance malware"?
| >Telemetry isn't surveillance.
|
| (honest question) Why is this necessary then:
| https://github.com/arkenfox/user.js
| detaro wrote:
| Why do you assume it's necessary? FWIW, I'd rate quite a
| bit of what it does as "not necessary".
| wintermutestwin wrote:
| On another thread, I was told: "Firefox is feeding your
| data to Google. You need to disable it in the user.js
| file"
| kaba0 wrote:
| To google? Other than it being the default search engine,
| highly doubt.
|
| And those "home calls" are nothing more than calls like
| whether you are on the public internet, whether a new
| update is available and other mundane things.
| jfk13 wrote:
| Oh, some random stranger on the Internet said so? That
| must be right, then.
| wintermutestwin wrote:
| I was not proclaiming that it was a fact. I am openly
| frustrated and confused. An oft repeated claim is that
| "people just don't care about their privacy." I am
| moderately technical and I am totally unsure of how to
| keep my data from these parasite companies. Achieving
| privacy is incredibly arcane and confusing. Instead of
| quipping at me with a low value post, why don't you tell
| me exactly what Mozilla's telemetry does? Do you know?
| jfk13 wrote:
| If you want to know about Mozilla's telemetry, you could
| start with
| https://support.mozilla.org/en-US/kb/telemetry-clientid
| and its links to additional details.
| wintermutestwin wrote:
| Perhaps these indicate data leakage?
|
| >Searches: Firefox sends Mozilla what you type into the
| search bar and Mozilla may share that data with its
| partners.
|
| >Sites you visit: For the Suggestions you click, Firefox
| sends Mozilla the website URL, and Mozilla may share that
| data with its partners.
|
| Interesting that turning off "suggestions" is not located
| in the "privacy" section.
| _jal wrote:
| > Telemetry isn't surveillance.
|
| As a categorical statement, this is false. "Not all
| telemetry is surveillance" is true.
|
| Telemetry is exfiltrated data the user did not ask to
| send. The line between telemetry and surveillance depends
| on the use and intent of the data recipient, not
| (necessarily) the data itself, and that use is opaque to
| the person whose actions generated the data.
|
| It is interesting to note that telemetry can become
| surveillance after it is collected. Perhaps a new manager
| has a different plan, perhaps the cops show up with a
| subpoena.
| jfk13 wrote:
| Your prejudice is showing. "Exfiltrate" implies a
| surreptitious operation. E.g. Merriam-Webster: "to remove
| (someone) furtively from a hostile area"; Dictionary.com:
| "to escape furtively from an area under enemy control";
| Collins: "to remove (data) from a computer, network, etc
| surreptitiously and without permission or unlawfully".
|
| When Firefox is first launched, it opens the Privacy Notice page
| https://www.mozilla.org/en-US/privacy/firefox/, which is totally
| up-front about data being collected. Nothing surreptitious about
| it. Data is not "exfiltrated", it's simply "sent". But that
| doesn't sound nearly as evil, does it?
| _jal wrote:
| I'm talking about telemetry, not FF. But whatever, I'm
| not going to have a pointless discussion with someone
| more interested in criticizing word choice than replying
| to what I wrote.
| ExtraE wrote:
| I can't tell if this is supposed to be serious, but just
| in case [1].
|
| In case it is, really, shut down the web? What would that
| look like? Why would we do it? How? How can "browsers are
| expensive" possibly be worth doing something that
| extreme?
|
| [1] https://xkcd.com/1454/
| nsonha wrote:
| The majority of the web should be standardized uniformed
| wizards. Then people can apply whatever the skin they
| want onto all of the web. We don't want to deal with all
| kinds of design that are hard to make, require crazy
| powerful browsers, and was asked for by no one anyway.
|
| Fancy UIs are made to slow people down in their tasks and
| draw attention to things that don't matter to what they
| want to do.
|
| Web developers and creative people like to think the web
| is their playground but really the most important role of
| the web should be delivering information and services
| efficiently, and get the hell out the way.
| qwerty2021 wrote:
| so far, nobody has been more successful at decreasing the
| firefox user base than the actual firefox developers.
|
| mozilla is not the kind of entity I'd want to have control over
| the web either, considering the shit they feel comfortable
| doing even as an underdog with 3% market share.
| GhettoComputers wrote:
| They're sponsored by Google, and use google services and google
| as the default search engine. How are they not part of the
| Google ecosystem, or monopoly as you call it?
| fsflover wrote:
| Firefox does not receive orders from Google (except the
| default search). All decisions and code are independent.
| GhettoComputers wrote:
| They use Google safesearch to send all your browsing data
| to Google, and use Google as the default search engine.
| Tell me why it's not part of the monopoly you mentioned?
| How is this fighting Google at all?
| solarkraft wrote:
| No, since a fork is still fundamentally Firefox.
| hidden-spyder wrote:
| > Doesn't it help the Google monopoly on the web?
|
| Can't answer your other question, but this fork has a chance of
| helping those who don't want to use Mozilla Firefox avoid
| switching to Chromium browsers by offering a choice.
| account-5 wrote:
| How does this compare with IceCat and Fennec?
| December_Stars wrote:
| It's a lot more up to date than IceCat, which rarely has binary
| packages for distributions and hasn't seen an official binary
| release from the FSF since version 60.7.0 a few years ago.
| gostsamo wrote:
| It might make more sense to have no ads and for telemetry to be
| opt in. I actually want FF having my telemetric data as far as it
| is used for improving the product only. Ready to pay if they were
| into it.
| w6rpv3om wrote:
| For improving they said.
| jl6 wrote:
| So my choice is to trust one of either:
|
| 1. The Mozilla developers who are capturing telemetry, but
| probably just using it to push ads (at worst, and possibly not
| even that).
|
| 2. Some new devs who may have good intentions, but who are
| unknown to me, who are not capturing telemetry, but nevertheless
| have control over my browser.
| hezag wrote:
| It's just a custom build of the latest Firefox version with
| some patches applied. Everything is very well documented and
| you can build it by yourself, there is no need to trust "some
| new devs who may have good intentions"
| GhettoComputers wrote:
| It's easy without a code review, just trace its network
| activity and see what connections it makes.
| nsonha wrote:
| > there is no need to trust
|
| Providing you actually review the code and not just trust it
| because the code is there. Reviewing (a fork of) Firefox
| sounds like a big job, if it can be done at all. Being a Firefox
| fanatic does not magically make you a Rust programmer.
| toofy wrote:
| To echo a sibling comment, I think you may be discounting the
| time and effort it would take to monitor every change made
| and the ripple effects of each change.
|
| One of the key pieces of open source is the larger a project,
| the more people will be incentivized to monitor the code for
| malicious changes. This distributes the burden to a much much
| larger pool therefore minimizing the burden to single nodes
| across the board.
|
| Is it perfect? No, absolutely not. Do malicious or
| unintentional bugs slip through? Sure. But when it comes to
| scaled out projects, nothing is perfect and never will be. I
| certainly trust a large open project with years of reputation
| built up and a large user base _significantly_ more than a
| large closed source project or large and open with no
| reputation.
|
| There are of course valid criticisms of this model but I've
| yet to see an alternative put forward that isn't fraught with
| its own issues.
|
| I do find it strange how over the past few years we've seen a
| number of people who engage in a whiplash type behavior where
| they see minor problems with a model so they whiplash away
| into a far worse model with far more serious problems.
| jl6 wrote:
| Sure, I could review the source code. And then review it
| again next week when a change is released. I don't want to
| have to though.
|
| Trust matters.
|
| I don't trust Mozilla not to push ads, but I do trust them
| not to build in intentional backdoors and steal my personal
| data, because there's a whole public organization there, with
| a reputation and responsibilities and heads that will roll if
| they are caught doing nefarious things.
|
| You might ask why I trust thousands of other open source
| community led projects? Largely because they have built rep
| and get at least a minimal vetting via distro package
| management.
|
| I'm not saying this fork is malware. But I don't know it
| isn't, and the browser is the #1 critical component that
| handles all my most sensitive data.
| GhettoComputers wrote:
| Or just trace its network activity without a code audit.
| jl6 wrote:
| Doesn't help if the exfiltration only occurs monthly and
| you only monitored for a week, or if there's something
| locally malicious, or if side channels are involved, or
| if it's manipulating data sent to legitimate sites (e.g.
| instructions to your bank, while logged in as you).
| GhettoComputers wrote:
| Keep it on, you can keep a firewall on, locally malicious
| files can be seen on your machine and if they aren't
| transmitted what is the worry?
|
| If it's manipulating data sent to legitimate sites you'd
| notice while you used it. These concerns aren't absent in
| other official browsers either.
| jl6 wrote:
| Quite right that these concerns apply to any software,
| but they are significantly mitigated by sourcing software
| from organizations you trust.
|
| There's no way I would be able to spot the operation of
| malware-masquerading-as-browser without committing
| totally to a forensic examination of every system call it
| makes. Imagine how much attention you'd have to pay to
| stop it capturing your bank credentials and then making
| transactions in an invisible tab (the browser doesn't
| have to render a site in order to interact with it).
| GhettoComputers wrote:
| But trust is just assumed and not a real security
| measure, trust just means you are not going to audit it.
| jfk13 wrote:
| > probably just using it to push ads
|
| Telemetry isn't about "pushing ads".
|
| https://support.mozilla.org/en-US/kb/telemetry-clientid
| programmarchy wrote:
| Maybe I'm missing something but it looks like there aren't
| actually code changes, rather a repackage with a strict policy
| file:
|
| https://gitlab.com/librewolf-community/settings/-/blob/maste...
|
| I was wondering how they could instantly patch nightly builds and
| this seems to be the approach. Good idea and nice to have a build
| pipeline that allows tweaking Firefox to this degree.
| ahtaarra wrote:
| Their patches can be found here:
| https://gitlab.com/librewolf-community/browser/common/-/tree...
| rubyist5eva wrote:
| No way in hell I'm using a Firefox fork maintained by what..1
| person? lmfao no way
| diegocg wrote:
| How is this any different from a standard Firefox install with
| telemetry turned off
| puyoxyz wrote:
| It also comes preconfigured with a lot of good settings for
| privacy, like resist fingerprinting, 3rd party cookie stuff,
| etc...
|
| I know you can turn this stuff on manually but it's convenient
| to have a fork that does it for you _and_ turns off Mozilla's
| telemetry _completely_
| user3939382 wrote:
| Hopefully it's a lot different. If you proxy Firefox you'll see
| that even with everything turned off that you possibly can
| through the UI, Firefox phones home many times, especially
| during launch and exit.
| mgbmtl wrote:
| It would be nice to back that up a bit more. I'm genuinely
| curious.
|
| For what it's worth, some of the startup checks are to see
| whether the user is on a public wifi with a captive portal,
| and talk to a Mozilla service rather than Google. Other
| checks are for upgrades, or Firefox Sync, if enabled.
| user3939382 wrote:
| There's a great macOS app called Charles Proxy that you can
| use to inspect this sort of thing which is a little quicker
| to get going and use than the CLI equivalent (mitmproxy I
| think it's called).
| EE84M3i wrote:
| I would be really surprised if the Firefox developers refused
| a patch adding a new about:config setting for whatever you're
| talking about.
| sundarurfriend wrote:
| When they get around to it in ten years.
| gnufx wrote:
| Concerning Firefox-type forks, https://cliqz.com/ (RIP) seems
| relevant. At least Brave has taken on the search engine.
| bjarneh wrote:
| > [ Debian-based ]
|
| > This is for Debian Unstable only - do not try to install this
| package on any other branch of Debian or Ubuntu/Mint..
|
| When I see a _"Debian based"_ installer, I would expect it to
| work on at least some type of OS apart from _Debian_. That header
| should really say - Debian Unstable installer, not a "Debian
| based" installer.
| st3fan wrote:
| Funny, those are all the things that Firefox also focuses on.
| Seems like a duplication of effort.
| alexmcc81 wrote:
| Once I would have used this, but I just can't bring myself
| to trust forks by small or unknown teams. We trust browsers with
| passwords to everything in our lives, like our bank details. The
| FAQ doesn't even cover who created LibreWolf. Why should I trust
| them?
|
| Even if I do trust the developers, are they really capable of
| keeping a modern complex browser secure in the hostile
| environment of today's internet? It has millions of lines of code
| in multiple languages with a history going back 2 decades. I
| can't find:
|
| - who is responsible for the project security
|
| - their CVE policies
|
| - policies for back porting Firefox patches etc
|
| - update schedules
|
| They also removed the auto-updater which is critical to ensuring
| browsers get the latest patches.
|
| I'm really skeptical about the (undocumented) "hundreds of
| privacy/security/performance settings and patches" they claim to
| have implemented. What exactly cannot be achieved through
| settings and addons?
| geofft wrote:
| What I'd like to see is a Firefox (and Chromium) fork with
|
| - automatic builds and uploads via GitHub/GitLab CI (or
| similar) from a well-commented build script
|
| - all the knobs for reproducible builds set up, so anyone can
| fork the repo, run the CI themselves, and see that it's bit-
| for-bit the same thing
|
| - an automatic merge or rebase of the latest stable release
| tag, and the result of that merge being plugged into automatic
| updates
|
| - an automatic merge or rebase of the latest beta tag (or even
| nightly), and some form of alerting if the build fails
|
| - perhaps some Selenium + Wireshark automation to see what
| requests happen and make sure there are no unexpected ones
|
| And, actually, it seems like LibreWolf is on the way there.
| https://gitlab.com/librewolf-community/browser/common has a
| decently-well-commented build script that grabs the latest
| tarball from Mozilla and builds on top of it and even supports
| building on nightly, and their documentation
| (https://librewolf-community.gitlab.io/docs/) mentions that as
| well. But I don't see where it is run / who runs it, and what
| they do if the build fails.
|
| (Honestly it seems like setting up the release automation and
| alerting is a substantial project in itself.)
| dblohm7 wrote:
| A lot of those forks don't even bother with CI: Some of them,
| one of their first commits is to remove all the tests.
| alexmcc81 wrote:
| I see Brave are interested [1] in reproducible builds but
| it's not implemented yet. [2] I'm not sure if their CI
| artifacts are public or not.
|
| [1] https://brave.com/building-brave/ [2]
| https://github.com/brave/brave-browser/issues/5830
| mdaniel wrote:
| This is relevant to my interests (less the reproducible
| builds part, but very much the "well commented CI script"
| part), and for a frame of reference I have successfully
| built the last couple of brave tags because I'm persistent
| that way. But I haven't put it in my CI yet because they
| appear to clone *the whole chromium* repo courtesy of
| depot_tools & gclient, making the caching story very bad as
| that git repo is _twenty two gigs_ (not the checkout, mind
| you, I mean the git repo)
|
| Plus, the build takes several hours on my Ubuntu machine,
| so unknown what the CI job timeout is or how beefy the
| runners need to be in order to not OOM a monster C++ linker
|
| I want to be careful with this commentary, because it's
| just my opinion as an outsider, and ultimately it's their
| project. But I struggle mightily with the decision tree
| that led one to have a home grown build system written in
| npm that shells out to depot_tools, gclient, a bunch of
| manual git clones (although there are some git submodules,
| too), then a ... fascinating ... manual patching system
| layered on top of it all. I'm glad it works for them, but
| it makes wading in by the casual user incredibly hard.
|
| Compare that to mozbuild (and its new "mach" friend) that
| as very best I can tell is python all the way down and
| since their CI system is also open source, one can very
| easily crib enough config files to build it locally
| Isthatablackgsd wrote:
| I feel the same as you. It is great that there is another
| variant; at the same time, we already have more than 6 FF
| variants and they are behind with security patches and updates.
| I recall that WaterFox and Pale Moon are quite a few versions
| behind Firefox.
|
| Would be nice to have a FF variant that is capable of being equal
| to Firefox like Chrome, Brave & Vivaldi. For Firefox variant, I
| couldn't think of variant that could have an equal footing.
| deviaan wrote:
| Something like Vivaldi but using FF as a base would be
| _wonderful_.
| rumpelstilz18 wrote:
| "We trust browsers with passwords to everything in our lives,
| like our bank details."
|
| No we don't. I use C&P from my PW Manager (Enpass).
|
| For your Bank you should have your own Browser (I use a vanilla
| Chrome). Firefox with a ton of privacy plug-ins. And Chromium
| for Facebook. I use other browsers too.
| solarkraft wrote:
| I've tried all the Firefox forks I could find, including
| LibreWolf. It's not your no-brainer "Non-Mozilla Firefox" you can
| just switch to.
|
| Basic browsing may work, but nothing remotely close to "web-app"
| will, because they disabled all modern APIs due to privacy
| concerns.
| ojosilva wrote:
| I'm currently using Iceraven on my Android phone and it's
| mostly a great experience! It gives access to all sorts of add-
| ons to block ads, cookies and other internet annoyances, some
| of which are not yet available on the official FF Android app
| since Fennec was abandoned.
|
| Even if speed were not 100% that of certain mobile browsers (I
| have not benchmarked them nor noticed any major differences),
| having no banners show up makes up for it. I have no concerns
| with telemetry, but the Iceraven folks have cut down on some of
| the telemetry.
|
| In fact I use Iceraven as my default YouTube mobile app,
| instead of the official app. With the right add-ons, it makes
| for a quite nice YT experience!
|
| https://github.com/fork-maintainers/iceraven-browser
| SubzeroCarnage wrote:
| Iceraven is currently two major versions behind.
| https://divestos.org/misc/ffa-dates.txt
|
| I maintain a hardened fork called Mull. I also help maintain
| Fennec F-Droid. Both are available on F-Droid!
|
| Of extra note, both Iceraven, Mull, and Fennec F-Droid are
| based on Fenix, not Fennec. Fennec is any Firefox for Android
| before version 68 and is _not_ secure.
| GhettoComputers wrote:
| No web apps is a feature not a bug. I'm not unhappy it won't
| run bloated web apps.
| mg wrote:
| One factor that is important to me when comparing browsers is
| resource consumption. I don't like it when my fans spin.
|
| I wonder if the "time" tool that comes with Linux is a good way
| to quantify it? When I do "time firefox reddit.com", wait until
| the page is fully rendered (including the ads) and close the
| browser, I get:
|
|     time firefox reddit.com
|     real 0m13,089s
|     user 0m9,411s
|     sys 0m2,882s
|
| Does that mean that Firefox used about 12s of CPU time to render
| the frontpage of Reddit? (I guess user+sys is the amount that
| counts)
|
| "time firefox news.ycombinator.com" gives me about 7 seconds.
| nsonha wrote:
| you are counting bootstrapping/closing the browser.
|
| Check firefox devtools timeline for a detailed breakdown.
| mg wrote:
| Yes, that is what I want to look at. The real resource impact
| of starting the browser, looking at a website and closing the
| browser. Using an in-browser tool to measure that would be
| like asking a robber how much they stole.
| cmeacham98 wrote:
| Most people don't close and open their browser between page
| visits, so time spent opening/closing the browser is a
| magnitude of importance less than time spent loading the
| page. I'd rather have a browser that takes 10secs to start
| and 0.1secs to render a page than 2sec to start and 1sec
| for each page render.
|
| Additionally, timing externally like this ends up
| indirectly measuring unrelated metrics like the speed of
| your DNS server and internet download speed. I've seen
| people with particularly shoddy ISP DNS experience a
| 0.5-1sec swing in page load times after the DNS entry gets
| cached.
| mg wrote:
| I think DNS speed will not impact the "user" and "sys"
| values of time. Only the "real" value. I think user+sys
| give the amount of CPU time used, not impacted by wait
| time.
| ameminator wrote:
| When I heard about all these shenanigans over at Firefox, I
| switched to Vivaldi, and I am enjoying the experience so far
| tokai wrote:
| It's not free or open software, so using it is a step back.
| ameminator wrote:
| Well, I have serious issues with most of the major open-
| source browsers. I liked Opera when it was around, I heard
| good things about Vivaldi and I'm willing to trust them more
| than Firefox and Chrome at this point. I wish it wasn't this
| way and I would have preferred open source or even paying
| hard cash for a good browser experience, but I will take a
| good browser experience from a source that is at least
| transparent about their funding and is not Google or funded
| by Google.
| kovac wrote:
| This indeed is true and I truly wish they made Vivaldi open
| source. However, free and open software is an ideal. Like any
| ideal, it can be used as a front and abused in a way that
| defeats its purpose.
|
| In its original form, free and open is noble. But since then,
| corporations have figured out how to monetise it. So, IMHO,
| we need to be very careful about anything free and open
| coming from corporations because their core objectives are
| very much orthogonal to the core objectives of the original
| free and open software movement. Those execs aren't the
| hackers who built the gnu/Linux tools in the early days.
| GhettoComputers wrote:
| We need to be careful about free and open software and your
| solution is to use non free and closed source software
| because they can make money off open source software? This
| makes no logical sense.
| kovac wrote:
| I'm not proposing any solutions. Just stating that a
| software with source open may not necessarily mean it's
| free and open in the sense it was originally intended.
| What one wants to do with it I think depends on one's own
| values.
|
| I use qutebrowser, vivaldi and brave (on mobile) and
| sometimes console based browsers when I can get away with
| it. Qutebrowser and Lynx are open source. Vivaldi and I
| think Brave aren't open source? I'm using them because I
| read about their team, their business model, their past
| and hung out in their forums and decided that I'd support
| them. Doesn't mean anyone else has to. And there's
| nothing wrong with making money off opensource software
| and that's how it was intended in the first place.
| Original open source software authors didn't mean that
| the software has to be free of charge. For me, I don't
| want to support an organisation that sacks the
| researchers of their core product but the execs pay
| themselves millions of dollars. Most of those dollars
| come from Google. I'm sorry that that makes no logical
| sense to you.
| taneq wrote:
| Depends which way you're facing, really.
| tokai wrote:
| A step back is always a step back no matter your facing.
| Try it out yourself. You see, your front and back stay
| towards your front and back respectively regardless how
| much you spin and turn. Weird ikr
| djbusby wrote:
| I made a fork, of Firefox, just to remove Pocket. That part was
| easy-ish. Maintaining it is difficult, cause code changes a lot.
| Building FF doesn't take long (Gentoo, 8 cores, 64G RAM). I wish
| I knew more about code so I could fix the rendering issues. I'd
| love to see FF the core of some apps, like Chromium. I tried that
| with Servo but, I don't know enough (and it keeps freezing up)
| tarasglek wrote:
| Author of Mozilla telemetry here. You can accomplish this with
| official firefox by blacklisting incoming.telemetry.mozilla.org
| domain, per https://searchfox.org/mozilla-
| central/search?q=telemetry.moz...
| junon wrote:
| Let's stop making privacy a techie-only thing, though. This
| should be a question a user chooses the first time they boot
| the browser, and Firefox should do its hardest to honor it.
| GhettoComputers wrote:
| What is privacy really? The browser? The ISP gets your data,
| the site gets metrics, and VPNs will just redirect traffic.
| agentdrtran wrote:
| Telemetry isn't inherently bad or privacy violating.
| nuerow wrote:
| > _Telemetry isn't inherently bad or privacy violating._
|
| How can you tell?
| dblohm7 wrote:
| In Firefox:
|
| point your url bar to about:telemetry
|
| It shows you all the data that has been gathered. (Though
| IIRC it might still show stuff even when you've disabled
| telemetry -- in that case the data is being aggregated
| locally but not sent.)
|
| Go to https://telemetry.mozilla.org
|
| To look at the data on the server side. There are more
| sophisticated ways of querying it, but obviously not
| everybody can just be handed access to run arbitrary
| analysis code.
|
| Probe dictionaries:
|
| https://searchfox.org/mozilla-
| central/source/toolkit/compone...
|
| https://searchfox.org/mozilla-
| central/source/toolkit/compone...
|
| https://searchfox.org/mozilla-
| central/source/toolkit/compone...
| hulitu wrote:
| You forgot safe browsing.
| leppr wrote:
| It's open-source software.
| joshspankit wrote:
| I suspect that for every scenario you can think of someone
| will be able to reply with solid logic about how it could
| be used in a way that's bad and/or privacy-violating.
| criddell wrote:
| How valuable is the telemetry data to Mozilla?
| Scharkenberg wrote:
| Based on their recent design changes (deprecation of compact
| mode, for example), they are either not collecting enough
| telemetry about the affected parts of the UI/UX, or they are
| ignoring what they have collected for whatever reason. Of
| course, there is a chance that telemetry confirms their
| vision, but based on the explicit feedback I've been seeing
| online, I doubt the rationality of their decision-making at
| least part of the time.
| floatingatoll wrote:
| It is also possible that the telemetry shows that the vocal
| majority you perceive is, in fact, a vocal minority. I
| don't have any more knowledge than you about whether that's
| the case or not, but the possibility of being in the
| minority (and perhaps severely so) is absent from your
| list, and that deserves correction.
| joshspankit wrote:
| While I agree with you and the way you've stated it, it
| should be widely known that tiny groups of highly
| technical people can unlock huge understandings about how
| to improve.
|
| Look at the speedrunning community for example: sometimes
| it's not just a tiny group, but a _single person_ that
| sees something that the devs did not, and that can lead
| to fixing "wtf" bugs for everyone else.
| st3fan wrote:
| How do you compare strong voices of a few on a site like
| HackerNews or Reddit against many many many millions of
| data points of users around the world.
|
| Should written feedback overrule a bigger data set?
| caslon wrote:
| At the rate Firefox's market share is currently
| declining, it seems unlikely Mozilla actually has a
| finger on the pulse of the wider "millions [of users]
| around the world."
| md8z wrote:
| Is there anyone who you believe does have a finger on
| that pulse? If so, why? What can we learn from them?
| Scharkenberg wrote:
| If the telemetry-based removal of a feature would turn
| out to be a dealbreaker for a critical mass of users, it
| should be reconsidered (think of Mozilla's position in
| the browser market nowadays: it can't afford to piss off
| the "power users" and evangelists of Firefox).
|
| And it's not like Firefox has no Nightly or Beta branch
| to test the waters before making a significant change.
| For example, during the prerelease phase of the so-called
| Proton UI, there was no shortage of clear feedback about
| it. A lot of it was legitimate criticism about
| accessibility (harder to distinguish inactive horizontal
| tabs because the separators were removed; part of the new
| palette did not have enough contrast; etc.) and usability
| (e.g. in cases of low screen estate, some menus were
| suddenly so huge that they'd not fit within the height of
| the screen).
|
| Mozilla is slowly fixing some of these issues, which is a
| good sign IMO, but also sticking to some other
| "deliberate design decisions" that still remain
| controversial. I largely do _not_ believe in design-by-
| committee, by the way. However, I believe that all valid
| feedback should be evaluated and taken into consideration
| if it's critical.
| rz2k wrote:
| Is there a guiding philosophy behind any of Firefox's
| decisions?
|
| If it isn't customizable by the type of users who care
| about customization, then what is the reason to use
| Firefox instead of what ships with your OS or Chrome. Why
| would "typical users" have chosen Firefox in the first
| place without some vocal user suggesting it?
|
| I still use Firefox for everything, I'm just sad that the
| lack of inspiration in the project means that it might
| not be a viable option in a few years. Maybe they're
| aiming for making 98% of users happy, and matching 98% of
| the features of other browsers, but it needs to have
| _some_ reason to exist. Usability testing without
| innovation is that different from p-hacking without
| hypotheses in science.
|
| Anyway, compact density was a non-default option, so it's
| difficult to understand why the option had to be
| deprecated. Compare that to MacOS. I didn't upgrade to
| Big Sur until Apple restored the option
| `NSWindowShouldDragOnGesture`, which allows you to drag a
| window from any pixel when you hold down control-option-
| command. Out of a billion users, I'd be surprised if more
| than 5,000 users care about this feature. (ie >99.9995%
| probably don't care) I only use the feature in
| combination with Karabiner Elements to change the command
| and Steermouse to recognize mouse button chords, but I
| invoke the command every couple minutes. Nevertheless it
| was restored, and it never disappeared in Monterey. Is it
| the budget alone that allows Apple to be simultaneously
| opinionated in their UI design and user accommodating, or
| is it completely different attitudes about users?
| md8z wrote:
| As someone who is currently implementing a compact theme
| for a different app, anything of that nature has a non-
| zero cost. Which is compounded by the number of designers
| you have working on the product who now all have to
| review every change multiple times.
| robbedpeter wrote:
| A technically competent user's feedback should be
| weighted at least one, if not tens or hundreds of orders
| of magnitude greater than anonymously gathered telemetry.
| Remove actual, intentional human communication from the
| loop and you're lost at sea - anyone can make the
| anonymous data mean anything, and then it's whomever can
| make the cleverest chart or analysis of the data that
| ends up directing decisions.
|
| Ignoring the people who actually take the time to
| communicate problems in favor of interpreted telemetry is
| exactly why Firefox is losing. Taking direction from
| technical users, or so-called power users, can give the
| application improvements in nuanced and technical uses.
| Taking direction from anonymous "averages" makes
| development a race to the bottom.
|
| Firefox developments over the last couple years feel
| like what would happen if you put grandma in charge of
| trying to make things better. To put it bluntly, fuck
| grandma, she doesn't know what the hell she's doing
| anyway. Firefox used to be a Lamborghini, it doesn't need
| training wheels and balloon bumpers. Lean into technical
| excellence and drop the obsessive ui/ux nonsense.
| bityard wrote:
| I agree with this so much.
|
| Once it was clear that Chrome was destined to cater to
| the masses, Firefox should have done a hard pivot with an
| emphasis on privacy and putting the user in control of
| their browsing experience. The best time to do this was a
| few years back when all of this was becoming obvious, but
| now with massive popular distrust of large tech companies
| like Facebook and Google making daily news, the second
| best time is now.
|
| There's a reason I run Linux and BSD on every computing
| device I own, instead of Windows or Mac. It's not because
| it's easier to use (they are not), it is not because it
| has more bells and whistles (they do not). It's because
| at the end of the day, _I_ am the one in control of my
| computers, not some product manager who needs bullet
| points on his or her annual review.
|
| There is no universe in which Firefox is going to
| successfully compete against Google at their own game,
| especially when Google is _still_ the majority source of
| their funding. I have no evidence for or against this,
| but my greatest fear is that the people at Mozilla who
| were passionate about the same things that I am
| passionate about have left out of frustration and the
| only ones left are there for the lifestyle and
| hipsterness of "working in tech" at a non-profit in a
| trendy city.
| nuerow wrote:
| > _Once it was clear that Chrome was destined to cater to
| the masses, Firefox should have done a hard pivot with an
| emphasis on privacy and putting the user in control of
| their browsing experience._
|
| Why do you believe that catering to the masses implies
| not focusing on privacy and putting the user in control
| of their browsing experience?
| md8z wrote:
| I cannot agree with it or your comment. I have seen these
| types of comments pop up in every Firefox thread on HN. It
| is so common for people to try to play armchair CEO. But
| when I actually dig into it, I have really never seen
| anyone with a competent vision of what a "competing
| browser" is supposed to look like. It all seems to boil
| down to "put the user in control of X feature and add a
| bunch of settings for it" or "don't remove Y feature that
| I used" or "bring back XUL" or something like that which
| I hope you can understand are not reasonable high-level
| directions. The various forks of firefox are well
| intentioned but these are all minor modifications, they
| don't try to do something different.
|
| To illustrate what I mean here, if you want a fork with
| an emphasis on privacy you can just use LibreWolf. It is
| the entire thread we are responding to, the thing you
| want exists right now. But I don't see people exactly
| flocking to use that, your comment seems to not even
| acknowledge that it exists!
| InTheArena wrote:
| Typically on the web more virulent, extreme content
| should always win against the quiet majority.
| SyzygistSix wrote:
| Is this sarcasm or sincere? I agree to a certain extent;
| informed people with good taste tend to be strongly
| opinionated.
| matthewmacleod wrote:
| Uninformed people with terrible taste generally seem to
| be even more strongly opinionated, though. I'm not sure
| we can draw many useful conclusions!
| Jansen312 wrote:
| Some vocal voices are superusers that can affect others
| to use or not. Think of them as like current social media
| influencers. FF userbase has been in decline for some time
| now, during which those vocal feedbacks had been largely
| ignored. Perhaps that gives some proof indication "should
| written feedback overrule a bigger data set"?
| Groxx wrote:
| While I broadly agree: data lies too. "X% more people use
| this now" says _absolutely nothing_ about if they like
| it, or if it's doing what they want, or if you'll drive
| them off the system in a couple months because of it. It
| just says that X% more used it during the time you were
| watching.
|
| You can use nothing but positive data-driven results to
| drive yourself out of existence, and it's rather easy.
| Direct, human feedback is _absolutely essential_.
| st3fan wrote:
| We use the telemetry data as input to many product and
| business decisions. It is very important.
| squarefoot wrote:
| If that was entirely true, then better communication with
| users would probably be the ideal substitute for it.
| criddell wrote:
| Product decisions I can kind of see, but what kind of
| business decisions are you talking about?
| jcranmer wrote:
| I'm not an expert on Mozilla's telemetry, but my recollection
| is the vast majority of telemetry data is performance data
| (e.g., how long does it take the program startup, how long
| does it take to query the history database when typing in the
| URL bar) or features usage (and this is more on the level of
| "which SSL cipher suites are being used" versus "who clicks
| this button in the UI").
| cpeterso wrote:
| Here is Mozilla's list of telemetry probes, including
| descriptions and whether it is recorded in prerelease
| (Firefox Nightly and Beta) or release versions.
|
| https://probes.telemetry.mozilla.org/
| st3fan wrote:
| Those are great examples and we do both.
| ignoramous wrote:
| Of the 180 lists we track at RethinkDNS, all the top ones
| contain _*.telemetry.mozilla.org_
| https://rethinkdns.com/search?q=telemetry.mozilla.org
|
| That said, on Android, I don't see a single
| _telemetry.mozilla.org_ entry in my DNS query logs.
| xbdm wrote:
| LibreWolf is a pretty good firefox fork, but I would always use
| firefox with tweaks and user.js. Don't trust forks much, as I
| rather put my data with firefox plus mullvad vpn works with them
| on their vpn service. And mullvad is a really good privacy vpn...
| GhettoComputers wrote:
| Why not just audit the network activity? It's all the evidence
| I need.
| tristor wrote:
| I examined this and it appears that you can get the same effect
| yourself by enabling ETP strict mode, disabling telemetry and
| suggestions, and installing uBlock Origin in Firefox, which is a
| pretty common configuration for a lot of people. I suppose it's
| easier to just install this and have that already set up, but
| it's not exactly hard to do this in Firefox for the average HN
| reader and you most likely /already have/, so this gives you
| nothing except lagging security updates from an unknown
| developer.
| hnarn wrote:
| If anything, these types of projects should come as some sort
| of external wrapper to help you compile or configure the
| software to give you the wanted behavior.
|
| I don't know a lot about how Arch's AUR works but this seems
| like something that could be made an AUR package for example
| with special configuration while still using "base" Firefox to
| put it together, rather than profiling it as a new product.
| hutrdvnj wrote:
| It depends on how they plan to diverge from upstream firefox.
| Given enough source code changes a fork might be justifiable.
| kaba0 wrote:
| I don't think "hard forking" a browser of all things is
| manageable, even for largish companies, let alone a few
| developer team. Backporting all the security patches is a
| very expensive process.
| chrisjc wrote:
| Forgive my ignorance, but couldn't this be done as an
| extension? (Maybe even within uBlock Origin itself, if they
| were to add an option?)
|
| Or do extensions not have access to these settings?
| NoGravitas wrote:
| They don't. But honestly, it would be easy enough to have a
| script/program run to fix the settings while Firefox is not
| running.
| yosamino wrote:
| This is exactly the sort of thing one might expect an
| extension to be able to do, but since the move to web-
| extensions many of these things aren't possible.
|
| For example, you can't change user settings from an
| extension. Or install other extensions.
| anonymousnotme wrote:
| That is part of why FF is having user drops. There should
| be a way to easily set a bunch of preferences in bulk for
| privacy/security or whatever one wants.
| tristor wrote:
| However, the same is true for all other browsers as well
| as most are forked from Chromium and also use the web
| extensions API. What other browser provides more control
| via extensions? This seems like it's not a reason for
| users to drop.
| anonymousnotme wrote:
| I also don't see all the excitement about ETP and similar. I
| have one profile that has javascript and cookies disabled and I
| do 90% of my browsing via that. I mostly just read text...
|
| I have another profile that is less locked down, which I use
| for things that might need cookies and javascript. One can use
| plugins like noscript and enable on a per-site basis.
| tinus_hn wrote:
| Until Firefox accidentally disables these settings or replaces
| them with new ones with new defaults, deprecates these plugins
| or introduces a new privacy invasion.
| nuerow wrote:
| > _Until Firefox accidentally disables these settings or
| replaces them with new ones with new defaults, deprecates
| these plugins or introduces a new privacy invasion._
|
| Did anything of the sort ever happen at all or are we only
| entertaining thought experiments?
| joshspankit wrote:
| It happens all the time with different OS', software,
| games, and apps. I don't know of a single example of
| _Firefox_ doing it, but I feel like it's fair if people are
| thinking about it as a possibility.
| nuerow wrote:
| > _I don't know of a single example of Firefox doing it,
| but I feel like it's fair if people are thinking about it
| as a possibility._
|
| This line of reasoning doesn't add anything of value
| because the same fear mongering applies to LibreWolf and
| any other project just the same.
| joshspankit wrote:
| My intent was not to fearmonger. I agree that anyone
| could do it (including LibreWolf). My intent was to say
| that the comment I responded to has a rightful place in
| these discussions (and further: in any discussion about
| privacy)
| proactivesvcs wrote:
| I recently looked at the changes they make to the default
| preferences and so many are nothing to do with privacy, and some
| of those that are also reduce the user's safety (e.g. disabling
| Google Safebrowsing). I'd advise any prospective users to comb
| over the changes very carefully before using it.
| bityard wrote:
| There are those of us who would choose privacy over safety
| every time...
| GhettoComputers wrote:
| How does google safe browsing make me safer? It's just sending
| all my network data to google for them to tell me if it's safe
| or not. If you don't see the issue with sending every website
| you use to google for them to tell you if it's safe I don't
| know what to tell you. Sending your browsing history to a
| database has everything to do with privacy.
| proactivesvcs wrote:
| I suggest you look up how Google Safebrowsing works; it's not
| how you may think. I'm pretty anti-Google and I leave this
| feature switched on because I believe the trade-offs are
| worthwhile.
| GhettoComputers wrote:
| >Google maintains the Safe Browsing Lookup API, which has a
| privacy drawback: "The URLs to be looked up are not hashed
| so the server knows which URLs the API users have looked
| up". The Safe Browsing Update API, on the other hand,
| compares 32-bit hash prefixes of the URL to preserve
| privacy. The Chrome, Firefox and Safari browsers use the
| latter.
|
| >Safe Browsing also stores a mandatory preferences cookie
| on the computer.
|
| >Google Safe Browsing "conducts client-side checks. If a
| website looks suspicious, it sends a subset of likely
| phishing and social engineering terms found on the page to
| Google to obtain additional information available from
| Google's servers on whether the website should be
| considered malicious". Logs, "including an IP address and
| one or more cookies" are kept for two weeks. They are "tied
| to the other Safe Browsing requests made from the same
| device."
|
| Looks like it works exactly like I thought it did and is
| not useful to me and a privacy concern.
| kaba0 wrote:
| > The Safe Browsing Update API, on the other hand,
| compares 32-bit hash prefixes of the URL to preserve
| privacy. The Chrome, Firefox and Safari browsers use the
| latter.
|
| How exactly?
| GhettoComputers wrote:
| The rest of it.
|
| >Safe Browsing also stores a mandatory preferences cookie
| on the computer.
|
| >Google Safe Browsing "conducts client-side checks. If a
| website looks suspicious, it sends a subset of likely
| phishing and social engineering terms found on the page
| to Google to obtain additional information available from
| Google's servers on whether the website should be
| considered malicious". Logs, "including an IP address and
| one or more cookies" are kept for two weeks. They are
| "tied to the other Safe Browsing requests made from the
| same device."
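
How the hash-prefix lookup quoted in the comments above works, as an added example that is not part of the thread and is not Google's or any browser's code: the client hashes host-suffix/path-prefix expressions of the URL, compares 32-bit prefixes against a local list, and only on a local hit sends that prefix for a full-hash comparison. URL canonicalization is reduced to lowercasing the host, and `StubServer`, the list entries and the `.example` hosts are constructed for the illustration.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes: the 32-bit hash prefix mentioned in the thread


def host_suffixes(host):
    """Exact host, plus up to four suffixes built from its last five labels."""
    labels = host.split(".")
    if all(label.isdigit() for label in labels):
        return [host]  # IPv4 literal: no suffixes are generated
    out = [host]
    for i in range(max(len(labels) - 5, 1), len(labels) - 1):
        out.append(".".join(labels[i:]))
    return out


def path_prefixes(path, query):
    """Path with query, path alone, then '/' and up to three leading directories."""
    out = [path + "?" + query] if query else []
    out.append(path)
    prefix = "/"
    candidates = [prefix]
    for segment in path.split("/")[1:-1][:3]:
        prefix += segment + "/"
        candidates.append(prefix)
    for candidate in candidates:
        if candidate not in out:
            out.append(candidate)
    return out


def expressions(url):
    """All host-suffix/path-prefix combinations that get hashed for one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return [h + p for h in host_suffixes(host)
            for p in path_prefixes(path, parts.query)]


def full_hash(expression):
    return hashlib.sha256(expression.encode("utf-8")).digest()


class StubServer:
    """Hypothetical stand-in for the remote full-hash lookup; logs what it is sent."""

    def __init__(self, listed_hashes):
        self.listed = list(listed_hashes)
        self.seen = []  # every prefix the client disclosed

    def find_full_hashes(self, prefix):
        self.seen.append(prefix)
        return [h for h in self.listed if h.startswith(prefix)]


def check_url(url, local_prefixes, server):
    """Return 'unsafe' or 'safe'; the server is contacted only on a local prefix hit."""
    for expression in expressions(url):
        digest = full_hash(expression)
        prefix = digest[:PREFIX_LEN]
        if prefix not in local_prefixes:
            continue  # no local hit: nothing about this URL leaves the machine
        if digest in server.find_full_hashes(prefix):
            return "unsafe"
    return "safe"


def build_demo():
    """Constructed data: one listed page and one entry colliding with a benign page."""
    listed = full_hash("malware.example/bad/")
    benign_prefix = full_hash("news.example/")[:PREFIX_LEN]
    colliding = benign_prefix + bytes(28)  # same 32 bits, different full hash
    server = StubServer([listed, colliding])
    local_prefixes = {h[:PREFIX_LEN] for h in server.listed}
    return local_prefixes, server


if __name__ == "__main__":
    local_prefixes, server = build_demo()
    for url in ("http://malware.example/bad/payload.exe?x=1",
                "https://news.example/",
                "https://docs.example/guide/intro.html"):
        before = len(server.seen)
        verdict = check_url(url, local_prefixes, server)
        print(url, verdict, "prefixes sent:", len(server.seen) - before)
```

In the `news.example` case the page is judged safe, yet its 32-bit prefix is still sent because it collides with a list entry; the URL itself is not.
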
| LargoLasskhyfv wrote:
| It's not even the privacy aspect alone. There have been
| repeated cases of absolutely legit,
|
| not even controversial sites landing on blacklists, for
| reasons of technical errors maintaining those,
|
| or some jurisdictions DMCAing some other site(s),
|
| hosted behind the same IP-range in the same data-center.
|
| Boom. Suddenly the site is gone, or at least you have to
| click around endless warnings about impending doom if you
| proceed.
|
| For nothing. This is the same shit like antivirus ware on
| Windows. Utter non-sense.
|
| Meanwhile, for instance on often visited sites(like weather),
| the Ads happily delivering malicious payloads.
|
| This also happened many times, but can't blacklist large
| sites for delivering malware, can we?
|
| Would cost too much ad-value. No-Go!
| kaba0 wrote:
| How often does a non-controversial site get added to it vs
| the genuine threats/phishing websites it protects grannies
| from? I think it has an absolutely good tradeoff based on
| the relative percentages of the former categories.
| LargoLasskhyfv wrote:
| I'd have to consult lists, since I disabled those
| features almost as soon as they were becoming common. So
| about 10 years ago. With the exception of a Windows 7
| installation which I had to use occasionally. There I
| disabled that later, out of curiosity, until it grew too
| annoying. And of course, when being elsewhere, wanting to
| show some people some sites(not porn, gaming, just self
| hosted bloggers or forums) again and again. And I've been
| like wtf, what am I doing wrong, where did I make a typo,
| or am I remembering the sitename wrong?
|
| Nope. Everything all right. Just not the blacklisting.
|
| And this also happened with FF running under Linux.
|
| Why are you all so apt to accept being conditioned into
| learned helplessness?
| GhettoComputers wrote:
| I also will not send my URLs to Google for them to tell
| me if it's safe or not. I do use hosts on my router for
| ads and to block malicious sites, but it's all local files
| rather than phoning Google with my browsing history.
| proactivesvcs wrote:
| I came across a very annoying case of it blocking
| seclists.org for a few months but it eventually cleared up.
| Despite this, I still advocate for it. If one day it does
| start seeming to act maliciously I can simply push a button
| and it's switched off. Until then it provides a real
| benefit to security because a whole lot of nasty sites are
| blacklisted using the service.
|
| If you think it's for nothing then perhaps it's worth
| looking into how the service works and how successful it
| is.
| LargoLasskhyfv wrote:
| Yours may be a valid point of view. But mine is too.
| Because I didn't pull that shit out of thin air,
|
| instead having experienced it,
|
| and came to the conclusion that it IS indeed the same
| shit.
|
| At the end of the day.
|
| All those 'swimmies' and life-savers are ball and chain
| to me,
|
| dragging me down. Learn to surf, row, swim, dive,
| whatever!
| longstation wrote:
| Would it be better if the project includes a native ad blocker?
| brightly-salty wrote:
| The reasoning given is that maintaining a native version of
| uBlock Origin would be very costly, and so not worth the focus
| right now, especially considering that many of their users are
| already familiar with the extension.
| yosito wrote:
| Why are there not more successful forks of Firefox? While it's
| still my browser of choice, I think it's safe to say there are a
| significant number of developers who are not happy with the
| leadership of Mozilla. What's preventing other forks from taking
| off?
| mgbmtl wrote:
| This will be an unpopular opinion here, but for developers,
| telemetry is a really useful way to make decisions about the
| direction of a project.
|
| Otherwise if it's just on a whim of the lead dev, that often
| does not scale. And we've seen with lots of projects, that
| actual regular-user feedback, not power-users, is crucial in
| taking those decisions. Switching off telemetry is easy, but I
| suppose you also have concerns about technical issues, and
| those can be really difficult to compromise on (a lot of people
| suggested forks when XUL was removed.. but today probably very
| few people would want XUL back).
|
| To have a successful fork, you need devs with either a business
| model behind it, or enough motivation to maintain it as a
| hobby. For a while, it worked for Iceweasel, but it was just
| branding. Firefox is complex, requires a lot resources to
| build, distribute binaries, etc.
|
| I'm not affiliated to Mozilla, but I do help maintain another
| open source project, where, in my opinion, power-users and
| consultants drove the project in a direction that made the
| product more difficult to use, and therefore gave it a bad
| reputation and limited growth. I can say that because I have
| access to some of the telemetry, and also because I talk to a
| lot of random users as part of my work.
| kaetemi wrote:
| Yet Firefox went in a weird direction. Telemetry decisions,
| huh.
| riedel wrote:
| I have a question: what is the rate of opt in into telemetry? I
| like the concept of donating your data to improve a product.
| I wonder if there would not be enough data if ppl could
| simply choose when installing.
| Communitivity wrote:
| I don't mind telemetry, if it is opt-in. It should never be
| opt-out, but usually is.
| gtirloni wrote:
| Almost nobody goes out of their way to enable telemetry
| because they want to help some project. Very few power
| users do (and they don't represent the majority in most
| cases) and I'd say zero regular users would care.
| kaba0 wrote:
| The difference between opt-in and out organ donors between
| otherwise similar countries is a staggering 80% -- people
| are seriously lazy and will choose the default almost
| always. I think one should not be afraid to "exploit" this
| innate human quirk, if it is done for good reason.
| Unethical people will abuse it either way.
| solox3 wrote:
| "No one opts in" aside, any opt-in metrics you do collect
| tend to be skewed towards how the people who opt in, use
| the product. Anyone serious about making product decisions
| using opt-in metrics should be aware of this bias.
| dmos62 wrote:
| This could be solved by a lot of transparency about what
| collected telemetry is saying. A user can then check if
| the users that opted-in to telemetry are representative
| of his own use cases and thus make an informed decision
| if he should opt-in as well (if he's not well
| represented). Telemetry is a lot like voting.
| spoctrial wrote:
| The vast majority of people will not read about the
| collected telemetry, even fewer will read it and then
| make a decision to opt-in. The telemetry is optimizing for
| the vast majority, not the loud minority, hence opt-out
| works better in order to cater to a larger group of
| users. Your voting analogy is really bad.
|
| With that said, I don't really like telemetry and will
| turn it off.
| dmos62 wrote:
| I think voting is a good analogy for telemetry. You
| submit your use case to help decide development
| direction.
| dblohm7 wrote:
| So, `about:telemetry`, https://telemetry.mozilla.org
| solarkraft wrote:
| I don't mind telemetry that much. I mind Pocket, ads and
| whatever bullshit they'll push next week.
| chinathrow wrote:
| I have some color packs for you, but they are only
| available briefly.
| veidr wrote:
| Yeah, what the fuck was that?
| chinathrow wrote:
| I honestly have no clue.
|
| https://blog.mozilla.org/en/products/firefox/introducing-
| new...
|
| But reading this and answering for Mozilla staff should
| get them some feedback:
|
| > What's next for Firefox colorways?
|
| We'll see. We'll go where our customers take us.
|
| Well, I saw and I clicked to skip this BS.
| cpeterso wrote:
| Additional "colorway" themes will be introduced
| seasonally, but the current colorway themes will not
| disappear. They will "graduate" to
| https://addons.mozilla.org/.
| chinathrow wrote:
| To be honest that was not clear at all from this work-
| interfering modal after the upgrade to 94.0
|
| It more read like some marketing FOMO inducing lingo like
| "use the new feature better now or you will miss out once
| they're gone".
|
| Do you have a user panel at Mozilla to vet stuff like
| that? I would love to participate. Being a Moz suite user
| since 1998.
| ReactiveJelly wrote:
| and it would be fine if it was opt-in. Syncthing's telemetry
| is very transparent, so I started enabling it on my nodes.
| but I hate when programmers who should absolutely know the
| difference conflate opt-in and opt-out.
| nix0n wrote:
| > regular-user feedback, not power-users, is crucial in
| taking those decisions
|
| In general, that's true. But Firefox is an exception to this.
|
| The most important thing to a regular user, is that their
| websites work. But for websites to work, the developer had to
| test in Firefox. So, Firefox's alienation of power users has
| hurt its regular userbase.
|
| There's also the distinction between users vs customers. Most
| users pay nothing for Firefox. A relatively small number of
| free-software lovers provide donations. If they want more of
| those people to give more money, Mozilla would have to cater
| to power users. This leaves Mozilla's main customer as being
| Google, who doesn't really want Firefox to be good.
|
| The other exception to this, is if the software you're making
| is so specialized, that you can get by on a handful of large
| institutional customers. Obviously this is not where Mozilla
| is, it's just another case where telemetry is not necessary.
| kaba0 wrote:
| Whether devs test in firefox or not is orthogonal to
| whether they like the product, it is entirely based on its
| market share. No sane person wanted to test on IE, but it
| was mandated by the company.
| iudqnolq wrote:
| That's partly true. N of one, but I have Firefox set up
| the way I want it to, so I do all my development in
| Firefox and then occasionally test in Chrome. Essentially
| all my users use Chrome, so if I didn't prefer Firefox's
| ux it would get much less attention
| anonymousnotme wrote:
| I like the mention of large institutional customers. Is
| there a way where mozilla can have companies sponsor
| firefox to be open so that these companies do have to deal
| with google and MS control and any of the crap that do to
| try to control it. I guess it is more so that google does
| not have control because MS is now using chrome engine.
| st3fan wrote:
| It is not an unpopular opinion. I bet most people here
| actually work on products that have a fair share of
| telemetry. How else would you know how your products are
| doing or what to focus on.
| mixmastamyk wrote:
| If telemetry were that useful and acted upon, we wouldn't
| have FF regularly breaking its interface. (Such as the stupid
| disconnected tabs and other vanity projects.) Almost everyone
| hates these kind of unique-snowflake interface changes for
| the sake of change.
| mcwhy wrote:
| even GNU has really hard time keeping up their IceCat releases
| vfclists wrote:
| Some years ago Mozilla decided that rather than creating a
| browser toolkit that browser developers could build browsers
| around, they would go the whole hog and combine the engine with
| the user interface aspects.
|
| Even their own developers objected to the policy, but they went
| ahead anyway.
| [deleted]
| throw63738 wrote:
| Look at the code
| stapled_socks wrote:
| Ok thanks I'll read Chrome's and Firefox source code over the
| weekend.
| numbsafari wrote:
| One reason is that there's a ton of social pressure not to
| fork, for example:
|
| https://news.ycombinator.com/item?id=29106440
|
| Another is that doing so, and sustaining the effort, is a non-
| trivial amount of work. Throwing up a web page and a single
| release is one thing. Keeping up with the release cadence of an
| org like Mozilla, and the demands and expectations of a browser
| user base is something entirely different.
|
| Also, "Libre" is a terrible moniker.
| dmos62 wrote:
| I've not come across someone in tech who doesn't pronounce
| Libre in French (leebr). Libre is necessary, because English
| is deficient when talking about freedom, since it doesn't
| distinguish something being free of charge (free as in
| doesn't cost money) and something being free in the broad
| sense (as in freedom).
| iandinwoodie wrote:
| Out of curiosity, why do you think "libre" is a terrible
| moniker?
| torstenvl wrote:
| Because nobody knows how to pronounce it, for one. Is it
| /libre/ (Standard Spanish) or /libR@/ (Standard French) or
| /libkh/ (Northern French, esp. Parisian) or /laIb@/ (RP
| import) or /laIber/ (GA import) or /libre/ (GA Spanish
| import)?
|
| But that's a symptom of a different pair of issues, namely:
| (1) it's ambiguous what language the word is in, and (2)
| neither of those languages are really tech field lingua
| francas (English, Russian, maybe Hindi, probably in that
| order).
| thomquaid wrote:
| Libre comes from Latin, via Norman and New Orleans
| French, to American English. It seems to me quite well
| chosen, as tech lingua franca.
| torstenvl wrote:
| American English does not have this word. It uses it only
| as parts of other phrases imported from French or
| Spanish, with Spanish being the more predominant (more
| people have seen Nacho Libre than partake in vers libre).
|
| https://www.merriam-webster.com/dictionary/libre
| 1_player wrote:
| > Out of curiosity, why do you think "libre" is a terrible
| moniker?
|
| For me, as a fan of open source, Libre-something means
| something focused on being open source, rather than being a good
| product. And in my humble opinion, open source governance
| is generally not good at making big sweeping, or even just
| focused changes when needed, so the "Libre" moniker to me
| has an aftertaste of "good enough, but could be much
| better" compared to commercial offerings or products that
| have paid volunteers and stronger governance.
|
| Something called Libre usually means it will never get nor
| accept any paid sponsorship, and sometimes it's what is
| needed to turn a decent open source product into a killer
| product.
|
| None of these things are rooted in hard facts, that's the
| "feeling" the libre word gives me. To be honest, the only
| popular libre products I know of are LibreOffice (just good
| enough IMO) and LibreSSL, which was born after the OpenSSL
| fiasco, yet is still living in the shadow of OpenSSL. The
| "Open" word has similar shortcomings, but is less strict
| than the definition of libre and thus carries fewer
| negative connotations in my view.
| travisgriggs wrote:
| Totally agree. Love the Wolf part of the name. Do not
| like Libre. Would have rather seen any of just Wolf,
| WebWolf (alliterates), WolfWolfGo (couldn't help myself),
| FireWolf (ties to original), etc.
| mfer wrote:
| Maintaining a successful project takes A LOT of work. For
| something this size it's not a side project's amount of work.
|
| How do the people working on it get money to cover their bills?
| If they don't have this they will work on something that does
| that.
|
| A financial model is usually the blocker.
|
| Consider this, a lot of the people who work on Linux or many
| other projects are corporate backed. The companies pay the
| developers.
| secondaryacct wrote:
| And the clients pay the companies. When we'll start buying
| browsers they'll stop tracking us
| kgwxd wrote:
| Unlikely. I can't name even 1 major paid for product that
| doesn't have telemetry and other forms of tracking.
| qwerty456127 wrote:
| Perhaps, but they will still optimize to maximize sales
| then, i.e. do what sells to as many people as possible, not
| what is good for you (an advanced user in particular). In
| fact I'm Okay with Firefox but would rather pay for a good
| alternative to Facebook where I would be a customer rather
| than a commodity.
| folkrav wrote:
| I'd be willing to bet whichever paid browser popped up
| would both still keep the telemetry _and_ fuck us with
| subscription based, you-won't-ever-own-your-browser payment
| scheme.
| wintermutestwin wrote:
| Is it becoming a truism that (in this space) the profit
| motive will inevitably lead to user abuse?
|
| Maybe we need more 501c3 and benefit corps providing basic
| stuff like an internet browser?
| maccolgan wrote:
| _cough_ Mozilla is dead in the water _cough_
| zdragnar wrote:
| The Mozilla Foundation doesn't provide their browser, the
| Mozilla for-profit subsidiary corporation does.
| nsonha wrote:
| Nationalize new browsers and OSes' development, or
| subsidize them. Governments do it with things like energy,
| space tech aviation and even telecom, but surprisingly not
| their software foundation.
| LargoLasskhyfv wrote:
| I guess the French would be in a position to do so.
|
| They've already adopted some infrastructure software
| projects into their governmental operations, not only
| using them, but also participating and maintaining them.
|
| They also have many initiatives mandating the use of open
| source where applicable, and also suggestions of
| liability for closed source software by law. Harr!
| Unheard of! Those naughty Gauls!
| jasode wrote:
| _> Why are there not more successful forks of Firefox? [...]
| What's preventing other forks from taking off_
|
| Some of the replies to your question state "money" but there
| are also more fundamental reasons of choosing Chromium over
| Gecko: _technical functionality and performance (especially on
| mobile)_.
|
| You'd think an ex-Firefox programmer and Mozilla co-founder
| such as Brendan Eich would have chosen Gecko for Brave but he
| didn't. He explains in a previous comment why he switched from
| Gecko to Chromium:
| https://news.ycombinator.com/item?id=22062636
|
| So the "hidden" reason people are not comfortable saying
| (except maybe Brendan Eich) is that _Gecko isn't as good as
| Chromium_ as a foundation for forking. That's why you get a
| bunch of companies independently choosing Chromium instead of
| Gecko such as:
|
| - Github Electron based on Chromium
|
| - Qt QtWebEngine uses Chromium
|
| - Opera Vivaldi switches from Presto to Chromium
|
| - Microsoft Edge switches from Trident to Chromium
|
| - Brave switches from Gecko to Chromium
|
| Some speculate Gecko's MPL license instead of Chromium's BSD
| might also be a factor.
| severine wrote:
| I'm a longtime Firefox user and advocate, but this feels
| mostly right.
| LargoLasskhyfv wrote:
| I neither want nor need DRM to work.
|
| I'd rather have the ability of ad-blocking and similar
| extensions to work on a deeper level, instead of crippling
| them, like on chromium-based browsers.
|
| _What about_ mono-culture and the risk thereof?
|
| edit: Availability of working DRM is what it all boils down
| to.
| dmos62 wrote:
| I haven't kept up to date. Is Chromium hostile towards ad
| blocking?
| LargoLasskhyfv wrote:
| It started with this, but applies to other extensions
| also:
|
| [1] https://github.com/gorhill/uBlock/wiki/uBlock-Origin-
| works-b...
| fabrice_d wrote:
| I'm part of the team maintaining the "boot 2 gecko" aka b2g
| fork (we push it to https://github.com/kaiostech/gecko-b2g)
| so I have some experience building a non-firefox product on
| top of gecko, and maintaining a non-upstream platform (the
| "android without java" stack called Gonk).
|
| At some point we compared gecko with a blink port on Gonk,
| maintaining both while we were doing performance comparison
| on low end mobile devices. We were looking both at memory
| usage and page loading speed. I was expecting to see blink
| way ahead of gecko, but that was not the case at all. For
| some content blink was a bit better, for some it was gecko,
| but never with a large gap either.
|
| Maintenance of the blink product was not easy, with barely
| documented internals changing a lot (it's very different to
| build a new product on top of blink compared to just fork an
| existing one like chromium). I'm not blaming the blink team,
| that makes sense in the context of what they do, and we were
| not as familiar with blink code base as with gecko. Finally
| we stayed on gecko because this was the best choice for us
| (eg. including team velocity and the amount of non standard
| apis to rewrite).
|
| In my opinion if you want to start on a new browser product,
| the main Chromium benefits for a commercial project are:
|
| - web compat, which unfortunately is self sustaining.
|
| - licensing. The MPL vs. BSD doesn't matter for open source
| projects, but many companies (especially VC funded) are
| averse to copyleft licenses. Gecko's xpcom architecture was
| actually not a bad fit with the MPL, since you can ship new
| xpcom components without publishing their code if you don't
| want, but that didn't make much of difference (some chipset
| vendors used the capability for FirefoxOS to replace the
| implementation of telephony apis with closed source ones).
|
| But you need to be comfortable being subject to the whims of
| google (and a little bit MS now). For instance, consider the
| changes to web extension resource blocking capabilities with
| the "manifest v3": some forks plan to keep the resource
| blocking api working, but it's very unclear if they will be
| able to do so in the long term without a growing complexity
| of their fork that may become too high.
|
| If you are an open source project, please don't cement
| Google's dominance of the web by using chromium.
|
| Gecko deserves to have a future - it may just not be
| Mozilla's corp current leadership that is the best for that
| to happen.
| sfink wrote:
| If you read that tweet, it mainly says that they made the
| choice based on DRM licensing. Well, plus a vague "it lost on
| many dimensions in a head to head comparison enumerating gaps
| vs. Chrome". Which I can't argue, because there are no
| specifics to disagree with.
|
| That said, I work on Gecko and it is indeed an old crufty
| codebase with numerous issues. From what I've seen of Blink,
| it seems surprisingly similar (overall; the specific problem
| areas are different). And Gecko has a surprising willingness
| to rewrite or revamp core aspects of the codebase -- by some
| metrics, it appears to be more nimble than Blink (eg, site
| isolation to separate processes was a massive project for
| both codebases, and it looks like although Gecko started and
| finished later, the elapsed time is a couple years less.)
|
| On the other hand, Eich was pretty well in touch with the
| Gecko codebase, so his opinion _should_ carry some weight.
| (Somewhat counterbalanced by his seeming enthusiasm for
| burning some bridges behind him, but that gets into very
| speculative territory.)
|
| I tend to agree that Gecko isn't as good as Chromium as a
| foundation for forking, though. I think working with the
| Mozilla development community is actually quite a bit better
| than working with Chromium's, but Gecko is pretty
| unapologetically focused on Mozilla's product needs and
| Mozilla doesn't have the resources to properly support
| external embedders or forks.
| toyg wrote:
| The continuous struggle to get Gecko used by any non-
| Mozilla project should also carry weight: there are many
| reasons why Apple went with the arguably-inferior KHTML
| engine when they started their own browser, and why the
| resulting library was quickly adapted all over the world -
| when arguably Gecko had had by then a headstart of a decade
| or so. Reportedly, embedding WebKit in one's codebase was
| basically trivial, whereas with Gecko was almost
| impossible.
| hyproxia wrote:
| Money.
| revolvingocelot wrote:
| Can you elaborate? Is Mozilla paying off people who try to
| start FF forks? Because I could use a bailout.
|
| More seriously, is the suggestion that FF is too complex to
| properly fork without full time devs?
| dralley wrote:
| It's 20 million lines of security sensitive code. Of course
| it's difficult to properly fork.
|
| The same is true of Chromium, btw.
| Sebb767 wrote:
| And yet we see quite a lot of Chromium forks - Brave,
| Vivaldi and Edge come to mind. For Firefox, the number
| seems to be a lot lower.
| est31 wrote:
| Due to its market share, Chromium has better website
| compatibility these days than Firefox. See the statement
| by the Brave creator on this:
| https://twitter.com/BrendanEich/status/1165348116398104576
|
| Also, especially on mobile, Firefox is an extremely niche
| browser engine. The biggest browser forks in terms of
| global user count are actually not the likes of Edge,
| Brave, etc, but android Chromium forks popular in Asia.
| fabrice_d wrote:
| The biggest chromium fork on mobile is actually FB "in
| app browser".
| masklinn wrote:
| > Brave
|
| Company trying to make money off of its fork.
|
| > Vivaldi
|
| Company trying to ???
|
| > Edge
|
| Microsoft, who found that maintaining a chrome fork would
| be less expensive than _playing catch-up with their own
| in-house browser_.
| Sebb767 wrote:
| And yet they all could have chosen Firefox and you could
| say exactly the same.
| kunagi7 wrote:
| Chromium has proper separation of its components (Blink,
| V8, Desktop, iOS, Android UIs, etc). It's "easier" for a
| small full-time paid team to detach the default browser
| UI, implement their own thing and keep the other
| components up to date.
|
| Examples of this are the Electron Framework [0], Vivaldi,
| Brave, Opera, Yandex, Edge, etc.
|
| Firefox instead is a nightmare to fork. They used to have
| something called XulRunner[1] that allowed to create your
| own XUL application (things like Seamonkey, Thunderbird
| used it) thus making it fairly easy to fork Firefox.
| After the 41 release Mozilla removed it completely.
| XulRunner's components were intertwined with Firefox
| code. Mozilla deliberately killed the easiest way to work
| their product.
|
| Only light forks like Waterfox, LibreWolf are viable.
| Hard forks fail or struggle every single time Mozilla
| releases a new version (SeaMonkey, Waterfox Classic, Pale
| Moon, etc), lagging behind in features and performance.
|
| Even WebKit is easier to integrate with your own UI
| (Safari, Gnome Web [2], etc).
|
| [0] https://en.wikipedia.org/wiki/Electron_(software_framework)
|
| [1] https://en.wikipedia.org/wiki/XULRunner
|
| [2] https://wiki.gnome.org/Apps/Web/
| masklinn wrote:
| Yes? I've no idea what you're implying. All the viable
| Chromium forks have large amounts of manpower and
| resources available.
|
| The choice between forking Chromium and Firefox is mainly
| one of business[0]: Chrome has a >70% global marketshare,
| adding Edge & co even ignoring Safari it's probably
| around 80. Since Google also keeps pushing their own
| stuff, that means forking Chromium gives you much better
| compatibility guarantees.
|
| [0] though the history of Chromium -- and Webkit before
| that -- forks also means there's probably a lot more
| knowledge floating around about maintaining such a fork,
| especially since Chromium itself was originally a fork
| (running concurrently with its source and regularly
| synch-ing from it, forking a dead codebase or hard-
| forking with no sync is a different concern)
| mschuster91 wrote:
| Yeah, because of the usual open source problem: funding.
| Brave is funded by venture capital and crypto-crap,
| Vivaldi by advertising deals and Edge by the infinite
| coffers of Micro$oft.
|
| Firefox forks tend to dislike associating with any of the
| above.
| funcDropShadow wrote:
| Edge, for example, is a fork maintained by Microsoft. It
| is a strategic project for a multi-billion company. That
| is not comparable to a fork of your average open-source
| project.
| Sebb767 wrote:
| But it's absolutely comparable to a fork of Firefox. This
| does not solve the GPs question, why do so many people
| fork Chrome instead of Firefox.
| rubyist5eva wrote:
| It was definitely a strategic business move. Chrome is
| eating everyone's lunch with marketshare.
|
| Options:
|
| 1. Fork Firefox, people install Chrome anyway
|
| 2. Fork Chromium, some people realize that it's essentially the
| same as Chrome and don't install Chrome and just use Edge
| dralley wrote:
| >But it's absolutely comparable to a fork of Firefox.
|
| It's still not comparable for a fairly simple reason: the
| list of companies in the world that are as big as
| Microsoft consists of Google, and Apple, both of whom
| already have their own browsers.
|
| As for why Microsoft chose Chromium, it's probably a
| combination of marketshare, the fact that it _is_ a bit
| more cleanly architected as a result of having a decade
| less history than Gecko does, and the fact that they have
| ambitions of making a stripped down version of Electron
| part of the standard Windows userspace.
| revolvingocelot wrote:
| Chromium is the one with all the forks, right? I don't
| think "it's a browser, stupid" is the only reason.
| ...although reading some of the other comments elsewhere,
| it is a pretty good one. Chromium-based browsers do tend
| to have some form of corporate support.
| dralley wrote:
| OP said this:
|
| >> is the suggestion that FF is too complex to properly
| fork without full time devs?
|
| How many Chrome forks don't have "full time devs"? A lot
| of them (Vivaldi, Opera) aren't even open source!
|
| The only one I can think of is ungoogled Chromium which
| is basically equivalent to this Firefox one in that the
| actual changes being made are minuscule.
| revolvingocelot wrote:
| I'm not OP, but you, in GGP, said:
|
| >>>It's 20 million lines of security sensitive code. Of
| course it's difficult to properly fork.
|
| Did you forget to switch accounts? Which is it? Easy or
| hard?
| dralley wrote:
| >Did you forget to switch accounts?
|
| No, but nice accusation.
|
| > Which is it? Easy or hard?
|
| Could you spell out what the contradiction is, here? I
| said it's hard to fork both browsers, and then pointed
| out that the only real "community" ones are minuscule
| patchsets which pretty much exclusively _delete_ code -
| that even then, the list is only one or two forks long
| for each browser - and the rest all have multiple full-
| time professional devs behind them.
| revolvingocelot wrote:
| The "contradiction", coincidentally the very same reason
| I wondered if you switched accounts, is your implication
| that the reasoning for the way things are is blindingly
| obvious, except for the exceptions obviously, but those
| are blindingly obvious too. Apologies, I didn't realize
| the rationale behind your posting; that straightforward
| explanatory paragraph clearly couldn't have been deployed
| without all the posturing, first.
| stapled_socks wrote:
| > Money
|
| That's incredibly vague. Can you explain? How are the many
| forks/variants of Chromium and WebKit not affected by this
| "money" factor in the same way
| ajvs wrote:
| Google, Microsoft, Apple and Brave, are some of the
| corporations who fund Chromium/WebKit-based browsers. The
| ones who fund Firefox (Gecko)-based browsers do not have
| nearly enough money to dedicate to their own fork.
| masklinn wrote:
| Money in the terms of resources. Browsers are huge and
| complex codebases so maintaining one (even if "just" a
| fork) is quite expensive.
|
| > How are the many forks/variants of Chromium and WebKit
| not affected by this "money" factor in the same way
|
| They are, but the main Webkit/Chromium forks are either
| large companies (microsoft) or companies trying to make
| money off of their forks (Brave, Vivaldi).
|
| This here is trying to do the exact opposite. Vivaldi has
| ~50 employees, Brave has 150 and tens of millions in
| investments. Even if not all of them work on the fork
| management, that's a lot more resources than a dozen peeps
| doing that in their spare time.
| legrande wrote:
| LibreWolf is mostly a bunch of policies. If you go into the
| preferences pane, you should see a note: 'Your browser is being
| managed by your organization'. When you click the link, there's a
| bunch of 'features' disabled like telemetry, auto-updates etc. It
| also has the about:config section heavily tweaked and modified.
|
| Doing all that on stock Firefox is a lot of work which is why I
| prefer the developers of LibreWolf to do it for me. Call me lazy
| if you want.
|
| There is the added benefit of new Firefox features getting
| stripped in later releases of LibreWolf that otherwise would have
| gone un-noticed by me. Also: Trimming down the browser traffic
| and stopping it from being really chatty with Mozilla servers is
| great (if you don't like Mozilla for whatever reason).
| duskwuff wrote:
| > there's a bunch of 'features' disabled like [...] auto-
| updates
|
| YIKES. Automatic updates are incredibly important for security.
| Disabling them by default is highly concerning.
|
| Does the browser support (manual) self-updates at all, or has
| that functionality been disabled entirely?
| bityard wrote:
| I have been burned often enough by software that auto-updates
| itself that I am positive I don't want it enabled by default
| on _my_ systems. Anywhere from between "this feature I really
| liked is gone" to "now it crashes every five minutes."
|
| Perhaps more importantly, companies that offer software that
| can auto-update itself, can also make it so that the software
| uninstalls itself. Or worse, installs something you don't
| want. It also makes for an especially juicy target for supply
| chain attackers. So you have quite a bit of a double-edged
| sword there, from a security standpoint.
|
| I wonder when we're going to stop pretending that there
| shouldn't be at least a fuzzy divide between software and
| systems intended for technical users and software for non-
| technical users. (And we should not be afraid to label them
| as such.) I fully agree with auto-updates for mass-market
| software but as a technical user, I don't want the system
| that I rely upon to make a living to constantly be changing
| out from underneath me.
| kaba0 wrote:
| I'm sorry but if you think that disabling auto-updates on
| goddamn browsers, then you may not be as technical a user
| as you think of yourself.
|
| Browsers run untrusted code 0-24, which get JIT compiled to
| machine code through a very complex and bug-prone process.
| Add to that that desktop OSs are quite lacking when it
| comes to sandboxes, so even with browser sandboxes, the
| potential for serious damage is quite hard.
|
| So, staying ahead of bugs is a must.
| duskwuff wrote:
| > I have been burned often enough by software that auto-
| updates itself that I am positive I don't want it enabled
| by default on _my_ systems.
|
| Even then, there's a difference between "automatic updates
| aren't enabled by default" and "the application cannot
| update itself at all, even if you ask it to, so you'll have
| to download the new version yourself" -- and it sounds like
| this developer has chosen the latter.
| dont__panic wrote:
| Some of us are responsible software owners who prefer to
| update on our own terms.
|
| I understand the argument that my grandmother should probably
| enable auto-updates, because otherwise she could easily end
| up months behind on releases.
|
| But I care deeply about my personal computing environment. I
| notice every minuscule change because I'm on my computer for
| hours and hours each day. Sometimes I'm in the middle of some
| important projects and I don't want anything to automatically
| update. Sometimes I'm really productive during an afternoon
| and I don't want to waste time and lose momentum on an update
| (or some bug, or UI change, as a result of that update).
| Sometimes I've heard about some problem coming down the pipe
| in the next update and I'd rather wait until there's
| mitigations to make that change work better with my specific
| setup.
|
| Automatic updates basically assume that I have the computing
| proficiency of my grandmother. But I actually manage my
| computer in a very conscious, thoughtful way. All software
| should provide the ability to disable automatic updates (and
| update nagging) out of respect for power users. It's OK to
| hide it in a developer or advanced menu. Just give me the
| option.
|
| That being said: automatic updates are a sensible default for
| the same reason. But let me opt out, and (Mozilla, are you
| listening?) for the love of god please don't override my
| preferences back to automatic updates when you decide to
| change the UI of preferences.
| todoslostacos wrote:
| (Disclaimer: I work on the Firefox Application Update
| system)
|
| > But let me opt out
|
| It seems to me that you can opt out. You can use the "Check
| for updates but let you choose to install them" setting in
| `about:preferences`. Or you can use the exact policy
| currently under discussion: `DisableAppUpdate`. Or there is
| another policy called `ManualAppUpdateOnly` [0].
|
| > (Mozilla, are you listening?)
|
| Why yes, we are listening. We have heard many people
| request the ability to disable automatic updates, which is
| why we have the options that I mentioned above. If you feel
| that these options don't meet your needs, we would really
| appreciate you filing a bug [1]. We will get to it fastest
| if you put it in the correct component (which for this
| issue is `Toolkit::Application Update`).
|
| > for the love of god please don't override my preferences
| back to automatic updates when you decide to change the UI
| of preferences.
|
| I'm guessing that you are referring to when we removed the
| "Never install updates" setting [2]? This wasn't
| fundamentally a UI change. We had several good reasons to
| remove the underlying pref. Naturally, that meant that the
| UI for that pref went away as well. I won't spend a lot of
| time getting into our reasoning here, but we would be happy
| to discuss it with you if you want to chat with us about
| it. You can find us in the `#install-update:mozilla.org`
| channel on https://chat.mozilla.org
|
| [0] https://github.com/mozilla/policy-templates/#manualappupdate...
| [1] https://bugzilla.mozilla.org/home
| [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1420514
| md8z wrote:
| I'm not a security engineer but I have attended a lot of
| talks by security people. And the feeling I get from them
| is: don't opt-out of security updates. You don't want that
| option, it is a lose-lose for everyone involved, including
| your grandmother who is very likely to be a target of all
| kinds of scams and phishing attempts.
| legrande wrote:
| > Does the browser support (manual) self-updates at all, or
| has that functionality been disabled entirely?
|
| It has been disabled, as per the policy. It looks something
| like this in the policies.json file:
|
|     {
|       "policies": { "DisableAppUpdate": true }
|     }
|
| This is why when mainline Firefox increments to the next
| major version, you have to manually download the
| corresponding LibreWolf version as LibreWolf closely watches
| the new mainline updates.
|
| In terms of security, it kind of sucks having to manually do
| this, but it's a small price to pay for a hardened stripped
| down Firefox with all the Mozilla crap (Pocket, Telemetry
| etc) stripped out.
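An added example, not code from the thread, Mozilla or LibreWolf: a small Python audit that reads the text of a policies.json file and reports which update posture it requests, using the `DisableAppUpdate` and `ManualAppUpdateOnly` policies named in the comments above plus Firefox's `AppAutoUpdate` policy. The precedence order, the function names and the sample hosts are assumptions made for illustration.

```python
import json

# DisableAppUpdate and ManualAppUpdateOnly are the policies named in the thread;
# AppAutoUpdate is another Firefox enterprise policy covering automatic updates.
UPDATE_POLICIES = ("DisableAppUpdate", "ManualAppUpdateOnly", "AppAutoUpdate")

def update_posture(policies_text):
    """Return (posture, reason) for the text of a policies.json file."""
    try:
        doc = json.loads(policies_text)
    except json.JSONDecodeError as exc:
        return ("invalid", f"not valid JSON: {exc.msg}")
    policies = doc.get("policies") if isinstance(doc, dict) else None
    if not isinstance(policies, dict):
        return ("invalid", 'no top-level "policies" object')
    for name in UPDATE_POLICIES:
        # Accept JSON booleans only, so "true" typed as a string is flagged.
        if name in policies and not isinstance(policies[name], bool):
            return ("invalid", f"{name} is not a boolean")
    # Assumed precedence: a full disable outranks the narrower settings.
    if policies.get("DisableAppUpdate"):
        return ("disabled", "no self-update; new builds must be installed by hand")
    if policies.get("ManualAppUpdateOnly"):
        return ("manual-only", "updates install only when the user asks")
    if policies.get("AppAutoUpdate") is False:
        return ("auto-off", "automatic installation switched off")
    return ("default", "no policy restricts updates")

def needs_patch_process(fleet):
    """Hosts that need a manual patch process or a closer look, sorted by name."""
    flagged = {"disabled", "manual-only", "auto-off", "invalid"}
    return sorted(h for h, text in fleet.items()
                  if update_posture(text)[0] in flagged)

# Constructed sample input: host names and file contents are made up.
SAMPLE_FLEET = {
    "host-a": '{"policies": {"DisableAppUpdate": true}}',
    "host-b": '{"policies": {"ManualAppUpdateOnly": true}}',
    "host-c": '{"policies": {"DisablePocket": true}}',
    "host-d": '{"policies": {"DisableAppUpdate": "true"}}',
    "host-e": '{"policies": {"DisableAppUpdate": true, "ManualAppUpdateOnly": true}}',
}

if __name__ == "__main__":
    for host, text in sorted(SAMPLE_FLEET.items()):
        print(host, *update_posture(text))
    print("track manually:", needs_patch_process(SAMPLE_FLEET))
```

Hosts reported as `disabled` are the ones that depend entirely on someone downloading each new build, which is the trade-off the comments above argue about.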
| OrvalWintermute wrote:
| Having gone through most, if not all of the browser lockdown
| activities on FF, can concur completely - it is a huge time
| saver. I would vastly prefer to use a common approach for this,
| rather than my own ad hoc decisions for this.
|
| Am very interested in LibreWolf for this reason.
| ChrisArchitect wrote:
| anything new here? it's not new
|
| Some discussion about it maybe a year ago and it dwindled off as
| barely any changes to Firefox except branding....
| shmerl wrote:
| I think telemetry is useful for improving the UI.
___________________________________________________________________
(page generated 2021-11-04 23:02 UTC)