Firefox forks might be a reasonable short-term solution to the current era of Mozilla paper cuts, but the crisis is ultimately driven by economics.

Browser dev and maintenance is expensive and that pressure is pushing Mozilla towards the same underhanded, advertiser-driven strategies embraced by Google et al.

At best, Firefox forks are a less well-funded version of what Mozilla used to (at least publicly) aim for.

@sarahjamielewis It is also unfortunate because a point a number of Mozilla/ex-Mozilla people have raised with me is that the forks don't have security fast-response teams and will naturally lag a little on deploying time-sensitive security patches. And I just don't have a compelling response to that :(

@mcc @sarahjamielewis An honest, vulnerable and naive question: how fast do we really need security response to be?

I mean, I've often run browsers several versions out-of-date (either by disabling auto-updates on my phone, or by installing an alternative .deb over Ubuntu's) and I have only updated when I found that a particular site stopped working. All seemed ok.

Again, not a rhetorical question and not me saying "maybe we don't need fast updates". I'm asking why I should not be doing this.

@hisham_hm @mcc @sarahjamielewis browsers are a high value target, since that's what you use to reach out to the world.
When high profile software is patched, especially for an "interesting" bug, from what I hear it's not unusual for exploits for that to appear within days, maybe a week.
There have been documented cases of advertising networks serving ads that were malicious.
[1/2]
@hisham_hm @mcc @sarahjamielewis How far from that to being able to compromise your browser and your system? I don't know. But I don't feel comfortable using an outdated version of such an exposed piece of software.
[2/2]
@hisham_hm @mcc @sarahjamielewis and how fast a response would be "comfortable"? Personally I'd probably accept builds with fixes from upstream to be available within 2-3 days. If they were on the ball and kept vital fixes to that, I guess I could live with waiting for bugfix releases for a week, but that's pushing it.
But there's a question of what *their* code changes, and how well they're able to deal with bugs and vulns in that.